Just after entering the challenge, we can see that there are three columns: id, username and password.

The statement is `$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1"`

From this we can see that the value is closed with a single quotation mark. If you enter `1'`, the condition becomes `id = '1'' limit 1`, so there must be an error. However, you can use `--+` to comment out the quotation mark that follows, so that the condition is read as `id = '1'`.

So a union query is used to obtain the database name: `1' union select database(),2,3 --+`

Union: this operator is used to obtain the union of two result sets. When this operator is used, duplicate rows in the result set are automatically removed.

Change the id to -1 to empty the data echoed by the original query on id, so that only the data from the union is displayed.

After successfully obtaining the database name, query its table names. Use the group_concat() function, which combines the data into a single row, namely: `-1' union select group_concat(table_name),2,3 from information_schema.tables where table_schema="ctfshow_web" --+`
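
The fix for the statement shown above, as an added example that is not part of the original write-up or the challenge's code: the same lookup with the id validated as a decimal integer and bound as a parameter, so the quote-closing inputs from this page never reach the SQL text. The in-memory SQLite database, the `find_user` helper and the sample rows are assumptions made so the snippet runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: same query as the challenge statement, but the id is
// never concatenated into the SQL string.
function find_user(PDO $db, string $rawId): ?array
{
    // Allow only plain decimal digits; "1'" and "-1' union ..." stop here.
    if (!ctype_digit($rawId)) {
        return null;
    }

    // The placeholder keeps the value out of the SQL grammar entirely, so a
    // quote in the input cannot close the string literal.
    $stmt = $db->prepare(
        "SELECT username, password FROM user
         WHERE username != 'flag' AND id = :id LIMIT 1"
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test database (assumption: three columns as seen on the page).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'alice', 'constructed-pw'), (2, 'flag', 'constructed-secret')");

// Inputs taken from the write-up, plus one legitimate id.
$inputs = ['1', "1'", "1' union select database(),2,3 -- "];
foreach ($inputs as $input) {
    $result = find_user($db, $input);
    printf("%-40s => %s\n", $input, $result === null ? 'rejected / no row' : json_encode($result));
}
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver uses server-side prepared statements rather than client-side substitution.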