SQL injection (2)

1. Why should we understand this knowledge

2. Principle

3. Own understanding and practice

4. CTF title case

The tone of what follows may not be very polite; if any wording is inappropriate, leave a comment and I, the author, will change it.


Daily grumble: SQL injection, if you say it is difficult, it isn't; if you say it isn't difficult, it is quite hard. SQL injection really tests experience. Today I learned a new SQL injection payload, and I think it is really worth recording as a memo.


Why should we understand this knowledge

Union-based injection actually involves a lot of knowledge, so today we have to talk about it. Union injection in CTF is really uncomfortable. I haven't seen that many challenges, but I have noticed some common points.
1. Which keywords are commonly filtered?
1. union select
2. and
3. or
4. from
5. space (whitespace)
In short, the code used for union injection will be filtered, so sometimes you need to fuzz to see which keywords have not been filtered. Look at a big guy's writeup to copy a fuzzing table (Baishen is really good).
Principle

Most filtering is actually a PHP regular expression, or a blacklist table, but these are really miserable:
preg_replace('/or/i',"",$id); // filter out "or"

Some filters look like the one above. There are many simple ways to bypass them:
1. Random mixed case (SelECt)
2. Overlay / nesting (OorR)
3. Equivalent replacement: and (&&), or (||)
4. Encoding (if the space is filtered, you can use %0A (\n))
5. Inline comments (/**/ can replace a space)
6. Equivalent function replacement (version() -> @@version)
7. Special symbols (+, \\, ', @)
8. Inline comments with ! (/*!union*/)
9. Buffer overflow
select * from users where id = 1 and (select 1) = (Select 0xA*1000) uNiOn SeLeCt 1,2,version(); // self-test succeeded, keep going
0xA*1000 means the "A" after 0x is repeated 1000 times. In general, overflowing an application's buffer needs a fairly large length to test; 1000 here is for reference, and in some cases it can be shorter.
10. MySQL feature bypass
select * from users where id = 1 union select @test=user(),2,3; // 1
select * from users where id = 1 union select @test:=user(),2,3; // self-test works, keep going: root
select * from users where id = 1 union select @,2,3; // NULL
11. Black magic (shown as an image in the original post)
12. Whitespace bypass
MySQL whitespace: %90, %0A, %0B, %0D, %20, %0C, %A0, /*xxx*/
Regular-expression whitespace: %09, %0A, %0B, %0D, %20
Example-1: union%250Cselect
Example-2: union%25A0select
In CTF these are generally used in combination.
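As an added illustration (my own code, not from the original post), here is a Python re-creation of a strip-the-keyword filter like the preg_replace line above. It shows why the mixed-case and overlay items in the list work against a single-pass, case-sensitive replacement, what stripping to a fixpoint changes, and the approach a defender should take for a numeric id parameter: validate and reject rather than sanitize. The function names, the keyword list and the sample inputs are my own.

```python
import re

# Keywords a naive blacklist typically strips (constructed list, mirrors the post).
BLACKLIST = ("union", "select", "or", "and", "from")


def strip_once(s: str, words=BLACKLIST, ignore_case: bool = False) -> str:
    """One pass of preg_replace('/word/', '', $s) per keyword, like the PHP
    line in the post: every occurrence is removed, but only once, and by
    default only in the exact case that is listed."""
    flags = re.IGNORECASE if ignore_case else 0
    for w in words:
        s = re.sub(re.escape(w), "", s, flags=flags)
    return s


def strip_to_fixpoint(s: str, words=BLACKLIST) -> str:
    """Case-insensitive stripping repeated until nothing changes, so that an
    overlay such as 'selecselectt' cannot reassemble into a keyword.
    (It still damages legitimate input such as 'password', see below.)"""
    while True:
        out = strip_once(s, words, ignore_case=True)
        if out == s:
            return out
        s = out


def validate_int_id(raw: str):
    """Positive validation for an integer id parameter (an index.php?id=
    style value with no quotes). Returns the int, or None to reject.
    Rejecting replaces guessing which spelling of a keyword is left over."""
    return int(raw) if re.fullmatch(r"[0-9]{1,10}", raw) else None


if __name__ == "__main__":
    print(strip_once("selecselectt"))         # overlay survives a single pass
    print(strip_once("SeLeCt 1"))             # mixed case survives a case-sensitive pass
    print(strip_once("password"))             # and legitimate input is damaged
    print(strip_to_fixpoint("selecselectt"))  # fixpoint stripping removes it
    print(validate_int_id("1 union s<>elect 1,2,3"))  # None: rejected, not cleaned
```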

Now let's explain the filtering principles.

1. Mixed case
MySQL has the feature that keywords are not case sensitive, so however you mix the case, it will eventually be converted to lowercase or uppercase. The most common filter looks the keyword up in a list, so the uppercase and lowercase variants of each keyword get imported into the list. That is very troublesome, so the upgraded version now converts the whole SQL statement to lowercase or uppercase and then filters, and mixed case may then be useless.
2. Overlay
Because case tricks don't work, consider the next step. A common filter replaces the keyword with "", which is actually very simple to bypass, and overlay is one way. For example, for "selecselectt" the filter function automatically converts the inner select to "", so selecselectt -> select. But the upgraded version is very uncomfortable: the filter function may replace the keyword with some other characters, and then it depends on the situation; anyway, this method may be useless.
3. Equivalent replacement
As the name suggests, a function is replaced by another with the same effect. Most filters are a list built with black-hat thinking: the commonly used keywords are banned, but functions with similar effects are neglected; for example, order by is filtered but group by, which has similar functionality, is not. In the upgraded, uncomfortable case, white-hat thinking only allows a specified list of keywords. Later I will list separately some equivalent functions borrowed from the big guys.
4. Encoding
Encoding is really a good bypass method, similar to overlay. A URL-encoded or hex-encoded keyword can get through because it will be decoded and executed in MySQL. But the upgraded version is also strong: it can decode first and then filter. Then you can use n-fold encoding to bypass.
5. Inline comments
Inline comments mainly bypass combined filtering, i.e. a string such as "select union" must not appear, but /**/ can also be used in place of spaces. I don't know why MySQL allows this; I'm fascinated by it.
/*!code*/ often bypasses strict regular expressions, because SQL will execute the code inside /*!code*/.
6. Buffer overflow, MySQL feature bypass, black magic
These are for bypassing a WAF; they generally don't come up in CTF.
7. Whitespace bypass
This may really be the top priority. CTF challenges often filter spaces to see how you inject, which is undoubtedly really tiring, but there are still a lot of options.
MySQL equivalents of a space: %90, because the largest ASCII value is %8F, %90 is out of range, so it represents an invisible character and can replace a blank.
%0A, %0B, %0D are special escape characters: line feed, vertical tab, carriage return (\r), and so on.
Regular-expression whitespace is %09, %0A, %0B, %0D.
So we must judge whether it is regex filtering or a PHP filter function, but the characters they have in common can still be used.
8. Inline comments are filtered
You can try to find special symbols and check for special cases, for example <>, +, {}, [], *, etc. Such challenges need fuzzing, otherwise it is really difficult.
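An added example of the defender's side of items 7 and 8 (my code, not the post's): a normalizer for logged parameter values that URL-decodes repeatedly (for %25 double encoding), turns the MySQL whitespace equivalents and inline comments listed above into plain spaces, and lowercases, so that a simple "union select" match in a detection rule is no longer defeated by those spelling tricks. The function names and the sample values are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes MySQL accepts as whitespace (from the post's list: %09 %0A %0B %0C %0D %20 %A0).
MYSQL_WS = re.compile("[\x09\x0a\x0b\x0c\x0d\x20\xa0]+")
# /**/ and /*!...*/ (optionally with a version number such as /*!50000select*/):
# MySQL executes the inner text, so keep it and replace the wrapper by spaces.
INLINE_COMMENT = re.compile(r"/\*!?\d*(.*?)\*/", re.S)


def normalize(raw: str, rounds: int = 3) -> str:
    """Decode a query-string value as the database will eventually see it
    (repeating for %25-style double encoding), then canonicalise whitespace
    and case so that only one spelling of each keyword remains."""
    b = raw.replace("+", " ").encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(b)
        if decoded == b:
            break
        b = decoded
    s = b.decode("latin-1")              # keeps %A0 / %90 as single characters
    s = INLINE_COMMENT.sub(lambda m: " %s " % m.group(1), s)
    s = MYSQL_WS.sub(" ", s)
    return s.strip().lower()


def flag_union_select(raw: str) -> bool:
    """Detection heuristic for a log line: after normalisation, the tokens
    'union' and 'select' are adjacent."""
    return "union select" in normalize(raw)


# Constructed sample parameter values, as they might appear in an access log.
SAMPLES = {
    "plain": "1",
    "double_encoded_ws": "1%20union%250Cselect%201,2,3",
    "mixed_case_comment": "1/**/uNiOn/*!SeLeCt*/1,2,3",
    "nbsp": "1%A0union%A0select%A01,2,3",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:20s} {flag_union_select(value)!s:5s} {normalize(value)!r}")
```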
CTF challenge example

i Spring and Autumn (i春秋) Web SQL

There are no single quotes, so the parameter should be an integer.
Trying order by, and, or, I found they are filtered.
At this point you can substitute equivalents:
order by -> group by
and -> &&
or -> ||
1. group by echoes, so group by is not filtered.
2. The code after && disappears, indicating that && is replaced with #.
3. || gives no error but is not very useful: || 1=1 echoes the test row, 1=2 shows no change. You can also use overlay to judge whether a keyword is converted to "".
However, I found that entering order displays the text "injection attack", so order by is not usable here.
I found 3 columns with group by.
Trying union and select, I found they are filtered.
Since my knowledge is limited, I thought of another way.
Trying inline comments /*!*/, I found they are filtered too, so I could only try special symbols:
<>, [], {}, "
I found <> is replaced with "", so you can use <> to overlay:
union s<>elect 1,2,3


/index.php?id=1+union+s<>elect+1,database(),3

The current database is found to be sqli.

index.php?id=1+union+s<>elect+1,(sel<>ect%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3

Get the table names info and users (try as many as possible, but there is a hint, info, in front),
then extract the column names.
Finally, the data column holds the flag.
One more sentence to finish: challenges like this are still very good, and as per the old rule it is recommended to try it yourself. You can refer to this big guy's writeup:
i Spring and Autumn WEB SQL

Origin blog.csdn.net/a1309525802/article/details/105371015