POST injection: there are two ways to perform POST injection. One is to use the --data parameter, where the POST keys and values are supplied in a form similar to a GET query string. The second is to use the -r parameter, where sqlmap reads a POST request packet that the user has captured and uses it for injection detection.
View payload: to view payloads I had been adding a local proxy and then using Burp Suite to see the sqlmap payloads, and only now found that the -v parameter can do this. I always thought -v only controlled the level of warning and debug information. In fact, -v 3 displays the injected payloads, and 4, 5 and 6 can also display HTTP requests, HTTP response headers, and pages.
Using Google search: sqlmap can test for SQL injection in Google search results, which is a powerful feature. It is used through the -g parameter. However, it is still very rarely used in practice.
Request delay: requests may be blocked by a firewall when they are sent too frequently during injection. This is where the --delay parameter comes in; it sets the delay between two HTTP requests. Some web applications block all requests after multiple failed accesses, which means none of the subsequent tests can be carried out. To get around this policy, use --safe-url to access a normal page every once in a while.
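The lockout behaviour described above, seen from the defending side, as an added example that is not from the original post: a lockout that counts only consecutive failed requests is reset by any periodic request to a normal page, while a count of failures over a sliding time window is not. The class names, thresholds and the request trace are assumptions constructed for illustration.

```python
from collections import deque

class ConsecutiveLockout:
    """Weak policy (assumed): block after `limit` failed requests in a row."""
    def __init__(self, limit=5):
        self.limit, self.streak, self.blocked = limit, 0, False

    def observe(self, ts, failed):
        if self.blocked:
            return True
        # Any successful request resets the streak to zero.
        self.streak = self.streak + 1 if failed else 0
        self.blocked = self.streak >= self.limit
        return self.blocked

class WindowLockout:
    """Stronger policy (assumed): block after `limit` failures within `window` seconds."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.failures = deque()   # timestamps of recent failed requests
        self.blocked = False

    def observe(self, ts, failed):
        if self.blocked:
            return True
        if failed:
            self.failures.append(ts)
        # Drop failures that have aged out of the window.
        while self.failures and ts - self.failures[0] > self.window:
            self.failures.popleft()
        self.blocked = len(self.failures) >= self.limit
        return self.blocked

def constructed_trace(total=40, safe_every=3, delay=1.0):
    """Constructed sample: failed requests with one normal page after every
    `safe_every` of them, spaced `delay` seconds apart. Returns (ts, failed) pairs."""
    return [(i * delay, (i + 1) % (safe_every + 1) != 0) for i in range(total)]

def first_block(policy, trace):
    """Index of the request at which the policy starts blocking, or None."""
    for i, (ts, failed) in enumerate(trace):
        if policy.observe(ts, failed):
            return i
    return None

if __name__ == "__main__":
    trace = constructed_trace()
    print("consecutive-failure policy blocks at:", first_block(ConsecutiveLockout(), trace))
    print("sliding-window policy blocks at:     ", first_block(WindowLockout(), trace))
```

On the constructed trace the consecutive-failure policy never triggers, while the sliding-window policy blocks at the fifth failed request.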
Pseudo-static pages: some web servers use URL rewriting, or the site is pseudo-static, so test parameters cannot be supplied directly. In that case a * can be used in place of the parameter to be tested.
Execute system commands: when the database supports it and the current user has the permissions, you can execute system commands using --os-cmd or --os-shell. Specifically, when multiple statements can be executed, sqlmap attempts to use a UDF (MySQL, PostgreSQL) or xp_cmdshell (MSSQL) to execute the system commands. When multiple statements cannot be executed, it still tries to create a webshell to execute the commands, which requires the absolute path of the web directory. Overall, the success rate is low, but I have personally had successful experiences.
Test level: sqlmap uses the --level parameter to run tests of differing thoroughness. The default is 1, and the level affects which payloads are used. At level 2 cookie injection is tested, and at level 3 the User-Agent is tested.
Some tips for Sqlmap