信息读取 Fay·D·Flourite

09 May 2020 6607字 23分
BY-SA 4.0(除特别声明或转载文章外)

信息读取

sqlite文件读取

sqlite是一个无服务器的数据库,也称为嵌入式数据库。和mysql不同的是,sqlite整个数据库都集中在一个文件中,也因此十分轻便,很多小软件啊,安卓应用啊,都会使用。

这里放两篇文章,有比较详细的对比。

https://blog.csdn.net/qq_31930499/article/details/80420246

https://www.simcf.cc/8814.html

但既然数据库作为文件存在而不是存放于服务端去读取,则更加容易被我们所读取。

注:当然mysql也有文件存在,只是说读取不如sqlite方便。主要是以下这几个点

  1. 我是用python读取,我觉得其他的语言应该也是,就是和mysql交互需要host,user,passwd,db之类的数据(因为mysql基于服务器),要想交互取得数据还得取得用户名和密码之类的。如连接代码:
  • mysqldb

MySQLdb.connect(host='localhost',user='user',passwd='password',db='database',charset='utf-8')

  • sqlite3

sqlite3.connect('文件地址')

  • mysql命令行

mysql -h主机地址 -u用户名 -p用户密码

  1. sqlite3是python3自带库而MySQLdb不是(用法相似)
  1. mysql的文件按照不同的引擎而分成多个文件,比如:

按照不同的表,不同的数据,不同的引擎而分成多个文件存储,也不方便直接读取原文件以还原mysql数据库

可以尝试一下搜一搜你的电脑里文件后缀为.sqlite或者.db的文件(sqlite数据库文件其实并没有后缀,用后缀是为了方便辨认,任何后缀名都是可以的),你会发现其实有非常多的数据库文件,譬如firefox,firefox就是用的sqlite存储诸如书签,cookies甚至于用户密码

C:\Users\用户名\AppData\Roaming\Mozilla\Firefox\Profiles该地址下搜后缀名为.db或是.sqlite你就能找到一堆。(不知道这个是不是通用的地址,大家还是按照自己的来,我觉得应该是嗷)我们拿书签的数据库举例。

