Sqlmap (SQL injection automation tool)
2022-07-29 07:38:00 【The way of remedy】
Brief introduction
sqlmap is an open-source SQL injection vulnerability detection tool. It can test GET/POST parameters, cookies and HTTP headers in dynamic pages; it can also view data, access the file system, and even execute operating system commands.
Test methods: Boolean-based blind injection, time-based blind injection, error-based injection, UNION query injection, stacked-query injection
Supported databases: MySQL, Oracle, PostgreSQL, MSSQL, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB
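Seen from the defending side, the techniques listed above leave recognisable traces in web access logs. The following detection sketch is an added example, not code from the original post or from the sqlmap project; the regexes, the Apache/Nginx combined log format, the helper names and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures, one per technique listed above (assumed, need tuning).
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-blind": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "error-based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "union-query": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked-queries": re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I),
}
# Apache/Nginx "combined" access-log format (assumed).
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def classify(line):
    """Return (client_ip, sorted findings) for one access-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None, []
    ip, target, agent = m.groups()
    findings = set()
    # sqlmap announces itself unless its User-Agent is overridden.
    if agent.lower().startswith("sqlmap/"):
        findings.add("sqlmap-user-agent")
    query = unquote_plus(target.partition("?")[2])  # decode %20, %3D, ...
    findings.update(n for n, rx in SIGNATURES.items() if rx.search(query))
    return ip, sorted(findings)

def summarize(lines):
    """Map each client IP to the set of findings across all its requests."""
    report = {}
    for line in lines:
        ip, findings = classify(line)
        if findings:
            report.setdefault(ip, set()).update(findings)
    return report

def _hit(ip, target, agent="Mozilla/5.0"):
    """Build one constructed log line (documentation IP ranges)."""
    return f'{ip} - - [29/Jul/2022:07:38:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{agent}"'

SAMPLE = [
    _hit("198.51.100.7", "/item.php?id=1", "sqlmap/1.6#stable (https://sqlmap.org)"),
    _hit("203.0.113.9", "/item.php?id=1%20AND%204821%3D4821"),
    _hit("203.0.113.9", "/item.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL"),
    _hit("203.0.113.9", "/item.php?id=1%20AND%20SLEEP(5)"),
    _hit("192.0.2.44", "/item.php?id=2"),
]
```

Calling summarize(SAMPLE) groups the findings per client address. Because the --user-agent and --random-agent options described further down replace the default header, the User-Agent check alone misses such scans; the query-string signatures cover that case.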
Download and install
1. Download from the official website: https://sqlmap.org/

2. Environment: sqlmap is developed in Python, so a Python environment must be installed.
3. Unzip the downloaded sqlmap and copy it to the Python path.

4. Create a cmd shortcut on the desktop and name it SQLMap.


5. Right-click the new shortcut, choose "Properties", change "Start in" to the path of your own sqlmap, and click OK.

6. Double-click the shortcut you created and enter sqlmap.py -h; the following information indicates that the installation succeeded.

Parameter usage
Specifying the target
-u "url"
(Specify the URL; GET request)
-r request.txt
POST submission: use an HTTP request file, which can be exported from Burp Suite.
-m url.txt
Scan using a file that contains multiple URLs. If there are duplicates, sqlmap automatically treats them as one.
-g "inurl:\".php?id=1\""
Scan the URLs returned by a Google search-syntax query.
-l log.txt --scope="regular expression"
POST submission: use a Burp Suite log file (Options -> Misc -> Logging -> Proxy -> check Requests). --scope filters the log contents with a regular expression to select the targets to scan.
-c sqlmap.conf
Scan using a configuration file (sqlmap.conf is in the same directory as sqlmap.py)
Specifying target parameters
-p "username,id"
Specify the parameters to scan
--data="username=admin&password=123"
Specify the parameter data to scan; applies to both GET and POST
--method=GET
Specify the request method; POST is also possible
--cookie="security=low;PHPSESSID=121123131"
Use a cookie for authentication
--skip "username,id"
Exclude the specified parameters from the scan
--param-del=";"
Change the parameter separator. The default is &; some websites do not use & to pass multiple values.
--drop-set-cookie (placed after the cookie value)
Sometimes, after a request is made, the server sends a new Set-Cookie to the client, and sqlmap uses the new cookie by default. Setting this option makes it keep using the original cookie.
--user-agent "aaaaaaa"
Use the specified browser User-Agent header
--random-agent
Use a random browser User-Agent header
--host="aaaaa"
Specify the Host header
--referer="aaaaaa"
Specify the Referer header
--headers="host:aaaa\nUser-Agent:bbbb"
Some websites require specific headers for authentication
--auth-type, --auth-cred
--auth-type Basic --auth-cred "user:pass" for authentication; Digest and NTLM are also available
--auth-file="ca.PEM"
Authenticate with a private-key certificate
--proxy="url"
Scan the target through a proxy; the proxy software occupies port 8080
--proxy-cred="name:pass"
The account and password to use with the proxy
--ignore-proxy
Ignore system-level proxy settings; usually used to scan targets on the local network (the same segment).
Viewing data
--users
Query all database accounts
--dbs
Query all databases
--schema
Query the source database (contains the data that defines the data)
-a
Query the current user, current database, host name, whether the current user is the highest-privilege administrator, database accounts, etc.
-D database name
Specify the database
--current-user
Query all user names in the current database
--current-db
Query the current database name
--hostname
Query the host name of the server
--privileges -U username
Query the privileges of username
--roles
Query roles
--tables
List all tables
-T table name
Specify the table
--columns
List all columns
-C column name
Specify the column
--count
Count: see how many rows of data there are
--exclude-sysdbs
Exclude system databases
--dump
View the data
--start 3
View the 3rd entry
--stop 4
View the 4th entry
--sql-query "select * from users"
Execute an SQL statement
--common-columns
Brute-force column names; used in two cases: ① no permission to read the data; ② MySQL < 5.0, which has no information_schema database
--common-tables
Brute-force table names
--check-waf
Detect WAF/IPS/IDS
--hpp
Bypass WAF/IPS/IDS
--identify-waf
Thoroughly test for WAF/IPS/IDS