DVWA high level is unbreakable

Details: http://webguvenligi.org/dergi/DamnVulnerableWebApp-Aralik2009-RyanDewhurst.pdf

DVWA-HIGH

High: This vulnerability level gives the user an example of how to secure the
vulnerability via secure coding methods. It lets the user understand how the
vulnerability can be counter measured. This level of security should be un-hackable
however as we all know this is not always the case. So if you manage to bypass it, let
us know.

Shit!

DVWA Study-SQL Injection-Level Low

SQL Injection

SQL injection attack, yet another easy problem. Let's go straight to the result!

DVWA-SQL
Let's just go straight to the code. I feel the DVWA Low challenges are really far too easy; I should have started from Medium~~~

<?php     

if(isset($_GET['Submit'])){ 
     
    // Retrieve data 
     
    $id = $_GET['id']; 

    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; 
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' ); 

    $num = mysql_numrows($result); 

    $i = 0; 

    while ($i < $num) { 

        $first = mysql_result($result,$i,"first_name"); 
        $last = mysql_result($result,$i,"last_name"); 
         
        echo '<pre>'; 
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; 
        echo '</pre>'; 

        $i++; 
    } 
} 
?>

An obvious SQL injection vulnerability, nothing more to say~~ you don't even need to add a comment character~~
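For contrast, here is the same user lookup written the way the High level is meant to teach it. This is an added example, not DVWA's own code: the query text is fixed and $_GET['id'] is bound as a parameter, so it can only ever be data. The PDO connection details are placeholders, and user_id is treated as an integer column, as it is in DVWA's schema.

```php
<?php
// Added example (not DVWA's own code): the Low-level lookup rewritten with
// PDO prepared statements. Connection details below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=dvwa;charset=utf8mb4',
    'dvwa_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

if (isset($_GET['Submit'])) {
    $id = $_GET['id'] ?? '';

    // user_id is an integer column: reject anything that is not a plain
    // non-negative integer before it reaches the database at all.
    if (!ctype_digit($id)) {
        http_response_code(400);
        exit('Invalid id');
    }

    try {
        // The SQL text never changes; the value travels separately as a bound parameter.
        $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
        $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        $stmt->execute();

        while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            // Escape on output too, so stored data cannot inject HTML into the page.
            echo '<pre>';
            echo 'ID: ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8')
               . '<br>First name: ' . htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8')
               . '<br>Surname: ' . htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8');
            echo '</pre>';
        }
    } catch (PDOException $e) {
        // Unlike the original's die(mysql_error()), do not echo database errors
        // to the client; log them server-side and return a generic failure.
        error_log('users lookup failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Lookup failed');
    }
}
?>
```

Two things differ from the Low-level source beyond the prepared statement: the input is validated as an integer before any query runs, and database error text is logged instead of being printed into the page, which is what the original's `or die(mysql_error())` does.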

DVWA Study-File Inclusion-Level Low

File Inclusion

File inclusion vulnerability

This vulnerability is extremely common, and the exercise is also quite simple.

The DVWA File Inclusion page originally chooses what to display through a parameter, ?page=index.php, so by changing index.php you control which content is read and displayed. For example, to display the /etc/passwd file, you can use ../../../../../../../../../../etc/passwd, like this

DVWA-File Inclusion1


The source code is also very simple, just one line of code:

<?php 

    $file = $_GET['page']; //The page we wish to display  

?>
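That one line hands a client-supplied string to include, which is why the traversal above works. Here is an added example of the defensive version, not DVWA's own code: the ?page= value is no longer used as a path at all but as a key into a fixed allowlist, and as a second layer the resolved path must stay inside the pages directory. The ./pages/ directory and the two page names are hypothetical.

```php
<?php
// Added example (not DVWA's own code): safe replacement for
//   $file = $_GET['page'];
// The client supplies a key, never a filename. Directory and page names are hypothetical.

const PAGES_DIR = __DIR__ . '/pages';

// Only these keys are accepted; everything else is refused outright.
const ALLOWED_PAGES = [
    'index'   => 'index.php',
    'include' => 'include.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null; // unknown key: refuse, do not try to guess or "clean" it
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);

    // realpath() collapses any ../ sequences and symlinks; require the result
    // to be a real file located strictly under the pages directory.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'index');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}

include $page;
?>
```

The allowlist alone is sufficient when it is the only source of filenames; the realpath prefix check is there so that a later edit which accidentally reintroduces user-controlled path fragments still cannot escape the directory.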