Set "DVWA Security" to the medium level, then click "View Source" in the lower right corner to view the page source at this level and compare it with the low level.
Here the user-supplied id parameter is filtered, mainly with the mysql_real_escape_string() function, which escapes the single quote ', double quote ", backslash \ and a few other characters in the $id variable. Entering the earlier payload "' or 1=1 #" therefore produces an error, and the error message shows that the single quote ' has been escaped to \', so the injected statement no longer works.
It should be noted that PHP has a function similar to mysql_real_escape_string(): addslashes(). Both escape special characters, so which one is better? A quick search on Baidu shows that opinions are divided. Some say mysql_real_escape_string() requires an open database connection and may raise an error otherwise, so they recommend addslashes(); others say the filtering of addslashes() is not strict enough and recommend mysql_real_escape_string(). DVWA clearly chose mysql_real_escape_string(), so we will trust DVWA's choice.
So how can the filter be bypassed so that the injection still works? Looking more closely at the source, the id parameter is now treated as a numeric type: the third line of the query reads user_id = $id, whereas the low level had user_id = '$id'. This is in fact a loophole that DVWA leaves deliberately.
We can confirm this further: entering 3 and entering 1+2 in the text box both show the same result, so the parameter is numeric, and the numeric injection method should be used here.
The biggest difference between numeric and string injection is that there is no need to close the quotation marks. Let's inject below.
First enter "1 and 1=1"; the page displays normally. Then enter "1 and 1=2"; the page no longer displays normally. This confirms that an injection point exists.
Enter "1 order by 1" and "1 order by 2" in turn; both display normally. Enter "1 order by 3" and an error is displayed, so there are 2 fields.
Enter "1 union select" to confirm that two fields can be queried through the parameter.
The rest of the procedure is the same as before.
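As an added illustration (not code from this post or from DVWA), the following Python models why the medium level is still injectable: it mimics mysql_real_escape_string(), builds the query in the low-level quoted context and in the medium-level unquoted numeric context, flags when the input changed the statement's structure, and shows the hardened form (integer validation plus a bound parameter). The users table and its rows are constructed for the example.

```python
import re
import sqlite3

# Minimal model of mysql_real_escape_string(): backslash-escape the characters
# MySQL treats specially inside a quoted string literal.
def mysql_escape(value: str) -> str:
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "\0": "\\0", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def build_query(user_input: str, quoted: bool) -> str:
    """Build the DVWA-style query after escaping. quoted=True is the low-level
    string context ('$id'); quoted=False is the medium-level numeric context
    ($id with no quotes), where escaping quotes protects nothing."""
    escaped = mysql_escape(user_input)
    literal = f"'{escaped}'" if quoted else escaped
    return f"SELECT first_name, last_name FROM users WHERE user_id = {literal}"

def query_altered(sql: str) -> bool:
    """Review check: after 'user_id = ' there should be exactly one integer or
    one well-formed quoted literal. Anything else means the input changed
    the structure of the statement (an injection)."""
    tail = sql.split("user_id = ", 1)[1]
    return re.fullmatch(r"-?\d+|'(?:[^'\\]|\\.)*'", tail) is None

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return conn

def safe_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened handler: enforce the integer type before the value gets near
    the SQL, then bind it as a parameter instead of concatenating it."""
    if not re.fullmatch(r"\d+", user_input.strip()):
        raise ValueError(f"user_id must be a positive integer, got {user_input!r}")
    cur = conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                       (int(user_input),))
    return cur.fetchall()

if __name__ == "__main__":
    for payload, quoted in [("' or 1=1 #", True), ("1 and 1=1", False), ("3", False)]:
        sql = build_query(payload, quoted)
        print(f"{'ALTERED ' if query_altered(sql) else 'intact  '} {sql}")
    print(safe_lookup(make_db(), "3"))
```

The escaped quoted payload stays a harmless string literal, while the same escaping leaves "1 and 1=1" untouched in the numeric context, which is exactly the gap the medium level exposes.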
This article is from the "a pot of turbid wine" blog; please contact the author before reproducing it.
DVWA series, part 3: medium-level SQL injection