bWAPP's SQL injection, low level (Intefrankly)

Sorry, the weather has been a bit cold and I wasn't able to update in time.

What I want to study with you today is SQL injection. If you have been in contact with website attack and defense before, you should already know what this is; if you haven't, it's okay, we'll learn it today.

What is SQL Injection

SQL injection works by inserting SQL commands into the query string of a web form submission, an input field, or a page request, ultimately tricking the server into executing malicious SQL commands. Specifically, it leverages an existing application to inject (malicious) SQL commands into the backend database engine for execution: by entering (malicious) SQL statements into a web form, an attacker can read the database of a vulnerable website, instead of the form executing the SQL statement the designer intended.

To learn SQL injection, be sure to familiarize yourself with SQL syntax. You can go to these places to learn:

The main thing to learn is the content of the SELECT statement in SQL syntax, but of course, you should be familiar with the rest as well.

Experimenter IP:

Experiment title:

bWAPP's SQL Injection (GET/Search)

bWAPP's SQL Injection (GET/Select)

Both are via the GET request method.

Experiment content:

0x01: SQL injection (GET/Search)

As you can see, this is a search box that provides a search over the website's content, a feature that basically many websites have. It is easy to compromise if it is not properly protected. Next I'll show you how to find this SQL injection vulnerability manually and exploit it.

0x02: Analyze the website's backend source code

Main source code:

As you can see, the backend passes the input value straight into the database query without any filtering, which is a fatal vulnerability. How to protect against this is something we'll cover in a future lesson; it is what the HIGH level of this platform does.
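The LOW-level pattern just described (the search term pasted straight into the query text) beside the parameterized form, as an added example that is not bWAPP's own code: Python with an in-memory SQLite table stands in for the PHP/MySQL page, the movie rows are constructed, and SQLite's `--` line comment is used where the page uses MySQL's `#`.

```python
import sqlite3

# Constructed sample rows standing in for bWAPP's movie table (not its real schema or data).
MOVIES = [("Iron Man", 2008), ("The Incredible Hulk", 2008),
          ("Captain America", 2011), ("Thor", 2011)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT, release_year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?)", MOVIES)
    return conn

def search_vulnerable(conn, term):
    # The LOW-level pattern: the search term is concatenated into the SQL text, so a quote
    # in it ends the string literal and whatever follows is executed as SQL.
    sql = "SELECT title, release_year FROM movies WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_fixed(conn, term):
    # Parameterized query: the term travels as a bound value, never as SQL text,
    # so "the' or 1=1 -- " is just an odd search string that matches nothing.
    sql = "SELECT title, release_year FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def causes_db_error(conn, term):
    # The page's first probe: a stray quote leaves the SQL unterminated and the engine errors.
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = make_db()
    # SQLite's line comment is -- (MySQL, used on the page, also accepts #).
    print(search_vulnerable(conn, "e"))                  # the two titles containing an e
    print(causes_db_error(conn, "'"))                    # True: the error is the first sign
    print(search_vulnerable(conn, "the' or 1=1 -- "))    # all four rows: WHERE became always true
    print(search_vulnerable(conn, "the' or 1=2 -- "))    # []: no title ends in "the"
    print(search_fixed(conn, "the' or 1=1 -- "))         # []: same payload, treated as data
```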

0x03: Test Analysis

Enter some numbers in the input box and click Search.

Nothing comes out.

Address bar:

Let's enter some letters instead: enter an e and click Search.

You can see that a lot of content appears: anything with an e in the Title column shows up.

Address bar:

From this we can conclude that what we have here is a string-based (character) GET request.

0x04: Testing for vulnerabilities

Next we test whether a SQL injection vulnerability exists.

Commonly used method:


After clicking Search:

An error is reported, which indicates a high probability that a SQL injection vulnerability exists.

Test it again with the OR method (since this is string-based; for numeric types use AND).


Here we stop using an e and use "the", which occurs in many titles.

or 1=1 is a condition that is always true.

# is the comment character in MySQL syntax; it comments out the trailing ' of the original query.

The page is returned normally.

Input again:

or 1=2 is a condition that is always false.

This time the query does not return normally.

This shows that a SQL injection vulnerability does exist here.

0x05: Finding the number of fields (fields are the columns in this data table)

Method used:


An error is reported, indicating that the number of fields is less than 10.

Input again:

This is a normal page: no results were found but no error was thrown, which indicates that the number of fields is greater than 5 and less than 10.

Input again:

8 also reports an error, so it is less than 8.

Input again:

No error is reported: 8 reported an error and 7 didn't, which means the number of fields is 7.

0x06: Dumping the table (i.e. getting the current data table)

Technique used:


The 1 to 7 are the columns we found this table has.

We can see that the numbers 2, 3, 5 and 4 appear on the page.

Replacing these numbers with some built-in functions will give us what we want.

For example:

To view the current database name:


We replace the 2 with the function database().

You can see that the original 2 in the Title column becomes bWAPP, the name of the current database we wanted to check.

Related functions:

Try replacing the numbers with these functions yourselves; a few at a time is fine, as long as they are the numbers that we found displayed using the union query.

Here I check MySQL's version number and the current database name:


You can see the MySQL version 5.547 appear in the Release column.

Dumping the data tables:


As you can see, five tables are dumped, of which the users table is one of the more important ones and deserves our attention.

0x07: Getting the backend account username and password

First check all the columns of the users table:


Among them, login and password should be what we want.

Then we'll query them:


The Title and Release columns reveal the corresponding account and password, where the password is stored as an MD5 hash that we need to crack.

Go to this site and you can crack some MD5-hashed passwords.

OK, we've got everything we wanted, and as soon as we find the backend login page we can take control of the site as an administrator.

1x01: bWAPP's SQL Injection (GET/Select)

As you can see, this is a drop-down box used to choose what to query; different names return different information. We can't type anything into the box, so it isn't possible to inject directly into an input box with the method above.

1x02: Testing

We select Iron Man and click Go.

Now that Iron Man's information is displayed, let's ignore it and turn our attention to the browser's URL bar.

Since it was a GET request, we can see a lot of information in the address bar. In this case:

movie should correspond to the name we chose.

action is the Go button we just clicked.

The key point is movie=2, which suggests that this may be a numeric type.

1x03: Vulnerability testing

Using the same two methods as before.

This time we make the change in the address bar: add a ' after the 2 and see what happens.

Press Enter; an error is reported, emmmm, there's a vulnerability!

Let's test it again using the AND method:

Returned and displayed correctly.

No information found.

We can conclude that a SQL injection vulnerability exists at movie=2.

1x04: Finding the number of fields

The number of fields is found to be 7.

1x05: Dumping the tables

We start by setting movie to a number that doesn't exist in the data table, i.e. we make it report an error; I'm changing it to -2 here, which definitely doesn't exist. This is the key point.

View the database:

Get the data tables:

Only one table, the blog table, was dumped; we want to dump all the tables at once, so what do we do?

Get all the data tables:

We wrap table_name in the group_concat() function.

As you can see, all the tables are now visible in the Title column, and users is the table we want.

1x06: Getting the field information of a data table

Among them, login and password are the content we want.

1x07: Getting the account and password

As you can see, here are the account and password.
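Every step of the two walkthroughs above leaves a trace in the web server's access log: a stray quote, or 1=1 / or 1=2, order by N, union select, database(), group_concat and information_schema all arrive in the GET query string. The following is added detection logic, not part of the original post: a small Python scanner that decodes the parameters of constructed log lines and labels which step of the manual method each request resembles. The paths /search.php and /select.php are placeholders, not bWAPP's real file names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines modelled on the two walkthroughs above (placeholder paths,
# not bWAPP's real file names); the 500s mark where the app surfaced a database error.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2018:10:00:01 +0800] "GET /search.php?title=e&action=search HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2018:10:00:09 +0800] "GET /search.php?title=e%27&action=search HTTP/1.1" 500 880',
    '10.0.0.5 - - [01/Jan/2018:10:00:20 +0800] "GET /search.php?title=the%27+or+1%3D1%23&action=search HTTP/1.1" 200 9800',
    '10.0.0.5 - - [01/Jan/2018:10:01:02 +0800] "GET /search.php?title=the%27+order+by+8%23&action=search HTTP/1.1" 500 900',
    '10.0.0.5 - - [01/Jan/2018:10:01:40 +0800] "GET /search.php?title=the%27+union+select+1,database(),3,4,5,6,7%23&action=search HTTP/1.1" 200 1400',
    '10.0.0.9 - - [01/Jan/2018:10:03:00 +0800] "GET /select.php?movie=2&action=go HTTP/1.1" 200 4100',
    '10.0.0.9 - - [01/Jan/2018:10:03:30 +0800] "GET /select.php?movie=-2+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables&action=go HTTP/1.1" 200 4300',
    '10.0.0.7 - - [01/Jan/2018:10:04:00 +0800] "GET /search.php?title=Ocean%27s+Eleven&action=search HTTP/1.1" 200 5000',
]
# One pattern per step of the manual method described in the text.
STRONG = [
    ("tautology/contradiction test", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I)),
    ("ORDER BY column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("UNION SELECT extraction", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema/version enumeration",
     re.compile(r"information_schema|group_concat\(|database\(\)|version\(\)", re.I)),
]
QUOTE, COMMENT = re.compile(r"'"), re.compile(r"#|--\s|/\*")
REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+" (\d{3})')

def analyse_request(line):
    """Return (path, {param: [reasons]}) for query parameters that look like injection probes."""
    m = REQUEST.search(line)
    if not m:
        return None, {}
    url, status = urlsplit(m.group(1)), int(m.group(2))
    findings = {}
    for name, value in parse_qsl(url.query, keep_blank_values=True):  # decodes %27, +, %3D, %23
        reasons = [label for label, rx in STRONG if rx.search(value)]
        # A lone quote is noisy (Ocean's Eleven), so count it only beside a strong pattern,
        # a comment terminator, or a 5xx. Caveat: bWAPP prints the MySQL error inside a
        # 200 page, so there you would need the response body, not just the status code.
        if QUOTE.search(value) and (reasons or COMMENT.search(value) or status >= 500):
            reasons.insert(0, "quote breaking out of the string literal")
        if reasons:
            findings[name] = reasons
    return url.path, findings

if __name__ == "__main__":
    for no, line in enumerate(LOG_LINES, 1):
        path, findings = analyse_request(line)
        if findings:
            print(f"line {no} {path}: {findings}")
```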


Today's two lessons are the important ones, so I hope you'll get hands-on and take notes.
