DVWA vulnerability practice platform - SQL injection

SQL injection is an attack in which SQL commands are inserted into a web form field, a query string or a page request so that the server is tricked into executing attacker-controlled SQL. Concretely, it abuses an existing application's habit of passing user-supplied text straight to the back-end database engine: by typing SQL syntax into a form field on a site with this weakness, the attacker gets the database to run statements the designer never intended.

Next you need to set up your own DVWA practice environment. The system environment I used here is: CentOS 7 + PHP 7 + MariaDB 5.5 + DVWA 1.10


Low security level demo

```php
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Take the id field straight from the request
    $id = $_REQUEST[ 'id' ];
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    // Loop over the returned rows and print them to the screen
    $num = mysql_numrows( $result );
    $i   = 0;
    while( $i < $num ) {
        $first = mysql_result( $result, $i, "first_name" );
        $last  = mysql_result( $result, $i, "last_name" );
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        $i++;
    }
    mysql_close();
}
?>
```

The code above is the core code of the low security level. Look at line 5, the line that builds $query: the $id parameter is not checked for legitimacy in any way before it is concatenated into the query and sent to the database, so there is clearly a SQL injection vulnerability here that can be used directly.

When we enter 1 in the input box, the PHP interpreter substitutes 1 for $id, and the SQL statement actually executed in the background is:

SELECT first_name, last_name FROM users WHERE user_id = '1';

Because the PHP code does not validate or filter the $id parameter at all, we can use a single quote to close the string literal in the SQL statement and then append further SQL using keywords such as and, or and union. For example, we can construct an input that closes the quote like this:

user_id = '$id'  ---->  $id = 1' and '1'='1  ---->  final statement: SELECT first_name, last_name FROM users WHERE user_id = '1' and '1'='1';
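To make the difference concrete, the following added example (not DVWA's own code) runs the low-level string-built query and a hardened version side by side against a constructed in-memory SQLite table, using the same `1' and '1'='1` input as above. The hardened function follows the pattern DVWA's "impossible" level uses (numeric check plus a prepared statement); the table contents are made up, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)");
// Sample rows, not DVWA's real seed data.
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown')");

// Mirrors the low-level code: $id is interpolated straight into the SQL string,
// so a quote in the input terminates the literal and the rest becomes SQL.
function lookupVulnerable(PDO $db, string $id): array {
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    echo "  SQL sent: $query\n";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything that is not a plain integer, then bind the
// value as a parameter so the database never parses the input as SQL.
// Returns null when the input is rejected before any query is issued.
function lookupSafe(PDO $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare("SELECT first_name, last_name FROM users WHERE user_id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (['1', "1' and '1'='1"] as $input) {
    echo "input: $input\n";
    echo "  vulnerable -> " . json_encode(lookupVulnerable($db, $input)) . "\n";
    $safe = lookupSafe($db, $input);
    echo "  hardened   -> " . ($safe === null ? 'rejected' : json_encode($safe)) . "\n";
}
```

With the input `1` both functions return the admin row; with `1' and '1'='1` the vulnerable function still returns it because the appended condition was executed as SQL, while the hardened function refuses the input outright.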


Security level demo

High security level demo

SQL blind demo


Source: www.cnblogs.com/LyShark/p/11294000.html