SQL injection of cisp-pte (Application of secondary injection)
2022-07-05 16:42:00 【Colorful @ star】
CISP-PTE practical exercise: SQL injection
Preface
I haven't written an article for a long time, because I've been preparing for the CISP-PTE exam and spending the time practising. Recently I found that second-order SQL injection is also a classic question type, so I would like to share my approach to solving it.
I. Practical exercise: SQL injection
Because this SQL injection question is fairly involved and troublesome to explain, this article covers only this one SQL injection question; explanations of other question types will follow later.
II. Problem-solving steps and methods
1. Finding an approach
From the question statement we can tell that the answer is in the database, so we only need to find an entry point, inject our statements, and read the answer. Let's click in and take a look.
It turns out to be an article publishing system. We first try to log in with a weak password.
Login fails, so the only option is to register and have a look.
Registered a user hao with password 123; registration is open.
After logging in we can see previously published articles. Now try publishing an article to see whether there is an injection point.
After filling in the data, the insert succeeds.
Let's insert some garbage characters and symbols and see.
When we insert a single quote and a comment marker there is an error, which indicates an injection point. Next, insert SQL statements to inject.
2. Performing the SQL injection
Now we need to decide which injection method is suitable. Looking at the question stem, I found that -- and # are filtered, the payload cannot be submitted directly, and no database information is displayed after submission. This brings to mind second-order injection as the way to inject the SQL query statement. The principle and method of second-order injection were explained in an earlier column of the penetration testing series; you can look back at it.
(1) First register two accounts. In my example they are hao and */'hao')#, both with the password 123.
The principle is as follows (see the picture):
The injection is completed through second-order injection plus half-closing the statement. First, logged in as */'1234ewq');#, insert the article content in the browser; the poc is as follows
AAA',(select database()),/*
AAA',(select group_concat(table_name) from information_schema.tables where table_schema like 0x32776562),/*
AAA',(select group_concat(column_name) from information_schema.columns where table_schema like 0x32776562 and table_name like 0x61727469636C6531 ),/*
AAA',(select group_concat(content) from (select * from article1 limit 0,1)as a ),/*
Then switch back to the normal user 1234ewq
Here is the answer. /* */ is used to comment out the extra quotes, so that the select statement we insert can be displayed; secondly, because of the second-order injection, the user name */'1234ewq');# that finally ends up in the table is actually 1234ewq, so the result has to be viewed as the normal user.
Let's see the effect
Difficulties in exploiting this:
First, the comment markers # and -- are masked, but they are not masked at registration time; because of a MySQL characteristic, everything between /* and */ is commented out. Also, the insert into <table> value() form requires the fields to be filled in one by one: one field too many or one too few will not do, and only 2 of the 3 fields are displayed. Therefore, first register a user name for second-order injection, then use second-order injection to bring that user name into the statement for special processing, forming
insert article1 value('','AAA',(select database()),/*','','*/ '1234ewq');#')
When inserted into the database, this becomes
insert article1 value('','AAA',(select database()), '1234ewq')
Second, querying the fields after insertion: because the same table name article1 appears in the table, the database would loop and report an error, so an as alias is needed; and if no limit clause is added, nothing can be exported; limit can take any value
The above is a detailed solution found online, to help everyone understand; now let me explain my own method.
First log in with the */'hao')# account. The principle behind registering such an account is very clear: it is just to comment out the quotes and commas before and after it.
(2) After logging in we publish articles; the next step is to submit the SQL statements. Because the result of the submission is not visible here, it actually ends up in the hao account.
(3) Manual SQL injection method
select schema_name from information_schema.schemata (query the databases)
select table_name from information_schema.tables where table_schema=<database name> (query the tables)
select column_name from information_schema.columns where table_name=<table name> (query the columns)
select <column name> from <database name>.<table name> (query the data)
First check which databases there are
Inserted successfully
Look at the tables in the database
Inserted successfully
From the insertion result we can now see the table article1
Next, look at the fields in the table
These are the fields in the table. The answer is most likely in title or content, so we start querying the data and output all of it.
We can see the answer is in the content field, and not in the first row but in some arbitrary row, so use limit to pull a few more rows of data.
The answer is: key1:u9y8tr4n
Summary
That concludes this SQL injection question. I hope you take a good look at the problem-solving idea and the method of second-order injection. Next time more CISP-PTE practical exercises will be updated for everyone.
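To make the second-order mechanism above concrete from the defender's side, here is an added Python example (not code from the original post or from the challenge) that contrasts the string-built INSERT the write-up reconstructs with a parameterised insert on SQLite. The column names id, title, content, author and the assumption that the user name is reused from the users table are mine, not the page's.

```python
import sqlite3

# Constructed values mirroring the write-up: the registered user name carries the
# closing half of a block comment, a closing quote and parenthesis and a '#', while
# the article field carries the opening half. The input filter sees neither half as
# a complete comment, which is why filtering "--" and "#" on the article alone fails.
USERNAME = "*/'1234ewq');#"
TITLE = "AAA',(select database()),/*"
CONTENT = ""


def build_insert_unsafe(title, content, username):
    """String-built INSERT as the vulnerable application is assumed to form it.

    The user name is read back from the application's own users table and pasted in
    as trusted data; that reuse is the second-order step. Returned as text only.
    """
    return "insert article1 value('','%s','%s','%s')" % (title, content, username)


def store_article_safe(conn, title, content, username):
    """Hardened form: every value, including the reused user name, is a bound parameter.

    Assumed schema article1(id, title, content, author). Quotes and comment markers
    stay inside the stored strings and are never parsed as SQL.
    """
    conn.execute(
        "insert into article1(title, content, author) values (?, ?, ?)",
        (title, content, username),
    )
    return conn.execute("select title, content, author from article1").fetchone()


def demo():
    """Return the text the unsafe builder produces and the row the safe insert stores."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table article1(id integer primary key, title text, content text, author text)"
    )
    row = store_article_safe(conn, TITLE, CONTENT, USERNAME)
    return build_insert_unsafe(TITLE, CONTENT, USERNAME), row


if __name__ == "__main__":
    statement, stored = demo()
    print("unsafe statement text:", statement)
    print("row stored by parameterised insert:", stored)
```

The point for defenders is that escaping or filtering at registration is not enough: the query that reuses stored data is the one that must bind it as a parameter.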