Shulou(Shulou.com)06/01 Report--

How to use sqlmap for php+mysql injection, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Discovery and scanning of 1.1php injection points

1. Use vulnerability scanning tool to scan vulnerabilities

Put the target url address in wvs to scan for vulnerabilities, as shown in figure 1. The scan results show that there are SQL blind injection and SQL injection, and the parameters of the vulnerability are the same page.

Figure 1 scan the target website using wvs

two。 Use sqlmap tool to verify vulnerabilities of injection points

As shown in figure 2, verify using the sqlmap injection check command:

The verification results show that there is indeed a sql injection vulnerability in the url, and the database is mysql.

Figure 2 using sqlmap tool to verify vulnerabilities of injection points

1.2 sql injection testing using sqlmap

1.sql injection into payload

As shown in figure 3, there are three types of vulnerabilities: boolean-based blind, AND/OR time-based blind and UNION query through sqlmap or the injection point, which is consistent with the results of wvs scanning. After the sqlmap vulnerability test, the corresponding payload is automatically given. For example, the first one can be tested in the browser:

Fig. 3 sql injection payload

two。 Get the current database name

Get that the current database is xbase, as shown in figure 4.

Figure 4 gets the current database name

3. Get the current user

The command directly gets the current database account as root@localhost, as shown in figure 5.

Figure 5. Get the current database user account

4. View database users and passwords

Since the injection point of this example is the mysql root account, you can view the database user (--users) and database password (--password) through the sqlmap command, as shown in figure 6. Execute the command as follows:

Figure 6 View database users and passwords

5. Crack and obtain the plaintext password of the database

(1) crack and sort out the database password online

Remove the previous "*" number from the password hash, and copy it to www.cmd5.com and somd5.com to crack it. Note that the password type mysql5 needs to be selected for this value. The query result is as follows:

(2) you can also directly query database users and passwords through-- sql-shell.

After executing the above command, obtain the password by querying the command, as shown in figure 7:

Figure 7 query mysql database host, user and password

(3) scan the server port

Masscan-p 3306 114.That is the most important thing.

If the database port is open, you can connect directly, and the scan results show that only port 80 is open.

6. Summary of some commonly used sqlmap commands

Webshell access to 1.3php website

(4) exploit and obtain loopholes in background file upload

Obtain the administrator password and backend address by injecting the point, and log in to the backend to find the upload address and upload loopholes to obtain webshell.

(5) the file contains vulnerabilities to obtain webshell

two。 Failed to get webshell directly

For a root account, the webshell can generally be obtained through the-- os-shell command, as shown in figure 8. After executing the command, the shell is not obtained.

Figure 8 failed to get shell

3. Get the real physical path

Through the test, it is found that there is a phpinfo page in the root directory of the website, as shown in figure 9. In this page, you can see that the database is the intranet IP address 192.168.77.88 and the real physical path is / usr/local/apache/htdocs.

Figure 9 get the official path of the website

4. Write file test

Knowing the physical path, you can use sqlmap to perform file read and write commands and execute commands:

Sqlmap.py-u http://www.***.com.cn/happystudy/happystudy_info.php?idnow=34-- file-write= "C:\ tools\ sqlmap\ 1.php"-- file-dest= "/ usr/local/apache/htdocs/happystudy/shell.php"

As shown in figure 10, sqlmap successfully executed the command, tested the file access through url, and the page does not exist.

Figure 10 write file test

5. Local build environment test write file

The previous write file was executed successfully, and it is suspected that there is a problem with the command, so the test is carried out in the local build environment, and the test command is as follows:

Sqlmap.py-d mysql://root:123456@172.17.26.16:3306/mysql-- file-write= "C:\ tools\ sqlmap\ 1.php"-- file-dest= "C:\ ComsenzEXP\ wwwroot\ shell.php"

As a result, the shell.php file is successfully written in the C:\ ComsenzEXP\ wwwroot\ directory. The reasons for this analysis may be as follows:

(1) the directory does not have write permission

(2) magic_quotes_ GPC value is on

6. Try the general_log file to get the webshell method

(1) check the configuration of genera files

(2) close general_log

(3) obtain webshell through the general_log option

Because the above command needs to be executed on the mysql client command line or phpmyadmin, it is not available in this case and cannot be implemented through the-- sql-shell and-- sql-query commands.

