DVWAweb渗透测试SQL注入中高(3)
安全级别中 源码
<?php if( isset( $_POST[ 'Submit' ] ) ) { // Get input $id = $_POST[ 'id' ]; $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id); $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' ); // Get results while( $row = mysqli_fetch_assoc( $result ) ) { // Display values $first = $row["first_name"]; $last = $row["last_name"]; // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; } } // This is used later on in the index.php page // Setting it here so we can close the database connection in here like in the rest of the source scripts $query = "SELECT COUNT(*) FROM users;"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); $number_of_rows = mysqli_fetch_row( $result )[0]; mysqli_close($GLOBALS["___mysqli_ston"]); ?>
其中mysql_real_escape_string函数是实现转义 SQL 语句字符串中的特殊字符,如输入单引号 ’ 则处理时会在其前面加上右斜杠 \ 来进行转义,如果语句错误则输出相应的错误信息。其中受影响的字符如下:
\x00 \n \r \ ' " \x1a
虽然在代码中通过mysql_real_escape_string函数对一些敏感字符进行了相应的过滤,但是在SELECT语句中变量 id的值的获取并没有通过外加单引号或者双引号来实现,即那层过滤也形同虚设,只需在输入中连需要闭合用的单引号等都不需要添加了,直接输入相应的语句即可:
例子中payload为:
1 union select table_name,table_schema from information_schema.tables
其他具体的挖掘参照low级别的操作即可
浙公网安备 33010602011771号