
Hi, I'm fairly new to sqlmap and I'm trying to find an exploit in my web project. This is how I run it:

python3 sqlmap.py -u http://localhost/output3/members.php?valueToSearch=mira

I have tried using various variables, as shown below:

--dbs
--columns
--tables
--level=5
--risk=3

However, sqlmap does not seem to be able to find any injection/exploit. Here is sqlmap's output:

[21:15:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6c6e4118f5b...b74a20db38'). Do you want to use those [Y/n] y
[21:15:43] [INFO] testing if the target URL content is stable
[21:15:43] [INFO] target URL content is stable
[21:15:43] [INFO] testing if GET parameter 'valueToSearch' is dynamic
[21:15:43] [WARNING] GET parameter 'valueToSearch' does not appear to be dynamic
[21:15:43] [WARNING] heuristic (basic) test shows that GET parameter 'valueToSearch' might not be injectable
[21:15:43] [INFO] testing for SQL injection on GET parameter 'valueToSearch'
[21:15:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:15:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:15:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:15:43] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:15:43] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:15:43] [INFO] testing 'Generic inline queries'
[21:15:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:15:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:15:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:15:43] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:15:43] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[21:15:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:15:44] [WARNING] GET parameter 'valueToSearch' does not seem to be injectable
[21:15:44] [INFO] testing if GET parameter 'search' is dynamic
[21:15:44] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:15:44] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[21:15:44] [INFO] testing for SQL injection on GET parameter 'search'
[21:15:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:15:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:15:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:15:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:15:45] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:15:45] [INFO] testing 'Generic inline queries'
[21:15:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:15:45] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:15:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:15:45] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:15:45] [INFO] testing 'Oracle AND time-based blind'
[21:15:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:15:45] [WARNING] GET parameter 'search' does not seem to be injectable
[21:15:45] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 21:15:45 /2020-11-18/

I have also attached my source code below for reference. Also, my code should not access the $_GET superglobal array directly. Using filter_input_array does not seem to make any difference compared to the current version. Any suggestions would be greatly appreciated.

<?php
if(isset($_GET['search']))
//if(filter_input_array(INPUT_GET, 'search', FILTER_SANITIZE_NUMBER_INT))
{
    $valueToSearch = $_GET['valueToSearch'];
    //$valueToSearch = filter_input_array(INPUT_GET, 'search', FILTER_SANITIZE_NUMBER_INT);

    // user input is concatenated straight into the SQL string (this is the query under test)
    $query = "SELECT * FROM `user1` WHERE `user` LIKE '%".$valueToSearch."%' OR `name` LIKE '%".$valueToSearch."%' OR `contact_numberH` LIKE '%".$valueToSearch."%' OR `contact_numberM` LIKE '%".$valueToSearch."%'";

    $search_result = filterTable($query);
    
}
 else {
    $query = "SELECT * FROM `user1`";
    $search_result = filterTable($query);
}

// function to connect and execute the query
function filterTable($query)
{
    $connect = mysqli_connect("localhost", "root", "", "fyp2");
    $filter_Result = mysqli_query($connect, $query) or die(mysqli_error($connect));
    return $filter_Result;
}
 ?>
         <form action="members.php" method="get">
            <input type="text" name="valueToSearch" placeholder="Value To Search"><br><br>
            <input type="submit" name="search" value="Filter"><br><br>
            <table>
                <tr>
                    <th>User</th>
                    <th>Name</th>
                    <th>Home Number</th>
                    <th>Mobile</th>
                </tr>

      <!-- populate table from mysql database -->
                <?php while($row = mysqli_fetch_array($search_result)):?>
                <tr>
                    <td><?php echo $row['user'];?></td>
                    <td><?php echo $row['name'];?></td>
                    <td><?php echo $row['contact_numberH'];?></td>
                    <td><?php echo $row['contact_numberM'];?></td>
                </tr>
                <?php endwhile;?>
            </table> 
         </form>

Update: I ran with --parse-error and exported the log, and this is what I got:

############################################################################

HTTP request [#75]:
GET /output3/members.php?valueToSearch=amira%20ORDER%20BY%207294--%20tsHB HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.11.8#dev (http://sqlmap.org)
Cookie: PHPSESSID=591d1cc1ebd182143bdf5d322fc61960
Host: localhost
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

HTTP response [#75] (200 OK):
Date: Thu, 19 Nov 2020 04:48:19 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
X-Powered-By: PHP/7.2.34
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 33
Connection: close
Content-Type: text/html; charset=UTF-8
URI: http://localhost:80/output3/members.php?valueToSearch=amira%20ORDER%20BY%207294--%20tsHB

<!DOCTYPE html>
Anda belum login

############################################################################
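The captured exchange above is the useful clue: the 33-byte response body is the string "Anda belum login" ("you are not logged in"), not the members table, so the request is answered before the search code in members.php ever runs. sqlmap is testing a login wall, which is why every technique reports "not injectable". The `--cookie` option is how sqlmap is given an already-authenticated PHPSESSID, and the search branch only executes when the `search` parameter is present in the request as well (`if(isset($_GET['search']))`), so both need to be in the scan for the query to be reached. The query itself is injectable: user input is spliced into four `LIKE '%...%'` clauses with no escaping. The following is an added example (not code from the question) that reproduces that construction in Python against an in-memory SQLite table with constructed rows, runs the same boolean-based blind pair sqlmap starts with (`AND 1=1` versus `AND 1=2`), and shows the parameterised form with `LIKE` wildcard escaping that closes the hole. The table contents and the `escape_like`/`safe_search` names are assumptions for this example; the mysqli equivalent is a prepared statement with the pattern bound as a parameter.

```python
import sqlite3

# Constructed sample data standing in for the `user1` table in the question.
SAMPLE_ROWS = [
    ("mira", "Amira Binti Ali", "0312345678", "0191234567"),
    ("hafiz", "Hafiz Rahman", "0398765432", "0139876543"),
    ("admin", "Site Administrator", "", ""),
]

COLUMNS = ("user", "name", "contact_numberH", "contact_numberM")


def open_db():
    """In-memory stand-in for the MySQL database used by members.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user1 (user TEXT, name TEXT, "
                 "contact_numberH TEXT, contact_numberM TEXT)")
    conn.executemany("INSERT INTO user1 VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, value):
    """Same construction as the PHP: the raw value is concatenated into
    four LIKE '%...%' clauses, so quotes and comments in it become SQL."""
    clauses = " OR ".join(f"{col} LIKE '%{value}%'" for col in COLUMNS)
    query = f"SELECT * FROM user1 WHERE {clauses}"
    return conn.execute(query).fetchall()


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so '%' and '_' in user input match
    literally. Binding alone does not do this; a bare '%' still matches
    every row. The escape character itself is escaped first."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_search(conn, value):
    """Hardened form: the pattern is bound as a parameter, so the value
    can never change the statement, and wildcards are escaped."""
    pattern = "%" + escape_like(value) + "%"
    clauses = " OR ".join(f"{col} LIKE ? ESCAPE '\\'" for col in COLUMNS)
    query = f"SELECT * FROM user1 WHERE {clauses}"
    return conn.execute(query, (pattern,) * len(COLUMNS)).fetchall()


def boolean_blind_differs(conn, search_fn, base="mira"):
    """sqlmap's first test: does a TRUE payload and a FALSE payload yield
    different pages? '-- ' closes the rest of the concatenated query, as in
    the 'ORDER BY 7294-- tsHB' payload captured in the question."""
    true_rows = search_fn(conn, base + "' AND 1=1-- ")
    false_rows = search_fn(conn, base + "' AND 1=2-- ")
    return len(true_rows) != len(false_rows)


if __name__ == "__main__":
    db = open_db()
    print("normal search:", vulnerable_search(db, "mira"))
    print("dump everything:", vulnerable_search(db, "x' OR 1=1-- "))
    print("blind pair differs (vulnerable):", boolean_blind_differs(db, vulnerable_search))
    print("blind pair differs (hardened):  ", boolean_blind_differs(db, safe_search))
    print("hardened, same payload:", safe_search(db, "x' OR 1=1-- "))
    print("hardened, bare wildcard:", safe_search(db, "%"))
```

Run against a logged-in session, the vulnerable version behaves exactly as sqlmap expects: the `AND 1=1` / `AND 1=2` pair returns different row counts, which is the signal sqlmap could not see through the login page. In the hardened version both payloads are looked up as literal text and return nothing, and a bare `%` no longer dumps the whole table.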
