Topic analysis

Input 1 have a look

The routine tried other numbers and found that they were the same as the above , Tried. 1’ and 1’‘ No echo . Input 1 and 1=1 Wait for the same echo , as follows ：

It must be digital injection , Try it regularly order by1-99 try , Discover or Nonono, That is to filter some key characters .
Try Stack Injection


Try querying the fields in the table ：
1;select columns from ‘Flag’;
Discover or Nonono

Other Boolean injections , It's useless to try blind injection of time , It should be all filtered out

Method 1 ： Unexpected solution

Guess first SQL Statement! （ use burp You can know ＊ Is not filtered , I'm not going to do that here ）
Because this question is passed POST The ginseng query, No matter what number we input, it will only echo Array([0] =>1), Typing letters does not echo , But it doesn't say whether this letter is filtered , that query If the value of is If it is not a number, it cannot be echoed normally , Then the query statement should be as follows ：（ That is to say select Input data || A built-in column name from Table name ）

$sql="select".$_POST['query']."||flag from Flag";

( At this time || The role is or The role of
( To be honest, I really didn't expect such … I saw some other Masters wp That's how it's explained ： The echo obtained by entering a non-zero number 1 And the rest of the characters entered are not echoed => To determine that the internal query statement may have ||
After knowing the query statement , It's easy to do

Solution 1 ：
payload:

*,1

that sql The sentence becomes ：

select *,1 || flag from Flag

That is to say

select *,1 from Flag

obtain flag

1） Why *,1 Well My understanding is that ,1 In order to “ eat ” hinder || . Because we put || Think of it as an operator or There is （ Here it can be understood vividly as the disjunction of true and false propositions ）, therefore *,1 || flag == *,1 ( Enter other non 0 The same is true of numbers , And input *,0 , According to the result, we can judge flag This column does not exist
2）select 1 from Flag The role of is
Add temporary Columns , The column value of each row is written in select The number after .

Method 2 ： The expected solution

By modifying the SQL Configuration will ** Or operator ||** Set as connector

set　sql_mode=PIPES_AS_CONCAT

payload:

1;set sql_mode=PIPES_AS_CONCAT;select 1

So the execution SQL Statement for ：

select 1;set sql_mode=PIPES_AS_CONCAT;select 1||flag from Flag;

After changing the semantics, the query result of the previous field is spliced with the query result of the next field , In this way, both fields will be queried . obtain flag

Reference article ：https://blog.csdn.net/mochu7777777/article/details/108937396