CTF - Attack and Defense World - supersqli (SQL injection)

Challenge


Problem-solving process

Tried a single quote and found an injection point; the database is MariaDB.

My first reaction was to run a tool against it >_<, which dumped the database name: supersqli

Continued with the table names, but the tool could not dump them; tried running the next SQL statement as well, and got nothing back either...

Checked the current user: root, but not DBA. Was it a permissions problem?...

Then I went back and tested by hand, and found there is a keyword filter, which should be why the tool could not dump the table names.

Tried the bypass methods one by one again and found that stacked injection was possible; dumped two table names, but could not select the data out of them (because of the keyword filter...)

Queried the columns of the tables; the flag is in table 1919810931114514.


I did not think of a way to query the data in that table myself, so I looked it up on Baidu. There are two: 1. the default search page queries the words table, so rename the tables to swap words and 1919810931114514; 2. use MySQL prepared statements.

The prepared-statement input is as follows:

1';use supersqli;set @sql=concat('s','elect * from `1919810931114514`');PREPARE pre FROM @sql;EXECUTE pre;--+

Here concat is cleverly used to bypass the keyword check (this idea is very useful; learned something ~^_^~)


Knowledge summary

1. When a MySQL table name is purely numeric (or collides with a reserved word), it must be wrapped in backticks: show columns from `1919810931114514`

2. MySQL officially refers to PREPARE, EXECUTE and DEALLOCATE collectively as PREPARE STATEMENT, i.e. prepared statements.

3. String concatenation functions can be considered for bypassing keyword checks.
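The following is an added example (not part of the original write-up or the challenge's own code) that puts points 2 and 3 into code from the defender's side: a keyword blacklist modelled on the filter described above (the exact keyword set is assumed), the write-up's payload passing through it untouched, a log-side detection rule for runtime-built SQL, and the fix, a parameterized single-statement query. SQLite stands in for MariaDB; the words table schema is constructed.

```python
import re
import sqlite3

# Keyword blacklist of the kind the write-up ran into (assumed keyword set):
# it matches the whole word "select", so concat('s','elect') slips past it.
BLACKLIST = re.compile(r"select|update|delete|drop|insert|where", re.IGNORECASE)

# The stacked-query payload quoted in the write-up above.
PAYLOAD = ("1';use supersqli;set @sql=concat('s','elect * from `1919810931114514`');"
           "PREPARE pre FROM @sql;EXECUTE pre;--+")

# Detection rule: SQL assembled at runtime via user variables and PREPARE ... FROM @var.
# Useful for query logs or a WAF when an application never legitimately does this.
DYNAMIC_SQL = re.compile(
    r"set\s+@\w+\s*=\s*concat\s*\(|prepare\s+\w+\s+from\s+@\w+", re.IGNORECASE)


def blacklist_blocks(inject: str) -> bool:
    """True if the keyword blacklist would reject the input (it is a weak control)."""
    return BLACKLIST.search(inject) is not None


def flags_dynamic_sql(inject: str) -> bool:
    """True if the input builds a statement at runtime and prepares it."""
    return DYNAMIC_SQL.search(inject) is not None


def search_words_hardened(conn: sqlite3.Connection, inject: str) -> list:
    """The fix: one statement, input bound as a parameter, never spliced into SQL.
    The payload becomes a literal id value that matches no row."""
    return conn.execute("SELECT id, data FROM words WHERE id = ?", (inject,)).fetchall()


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    # Constructed stand-in for the challenge's words table.
    conn.executescript("CREATE TABLE words(id TEXT, data TEXT);"
                       "INSERT INTO words VALUES ('1', 'hello');")
    return {
        "blacklist_blocks_payload": blacklist_blocks(PAYLOAD),     # False: filter bypassed
        "detector_flags_payload": flags_dynamic_sql(PAYLOAD),      # True: pattern caught
        "hardened_rows_payload": search_words_hardened(conn, PAYLOAD),  # []
        "hardened_rows_benign": search_words_hardened(conn, "1"),  # [('1', 'hello')]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is that the blacklist rejects an honest `select * from words` while letting the stacked payload through, whereas the parameterized query needs no keyword filtering at all.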


Source: www.cnblogs.com/sallyzhang/p/12627343.html