7. Export webshell using the pangolin tool

As shown in figure 11, the sql injection address is tested through pangolin to try to export webshell to the Web site root / usr/local/apache/htdocs/xxx.php file, and the results are consistent with the previous analysis.

Figure 11 failed to export webshell using the pangolin tool

8. Read file test

(1) read files

As shown in figure 12, execute the command in turn to read / etc/passwd, / usr/local/apache/htdocs/index.php and other files

Sqlmap.py-u http://www.***.com.cn/happystudy/happystudy_info.php?idnow=34-- file-read= "/ usr/local/apache/htdocs/index.php" [/ align]

[align=left] sqlmap.py-u http://www.***.com.cn/happystudy/happystudy_info.php?idnow=34-- file-read= "/ etc/passwd" [/ align]

[align=left]

Figure 12 read system files and other files

(2) obtain the database password

Sqlmap automatically saves the acquired files to the current system user at C:\ Users\ john\ .sqlmap\ output\ www.****.com.cn\ files, as shown in figure 13. Read the contents of the conn.php file and successfully obtain the database root account password.

Figure 13 read the source code to get the root password

1.4 difficult backend address acquisition

1. Use havij to scan the background

As shown in figure 14, the target background address is obtained by tools such as havij. In this case, the login address of the ordinary user is obtained, but the real background address is not obtained.

Figure 14 uses havij to scan the background address

two。 Successfully obtain the background address through google

Later, Baidu was used to query the url address, "site:somesite.com background Management" could not get the relevant information, but successfully obtained its background address in google, as shown in figure 15. Sometimes google hacking works. You can see from the url that the management address is difficult to scan.

Figure 15 successfully obtain the background management address

3. Get the real management table

After querying all the tables in the database through sqlmap, it is found that there are many tables involving passwords, such as admin, admin_files, admin_groups and tb_admin. Later, it is successfully obtained by reading the source code of the login address, and the real administrator table is tygb, as shown in figure 16. Query through sql-shell: select * from tygb

Figure 16 gets the real management table

4. Log in to the background for management

As shown in figure 17, after a successful login, you can see that there are multiple systems in its cms system, and each management entry is viewed and tested, although some modules are uploaded, tested and do not have write permissions.

Figure 17 Log in to the background for management

5.fckeditor vulnerability verification

Found in the background that it used the fckeditor editor, successfully found its fckeditor editor file test page, and tested it, as shown in figure 18, whether there is a file permission problem, the vulnerability can not be exploited.

Figure 18 File upload vulnerability cannot be exploited

6. Failed to exploit side notes on the website.

After checking the domain name of the target website with the IP address, it is found that there are multiple domain names under the IP. After careful checking, it is found that the previous sql injection point can read its database and successfully enter the background by obtaining the background password, but it is also useless. There is an error in the system, and fckeditor cannot upload or write to the file.

Defense and summary of sql injection into 1.5php website

1. Infiltration summary

(1) this penetration mainly lies in the utilization of sql injection point injection vulnerability sqlmap under mysql+php architecture.

(2) use the file read and write function of sqlmap to write to webshell

(3) in some cases, it may not be possible to obtain webshell even if there are vulnerabilities.

2.php website sql injection Defense

(1) filter some common database operation keywords, such as select, insert,update,delete,and,*, etc., or filter the content through the system function addslashes.

(2) register_globals=off; is set to off in the php configuration file php.ini

(3) encapsulate sql statements to avoid direct leakage of SQL statements

(4) enable PHP security mode safe_mode=on

(5) turn on magic_quotes_gpc to prevent SQL injection. Default is off. When enabled, users will automatically submit sql query statements to convert "'" to "\".

(6) Control the output of error information, turn off the error message prompt, and write the error message to the system log.

(7) install waf protection software on the website

After reading the above, have you mastered how to use sqlmap to inject php+mysql? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.