>>> import sqlite3
>>> conn = sqlite3.connect('C:/Users/Fay.D.Flourite/AppData/Roaming/Mozilla/Firefox/Profiles/xfxcwdod.default-release/weave/bookmarks.sqlite')
>>> c=conn.cursor()
>>> h=c.execute("select name from sqlite_master where type='table' order by name")
>>> for i in h:
...  print(i)
...
('items',)
('meta',)
('sqlite_stat1',)
('structure',)
('tags',)
('urls',)
>>> h=c.execute("select * from items")
>>> for i in h:
...  print(i)
...
(1, 'root________', 'root________', 0, 0, 1, 0, 3, 0, None, None, None, None, None, None, None, None)
(6, '6UPrdLeaDQ4X', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(7, '8gpb4v8gymO-', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(8, 'bSGB9EdDwCGk', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(9, 'BuvlWKVOtGF0', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(10, 'CFFWqsFDqRnn', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(11, 'CypCVUdfUOh3', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(12, 'dstM843MDKaV', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(13, 'D_EstuhRJKux', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(14, 'fA6qpgDBzvhb', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(15, 'G6dbxRt47Hfd', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(16, 'gS-ZCpjHMwkq', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(17, 'GytqdXL09fp5', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(18, 'hAVFpWo6nf3Q', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(19, 'JoUJjlI-oXOq', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(20, 'KDmhx-aGFFQS', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(21, 'LA4JoKlHRIkm', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(22, 'NPXZ03wDsSnt', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(23, 'NRPjIIxYta9b', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(24, 'NwhHmv317mkQ', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(25, 'PQWHSKtBqR65', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(26, 'R1aErym81n4C', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(27, 'R8_hNSCiYMcb', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(28, 'Tmg5hx4rccKD', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(29, 'y0kJMsJRy9H1', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(30, 'yr4x3EDanM9i', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(31, 'z5W0OIYwO7mN', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(32, 'zC5nek_GVyG9', None, 1501937188140, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(33, 'lNPco5MSHsYJ', None, 1501937384590, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(34, '4CHhdl7p8hLF', None, 1501939593490, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(35, '4yUgXCCUFeVe', None, 1501939593490, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(36, 'sIP-SDoXmjWT', None, 1501939593490, 0, 1, 1, -1, 0, None, None, None, None, None, None, None, None)
(37, '14ufERbpkLwy', '537CPELWSyBr', 1567003788170, 0, 1, 0, 1, 1567003735943, '参与进来', 1, None, None, None, None, None, None)
(38, '25rpzClpdlKo', 'menu________', 1567003788170, 0, 1, 0, 1, 1496641875450, '魅族官网', 2, None, None, None, None, None, None)
(39, '2CKizYgAQllf', 'DstF-Supt5Gk', 1567003788170, 0, 1, 0, 1, 1567003736081, '百度', 3, None, None, None, None, None, None)
(40, '2RUJAEzDro2u', 'menu________', 1567003788170, 0, 1, 0, 1, 1496641875450, '聚美优品', 4, None, None, None, None, None, None)
(41, '31pAjTo6e7HJ', 'toolbar_____', 1567003788170, 0, 1, 0, 3, 1496641875450, '常用网址', None, None, None, None, None, None, None)
(42, '364KfPjvYRKG', 'toolbar_____', 1567003788170, 0, 1, 0, 1, 1496641875450, '京东商城', 5, 'mozcn:toolbar:jd', None, None, None, None, None)
(43, '3hcNtSTaFfew', 'DstF-SzNh9OS', 1567003788170, 0, 1, 0, 1, 1567003736028, '火狐扩展精选', 6, None, None, None, None, None, None)
(44, '3rstxV7YRe99', 'toolbar_____', 1567003788170, 0, 1, 0, 3, 1496641875450, '火狐官方站点', None, None, None, None, None, None, None)
(45, '52xIOultw8b2', 'menu________', 1567003788170, 0, 1, 0, 1, 1496641875450, '支付宝', 7, None, None, None, None, None, None)
(46, '537CPELWSyBr', 'menu________', 1567003788170, 0, 1, 0, 3, 1567003735943, 'Mozilla Firefox', None, None, None, None, None, None, None)
(47, '5S_MS9yOtS7n', '537CPELWSyBr', 1567003788170, 0, 1, 0, 1, 1567003735943, '关于我们', 8, None, None, None, None, None, None)
(48, '67dxPSqpLR7v', 'menu________', 1567003788170, 0, 1, 0, 1, 1496641875450, '小米官网', 9, None, None, None, None, None, None)
(49, '8eIdEh0a7Fz6', 'toolbar_____', 1567003788170, 0, 1, 0, 1, 1567003735980, '新手上路', 10, None, None, None, None, None, None)
(50, '8Ejf8Tl81lTm', 'DstF-SzNh9OS', 1567003788170, 0, 1, 0, 1, 1567003736051, '火狐中文网', 11, None, None, None, None, None, None)
(51, 'aD37PG5jc0uH', 'menu________', 1567003788170, 0, 1, 0, 1, 1496641875450, '专注于Win7', 12, None, None, None, None, None, None)
............以下省略无数书签

可以看到我们就这么轻松的拿到了所有的书签,而比如cookies.sqlite这种数据库,直接就可以拿到存储的所有cookie信息,能做什么就不用多说了8。包括里面有个key4.db文件,存储的好像是密码…?我也打开看过

搜了一哈,好像这是解密用密钥,要配合logins.json使用,里面才是保存的用户名密码。其余文件包括place.sqlite为上网记录之类的。可参照官方文档:

https://support.mozilla.org/zh-CN/kb/%E7%94%A8%E6%88%B7%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6?s=%E7%94%A8%E6%88%B7%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6&r=0&e=es&as=s#w_eejulaagcelygouenaoeeenieulgiikiigka

其他浏览器之类的含有sqlite数据库文件也可以找到,譬如google的地址:

C:\Users\用户名\AppData\Local\Google\Chrome\User Data\Default

含有的数据也非常非常的多,类似这种基本都可在官方文档的配置文件中找到默认地址,我觉得这也算是拿下靶机后可以收集的重要数据之一。

后:尝试了下qq的聊天记录数据库文件,和chorme的书签之类的,基本上都是有加密的。确实会安全不少,但是只要他要使用这个数据库,就必然会使用密码。搜了一下,以qq为例,这个密码来自于远端服务器,不在本地,在会用的时候会发过来。(要动调了- -)