banner
肥皂的小屋

肥皂的小屋

github
steam
bilibili
douban
tg_channel

A CTF SQL injection question

The Cause of the Incident#

From a certain internal testing ground, not open for registration, following the steps of the "lation" brother from Byte Pulse to reproduce it, learning posture, target address

Exploring the Injection Method#

The target looks like this:

image

It looks like a "simple" login box, intercept with burp and start probing with repeater

image

It looks normal, with only the username and passwd fields, let's try the universal password account first

image

Login failed, here's a little trick, it is recommended to select the part you added when changing the parameters with burp and pass it through URL encoding with ctrl+U

Adding a single quote to admin doesn't do anything, adding and 1=1 and and 1=2 doesn't do anything either

Let's try adding a single quote to the passwd field

image

Still no response, let's try error-based injection:

image

Still no response, let's try wide character injection:

image

Error occurred, let's try closing the error statement:

image

After testing, besides --+, # and -- - can also be used to close it

Injecting Data#

As usual, let's first query the number of columns:

image

Error occurred, we can see that the error message indicates near 'der by 3, which means our or has been eaten, let's try double writing to bypass it:

image

image

order by 3 is fine, order by 4 gives an error, let's use union select to view the echoed fields:

image

Directly echoed "Login successful, flag is in the flag1 table, column name is key1" (it's a bit overlapping in my display), let's directly check the value

image

No changes found

When performing error-based injection, reading permissions for the information_schema database are required

If there is no reading permission for the information_schema database, it is necessary to guess both the column names and table names (more difficult)

So let's use the previous error-based injection to query the data:

image

Note that there is another % after %df%27

Reference article:

End of the article.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.