是否可以在该死的易受攻击的Web应用程序上进行SQL注入(高级别)? [英] Is it possible to do SQL injection (HIGH Level) on Damn Vulnerable Web App?

查看:97
本文介绍了是否可以在该死的易受攻击的Web应用程序上进行SQL注入(高级别)?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在整个Google上进行了搜索,以了解如何绕过以下内容(来自DVWA的高度安全性):

I searched all over google to see how it would be possible to bypass the following (it's from the high level of security from DVWA):

$id = $_GET['id']; 
    $id = stripslashes($id); 
    $id = mysql_real_escape_string($id); 

    if (is_numeric($id)){ 

    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; 
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' ); 

    $num = mysql_numrows($result); 

    $i=0; 

    while ($i < $num) { 

        $first = mysql_result($result,$i,"first_name"); 
        $last = mysql_result($result,$i,"last_name"); 

        echo '<pre>'; 
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; 
        echo '</pre>'; 

        $i++; 
    } 
}

有可能破解吗?

对于不熟悉DVWA的人,以下是有关它的youtube视频: http://www.youtube.com/watch?v=oMV0JZVxvdQ

For those who aren't familiar with DVWA, here is a youtube video about it: http://www.youtube.com/watch?v=oMV0JZVxvdQ

此外,我的另一个关注点是中等水平.它确实具有mysql_real_escape_string()的功能,但是当您从低"级别使用相同的SQL注入并删除引号时,它将绕过保护.这是为什么?为何绕过mysql_real_escape string这么容易?

Also, my other concern is on Medium level. It does have the mysql_real_escape_string() working, but when you use the same SQL injection from Low level AND you remove the quotes, it bypasses the protection. Why is that? How come it was so easy to bypass mysql_real_escape string?

中等级别的代码(简洁版本)是这样:

The code (concise version) of the Medium level is this:

   $id = $_GET['id']; 
    $id = mysql_real_escape_string($id); 
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

我想使用PDO,因为它可能更安全.请让我知道您对此的想法.

I want to use PDO's as it's probably much safer. Please let me know your thoughts on that.

非常感谢.

推荐答案

添加is_numeric不会使它成为完全成熟的sql攻击,但是is_numeric并不十分精确:

The addition of is_numeric would not make this a very likely full-blown sql attack, but is_numeric is just not very exact:

is_numeric('0xdeadbeef') // true
is_numeric('10e3') // true

使用过滤器可能更好:

if (false !== ($id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT))) {
}

这篇关于是否可以在该死的易受攻击的Web应用程序上进行SQL注入(高级别)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