Developer Academy course "Network Security Attack and Defense - Web Penetration Testing: SQL Injection Attacks, Part 6" study notes. These notes follow the course closely so that learners can pick up the material quickly.
Course URL: https://developer.aliyun.com/learning/course/630/detail/9909
SQL Injection Attacks, Part 6
Contents
I. Automated injection
II. sqlmap help
III. Testing the command
IV. GET method injection
I. Automated injection
Among the tools for SQL injection, the open-source tool sqlmap is the first choice. sqlmap is a security testing tool well known both in China and abroad; it can automatically detect and exploit SQL injection vulnerabilities and obtain control of the database server.
It has a powerful detection engine and many feature options for security testing against different kinds of databases, including retrieving data from the database, accessing files on the operating system, and even executing operating system commands through an out-of-band connection.
sqlmap supports vulnerability detection against MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB databases.
II. sqlmap help
1. root@kali:~# sqlmap -h | less
(1) The help output of the injector is shown below:
(1) Target:
At least one of these options has to be provided to define the target(s)
-d DIRECT Connection string for direct database connection
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-l LOGFILE Parse target(s) from Burp or WebScarab proxy log file
-x SITEMAPURL Parse target(s) from remote sitemap(.xml) file
-m BULKFILE Scan multiple targets given in a textual file
-r REQUESTFILE Load HTTP request from a file
-g GOOGLEDORK Process Google dork results as target URLs
-c CONFIGFILE Load options from a configuration INI file
(2) Request:
These options can be used to specify how to connect to the target URL
--method=METHOD Force usage of given HTTP method (e.g. PUT)
--data=DATA Data string to be sent through POST
--param-del=PARA.. Character used for splitting parameter values
--cookie=COOKIE HTTP Cookie header value
--cookie-del=COO.. Character used for splitting cookie values
--load-cookies=L.. File containing cookies in Netscape/wget format
--drop-set-cookie Ignore Set-Cookie header from response
--user-agent=AGENT HTTP User-Agent header value
--random-agent Use randomly selected HTTP User-Agent header value
--host=HOST HTTP Host header value
--referer=REFERER HTTP Referer header value
-H HEADER, --hea.. Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
--headers=HEADERS Extra headers (e.g. "Accept-Language: fr\nETag: 123")
--auth-type=AUTH.. HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred=AUTH.. HTTP authentication credentials (name:password)
--auth-file=AUTH.. HTTP authentication PEM cert/private key file
--ignore-code=IG.. Ignore HTTP error code (e.g. 401)
--ignore-proxy Ignore system default proxy settings
--ignore-redirects Ignore redirection attempts
(3) Injection:
These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--skip=SKIP Skip testing for given parameter(s)
--skip-static Skip testing parameters that not appear to be dynamic
--param-exclude=.. Regexp to exclude parameters from testing (e.g. "ses")
--dbms=DBMS Force back-end DBMS to this value
--dbms-cred=DBMS.. DBMS authentication credentials (user:password)
--os=OS Force back-end DBMS operating system to this value
--invalid-bignum Use big numbers for invalidating values
--invalid-logical Use logical operations for invalidating values
(4) Enumeration:
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--hostname Retrieve DBMS server hostname
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
--roles Enumerate DBMS users roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--count Retrieve number of entries for table(s)
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
--search Search column(s), table(s) and/or database name(s)
--comments Retrieve DBMS comments
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
-X EXCLUDE DBMS database identifier(s) to not enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--pivot-column=P.. Pivot column name
--where=DUMPWHERE Use WHERE condition while table dumping
--start=LIMITSTART First dump table entry to retrieve
(5) Operating system access:
These options can be used to access the back-end database management system underlying operating system
--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
--os-smbrelay One click prompt for an OOB shell, Meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc Database process user privilege escalation
--msf-path=MSFPATH Local path where Metasploit Framework is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
III. Testing the command
An error occurs.
Fix: append --batch to the command above.
An error message appears again.
Fix: additionally add --level=5 --risk=3 (raise the test level and risk).
Test.
IV. GET method injection
root@kali:~# sqlmap -u "http://192.168.106.134/mutillidae/index.php?page=user-info.php&username=yangge&password=123&user-info-php-submit-button=View+Account+Details" -p username
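From the defender's side, a run like the one above leaves a recognizable trail in the web server's access log: sqlmap announces itself in its default User-Agent unless --user-agent or --random-agent is used, and the values it sends for the tested parameter (here username) carry quote, comment and UNION/SLEEP markers. The following is an added example, not part of the course; it parses constructed Apache combined-log lines for the Mutillidae user-info.php page from the notes and flags both signals, so that requests with a hidden User-Agent are still caught by their parameter values.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample (not from the course): three sqlmap-style requests from one
# client, the third with its User-Agent hidden, plus one benign lookup.
SAMPLE_LOG = """\
192.168.106.1 - - [10/May/2024:10:00:01 +0800] "GET /mutillidae/index.php?page=user-info.php&username=yangge&password=123 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.168.106.1 - - [10/May/2024:10:00:02 +0800] "GET /mutillidae/index.php?page=user-info.php&username=yangge%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.168.106.1 - - [10/May/2024:10:00:03 +0800] "GET /mutillidae/index.php?page=user-info.php&username=yangge%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:10:00:04 +0800] "GET /mutillidae/index.php?page=user-info.php&username=alice&password=secret HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identity, user, time, request line, status, bytes, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Coarse injection markers for triage; this is a log signal, not a WAF rule set.
INJ_RE = re.compile(r"(?i)(?:'|--|/\*|\bunion\b\s+\bselect\b|\bsleep\s*\(|\b(?:and|or)\b\s+\d+\s*=\s*\d+)")

def parse_line(line):
    """Split one combined-log line into fields; query parameters are percent-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return entry

def classify(entry):
    """Return the reasons a request looks like automated injection testing (empty if none)."""
    reasons = []
    if "sqlmap" in entry["agent"].lower():
        reasons.append("default-sqlmap-user-agent")
    for name, value in entry["params"].items():
        if INJ_RE.search(value):
            reasons.append(f"injection-marker:{name}")
    return reasons

def scan(log_text):
    """Return (findings, hits_per_ip); a burst of hits from one client is the escalation signal."""
    findings, per_ip = [], defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            per_ip[entry["ip"]] += 1
            findings.append((entry["ip"], entry["path"], entry["params"], reasons))
    return findings, dict(per_ip)
```

Because parse_qsl decodes the query string once, a double-encoded value would slip past INJ_RE; decode a second time before matching if that is a concern in your environment.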