devbox
从前慢现在也慢
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

DVWA靶场-SQL InjectionSQL注入

作者:从前慢现在也慢 | 2024-03-19 09:54:17

DVWA靶场-SQL InjectionSQL注入

 SQL Injection(SQL注入)概念

就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。具体来说,它是利用现有应用程序,将(恶意)的SQL命令注入到后台数据库引擎执行的能力,它可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库,而不是按照设计者意图去执行SQL语句。

手工注入常规思路 

1.判断是否存在注入,注入是字符型还是数字型

2.猜解SQL查询语句中的字段数

3.确定回显位置

4.获取当前数据库

5.获取数据库中的表

6.获取表中的字段名

7.得到数据

low等级
  1. <?php
  2.  
  3. if( isset( $_REQUEST[ 'Submit' ] ) ) {
  4. 	// Get input
  5. 	$id = $_REQUEST[ 'id' ];
  6.  
  7. 	switch ($_DVWA['SQLI_DB']) {
  8. 		case MYSQL:
  9. 			// Check database
  10. 			$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
  11. 			$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
  12.  
  13. 			// Get results
  14. 			while( $row = mysqli_fetch_assoc( $result ) ) {
  15. 				// Get values
  16. 				$first = $row["first_name"];
  17. 				$last  = $row["last_name"];
  18.  
  19. 				// Feedback for end user
  20. 				$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  21. 			}
  22.  
  23. 			mysqli_close($GLOBALS["___mysqli_ston"]);
  24. 			break;
  25. 		case SQLITE:
  26. 			global $sqlite_db_connection;
  27.  
  28. 			#$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
  29. 			#$sqlite_db_connection->enableExceptions(true);
  30.  
  31. 			$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
  32. 			#print $query;
  33. 			try {
  34. 				$results = $sqlite_db_connection->query($query);
  35. 			} catch (Exception $e) {
  36. 				echo 'Caught exception: ' . $e->getMessage();
  37. 				exit();
  38. 			}
  39.  
  40. 			if ($results) {
  41. 				while ($row = $results->fetchArray()) {
  42. 					// Get values
  43. 					$first = $row["first_name"];
  44. 					$last  = $row["last_name"];
  45.  
  46. 					// Feedback for end user
  47. 					$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  48. 				}
  49. 			} else {
  50. 				echo "Error in fetch ".$sqlite_db->lastErrorMsg();
  51. 			}
  52. 			break;
  53. 	} 
  54. }
  55.  
  56. ?>

 没有对用户输入进行任何过滤或转义,直接注入即可

medium等级
  1. <?php
  2.  
  3. if( isset( $_POST[ 'Submit' ] ) ) {
  4. 	// Get input
  5. 	$id = $_POST[ 'id' ];
  6.  
  7. 	$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
  8.  
  9. 	switch ($_DVWA['SQLI_DB']) {
  10. 		case MYSQL:
  11. 			$query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
  12. 			$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
  13.  
  14. 			// Get results
  15. 			while( $row = mysqli_fetch_assoc( $result ) ) {
  16. 				// Display values
  17. 				$first = $row["first_name"];
  18. 				$last  = $row["last_name"];
  19.  
  20. 				// Feedback for end user
  21. 				$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  22. 			}
  23. 			break;
  24. 		case SQLITE:
  25. 			global $sqlite_db_connection;
  26.  
  27. 			$query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
  28. 			#print $query;
  29. 			try {
  30. 				$results = $sqlite_db_connection->query($query);
  31. 			} catch (Exception $e) {
  32. 				echo 'Caught exception: ' . $e->getMessage();
  33. 				exit();
  34. 			}
  35.  
  36. 			if ($results) {
  37. 				while ($row = $results->fetchArray()) {
  38. 					// Get values
  39. 					$first = $row["first_name"];
  40. 					$last  = $row["last_name"];
  41.  
  42. 					// Feedback for end user
  43. 					$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  44. 				}
  45. 			} else {
  46. 				echo "Error in fetch ".$sqlite_db->lastErrorMsg();
  47. 			}
  48. 			break;
  49. 	}
  50. }
  51.  
  52. // This is used later on in the index.php page
  53. // Setting it here so we can close the database connection in here like in the rest of the source scripts
  54. $query  = "SELECT COUNT(*) FROM users;";
  55. $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
  56. $number_of_rows = mysqli_fetch_row( $result )[0];
  57.  
  58. mysqli_close($GLOBALS["___mysqli_ston"]);
  59. ?>

 mysqli_real_escape_string()

mysqli_real_escape_string()函数用于对用户输入的id进行转义,以防止恶意SQL代码被插入到SQL查询语句中。通过使用这个函数,特殊字符(如单引号)将被转义,从而使输入的数据变得安全,并且不会破坏SQL查询语句的结构。

