After logging in to DVWA, click "SQL Injection" on the left, and the following interface appears:
Here is what I worked through.
Step 1: use "ORDER BY n" to find the number of columns in the table. ORDER BY n sorts the returned results by the nth column of the table, so we start with n = 1 and increment until the database returns an error. The results are below:
The error "Unknown column '3' in 'order clause'" appears when n = 3, which tells us that the current table has no 3rd column. As for what this table actually is, I haven't looked into it yet; I'll assume it is called TB.
When the injected statement
1 '
is converted to the following form in the background:
Select from where ' 1 ' 1 '
A few points to note. First, when the back end builds the SQL statement it automatically wraps the parameter in a pair of single quotes. Second, '-- ' is a single-line comment in MySQL, and there must be a space after the second '-' (this also applies to the SQL statements constructed below); here it comments out the closing single quote added by the back end, so the database executes only the part of the SQL statement that precedes it.
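As an added illustration (not code from the original post or from DVWA), here is a small Python/sqlite3 model of the back-end behaviour described above: the vulnerable lookup concatenates the parameter into the query between a pair of single quotes, so an ORDER BY n probe with a trailing comment leaks the column count through the error, while a parameterised lookup treats the same input as a plain value. The table, rows and hash placeholders are constructed, and SQLite stands in for MySQL (the error text differs, the mechanism does not).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the DVWA users table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "admin", "admin", "<hash placeholder>"),
                      (2, "gordonb", "Brown", "<hash placeholder>")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the query by string concatenation and adds the single quotes itself,
    which is the behaviour the post describes for the low-security page."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def column_count_leak(conn, lookup, max_n=10):
    """Replays the post's ORDER BY n probe against a lookup function.
    Returns the column count the first error reveals, or None when the
    input is handled as data and nothing is leaked."""
    for n in range(1, max_n + 1):
        # The trailing '-- ' comments out the closing quote the code appends.
        probe = f"1' ORDER BY {n}-- "
        try:
            lookup(conn, probe)
        except sqlite3.OperationalError:
            return n - 1  # the first n that errors is one past the real column count
    return None


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))                # normal use: [('admin', 'admin')]
    print(column_count_leak(db, lookup_vulnerable))  # 2: the SELECT returns two columns
    print(column_count_leak(db, lookup_safe))        # None: the probe is treated as a value
```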
Step 2: UNION query
Now that we know the TB table has 2 columns, we can use UNION to retrieve some basic information about the database, for example:
(1) Querying the current user and database name
1 '
The results are as follows:
(2) Querying the database version and operating system information
1 '
Note that the SELECT statements on both sides of the UNION must return the same number of columns. From the previous step we know the current table has 2 columns, so the right-hand SELECT may select only two expressions; more or fewer will make the query fail. Several commonly used functions and variables: @@version returns the MySQL version, user() the current user name, database() the current database name, @@datadir the database data directory, @@version_compile_os the operating system version... choose according to the information you are interested in.
Step 3: enumerate databases, tables and columns
When the MySQL version is above 5.0, there is a default database information_schema, which holds metadata about all databases: database names, table names, column names, and so on.
(1) Enumerate databases
1 '
The above statement returns the schema_name column of the schemata table in the information_schema database, which is the list of all database names in MySQL. The results are as follows:
As you can see from the results, there are 6 databases in this MySQL instance.
(2) Enumerate tables
1 '
The above statement returns all table names in each database; the following is a partial result:
Now we know there are two tables in the dvwa database, guestbook and users, so we construct an SQL statement to get all the columns of the users table.
(3) Enumerate columns
1 '
The above statement returns all columns of each table; the results for the users table are as follows:
Now that we know all the column names in the users table, we can look for what we are interested in, such as the user_id and password of each user.
(4) Dump passwords
1 '
The above statement returns each user ID and its corresponding password; the results are as follows:
Unfortunately the passwords are encrypted, alas...
Since I am only beginning to learn SQL injection, mistakes are inevitable; corrections are welcome, thank you!
2016-09-21
DVWA (low security) -- SQL injection