BugKuCTF --- SQL injection Writeup

Marsguest's Blog


The challenge URL is http://103.238.227.13:10083/
First, construct the link

http://103.238.227.13:10083/?id=1'

The page does not respond, which indicates that the input is being filtered. Right-clicking to view the page source shows the character encoding GB2312, so the guess is MySQL wide-byte injection.

Briefly, what wide-byte injection is:
1. After the server receives the data sent by the front end via GET, it can filter specific characters with PHP functions such as addslashes, mysql_real_escape_string and mysql_escape_string, which prefix each of them with an escape character. This makes those characters inert when they are later spliced into the SQL statement. The
filtered characters include

(1)          the ASCII NUL character \x00,
(2)          the newline character \n (not escaped by addslashes),
(3)          the carriage return character \r (not escaped by addslashes),
(4)          the backslash character \,
(5)          the single quote character ',
(6)          the double quote character ",
(7)          \x1a (not escaped by addslashes)

2. When MySQL uses the GBK encoding, it treats two bytes as one Chinese character. So we write the injection link as

http://103.238.227.13:10083/?id=1%df'

After %df' is sent to the backend PHP for processing, it becomes %df\'. The byte sequence of %df\' is %df%5c', which MySQL reads as the Chinese character "yun" followed by '. In other words, the escape character \ that PHP added while filtering is swallowed into the multibyte character, and the filter is bypassed.
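The following Python block is an added example and is not code from the writeup or from the challenge. It models the two sides of the mismatch described above: a byte-wise escaper in the style of PHP addslashes (the `naive_addslashes` function is mine, not PHP's), and the way a MySQL server decodes the result under GBK versus UTF-8. It then shows the defensive alternative: decode the input with the connection charset before escaping, so a dangling lead byte such as 0xDF is rejected instead of absorbing the backslash. In real PHP code the equivalent fix is to tell the driver the connection charset (for example mysqli_set_charset) so that mysql_real_escape_string is charset-aware, or better, to use prepared statements so user input never touches the SQL text at all. The sample input `TAINTED` is constructed here to mirror the %df' byte pair from the text.

```python
import re
from typing import Optional

# Constructed sample input (not taken from any live target): the lead byte 0xDF
# followed by a single quote, the same byte pair the writeup describes as %df'.
TAINTED = b"\xdf'"

# Characters a byte-wise escaper prefixes with a backslash (subset of the page's list).
ESCAPED_CHARS = b"'\"\\\x00"


def naive_addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP addslashes(): put a backslash (0x5C)
    in front of ' " \\ and NUL without knowing which charset the bytes are in.
    Hypothetical helper written for this example."""
    out = bytearray()
    for b in raw:
        if b in ESCAPED_CHARS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """How a MySQL server using this connection charset would decode the escaped bytes.
    Undecodable bytes are rendered as U+FFFD so the two charsets can be compared."""
    return escaped.decode(charset, errors="replace")


def has_unescaped_quote(text: str) -> bool:
    """True if some single quote is not preceded by a backslash, i.e. it would
    terminate the SQL string literal and let the rest of the input become SQL."""
    return re.search(r"(?<!\\)'", text) is not None


def charset_aware_escape(raw: bytes, charset: str) -> Optional[bytes]:
    """Hardened variant: decode with the connection charset first, escape at the
    character level, then re-encode. The backslash is inserted after decoding, so
    no lead byte can swallow it; input that is not valid in the charset is rejected
    (returns None) rather than passed through."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    naive = naive_addslashes(TAINTED)
    print("naive escaped bytes:", naive)
    print("GBK server sees:", server_view(naive, "gbk"))
    print("quote survives under GBK:", has_unescaped_quote(server_view(naive, "gbk")))
    print("quote survives under UTF-8:", has_unescaped_quote(server_view(naive, "utf-8")))
    print("charset-aware result for tainted input:", charset_aware_escape(TAINTED, "gbk"))
    print("charset-aware result for valid input:", charset_aware_escape("中'".encode("gbk"), "gbk"))
```

Under GBK the escaped bytes decode to one CJK character followed by a bare quote, which is exactly the condition the writeup exploits; under UTF-8 the 0xDF byte is simply invalid and the backslash stays in front of the quote. The charset-aware version refuses the tainted input outright (0x27 is not a valid GBK trail byte) and keeps the backslash attached to the quote for well-formed input, which is why escaping must know the connection charset, and why parameterized queries remain the more robust fix.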


Continuing with the challenge, use wide-byte injection to construct the POC and reveal the database name

http://103.238.227.13:10083/?id=1%df' union select 1,database() %23

Here %23 is the # character, the MySQL comment marker; it comments out the trailing quotation mark.
This reveals the database sql5. Then construct the POC according to the hint to get the flag

http://103.238.227.13:10083/?id=1%df' union select 1,string from sql5.key %23
