Moving machine
Table of contents
question
- Where there is data interaction, injection points are likely to occur.
- The core of sql injection: splicing user-entered data into code and executing it as sql statements
Problem solving process
The first step - find the place where the page interacts with the database
Enter any data and click Login
At this point, jump to the check.php page and get the result. It can be seen that this page interacts with the database
Step 2 - Check the SQL statement closure method
知识点:
How to determine the closing character
Principle of judging the closing method of SQL statements:
MYSQL database is relatively tolerant. For example, enter 1), 1", 1-, etc. The characters after these numbers are not closing characters, so the database will convert these entered incorrect data into the correct data type.
However, if the character after the entered number happens to be a closing character, a closure will be formed. If the sql statement formed after closing is wrong, the execution of the sql statement will be wrong, resulting in page display errors.
Determine the SQL injection closure method:
Method 1: Use (escape character) to determine the closing method of SQL injection
Principle: When the closing character encounters an escape character, it will be escaped. Then the statement without the closing character will be incomplete and an error will be reported. From the error message, we can infer the closing character.
Analyze the error message: Look at the character following the \slash to see what character it is and what its closing character is. If not, it is numeric.
(But there are two variables in this question, so this method is not suitable)
Method 2: Enter 1, 1’, 1" to determine the closing method of the SQL statement
Take the username as an example (the password is the same)
Enter the username respectively 1
, 1'
,1"
, enter password 123
When entering1
, 1"
in the user name
The same result occurred
Only when entering1'
, the following error occurred
知识点:
The difference between single quotes and double quotes in MySQL
Generally, SQL statements are closed with single quotes.
When enters
1
,1"
, no SQL statement reports an error, it just prompts us that the value entered is incorrect, so we can first assume that the SQL statement is closed The method is single quote
When username is entered
1
, the sql statement formed isSELECT*FROM table_name WHERE username='1'and password='123';
When username is entered
1"
, the sql statement formed is correct
SELECT*FROM table_name WHERE username='1"'and password='123';
When double quotes need to be included in the string, in addition to using escape characters , you can also use a pair of single quotes to enclose a string. Double quotes within a string are treated as ordinary characters and require no special treatment
Similarly, when a string needs to contain single quotes, in addition to using escape characters, a pair of double quotes can also be used. Quotation marks to enclose the string. Single quotes within strings are treated as ordinary characters and require no special treatment
username is entered
1'
, and the sql statement formed is wrong
SELECT*FROM table_name WHERE username='1''and password='123';
The first single quote and the second single quote form a new Closed, with the remaining third single quote, the SQL statement formed is incorrect, so the statement reports an error.
Therefore, it can be concluded that the closing method of SQL statements is single quotation marks.
Assume that the SQL statement is enclosed in double quotes
When username is entered
1
, the sql statement formed is correct
SELECT*FROM table_name WHERE username="1"and password="123";
When username is entered
1"
, the SQL statement formed is
SELECT*FROM table_name WHERE username="1""and password="123";
. A correct SQL statement cannot contain a pair of double quotes. Therefore, there should be a SQL error in the above line, but no error is actually reported, so the double quote closing method we assumed is not valid.
username input is
1'
, the formed SQL statement is correct and no error will be reported
SELECT*FROM table_name WHERE username="1'"and password="123";
However, in fact, this statement reports an error, so The double quote closure we assumed does not hold true.
In summary, we can deduce that the closing method of SQL statements is single quotes.
Step 3 - Perform SQL injection
Method 1: Universal account password
知识点:
Universal account password principle
一般来说,有账号密码登陆的题,在判断完闭合方式后,可以尝试先用万能账号密码解题
From the second step, we know that the database is closed with single quotes'
Therefore, using the single quote character type universal password here, you can get the correct flag< a i=2> (Username and password must have at least one. Enter the universal password to get the correct flag)
Get the correct flag
flag{938bf795-3f35-4edd-abd3-b23640b93d11}
Method 2: Use HackBar for SQL injection
(The idea is the same as the universal password. Learn how to use HackBar here)
1. View the parameter transmission method of the page
知识点:
How POST requests and GET requests pass and receive parsing parameters
Just enter some numbers (user: 111, password: 111)
First look at the url in the interface. You can see that the account and password we entered are all displayed in the url. It can be seen that this is the get parameter.
——> This interface is check .php page
——>So we can use HackBar for SQL injection
http://6c94579b-e71a-4310-9e9d-8d74f371cbaf.node4.buuoj.cn:81/check.php?username=aaa&password=111
GET比POST更不安全,因为GET参数会直接暴露在url上。所以不能用来传递敏感信息
?
means passing parameters, followed by parametersusername=aaa&password=111
. Generally speaking, the content of ?
is user-controllable.
The controllable parameters of the incoming SQL statement are divided into two categories:
- Numeric type, parameters do not need to be quoted
?passord=111
- For other types, parameters need to be quoted.
?username="aaa"
2. Use HackBar for SQL injection
知识点:
POST and GET request parameter encoding methods
Load URL: "frame" the URL
Split URL: Automatically split the URL to quickly find out what needs to be fixed a>
Execute: equivalent to F5
1. First "Load URL",
2. Then enter the sentence in the box
/check.php?username=a' or true %23& password=1
GET传参要经过url编码,所以使用url进行输入时,不能使用#,而应该使用其url编码%23
3. Then click "Execute" to get the correct flag
Summary of ideas
Question type:
- SQL injection
Steps to do the question:
- First find the place on the page where there is data interaction
- Determine the closing method of SQL statement
- Perform SQL injection (Universal Password/Hackbar)