攻防世界 WEB: NewsCenter

  A few days ago I came across the 攻防世界 platform. It really was a lucky encounter: I had been looking for somewhere to test what four years of studying security at university had taught me. So I immersed myself in hunting flags, one or two challenges a day (after solving two I go back to schoolwork, so the pace is quite slow), summing up the security side while solving and using various tools to identify and exploit vulnerabilities ..... I finally finished the web beginner exercises recently and, excited and nervous, moved on to the advanced set. There are two challenges; I picked the one whose name looked the most straightforward: NewsCenter.

  The page shows only a title search box, with the results displayed below it. The first thing to consider is SQL injection. I started with the simplest construction, sd' or '1'='1, and it returned all the news (7 items). Looking at the page source I found the search is submitted with POST, so I considered using sqlmap.

  But a vulnerability in a form like this should also be exploitable by other means. After all, I could see there was no filtering or validation and no prepared statements; this is the most basic kind of SQL vulnerability, so here I tried constructing statements by hand to see what information could be obtained.

  What the teacher taught us at school is to try a single quote and values like 1, 2; after that you can basically use a UNION query to get a lot of information. UNION is the deduplicated union of two result sets, but the premise is that both sides have the same number of columns, so first try a few values to find out how many columns the data has.

  I entered sd' union select 1,2 # and sd' union select 1,2,3 # (the leading ' closes the string in the backend statement, and the trailing # comments out the backend's own closing '). Only 1,2,3 returned correctly, which shows the data has three columns.

  Then use INFORMATION_SCHEMA to get all the table names. There are many possible commands; here I constructed:

sd'  union select 1,2,table_name from information_schema.tables #

The leading 1,2 are purely there to pad the column count. This returned a long string of table names; after patiently looking through them I found a secret_table at the very end. Going by 攻防世界's habit of hints in the style of "此地无银三百两" (a hiding place that announces itself), that is the target, no doubt about it!

  Next, use the structure of information_schema.columns to get the information about the secret table. According to an article by an expert, the only information we need is column_name, or column_type as well to see the data type. So construct:

sd'  union select 1,column_type,column_name from information_schema.columns where table_name='secret_table' #

  Sure enough there is a flag inside, so go straight for it:

sd'  union select 1,2,fl4g from secret_table #

and get the flag.

  To sum up: this is a very low-difficulty SQL injection challenge. The page echoes the results back, so no blind injection is needed, and there is no filtering, so no bypasses to think about. It is the kind of problem that builds a beginner's confidence, and as a beginner I am full of a sense of achievement right now!

Origin www.cnblogs.com/AnEKiller/p/11573847.html