[SUCTF 2019]EasySQL
2022-07-23 06:14:00 【Mokapeng】
Opening the page shows a search box; F12 turned up nothing of value, so I tried conventional injection first and found that a lot of keywords were filtered.
1;show databases; lists the databases
1;show tables; lists the table names
1;show columns from Flag is blocked, because from is filtered
Earlier there had been a source-code leak for the site, so let's look at the source:
<?php
session_start();
include_once "config.php";   // supplies $datauser, $datapass and $dataName
$post = array();
$get = array();
global $MysqlLink;
//GetPara();
$MysqlLink = mysqli_connect("localhost", $datauser, $datapass);
if (!$MysqlLink) {
    die("Mysql Connect Error!");
}
$selectDB = mysqli_select_db($MysqlLink, $dataName);
if (!$selectDB) {
    die("Choose Database Error!");
}
// POST values are trimmed and passed through addslashes(); that only escapes quotes,
// it does nothing against input that needs no quotes at all
foreach ($_POST as $k => $v) {
    if (!empty($v) && is_string($v)) {
        $post[$k] = trim(addslashes($v));
    }
}
foreach ($_GET as $k => $v) {
    // loop body is missing from this copy of the source
}
//die();
?>
<html>
<head>
</head>
<body>
<a> Give me your flag, I will tell you if the flag is right. </a>
<form action="" method="post">
<input type="text" name="query">
<input type="submit">
</form>
</body>
</html>
<?php
if (isset($post['query'])) {
    // keyword blacklist, matched case-insensitively anywhere in the input
    $BlackList = "prepare|flag|unhex|xml|drop|create|insert|like|regexp|outfile|readfile|where|from|union|update|delete|if|sleep|extractvalue|updatexml|or|and|&|\"";
    //var_dump(preg_match("/{$BlackList}/is",$post['query']));
    if (preg_match("/{$BlackList}/is", $post['query'])) {
        //echo $post['query'];
        die("Nonono.");
    }
    if (strlen($post['query']) > 40) {
        die("Too long.");
    }
    // user input is concatenated straight into the query; || is logical OR
    // unless sql_mode contains PIPES_AS_CONCAT
    $sql = "select " . $post['query'] . "||flag from Flag";
    // mysqli_multi_query() accepts stacked statements separated by ';'
    mysqli_multi_query($MysqlLink, $sql);
    do {
        if ($res = mysqli_store_result($MysqlLink)) {
            while ($row = mysqli_fetch_row($res)) {
                print_r($row);
            }
        }
    } while (@mysqli_next_result($MysqlLink));
}
?>
Many keywords are indeed filtered. The key SQL statement is:
$sql = "select ".$post['query']."||flag from Flag";
It contains ||, which here is a logical operator.
The specific rules for || are:
When neither operand is NULL, the result is 1 if either operand is nonzero, otherwise 0;
When one operand is NULL, the result is 1 if the other operand is nonzero, otherwise NULL;
When both operands are NULL, the result is NULL.
So in this statement any numeric input returns 1 because of the || operation, and the value of the real query cannot be obtained.
The primary goal is therefore to make || ineffective or to bypass it.
Method 1: input *,1. The SQL statement then becomes:
select *,1||flag from Flag, which is equivalent to select *,1 from Flag
Method 2: turn || into the string concatenation operator, so that it concatenates the query results.
Input 1;set sql_mode=pipes_as_concat;select 1
The executed statements are select 1, then set sql_mode=pipes_as_concat, then select 1||flag from Flag, which reads out the flag.
Comparing the results, method 2 returns the flag with a 1 concatenated in front of it, while method 1 does not.
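To make the three || rules and the sql_mode switch above concrete, here is an added Python model (not MySQL itself, and not part of the original writeup) of how `a || b` evaluates under the default mode versus PIPES_AS_CONCAT. It also models MySQL's leading-numeric-prefix coercion of strings in a numeric context, which is why a string such as flag{...} counts as 0 and `1||flag` collapses to 1; the sample flag value is constructed.

```python
import re

NULL = None  # stands in for SQL NULL in this model

# MySQL's lenient string-to-number coercion: the longest numeric prefix
# is used, and a string with no numeric prefix becomes 0 (with a warning).
_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def to_number(v):
    """Coerce a value the way a numeric operator such as logical OR would."""
    if v is NULL:
        return NULL
    if isinstance(v, (int, float)):
        return v
    m = _NUM_PREFIX.match(str(v))
    return float(m.group(0)) if m else 0


def logical_or(a, b):
    """Default `a || b`: three-valued logical OR, as described in the writeup."""
    a, b = to_number(a), to_number(b)
    if a is not NULL and b is not NULL:
        return 1 if (a != 0 or b != 0) else 0
    other = a if b is NULL else b      # the non-NULL side, or NULL if both are
    if other is NULL:
        return NULL
    return 1 if other != 0 else NULL


def pipes_as_concat(a, b):
    """`a || b` with sql_mode=PIPES_AS_CONCAT: CONCAT semantics, NULL-propagating."""
    if a is NULL or b is NULL:
        return NULL
    return f"{a}{b}"


def evaluate_pipes(a, b, pipes_as_concat_mode=False):
    """Evaluate `a || b` under the chosen sql_mode."""
    return pipes_as_concat(a, b) if pipes_as_concat_mode else logical_or(a, b)


if __name__ == "__main__":
    FLAG = "flag{constructed_sample}"   # constructed stand-in for the Flag.flag column
    print("select 1||flag  (default)        ->", evaluate_pipes(1, FLAG))
    print("select 1||flag  (PIPES_AS_CONCAT) ->", evaluate_pipes(1, FLAG, True))
```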