I am currently looking for a pass (not blind) high level of category sql injection application dvwa.
Can not find the solution even if there are some ideas and tools that make life easier.
source code form is as follows for the fans:
if (isset($_GET['Submit'])) {
// Retrieve data
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)){
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
$num = mysql_numrows($result);
$i=0;
while ($i < $num) {
$first = mysql_result($result,$i,"first_name");
$last = mysql_result($result,$i,"last_name");
echo '<pre>';
echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
echo '</pre>';
$i++;
}
}
}
and mission and retrieve the values that are in the users table dvwa db which has this structure:
+------------+-------------+------+-----+---------+
| Field | Type | Null | Key | Default |
+------------+-------------+------+-----+---------+
| user_id | int(6) | NO | PRI | 0 |
| first_name | varchar(15) | YES | | NULL |
| last_name | varchar(15) | YES | | NULL |
| user | varchar(15) | YES | | NULL |
| password | varchar(32) | YES | | NULL |
| avatar | varchar(70) | YES | | NULL |
+------------+-------------+------+-----+---------+
6 rows in set (0.00 sec)
Then of course you will say (as I have seen everywhere on the net) to be encoded characters. That I understand, yes, we have more character set, which can write emails differently (eg multi-byte). But I just can not even find you. I understand the php form code above like this:
Already first have to bypass mysql_real_escape_string () so my research has focused to there first time. Using a game big5 character eg means we bypass it ... again yes maybe everything I saw Tenai the road but I have not actually tested. Why?
Suppose I bypass mysql_real_escape_string (), if we continue to read the next step performed by the php code, we can read the function:
if(is_numeric($id))...
checks the type of the variable. (and besides, I do not know if I use the exact term but good). This means that if I want to insert a quote here, it must be in forcemment numérique.Donc size I leaned on the famous php function and I realized that we could enter the same binary or hexadecimal values (but in all cases it will function for converting the output after me and now I really do not know ....). So my input in the first idea was to get 0x27 to insert a quote, but of course this value is interpreted as integer and not string type output, so how to interpret my quote ... I think the issue is on this side but I largues dint of thinking ... If you have nothing but a track (except to tell me to look in google, something I've been doing for four days now ^ ^), I'm interested. So guys (or girls for that matter), that Will is nicknamed Master Sqli?? Thank you for your time ... (sorry for google translation)
Why would you even use mysql library, when it is deprecated? Use mysqli instead.
Secondly, if you want to get rid of any danger of sql injection, it would be much easier to use prepared statement, so something like the following is all that is needed.
$stmt = $mysqli->prepare("SELECT first_name, last_name FROM users WHERE user_id = ?")
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($res);
$stmt->fetch();
if($res)
...
By the way, mysqli can be used in functional (not oop) style very similar to mysql.
来源:https://stackoverflow.com/questions/17381302/bypass-php-is-numeric-function-is-possible