Shulou(Shulou.com)06/01 Report--

This article shows you what sqlmap is, concise and easy to understand, absolutely can make your eyes shine, through the detailed introduction of this article I hope you can gain something.

sqlmap is a tool for detecting sql injection, introducing sqlmap's quick start scanning process and parameters.

Operating environment is kali

get method

The first is the case of get mode transmission value, which needs to be accompanied by the transmission data name, such as: id=1

The simple command is sqlmap -u 'http://xxxx id=1'

post method

Post mode needs to be exported as a text file first, and injection is tested in package mode.

First, use the package capture tool to capture the packet. Here, use burp to capture the packet. Right click to export the packet and save it as txt.

After saving, type sqlmap -r/root/post.txt/root/post.txt for the exported package.

Once executed, verify that sql injection exists

sqlmap bypass protection device

Bypass using--tamper reference substitution

This can be done by typing sqlmap -u 'http://xx'--tamper=xxxx.py

xxxx.py needs to be selected according to the database type and protection device rules. sqlmap comes with some bypass scripts. You can open the tamper directory or type sqlmap --list-tampers to view them.

It's best to explore the rules and write your own bypass script

sqlmap common functions

The most common way to detect an injection point is to burst the database

Add--dbs --tables --colmus --dump after the above parameters

--dbs Get all databases

-D XXX --tables Get tables from xxx database

-D xxx -T sss --columns Get SSS field in XXX table

-D xxx -T sss -C "user, password" Get the data in the field user, password

Another--os-shell website permission has write permission to generate an upload point

What is sqlmap? Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserves, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.