涉及的字符是 NUL(ASCII 0)、\n、\r、\、'、" 和 Control-Z 

high等级
  1. <?php
  2.  
  3. if( isset( $_SESSION [ 'id' ] ) ) {
  4. 	// Get input
  5. 	$id = $_SESSION[ 'id' ];
  6.  
  7. 	switch ($_DVWA['SQLI_DB']) {
  8. 		case MYSQL:
  9. 			// Check database
  10. 			$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
  11. 			$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
  12.  
  13. 			// Get results
  14. 			while( $row = mysqli_fetch_assoc( $result ) ) {
  15. 				// Get values
  16. 				$first = $row["first_name"];
  17. 				$last  = $row["last_name"];
  18.  
  19. 				// Feedback for end user
  20. 				$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  21. 			}
  22.  
  23. 			((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);		
  24. 			break;
  25. 		case SQLITE:
  26. 			global $sqlite_db_connection;
  27.  
  28. 			$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
  29. 			#print $query;
  30. 			try {
  31. 				$results = $sqlite_db_connection->query($query);
  32. 			} catch (Exception $e) {
  33. 				echo 'Caught exception: ' . $e->getMessage();
  34. 				exit();
  35. 			}
  36.  
  37. 			if ($results) {
  38. 				while ($row = $results->fetchArray()) {
  39. 					// Get values
  40. 					$first = $row["first_name"];
  41. 					$last  = $row["last_name"];
  42.  
  43. 					// Feedback for end user
  44. 					$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  45. 				}
  46. 			} else {
  47. 				echo "Error in fetch ".$sqlite_db->lastErrorMsg();
  48. 			}
  49. 			break;
  50. 	}
  51. }
  52.  
  53. ?>

在上面的代码中,虽然没有直接调用mysqli_real_escape_string()函数对$_SESSION['id']进行转义处理,但是通过将$_SESSION['id']直接插入到SQL查询语句中,可以利用PHP会自动转义会话变量的特性来防止SQL注入。

SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;

这个LIMIT 1;会在sql注入中被注释符号注释掉,相当于没用

impossible等级
  1. <?php
  2.  
  3. if( isset( $_GET[ 'Submit' ] ) ) {
  4. 	// Check Anti-CSRF token
  5. 	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
  6.  
  7. 	// Get input
  8. 	$id = $_GET[ 'id' ];
  9.  
  10. 	// Was a number entered?
  11. 	if(is_numeric( $id )) {
  12. 		$id = intval ($id);
  13. 		switch ($_DVWA['SQLI_DB']) {
  14. 			case MYSQL:
  15. 				// Check the database
  16. 				$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
  17. 				$data->bindParam( ':id', $id, PDO::PARAM_INT );
  18. 				$data->execute();
  19. 				$row = $data->fetch();
  20.  
  21. 				// Make sure only 1 result is returned
  22. 				if( $data->rowCount() == 1 ) {
  23. 					// Get values
  24. 					$first = $row[ 'first_name' ];
  25. 					$last  = $row[ 'last_name' ];
  26.  
  27. 					// Feedback for end user
  28. 					$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  29. 				}
  30. 				break;
  31. 			case SQLITE:
  32. 				global $sqlite_db_connection;
  33.  
  34. 				$stmt = $sqlite_db_connection->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1;' );
  35. 				$stmt->bindValue(':id',$id,SQLITE3_INTEGER);
  36. 				$result = $stmt->execute();
  37. 				$result->finalize();
  38. 				if ($result !== false) {
  39. 					// There is no way to get the number of rows returned
  40. 					// This checks the number of columns (not rows) just
  41. 					// as a precaution, but it won't stop someone dumping
  42. 					// multiple rows and viewing them one at a time.
  43.  
  44. 					$num_columns = $result->numColumns();
  45. 					if ($num_columns == 2) {
  46. 						$row = $result->fetchArray();
  47.  
  48. 						// Get values
  49. 						$first = $row[ 'first_name' ];
  50. 						$last  = $row[ 'last_name' ];
  51.  
  52. 						// Feedback for end user
  53. 						$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
  54. 					}
  55. 				}
  56.  
  57. 				break;
  58. 		}
  59. 	}
  60. }
  61.  
  62. // Generate Anti-CSRF token
  63. generateSessionToken();
  64.  
  65. ?>

加了token检查

代码使用is_numeric()函数来检查id是否为数字类型。

使用intval()函数将id转换为整数类型,以确保输入的id是一个有效的整数值。

代码使用了PDO(PHP Data Objects)扩展来执行预处理语句,通过绑定参数和执行查询来防止SQL注入。

 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/从前慢现在也慢/article/detail/267477
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号