Lesson 35: Combined attacks with Sqlmap
Focused on APT attack and defense
https://micropoor.blogspot.com/

msf supports loading third-party components and integrating third-party frameworks both outside a session and inside one. The relevant command is load, and its meaning differs between the two modes. This lesson focuses on loading sqlmap in non-session mode.
After loading sqlmap, the main commands are as follows:

Sqlmap Commands
===============

Command Description
------- -----------
sqlmap_connect sqlmap_connect <host> [<port>]
sqlmap_get_data Get the resulting data of the task
sqlmap_get_log Get the running log of a task
sqlmap_get_option Get an option for a task
sqlmap_get_status Get the status of a task
sqlmap_list_tasks List the knows tasks. New tasks are not stored in DB, so lives as long as the console does
sqlmap_new_task Create a new task
sqlmap_save_data Save the resulting data as web_vulns
sqlmap_set_option Set an option for a task
sqlmap_start_task Start the task

msf exploit(multi/handler) > help sqlmap

help <name of the loaded module> displays the help text of the third-party module.
The sqlmap plugin in msf depends on sqlmap's sqlmapapi.py; sqlmapapi.py must be started before use, and the tasks are then created from msf.

sqlmap, in turn, has full support for msf.

Target: 192.168.1.115, SQL Server 2005 + ASP.NET (aspx)

Construct the injection point, as in Figure 1:
Figure 1: (screenshot of the injection point)
Data structure, as in Figure 2:
Figure 2: (screenshot of the database structure)
The combination of msf and sqlmap will be covered further in future lessons of this series; this lesson is the foundation.

Appendix:
Injection point code:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html>
<script runat="server">
    private DataSet resSet = new DataSet();

    protected void Page_Load(object sender, EventArgs e)
    {
        String strconn = "server=.;database=xxrenshi;uid=sa;pwd=123456";
        string id = Request.Params["id"];
        //string sql = string.Format("select * from admin where id={0}", id);
        // The injection point: the id parameter is concatenated directly into the statement.
        string sql = "select * from sys_user where id=" + id;
        SqlConnection connection = new SqlConnection(strconn);
        connection.Open();
        SqlDataAdapter dataAdapter = new SqlDataAdapter(sql, connection);
        dataAdapter.Fill(resSet);
        DgData.DataSource = resSet.Tables[0];
        DgData.DataBind();
        // The executed statement is echoed back to the client.
        Response.Write("sql:<br>" + sql);
        Response.Write("<br>Result:");
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>

        <asp:DataGrid ID="DgData" runat="server" BackColor="White" BorderColor="#3366CC"
            BorderStyle="None" BorderWidth="1px" CellPadding="4"
            HeaderStyle-CssClass="head" Width="203px">
            <FooterStyle BackColor="#99CCCC" ForeColor="#003399" />
            <SelectedItemStyle BackColor="#009999" Font-Bold="True" ForeColor="#CCFF99" />
            <PagerStyle BackColor="#99CCCC" ForeColor="#003399" HorizontalAlign="Left"
                Mode="NumericPages" />
            <ItemStyle BackColor="White" ForeColor="#003399" />
            <HeaderStyle CssClass="head" BackColor="#003399" Font-Bold="True" ForeColor="#CCCCFF"></HeaderStyle>
        </asp:DataGrid>

    </div>
    </form>
</body>
</html>
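For comparison, the hardened counterpart of the appendix page. This is an added example, not code from the original post: it keeps the same sys_user table and DgData grid but validates id as an integer, binds it as a SqlParameter instead of concatenating it into the statement, reads the connection string from a Web.config entry named "xxrenshi" (an assumed name) rather than embedding the sa password, and no longer echoes the executed SQL to the client. The DataGrid styling attributes are omitted as they are unchanged.

```csharp
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<!DOCTYPE html>
<script runat="server">
    // Hardened version of the injection point above (added example).
    // Assumption: Web.config carries <connectionStrings><add name="xxrenshi" .../>
    // for a low-privilege login, not sa.
    private DataSet resSet = new DataSet();

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Type-check the input before it is used anywhere: "1 or 1=1" fails here.
        int id;
        if (!int.TryParse(Request.Params["id"], out id))
        {
            Response.StatusCode = 400;
            Response.Write("invalid id");
            return;
        }

        // 2. Parameterised query: the value is bound by the driver, so the
        //    statement text can no longer be altered by the request.
        string strconn = ConfigurationManager.ConnectionStrings["xxrenshi"].ConnectionString;
        const string sql = "select * from sys_user where id = @id";

        using (SqlConnection connection = new SqlConnection(strconn))
        using (SqlCommand command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@id", SqlDbType.Int).Value = id;
            connection.Open();
            using (SqlDataAdapter dataAdapter = new SqlDataAdapter(command))
            {
                dataAdapter.Fill(resSet);
            }
        }

        DgData.DataSource = resSet.Tables[0];
        DgData.DataBind();
        // 3. Nothing about the statement is written back to the response, so an
        //    error or a probe no longer reveals the query shape or error text.
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:DataGrid ID="DgData" runat="server" />
    </div>
    </form>
</body>
</html>
```

With the integer check alone a tester's payloads are rejected with a 400 instead of reaching the database, and with the parameter binding the statement stays fixed even if the column type were later changed to a string; the two measures are independent, and the parameterised query is the one that actually removes the vulnerability class.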

Micropoor