
MCIR SQLol Challenges: SQL injection

Challenge 0

Your objective is to get the query to return all usernames instead of just one.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - GET
Sanitization - None
Output - All results, verbose error messages, query shown
      

The task is to make the query return every username.

Enter '=' as the value; ' or '1'='1 also works. With '=' the WHERE clause becomes username = ''='', which MySQL evaluates left to right: username = '' is 0 for every row, and 0 = '' is true because the empty string converts to 0 in a numeric comparison, so every row matches.

[screenshot]

Challenge 1

Your objective is to find the table of social security numbers present in the database and extract its information.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - GET
Sanitization - None
Output - All results, verbose error messages, query shown
      

The task is to find the social security numbers table and extract all of its contents.

1. Determine the number of columns in the result set

[screenshots]

The result set has one column.

2. Get the database name

[screenshot]

The database name is sqlol.

3. Get the table names

[screenshot]

Clearly the ssn table is the one the challenge asks for.

4. Get the column names of the ssn table

[screenshot]

There are two columns, name and ssn.

5. Retrieve the results

[screenshot]

Challenge 2

Many people sanitize or remove single quotes in their Web applications to prevent SQL injection attacks. While this can be effective against injection into string parameters, it is ineffective at preventing injection into parameters which are not quote delimited, like integers or datetime values. This places restrictions on how your injection string can be written, but does not present much of an obstacle to an attacker.

Your objective is to find the table of social security numbers present in the database and extract its information.

PARAMETERS:
Query Type - SELECT query
Injection Type - Integer value in WHERE clause
Method - GET
Sanitization - Single quotes removed
Output - All results, verbose error messages, query shown
      

Single quotes are filtered out; otherwise the task is the same as Challenge 1.

The difference from Challenge 1 is that the database and table names must be written in hexadecimal inside the SQL statement, since they can no longer be quoted.

1. Determine the number of columns in the result set

[screenshots]

The result set has one column.

2. Get the database name

[screenshot]

Clearly the database name is sqlol.

3. Get the table names

[screenshot]

The table we need is of course ssn.

4. Get the column names of the ssn table

[screenshot]

5. Output the results

[screenshot]

Challenge 3

You don't always have the luxury of retrieving all rows of output from a query when performing an SQL injection attack. Sometimes, you only get one row. This challenge is similar to challenge 1, "SQL Injection 101", but only provides one row of output. To make things more challenging, this challenge configuration does not show you the query.

Your objective is to find the table of social security numbers present in the database and extract its information.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - POST
Sanitization - None
Output - One row, verbose error messages, query not shown
      

Similar to Challenge 1, but only one row is returned per query.

Use LIMIT to return the first row

[screenshot]

Return the second row

[screenshot]

Return the third row

[screenshot]

Challenge 4

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT blind SQL injection techniques.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - POST
Sanitization - None
Output - No results, verbose error messages, query not shown
      

Nothing is displayed under results, but the query output can be made to appear in the error messages.

MySQL error-based injection techniques include floor, UpdateXml, ExtractValue, NAME_CONST and error-based double query injection.

This blog post has a detailed introduction: https://www.baidu.com/link?url=0iOs94fPT1vpVCTA5-i7pEv-k26D3OAWe9_yr2qOOukwOOv3LS0G4x8gjuQu4S1vkrHtC0CVLxAbqRe2nkIRhdEBHhnshe2rPYgROKR1Og_&ie=utf-8&f=8&tn=baidu&wd=ExtractValue%20sql%20mysql&inputT=1626

' and updatexml('junk',concat(0x01,(SELECT concat(name,' ',ssn) FROM ssn limit 1,1),0x20),1) #

[screenshots]

Challenge 5

You must perform a basic Blind SQL injection attack. Only an indication of whether the query returned results is available.

Your objective is to find the table of social security numbers present in the database and extract its information.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - POST
Sanitization - None
Output - Boolean results, no error messages
      

Blind SQL injection, with no error messages.

For a normal input like this:

[screenshot]

For an abnormal input:

[screenshot]

So the crafted input has to be a true/false condition; using the substring function together with binary search, the value is confirmed one character at a time.

1. As in Challenge 1, first determine the number of columns in the result set

[screenshots]

Clearly there is one column.

2. Determine the table names in the database (taking the first table as an example)

' or ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) >= 115 #

[screenshot]

' or ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) >= 116 #

[screenshot]

From the above (>= 115 is true, >= 116 is false) the first letter of the first table name is ASCII 115, i.e. s.

[screenshots]

The second letter of the first table name is also s. Determine the third letter the same way, and so on; then establish each column name in the table, and finally the table contents, one character at a time.

3. Determine the second letter of the name of the second column in the ssn table

[screenshots]

This shows that the second letter of the second column's name in the ssn table is s; in fact that column is named ssn.

4. Once both column names are known, the same method recovers the contents of every entry.
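The probes used in Challenges 4 and 5 leave a recognisable trace in web-server logs: error-based extraction calls functions such as updatexml or extractvalue, and a boolean-blind extraction repeats one probe shape with only the numeric constants changing as the binary search narrows down each character. The script below is an added example (not part of the original post or of SQLol) that runs that detection logic over a few constructed log lines in Apache combined-log shape. It assumes the injected parameter is visible in the log, as with the GET challenges; for POST bodies the same logic would have to run on an application or WAF log. The host addresses, paths, function names and alert thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache combined-log shape (not real traffic). The query
# strings follow the payload shapes shown for Challenges 4 and 5; the hosts are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlol/select.php?username=alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlol/select.php?username=%27+or+ascii%28substring%28%28select+table_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+0%2C1%29%2C1%2C1%29%29+%3E%3D+115+%23 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlol/select.php?username=%27+or+ascii%28substring%28%28select+table_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+0%2C1%29%2C1%2C1%29%29+%3E%3D+116+%23 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlol/select.php?username=%27+or+ascii%28substring%28%28select+table_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+0%2C1%29%2C2%2C1%29%29+%3E%3D+115+%23 HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlol/select.php?username=%27+and+updatexml%28%27junk%27%2Cconcat%280x01%2C%28SELECT+concat%28name%2C%27+%27%2Cssn%29+FROM+ssn+limit+1%2C1%29%2C0x20%29%2C1%29+%23 HTTP/1.1" 500 210
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlol/select.php?username=bob HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Error-based extraction functions named in the Challenge 4 notes (floor is too generic to match on).
ERROR_BASED_RE = re.compile(r"\b(updatexml|extractvalue|name_const)\s*\(", re.I)
# The character-at-a-time boolean probe used in Challenge 5.
BLIND_RE = re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I)
SCHEMA_RE = re.compile(r"\binformation_schema\b", re.I)


def parse_line(line):
    """Return ip/status/decoded query string for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    return {"ip": m.group("ip"), "status": int(m.group("status")), "query": query}


def query_shape(query):
    """Mask numeric literals so probes that differ only in their constants share one shape."""
    return re.sub(r"\d+", "N", query)


def analyse(log_text, sweep_threshold=3):
    """Return a list of alerts; each is a dict with ip, kind and detail."""
    alerts = []
    schema_seen = set()                 # IPs already reported for schema enumeration
    sweeps = defaultdict(set)           # (ip, shape) -> distinct numeric-literal tuples seen
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["query"]:
            continue
        ip, q = rec["ip"], rec["query"]
        hit = ERROR_BASED_RE.search(q)
        if hit:
            alerts.append({"ip": ip, "kind": "error_based", "detail": hit.group(1).lower()})
        if SCHEMA_RE.search(q) and ip not in schema_seen:
            schema_seen.add(ip)
            alerts.append({"ip": ip, "kind": "schema_enum", "detail": "information_schema referenced"})
        if BLIND_RE.search(q):
            sweeps[(ip, query_shape(q))].add(tuple(re.findall(r"\d+", q)))
    # A boolean-blind extraction shows up as one probe shape repeated with changing constants.
    for (ip, shape), constants in sweeps.items():
        if len(constants) >= sweep_threshold:
            alerts.append({"ip": ip, "kind": "blind_sweep",
                           "detail": f"{len(constants)} variants of one boolean probe"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Masking the numeric literals before grouping is what turns a stream of individually innocuous-looking 200 responses into a single "sweep" signal; the error-based probes are easier, because the function names have no business appearing in a username parameter at all.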

Challenge 6

In this challenge, you must utilize stacked queries due to the difficulty of extraction in the SQLi scenario.

Your objective is to create a new table called "ipwntyourdb" using stacked queries.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - POST
Sanitization - None
Output - All results, verbose error messages, query shown
      

The task is to create a new table using stacked queries. But wasn't it said that PHP's MySQL access doesn't allow stacked queries? How is this one done?

Challenge 7

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database.

(If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.)

PARAMETERS:
Query Type - DELETE query
Injection Type - String value in WHERE clause
Method - POST
Sanitization - None
Output - No results, verbose error messages, query not shown
      

This one is done with a DELETE query; otherwise it is the same as Challenge 4.

A rather unusual injection method; http://www.moonsec.com/post-299.html has a very detailed introduction.

Return the first row:

' or updatexml(0,concat(0x01,(SELECT concat(name,' ',ssn) FROM ssn limit 0,1)),0) #

[screenshot]

Return the second row:

' or updatexml(0,concat(0x01,(SELECT concat(name,' ',ssn) FROM ssn limit 1,1)),0) #

[screenshot]

Challenge 8

You must perform a very basic SQL injection attack, but a primitive blacklisting filter is in place.

Your objective is to find the table of social security numbers present in the database and extract its information.

PARAMETERS:
Query Type - SELECT query
Injection Type - String value in WHERE clause
Method - POST
Sanitization - Blacklist filter on "low"
Output - All results, verbose error messages, query shown
      

There is blacklist filtering. The filtered list is as follows:

[screenshot]

Although or is filtered, OR is not.

[screenshot]

Neither -- nor # can be used any more, so instead of commenting out the tail of the query, use a ' to balance the quotes and form a complete SQL statement.

[screenshot]
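To make the three situations the walkthrough has run into concrete (the unsanitised string concatenation of Challenges 0 and 1, the case-sensitive blacklist of Challenge 8, and the parameterised query that fixes both), here is an added example that is not part of the original post or of SQLol. It uses an in-memory SQLite table with constructed rows in place of the MySQL users table, so it runs offline; the table layout, the function names and the exact blacklist tokens are assumptions, and MySQL-specific behaviour such as the '=' trick from Challenge 0 is not reproduced.

```python
import sqlite3

# Constructed sample rows standing in for the SQLol "users" table; the names are made up.
USERS = [("alice", 0), ("bob", 0), ("carol", 1)]


def make_db():
    """Build an in-memory SQLite database with a users table like the one SQLol queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, isadmin INTEGER)")
    conn.executemany("INSERT INTO users (username, isadmin) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Challenge 0/1 shape: the parameter is spliced straight into the SQL text (Sanitization - None).
    Returns the matching usernames, or None if the database rejected the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def naive_blacklist(value):
    """Case-sensitive token removal, the kind of filter Challenge 8 puts in front of the query."""
    for token in ("or", "--", "#"):
        value = value.replace(token, "")
    return value


def lookup_blacklisted(conn, username):
    """Same string building as lookup_vulnerable, but the input goes through the blacklist first."""
    return lookup_vulnerable(conn, naive_blacklist(username))


def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text, so it is data, never syntax."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    variants = (("concatenated", lookup_vulnerable),
                ("blacklisted", lookup_blacklisted),
                ("parameterised", lookup_safe))
    for label, fn in variants:
        for value in ("bob", "' or '1'='1", "' OR '1'='1"):
            print(f"{label:13} {value!r:16} -> {fn(conn, value)}")
```

The blacklisted variant stops the lowercase payload only by breaking the statement, and lets the uppercase one through untouched, which is exactly what the screenshot above shows for SQLol; the parameterised variant treats either string as a username that simply does not exist.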

Challenge 9

In this challenge, you are working with an UPDATE query. The query updates the field "username" in the "users" table for a given user.

Your objective is to inject into the query and cause it to update the "isadmin" field to 1 for the user with id 3.

PARAMETERS:
Query Type - UPDATE query
Injection Type - Value to be written
Method - POST
Sanitization - None
Output - Generic error messages, query shown
      

The task is to escalate the privileges of the user with id 3. First, find out what the users table contains.

[screenshots]

Still working on it...

Challenge 10

In this challenge, you are working with an ordinary SELECT query. However, this is not a standard injection into the WHERE clause. In this challenge, you are injecting into the column name in the query.

Your objective is to obtain the social security numbers from the database.

PARAMETERS:
Query Type - SELECT query
Injection Type - Column name
Method - GET
Sanitization - None
Output - No error messages, query shown
      
