DVWA——SQL Injection通关记录（Medium）

古城微笑少年丶 2022-12-17 04:25 109阅读 0赞

# Security Level：Medium #

### 1.判断注入点及注入类型 ###

这一等级明显加上了一些限制，用户无法在页面上直接输入，而是限制进行数字的选择

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70][]

这时就考虑抓包，看看能否在数据包中进行注入语句的构造

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 1][]

找到了id=1这一句，是数字型，看看是不是注入点

右键点击发送至Repeater

构造语句

> id=1 and 1=2

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 2][]

可以查询，确定是数字型

用字符型验证一下，构造语句

> 1' and 1=1\#

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 3][]

出错了，结尾的注释符其实可要可不要，Submit=Submit意思就是提交，默认也是这个值

再来看是否存在注入，构造语句

> 1 or 1=1\#

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 4][]

好，此处存在数字型注入

### 2.获取账号和密码 ###

步骤与Low等级完全相同，最后构造的语句为

> 1 union select user,password from users \#

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 5][]

再把口令解密成明文，结束

### 8.源码分析 ###

点击右下角View Source

SQL Injection Source
    vulnerabilities/sqli/source/medium.php
    <?php
    
    if( isset( $_POST[ 'Submit' ] ) ) {
        // Get input
        $id = $_POST[ 'id' ];
    
        $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
    
        $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
    
        // Get results
        while( $row = mysqli_fetch_assoc( $result ) ) {
            // Display values
            $first = $row["first_name"];
            $last  = $row["last_name"];
    
            // Feedback for end user
            echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    
    }
    
    // This is used later on in the index.php page
    // Setting it here so we can close the database connection in here like in the rest of the source scripts
    $query  = "SELECT COUNT(*) FROM users;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    $number_of_rows = mysqli_fetch_row( $result )[0];
    
    mysqli_close($GLOBALS["___mysqli_ston"]);
    ?>

使用了 `mysqli_real_escape_string` 函数对特殊字符进行转义，同时前端页面设置了下拉选择表单，希望以此来控制用户的输入，但是能抓包的话就没什么障碍。

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70]: /images/20221123/1ac9d8c9e3f74b1a9031f5149838c2a5.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 1]: /images/20221123/532c9faa744644828fea3f1a9eaa9a35.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 2]: /images/20221123/12f6cf73605e473282c6c304bde3c23d.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 3]: /images/20221123/1118e4bac02d4115873f0055256c98eb.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 4]: /images/20221123/d2691732462f4be888edd423bacd1719.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 5]: /images/20221123/ddb6c41a8ebf40b984c0c69cf2c649aa.png